[strongSwan] Help to diagnose connection problem with Cisco ASA5585X

Jim Geurts jim at mpirik.com
Sun May 10 16:14:11 CEST 2020


Gave that a shot and no luck :( I appreciate the suggestion, though!

On Sun, May 10, 2020 at 3:59 AM Alex K <rightkicktech at gmail.com> wrote:

>
>
> On Sat, May 9, 2020, 17:19 Jim Geurts <jim at mpirik.com> wrote:
>
>> Hi,
>>
>> I'm new to the world of strongswan and vpns in general, so I apologize if
>> this is answered elsewhere. I inherited a strongSwan box running Linux
>> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
>> ASA5585X. The connection was up and running a few days ago, but I've been
>> trying to get auto=route working (it was previously auto=start) and that
>> caused the tunnel to go up/down a couple times. Now the tunnel will not
>> establish a connection. To me, it seems like it's the phase 2 establishment
>> that is failing, but I'm curious if someone could help clear up what is
>> going on or which part is failing?
>>
>> My understanding (waiting for verification) is that the
>> configured settings for the tunnel from the cisco side are:
>>
>> Phase 1
>>   Encryption algorithm: AES-256
>>   Hash algorithm: SHA-512
>>   DH Group: 14
>>   Lifetime: 28800 (seconds)
>>
>> Phase 2:
>>   Mode: IKE V2 Tunnel
>>   ESP Encryption algorithm: AES-256
>>   ESP Hash algorithm: SHA-512
>>   PFS: DH Group 14
>>   Lifetime: 3600 (seconds)
>>
>> I have the following ipsec.conf file for the tunnel:
>>
>> config setup
>>         # strictcrlpolicy=yes
>>         # uniqueids = no
>>         charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
>>
>> conn %default
>>         ikelifetime=480m
>>         keylife=60m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev1
>>         authby=secret
>>
>> conn FOO
>>         leftid=205.251.242.103
>>         left=172.30.101.187
>>         leftsubnet=205.251.242.103/32
>>         leftupdown=/tmp/vpn/firewall-rules.sh
>>         right=176.32.98.166
>>         rightsubnet=104.40.92.107/32
>>         ike=aes256-sha512-modp2048!
>>         keyexchange=ikev2
>>         esp=aes256-sha2_512-modp2048!
>>         rekeymargin=9m
>>         type=tunnel
>>         compress=no
>>         authby=secret
>>         auto=route
>>         keyingtries=%forever
>>         forceencaps=yes
>>         mobike=no
>>
>>
>> ipsec statusall gives the following:
>>
>> Status of IKE charon daemon (strongSwan 5.7.2, Linux
>> 4.14.177-139.253.amzn2.x86_64, x86_64):
>>   uptime: 19 hours, since May 08 18:56:20 2020
>>   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5
>> mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
>> pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519
>> chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-sim eap-aka
>> eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic
>> eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
>> xauth-noauth dhcp led duplicheck unity counters
>> Listening IP addresses:
>>   172.30.101.187
>> Connections:
>>          FOO:  172.30.101.187...176.32.98.166  IKEv2
>>          FOO:   local:  [205.251.242.103] uses pre-shared key
>> authentication
>>          FOO:   remote: [176.32.98.166] uses pre-shared key authentication
>>          FOO:   child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
>> Routed Connections:
>>          FOO{1}:  ROUTED, TUNNEL, reqid 1
>>          FOO{1}:   205.251.242.103/32 === 104.40.92.107/32
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try
>> to bring the tunnel up manually using ipsec up FOO, I get the following:
>>
>> initiating IKE_SA FOO[1] to 176.32.98.166
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
>> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599
>> bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(FRAG_SUP) V ]
>> received Cisco Delete Reason vendor ID
>> received Cisco Copyright (c) 2009 vendor ID
>> received FRAGMENTATION vendor ID
>> selected proposal:
>> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
>> local host is behind NAT, sending keep alives
>> received 1 cert requests for an unknown ca
>> authentication of '205.251.242.103' (myself) with pre-shared key
>> establishing CHILD_SA FOO{2}
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
>> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304
>> bytes)
>> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208
>> bytes)
>> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
>> authentication of '176.32.98.166' with pre-shared key successful
>> IKE_SA FOO[1] established between
>> 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
>> scheduling reauthentication in 28116s
>> maximum IKE_SA lifetime 28656s
>> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>>
> I would try:  esp=aes256-sha2_512-modp2048
>
> failed to establish CHILD_SA, keeping IKE_SA
>> establishing connection 'FOO' failed
>>
>>
>> Any help or direction would greatly be appreciated as I'm not really sure
>> what I can do next. Also, I'm hoping this is the underlying reason for
>> auto=route not working as expected. Thank you,
>>
>> Jim
>>
>> *Confidentiality and Privacy Notice: *Information transmitted by this
>> email is proprietary to [m]pirik and is intended for use only by the
>> individual or entity to which it is addressed, and may contain information
>> that is private, privileged, confidential or exempt from disclosure under
>> applicable law. All personal messages express views solely of the sender,
>> are not to be attributed to [m]pirik, and may not be copied or distributed
>> without this disclaimer. If you are not the intended recipient or it
>> appears that this mail has been forwarded to you without proper authority,
>> you are notified that any use or dissemination of this information in any
>> manner is strictly prohibited. In such cases, please delete this mail from
>> your records.
>>
>

-- 










*Confidentiality and Privacy Notice: *Information transmitted by 
this email is proprietary to [m]pirik and is intended for use only by the 
individual or entity to which it is addressed, and may contain information 
that is private, privileged, confidential or exempt from disclosure under 
applicable law. All personal messages express views solely of the sender, 
are not to be attributed to [m]pirik, and may not be copied or distributed 
without this disclaimer. If you are not the intended recipient or it 
appears that this mail has been forwarded to you without proper authority, 
you are notified that any use or dissemination of this information in any 
manner is strictly prohibited. In such cases, please delete this mail from 
your records.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200510/84c21574/attachment.html>


More information about the Users mailing list