<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ipsec VPN Tunnel between Debian host and Cisco ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044709#M1067718</link>
    <description>&lt;P&gt;Thanks for the answer.&lt;BR /&gt;The ASA is on the provider side - so I can't change group or security settings.&lt;BR /&gt;I'll try to get the debug log.&lt;/P&gt;&lt;PRE&gt;debug crypto isakmp 127
debug crypto ipsec 127
debug crypto peer condition x.x.x.x&lt;/PRE&gt;&lt;P&gt;Can you check, maybe I made a mistake in the config regarding the inputs?&lt;/P&gt;</description>
    <pubDate>Thu, 12 Mar 2020 05:58:16 GMT</pubDate>
    <dc:creator>Svyat</dc:creator>
    <dc:date>2020-03-12T05:58:16Z</dc:date>
    <item>
      <title>ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044535#M1067701</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We are trying to set up a tunnel between our Debian host and Cisco ASA&amp;nbsp;5585X.&lt;/P&gt;&lt;P&gt;Phase 1 passed well and we have an established connection.&lt;/P&gt;&lt;P&gt;However, we have an error on phase 2:&lt;/P&gt;&lt;PRE&gt;Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA&lt;/PRE&gt;&lt;P&gt;We know that the esp config is wrong - but can't solve it.&lt;/P&gt;&lt;P&gt;Could you help me please?&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&lt;STRONG&gt;The inputs:&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-SPOILER&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Technical Information&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;VPN Gateway Information&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;Cisco ASA 5585X&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;ipsec&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Tunnel mode (transport/tunnel)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;tunnel&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;tunnel&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Peer IP Address&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;5.0.0.90&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;1.0.0.42&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;IP address SHEP/VSHEP (subnet)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;5.0.1.0/24&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;&amp;nbsp;0.0.0.0/24&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Tunnel Properties&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Authentication Method&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;PSK&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;PSK&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Private Shared Key&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;via SMS&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;via SMS&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Cryptography Type&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;IKEv2&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;IKEv2&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Diffie-Hellman Group&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;Group 14&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;Group 
14&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Cryptography Algorithm&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;AES-CBC-256&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;AES-CBC-256&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Hash Algorithm&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;SHA 256&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;SHA 256&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Lifetime (for renegotiation)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Tunnel Properties&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Encapsulation (ESP or AH)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;ESP&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;ESP&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Cryptography Algorithm&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;AES 256&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;AES 256&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Algorithm Method&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;SHA 256&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;SHA 256&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Perfect Forward Secrecy&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;Group 14&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;Group 14&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Lifetime (for renegotiation)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;DIV&gt;Lifesize in KB (for renegotiation)&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;TD&gt;&lt;DIV&gt;default&lt;/DIV&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/LI-SPOILER&gt;&lt;P&gt;&lt;STRONG&gt;ipsec.config&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-SPOILER&gt;&lt;PRE&gt;config setup
        charondebug="all"
        strictcrlpolicy=no
        uniqueids=yes
conn Host-to-ASA
        keyexchange=ikev2
        mobike=no
        fragmentation=yes
        auto=start
        type=tunnel
        authby=psk
        keyingtries=%forever
        left=1.0.0.42
        leftid=1.0.0.42
        leftsubnet=0.0.0.0/0

## Destination LAN
        right=5.0.0.90
        rightsubnet=5.0.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!&lt;/PRE&gt;&lt;/LI-SPOILER&gt;&lt;P&gt;&lt;STRONG&gt;# ipsec statusall&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-SPOILER&gt;&lt;PRE&gt;# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 5 minutes, since Mar 11 20:04:33 2020
  malloc: sbrk 2830336, mmap 0, used 695920, free 2134416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  1.0.0.42
Connections:
  Host-to-ASA:  1.0.0.42...5.0.0.90  IKEv2
  Host-to-ASA:   local:  [1.0.0.42] uses pre-shared key authentication
  Host-to-ASA:   remote: [5.0.0.90] uses pre-shared key authentication
  Host-to-ASA:   child:  0.0.0.0/0 === 5.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Host-to-ASA[1]: ESTABLISHED 5 minutes ago, 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
  Host-to-ASA[1]: IKEv2 SPIs: 4e7a3605sdfer50f7_i* 850fssdfrgt1f4af7_r, pre-shared key reauthentication in 2 hours
  Host-to-ASA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048&lt;/PRE&gt;&lt;/LI-SPOILER&gt;&lt;P&gt;&lt;STRONG&gt;connection log from my host&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-SPOILER&gt;&lt;PRE&gt;Mar 11 20:04:31 host ipsec_starter[14586]: ipsec starter stopped
Mar 11 20:04:33 host ipsec_starter[15215]: Starting strongSwan 5.7.2 IPsec [starter]...
Mar 11 20:04:33 host ipsec_starter[15215]: !! Your strongswan.conf contains manual plugin load options for charon.
Mar 11 20:04:33 host ipsec_starter[15215]: !! This is recommended for experts only, see
Mar 11 20:04:33 host ipsec_starter[15215]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mar 11 20:04:34 host charon[15239]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open socket: Address family not supported by protocol
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 11 20:04:34 host charon[15239]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 11 20:04:34 host charon[15239]: 00[KNL] unable to create IPv6 routing table rule
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded 0 RADIUS server configurations
Mar 11 20:04:34 host charon[15239]: 00[CFG] HA config misses local/remote address
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42
Mar 11 20:04:34 host charon[15239]: 00[LIB] loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Mar 11 20:04:34 host charon[15239]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 20:04:34 host charon[15239]: 00[JOB] spawning 16 worker threads
Mar 11 20:04:34 host ipsec_starter[15238]: charon (15239) started after 40 ms
Mar 11 20:04:34 host charon[15239]: 05[CFG] received stroke: add connection 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 05[CFG] added configuration 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[CFG] received stroke: initiate 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 20:04:34 host charon[15239]: 07[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (464 bytes)
Mar 11 20:04:34 host charon[15239]: 10[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (574 bytes)
Mar 11 20:04:34 host charon[15239]: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Delete Reason vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received FRAGMENTATION vendor ID
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] authentication of '1.0.0.42' (myself) with pre-shared key
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 20:04:34 host charon[15239]: 10[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (256 bytes)
Mar 11 20:04:34 host charon[15239]: 09[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (160 bytes)
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] scheduling reauthentication in 10176s
Mar 11 20:04:34 host charon[15239]: 09[IKE] maximum IKE_SA lifetime 10716s
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA&lt;/PRE&gt;&lt;/LI-SPOILER&gt;&lt;P&gt;&lt;STRONG&gt;Log from ASA&lt;/STRONG&gt;&lt;/P&gt;&lt;PRE&gt;4 Mar 11 2020 15:33:25 750003 Local:5.0.0.90:500 Remote:1.0.0.42:500 Username:91.215.139.42 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy&lt;/PRE&gt;</description>
      <pubDate>Wed, 11 Mar 2020 20:43:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044535#M1067701</guid>
      <dc:creator>Svyat</dc:creator>
      <dc:date>2020-03-11T20:43:23Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044539#M1067702</link>
      <description>&lt;P&gt;Could you run this command on the ASA and display the output?&lt;/P&gt;
&lt;P&gt;!&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;debug crypto isakmp 127&lt;BR /&gt;&lt;/EM&gt;&lt;EM&gt;debug crypto ipsec 127&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;debug crypto peer condition x.x.x.x&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 Mar 2020 20:49:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044539#M1067702</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2020-03-11T20:49:25Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044579#M1067706</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Verify that your IPsec settings match on both sides. If that is done and it still doesn't work, I would lower the security level (like disable PFS or use a lower group number, use 3DES instead of AES, and MD5 instead of SHA). Sometimes the most secure algorithms are supported for configuration but may fail to work.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Mar 2020 22:02:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044579#M1067706</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-11T22:02:33Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044581#M1067707</link>
      <description>&lt;P&gt;3DES is a weak encryption. Lowering it means you are compromising the network.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Mar 2020 22:06:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044581#M1067707</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2020-03-11T22:06:43Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044709#M1067718</link>
      <description>&lt;P&gt;Thanks for the answer.&lt;BR /&gt;The ASA is on the provider side - so I can't change group or security settings.&lt;BR /&gt;I'll try to get the debug log.&lt;/P&gt;&lt;PRE&gt;debug crypto isakmp 127
debug crypto ipsec 127
debug crypto peer condition x.x.x.x&lt;/PRE&gt;&lt;P&gt;Can you check, maybe I made a mistake in the config regarding the inputs?&lt;/P&gt;</description>
      <pubDate>Thu, 12 Mar 2020 05:58:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044709#M1067718</guid>
      <dc:creator>Svyat</dc:creator>
      <dc:date>2020-03-12T05:58:16Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044875#M1067727</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/287680"&gt;@Sheraz.Salim&lt;/a&gt;&amp;nbsp;The recommendation to lower the security level was only temporary, for testing purposes, to avoid available features that don't actually work. In my experience, it happened a lot that whenever I was an early adopter of some new technology (maybe not that new, but nobody was using it to detect bugs, like for example using the strongest DH groups, or EH), it didn't work, due to bugs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Mar 2020 11:22:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4044875#M1067727</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-12T11:22:30Z</dc:date>
    </item>
    <item>
      <title>Re: ipsec VPN Tunnel between Debian host and Cisco ASA</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4045155#M1067740</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It seems that the problem was on the provider side.&lt;BR /&gt;We managed to get phase 2.&lt;BR /&gt;Thank you for the answers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/287680"&gt;@Sheraz.Salim&lt;/a&gt;, the right first command is:&lt;/P&gt;&lt;PRE&gt;debug crypto condition peer x.x.x.x&lt;/PRE&gt;</description>
      <pubDate>Thu, 12 Mar 2020 18:11:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-tunnel-between-debian-host-and-cisco-asa/m-p/4045155#M1067740</guid>
      <dc:creator>Svyat</dc:creator>
      <dc:date>2020-03-12T18:11:18Z</dc:date>
    </item>
  </channel>
</rss>

