ipsec VPN Tunnel between Debian host and Cisco ASA

Svyat (Level 1)

Hello,

We are trying to set up a tunnel between our Debian host and a Cisco ASA 5585X.

Phase 1 passed well and we have an established connection.

However, we have an error on phase 2:

Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

We know that the esp config is wrong, but we can't solve it.

Could you help me, please?


The inputs:

Technical Information

VPN Gateway Information
  Parameter                           Cisco ASA 5585X   ipsec (Debian host)
  Tunnel mode (transport/tunnel)      tunnel            tunnel
  Peer IP Address                     5.0.0.90          1.0.0.42
  IP address SHEP/VSHEP (subnet)      5.0.1.0/24        0.0.0.0/24

Tunnel Properties (phase 1)
  Authentication Method               PSK               PSK
  Private Shared Key                  via SMS           via SMS
  Cryptography Type                   IKEv2             IKEv2
  Diffie-Hellman Group                Group 14          Group 14
  Cryptography Algorithm              AES-CBC-256       AES-CBC-256
  Hash Algorithm                      SHA 256           SHA 256
  Lifetime (for renegotiation)        default           default

Tunnel Properties (phase 2)
  Encapsulation (ESP or AH)           ESP               ESP
  Cryptography Algorithm              AES 256           AES 256
  Algorithm Method                    SHA 256           SHA 256
  Perfect Forward Secrecy             Group 14          Group 14
  Lifetime (for renegotiation)        default           default
  Lifesize in KB (for renegotiation)  default           default

ipsec.config 

config setup
        charondebug="all"
        strictcrlpolicy=no
        uniqueids=yes
conn Host-to-ASA
        keyexchange=ikev2
        mobike=no
        fragmentation=yes
        auto=start
        type=tunnel
        authby=psk
        keyingtries=%forever
        left=1.0.0.42
        leftid=1.0.0.42
        leftsubnet=0.0.0.0/0

## Destination LAN
        right=5.0.0.90
        rightsubnet=5.0.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

Output of ipsec statusall:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 5 minutes, since Mar 11 20:04:33 2020
  malloc: sbrk 2830336, mmap 0, used 695920, free 2134416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  1.0.0.42
Connections:
  Host-to-ASA:  1.0.0.42...5.0.0.90  IKEv2
  Host-to-ASA:   local:  [1.0.0.42] uses pre-shared key authentication
  Host-to-ASA:   remote: [5.0.0.90] uses pre-shared key authentication
  Host-to-ASA:   child:  0.0.0.0/0 === 5.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Host-to-ASA[1]: ESTABLISHED 5 minutes ago, 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
  Host-to-ASA[1]: IKEv2 SPIs: 4e7a3605sdfer50f7_i* 850fssdfrgt1f4af7_r, pre-shared key reauthentication in 2 hours
  Host-to-ASA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

Connection log from my host:
Mar 11 20:04:31 host ipsec_starter[14586]: ipsec starter stopped
Mar 11 20:04:33 host ipsec_starter[15215]: Starting strongSwan 5.7.2 IPsec [starter]...
Mar 11 20:04:33 host ipsec_starter[15215]: !! Your strongswan.conf contains manual plugin load options for charon.
Mar 11 20:04:33 host ipsec_starter[15215]: !! This is recommended for experts only, see
Mar 11 20:04:33 host ipsec_starter[15215]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mar 11 20:04:34 host charon[15239]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open socket: Address family not supported by protocol
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 11 20:04:34 host charon[15239]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 11 20:04:34 host charon[15239]: 00[KNL] unable to create IPv6 routing table rule
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded 0 RADIUS server configurations
Mar 11 20:04:34 host charon[15239]: 00[CFG] HA config misses local/remote address
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42
Mar 11 20:04:34 host charon[15239]: 00[LIB] loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Mar 11 20:04:34 host charon[15239]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 20:04:34 host charon[15239]: 00[JOB] spawning 16 worker threads
Mar 11 20:04:34 host ipsec_starter[15238]: charon (15239) started after 40 ms
Mar 11 20:04:34 host charon[15239]: 05[CFG] received stroke: add connection 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 05[CFG] added configuration 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[CFG] received stroke: initiate 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 20:04:34 host charon[15239]: 07[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (464 bytes)
Mar 11 20:04:34 host charon[15239]: 10[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (574 bytes)
Mar 11 20:04:34 host charon[15239]: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Delete Reason vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received FRAGMENTATION vendor ID
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] authentication of '1.0.0.42' (myself) with pre-shared key
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 20:04:34 host charon[15239]: 10[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (256 bytes)
Mar 11 20:04:34 host charon[15239]: 09[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (160 bytes)
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] scheduling reauthentication in 10176s
Mar 11 20:04:34 host charon[15239]: 09[IKE] maximum IKE_SA lifetime 10716s
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

Log from ASA

4 Mar 11 2020 15:33:25 750003 Local:5.0.0.90:500 Remote:1.0.0.42:500 Username:91.215.139.42 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
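As an added example (not code from this thread), a small Python triage that tells a phase-1 failure from the phase-2 refusal shown in the charon log above, and checks the esp= proposal string against the phase-2 settings from the input sheet. The sample log lines, PEER_PHASE2 and NAME_MAP are constructed for this example and cover only the values used in this thread.

```python
import re

# Constructed sample of charon log lines like those quoted in the post above.
SAMPLE_LOG = """\
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Phase-2 settings as worded in the provider's input sheet above (constructed).
PEER_PHASE2 = {"enc": "AES 256", "integ": "SHA 256", "pfs": "Group 14"}
# Input-sheet wording -> strongSwan keyword (only the values this thread uses).
NAME_MAP = {"AES 256": "aes256", "SHA 256": "sha256", "Group 14": "modp2048"}


def triage_charon_log(text):
    """Separate a phase-1 failure from a phase-2 (CHILD_SA) refusal.
    Returns the selected IKE proposal, whether the IKE_SA came up and a
    verdict: 'phase1-failure', 'phase2-mismatch' or 'ok'."""
    info = {"ike_proposal": None, "ike_sa_up": False, "child_refused": False}
    for line in text.splitlines():
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            info["ike_proposal"] = m.group(1)
        if "IKE_SA" in line and "established between" in line:
            info["ike_sa_up"] = True          # phase 1 completed
        if "NO_PROPOSAL_CHOSEN" in line and "no CHILD_SA" in line:
            info["child_refused"] = True      # peer rejected phase 2
    if not info["ike_sa_up"]:
        info["verdict"] = "phase1-failure"
    elif info["child_refused"]:
        info["verdict"] = "phase2-mismatch"
    else:
        info["verdict"] = "ok"
    return info


def parse_esp(proposal):
    """Split an esp= string such as 'aes256-sha256-modp2048!' into parts;
    a trailing '!' means strict: only this single proposal is offered."""
    parts = proposal.rstrip("!").split("-") + [None, None]
    return {"enc": parts[0], "integ": parts[1], "pfs": parts[2],
            "strict": proposal.endswith("!")}


def esp_mismatches(proposal, peer=PEER_PHASE2):
    """Fields where the local esp= string disagrees with the peer's documented
    phase-2 settings; empty means the local transform set did not cause it."""
    local = parse_esp(proposal)
    return [f for f in ("enc", "integ", "pfs")
            if local[f] != NAME_MAP.get(peer[f], peer[f])]
```

For the thread's config, esp_mismatches("aes256-sha256-modp2048!") returns an empty list, which agrees with the outcome reported later in the thread that the problem was on the provider side.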


Accepted Solution

Sheraz.Salim (VIP Alumni)

Could you run these commands on the ASA and display the output?

!

debug crypto isakmp 127
debug crypto ipsec 127

debug crypto peer condition x.x.x.x

please do not forget to rate.

6 Replies


Cristian Matei (VIP Alumni)

Hi,

Verify that your IPsec settings are matching on both sides. If that is done and it still doesn't work, I would lower the security level (like disable PFS or use a lower group number, use 3des instead of aes, and MD5 instead of SHA); sometimes the most secure algorithms are supported to be configured but may fail to work.

Regards,

Cristian Matei.

3DES is weak encryption. Lowering down means you are compromising the network.

please do not forget to rate.

Hi,

@Sheraz.Salim The recommendation to lower down the security level was only temporary, for testing purposes, to avoid available features that don't actually work. In my experience, it happened a lot that whenever I was an early adopter of some new technology (maybe not that new, but nobody was using it to detect bugs, like for example using the strongest DH groups, or EH), it didn't work, due to bugs.

Regards,

Cristian Matei.

Thanks for the answer.
The ASA is on the provider side, so I can't change the group or security settings.
I'll try to get the debug log.

debug crypto isakmp 127
debug crypto ipsec 127
debug crypto peer condition x.x.x.x

Can you check, maybe I made a mistake in the config regarding the inputs?

Svyat (Level 1)

Hello,

It seems that the problem was on the provider side.
We managed to get phase 2.
Thank you for the answers.

By the way @Sheraz.Salim, the right first command is:

debug crypto condition peer x.x.x.x