ipsec VPN Tunnel between Debian host and Cisco ASA

Svyat
Level 1

Hello,

We are trying to set up a tunnel between our Debian host and a Cisco ASA 5585X.

The phase 1 passed well and we have established connection.

However, we get an error on phase 2:

Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

We know the esp config is wrong, but we can't solve it.

Could you help me please?


The inputs:

Technical Information
                                     Side A: Cisco ASA 5585X    Side B: ipsec (Debian host)
VPN Gateway Information
  Tunnel mode (transport/tunnel)     tunnel                     tunnel
  Peer IP Address                    5.0.0.90                   1.0.0.42
  IP address SHEP/VSHEP (subnet)     5.0.1.0/24                 0.0.0.0/24
Tunnel Properties (IKE)
  Authentication Method              PSK                        PSK
  Pre-Shared Key                     via SMS                    via SMS
  Cryptography Type                  IKEv2                      IKEv2
  Diffie-Hellman Group               Group 14                   Group 14
  Cryptography Algorithm             AES-CBC-256                AES-CBC-256
  Hash Algorithm                     SHA 256                    SHA 256
  Lifetime (for renegotiation)       default                    default
Tunnel Properties (IPsec)
  Encapsulation (ESP or AH)          ESP                        ESP
  Cryptography Algorithm             AES 256                    AES 256
  Algorithm Method                   SHA 256                    SHA 256
  Perfect Forward Secrecy            Group 14                   Group 14
  Lifetime (for renegotiation)       default                    default
  Lifesize in KB (for renegotiation) default                    default

ipsec.conf

config setup
        charondebug="all"
        strictcrlpolicy=no
        uniqueids=yes
conn Host-to-ASA
        keyexchange=ikev2
        mobike=no
        fragmentation=yes
        auto=start
        type=tunnel
        authby=psk
        keyingtries=%forever
        left=1.0.0.42
        leftid=1.0.0.42
        leftsubnet=0.0.0.0/0

## Destination LAN
        right=5.0.0.90
        rightsubnet=5.0.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

# ipsec statusall

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 5 minutes, since Mar 11 20:04:33 2020
  malloc: sbrk 2830336, mmap 0, used 695920, free 2134416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  1.0.0.42
Connections:
  Host-to-ASA:  1.0.0.42...5.0.0.90  IKEv2
  Host-to-ASA:   local:  [1.0.0.42] uses pre-shared key authentication
  Host-to-ASA:   remote: [5.0.0.90] uses pre-shared key authentication
  Host-to-ASA:   child:  0.0.0.0/0 === 5.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Host-to-ASA[1]: ESTABLISHED 5 minutes ago, 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
  Host-to-ASA[1]: IKEv2 SPIs: 4e7a3605sdfer50f7_i* 850fssdfrgt1f4af7_r, pre-shared key reauthentication in 2 hours
  Host-to-ASA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

Connection log from my host

Mar 11 20:04:31 host ipsec_starter[14586]: ipsec starter stopped
Mar 11 20:04:33 host ipsec_starter[15215]: Starting strongSwan 5.7.2 IPsec [starter]...
Mar 11 20:04:33 host ipsec_starter[15215]: !! Your strongswan.conf contains manual plugin load options for charon.
Mar 11 20:04:33 host ipsec_starter[15215]: !! This is recommended for experts only, see
Mar 11 20:04:33 host ipsec_starter[15215]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mar 11 20:04:34 host charon[15239]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open socket: Address family not supported by protocol
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 11 20:04:34 host charon[15239]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 11 20:04:34 host charon[15239]: 00[KNL] unable to create IPv6 routing table rule
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded 0 RADIUS server configurations
Mar 11 20:04:34 host charon[15239]: 00[CFG] HA config misses local/remote address
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 00[CFG]   loaded IKE secret for 1.0.0.42
Mar 11 20:04:34 host charon[15239]: 00[LIB] loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Mar 11 20:04:34 host charon[15239]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 20:04:34 host charon[15239]: 00[JOB] spawning 16 worker threads
Mar 11 20:04:34 host ipsec_starter[15238]: charon (15239) started after 40 ms
Mar 11 20:04:34 host charon[15239]: 05[CFG] received stroke: add connection 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 05[CFG] added configuration 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[CFG] received stroke: initiate 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 20:04:34 host charon[15239]: 07[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (464 bytes)
Mar 11 20:04:34 host charon[15239]: 10[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (574 bytes)
Mar 11 20:04:34 host charon[15239]: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Delete Reason vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received FRAGMENTATION vendor ID
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] authentication of '1.0.0.42' (myself) with pre-shared key
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 20:04:34 host charon[15239]: 10[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (256 bytes)
Mar 11 20:04:34 host charon[15239]: 09[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (160 bytes)
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] scheduling reauthentication in 10176s
Mar 11 20:04:34 host charon[15239]: 09[IKE] maximum IKE_SA lifetime 10716s
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

Log from ASA

4 Mar 11 2020 15:33:25 750003 Local:5.0.0.90:500 Remote:1.0.0.42:500 Username:91.215.139.42 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
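
The NO_PROPOSAL_CHOSEN notify in the IKE_AUTH response, together with the ASA's "Failed to find a matching policy", says the IKE_SA is fine and the disagreement is in the CHILD_SA: the ESP transforms, or the policy (crypto map / traffic selectors) the ASA holds for this peer. The script below is an added example, not code from the original post, from strongSwan or from Cisco. It parses the `esp=` proposal from the ipsec.conf above and a Cisco ASA IKEv2 `ipsec-proposal` plus `crypto map` fragment, and reports which transform the two sides do not share. The ASA configuration in it is constructed for the example (the names `outside_map`, `VPN-ACL` and `AES256` are invented, and it is not the poster's ASA), the keyword tables cover only a subset of both vocabularies, and the remark that the DH group in `esp=` only matters for rekeys follows RFC 7296, which performs no Diffie-Hellman exchange for the first CHILD_SA created in IKE_AUTH.

```python
"""Added example (not from the original post, strongSwan or Cisco): compare a
strongSwan 'esp=' proposal with a Cisco ASA IKEv2 ipsec-proposal + crypto map
entry to narrow down a phase-2 (CHILD_SA) NO_PROPOSAL_CHOSEN."""
import re

# strongSwan keyword -> ASA keyword.  Assumption: a subset of both vocabularies.
SW_ENC = {"aes128": "aes", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des",
          "aes128gcm16": "aes-gcm", "aes256gcm16": "aes-gcm-256"}
SW_INTEG = {"md5": "md5", "sha1": "sha-1", "sha256": "sha-256",
            "sha384": "sha-384", "sha512": "sha-512"}
SW_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
         "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
SW_IGNORE = {"esn", "noesn"}          # ESN flags have no ASA keyword in this table


def parse_strongswan_esp(esp):
    """'aes256-sha256-modp2048!' -> [("aes-256", "sha-256", 14)]; one tuple per proposal."""
    out = []
    for prop in esp.rstrip("!").split(","):
        enc = integ = dh = None
        for tok in prop.split("-"):
            if tok in SW_ENC:
                enc = SW_ENC[tok]
            elif tok in SW_INTEG:
                integ = SW_INTEG[tok]
            elif tok in SW_DH:
                dh = SW_DH[tok]
            elif tok not in SW_IGNORE:
                raise ValueError("unknown strongSwan ESP token: %s" % tok)
        out.append((enc, integ, dh))
    return out


def parse_asa(cfg):
    """Collect 'crypto ipsec ikev2 ipsec-proposal' blocks and crypto map entries."""
    proposals, maps, current = {}, {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            current = proposals.setdefault(m.group(1), {"enc": set(), "integ": set()})
            continue
        m = re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)
        if m and current is not None:
            current["enc" if m.group(1) == "encryption" else "integ"].update(m.group(2).split())
            continue
        m = re.match(r"crypto map (\S+) (\d+) "
                     r"(set peer|set ikev2 ipsec-proposal|set pfs|match address) ?(.*)", line)
        if m:
            entry = maps.setdefault((m.group(1), int(m.group(2))),
                                    {"peer": None, "proposals": [], "pfs": None, "acl": None})
            what, arg = m.group(3), m.group(4).strip()
            if what == "set peer":
                entry["peer"] = arg
            elif what == "set ikev2 ipsec-proposal":
                entry["proposals"] = arg.split()
            elif what == "set pfs":
                entry["pfs"] = int(arg[5:]) if arg.startswith("group") else None
            else:
                entry["acl"] = arg
    return proposals, maps


def check_child_sa(esp, asa_cfg, peer):
    """Return {"transforms": bool, "pfs": bool, "findings": [...]} for the map entry of `peer`."""
    proposals, maps = parse_asa(asa_cfg)
    entries = [e for e in maps.values() if e["peer"] == peer]
    if not entries:
        return {"transforms": False, "pfs": False,
                "findings": ["no crypto map entry has 'set peer %s'" % peer]}
    entry = entries[0]
    asa_enc, asa_integ = set(), set()
    for name in entry["proposals"]:
        asa_enc |= proposals.get(name, {}).get("enc", set())
        asa_integ |= proposals.get(name, {}).get("integ", set())
    findings, transforms, pfs_ok = [], False, True
    for enc, integ, dh in parse_strongswan_esp(esp):
        if enc in asa_enc and integ in asa_integ:
            transforms = True
        else:
            findings.append("strongSwan %s/%s not offered by ASA proposals %s (enc=%s integ=%s)"
                            % (enc, integ, entry["proposals"], sorted(asa_enc), sorted(asa_integ)))
        if dh != entry["pfs"]:
            pfs_ok = False
            findings.append("PFS: strongSwan DH group %s vs ASA 'set pfs' group %s "
                            "(matters for CREATE_CHILD_SA rekeys, not the IKE_AUTH CHILD_SA)"
                            % (dh, entry["pfs"]))
    if not findings:
        findings.append("ESP transforms and PFS agree; compare traffic selectors / crypto ACL next")
    return {"transforms": transforms, "pfs": pfs_ok, "findings": findings}


# Constructed sample input for the example (not the poster's ASA configuration).
SW_ESP = "aes256-sha256-modp2048!"        # the esp= line from the ipsec.conf above
PEER = "1.0.0.42"
ASA_MISMATCH = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 10 match address VPN-ACL
crypto map outside_map 10 set peer 1.0.0.42
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
"""
# Same ASA with integrity widened to sha-256 and PFS group 14 added.
ASA_FIXED = ASA_MISMATCH.replace("sha-1", "sha-256") + "crypto map outside_map 10 set pfs group14\n"

if __name__ == "__main__":
    for label, cfg in (("mismatch", ASA_MISMATCH), ("fixed", ASA_FIXED)):
        result = check_child_sa(SW_ESP, cfg, PEER)
        print("%s: transforms=%s pfs=%s" % (label, result["transforms"], result["pfs"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Against a real ASA, paste the relevant lines of `show running-config crypto` into the `asa_cfg` string and use the strongSwan host's address as `peer`. If the script reports that transforms and PFS agree, the remaining candidate is policy rather than ciphers: the strongSwan child is `0.0.0.0/0 === 5.0.1.0/24`, and the ASA's crypto ACL for this peer has to cover what strongSwan proposes as TSi/TSr; that comparison is not done here.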