03-11-2020 01:43 PM
Hello,
We are trying to set up a tunnel between our Debian host and a Cisco ASA 5585X.
Phase 1 passes and we have an established connection.
However, we get an error in phase 2:
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
We know the ESP config is wrong, but we can't solve it.
Could you help me, please?
The inputs:
Technical Information
VPN Gateway Information        | Cisco ASA 5585X | ipsec
Tunnel mode (transport/tunnel) | tunnel          | tunnel
Peer IP Address                | 5.0.0.90        | 1.0.0.42
IP address SHEP/VSHEP (subnet) | 5.0.1.0/24      | 0.0.0.0/24

Tunnel Properties
Authentication Method          | PSK             | PSK
Private Shared Key             | via SMS         | via SMS
Cryptography Type              | IKEv2           | IKEv2
Diffie-Hellman Group           | Group 14        | Group 14
Cryptography Algorithm         | AES-CBC-256     | AES-CBC-256
Hash Algorithm                 | SHA 256         | SHA 256
Lifetime (for renegotiation)   | default         | default

Tunnel Properties
Encapsulation (ESP or AH)      | ESP             | ESP
Cryptography Algorithm         | AES 256         | AES 256
Algorithm Method               | SHA 256         | SHA 256
Perfect Forward Secrecy        | Group 14        | Group 14
Lifetime (for renegotiation)   | default         | default
Lifesize in KB (for renegotiation) | default     | default
ipsec.conf
config setup
        charondebug="all"
        strictcrlpolicy=no
        uniqueids=yes

conn Host-to-ASA
        keyexchange=ikev2
        mobike=no
        fragmentation=yes
        auto=start
        type=tunnel
        authby=psk
        keyingtries=%forever
        left=1.0.0.42
        leftid=1.0.0.42
        leftsubnet=0.0.0.0/0
        # Destination LAN
        right=5.0.0.90
        rightsubnet=5.0.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 5 minutes, since Mar 11 20:04:33 2020
  malloc: sbrk 2830336, mmap 0, used 695920, free 2134416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  1.0.0.42
Connections:
  Host-to-ASA:  1.0.0.42...5.0.0.90  IKEv2
  Host-to-ASA:   local:  [1.0.0.42] uses pre-shared key authentication
  Host-to-ASA:   remote: [5.0.0.90] uses pre-shared key authentication
  Host-to-ASA:   child:  0.0.0.0/0 === 5.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Host-to-ASA[1]: ESTABLISHED 5 minutes ago, 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
  Host-to-ASA[1]: IKEv2 SPIs: 4e7a3605sdfer50f7_i* 850fssdfrgt1f4af7_r, pre-shared key reauthentication in 2 hours
  Host-to-ASA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
connection log from my host
Mar 11 20:04:31 host ipsec_starter[14586]: ipsec starter stopped
Mar 11 20:04:33 host ipsec_starter[15215]: Starting strongSwan 5.7.2 IPsec [starter]...
Mar 11 20:04:33 host ipsec_starter[15215]: !! Your strongswan.conf contains manual plugin load options for charon.
Mar 11 20:04:33 host ipsec_starter[15215]: !! This is recommended for experts only, see
Mar 11 20:04:33 host ipsec_starter[15215]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mar 11 20:04:34 host charon[15239]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open socket: Address family not supported by protocol
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 11 20:04:34 host charon[15239]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 11 20:04:34 host charon[15239]: 00[KNL] unable to create IPv6 routing table rule
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded 0 RADIUS server configurations
Mar 11 20:04:34 host charon[15239]: 00[CFG] HA config misses local/remote address
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded IKE secret for 1.0.0.42 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded IKE secret for 1.0.0.42
Mar 11 20:04:34 host charon[15239]: 00[LIB] loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Mar 11 20:04:34 host charon[15239]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 20:04:34 host charon[15239]: 00[JOB] spawning 16 worker threads
Mar 11 20:04:34 host ipsec_starter[15238]: charon (15239) started after 40 ms
Mar 11 20:04:34 host charon[15239]: 05[CFG] received stroke: add connection 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 05[CFG] added configuration 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[CFG] received stroke: initiate 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 20:04:34 host charon[15239]: 07[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (464 bytes)
Mar 11 20:04:34 host charon[15239]: 10[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (574 bytes)
Mar 11 20:04:34 host charon[15239]: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Delete Reason vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received FRAGMENTATION vendor ID
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] authentication of '1.0.0.42' (myself) with pre-shared key
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 20:04:34 host charon[15239]: 10[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (256 bytes)
Mar 11 20:04:34 host charon[15239]: 09[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (160 bytes)
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] scheduling reauthentication in 10176s
Mar 11 20:04:34 host charon[15239]: 09[IKE] maximum IKE_SA lifetime 10716s
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Log from ASA
4 Mar 11 2020 15:33:25 750003 Local:5.0.0.90:500 Remote:1.0.0.42:500 Username:91.215.139.42 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
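As an added example (not from the post, and not strongSwan's own tooling), here is a small Python triage script for exactly this situation: it walks the charon lines quoted above, records which IKE proposal was selected, whether the IKE_SA came up, and in which exchange (IKE_AUTH for the first CHILD_SA, CREATE_CHILD_SA for later ones) the NO_PROPOSAL_CHOSEN notify arrived, then lists what the initiator's esp= string committed it to so the same values can be compared against the peer's IPsec proposal, PFS group and protected networks. The sample log is a constructed excerpt of the post's log; the token classification in parse_proposal is a heuristic for esp= strings, not strongSwan's parser.

```python
"""Triage a strongSwan charon log for a CHILD_SA rejected with NO_PROPOSAL_CHOSEN.
Added example; not code from the post or from strongSwan."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the decisive charon lines quoted in the post above.
SAMPLE_LOG = """\
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""
SAMPLE_ESP = "aes256-sha256-modp2048!"  # the esp= value from the post's ipsec.conf

# Heuristic token classes for an esp= string (assumption, not strongSwan's grammar).
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac")


@dataclass
class Proposal:
    enc: List[str] = field(default_factory=list)
    integ: List[str] = field(default_factory=list)
    dh: List[str] = field(default_factory=list)
    esn: List[str] = field(default_factory=list)
    strict: bool = False  # trailing "!": only the listed proposal(s) are offered


def parse_proposal(spec: str) -> Proposal:
    """Classify the algorithms of the first comma-separated proposal in an esp= string."""
    spec = spec.strip()
    p = Proposal(strict=spec.endswith("!"))
    for tok in spec.rstrip("!").split(",")[0].split("-"):
        if tok.startswith(DH_PREFIXES):
            p.dh.append(tok)
        elif tok in ("esn", "noesn"):
            p.esn.append(tok)
        elif tok.startswith(INTEG_PREFIXES):
            p.integ.append(tok)
        else:
            p.enc.append(tok)  # ciphers and AEAD modes (aes256, aes128gcm16, ...)
    return p


CHARON_RE = re.compile(r"charon\[\d+\]: \d+\[\w+\] (?P<msg>.*)$")
SELECTED_RE = re.compile(r"selected proposal: (?P<sa>IKE|ESP|AH):(?P<prop>\S+)")
RESPONSE_RE = re.compile(r"parsed (?P<exchange>\w+) response \d+ \[ (?P<payloads>.*?) \]")
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) notify, no CHILD_SA built")


@dataclass
class Diagnosis:
    ike_proposal: Optional[str] = None
    ike_established: bool = False
    child_established: bool = False
    child_notify: Optional[str] = None
    child_exchange: Optional[str] = None  # exchange whose response carried the notify
    checks: List[str] = field(default_factory=list)


def diagnose(log: str, esp_spec: str) -> Diagnosis:
    """Walk the charon log in order and explain a CHILD_SA failure."""
    d, last_exchange = Diagnosis(), None
    for line in log.splitlines():
        m = CHARON_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (s := SELECTED_RE.search(msg)) and s.group("sa") == "IKE":
            d.ike_proposal = s.group("prop")
        elif r := RESPONSE_RE.search(msg):
            last_exchange = r.group("exchange")  # remembered until the notify shows up
        elif "IKE_SA " in msg and " established between " in msg:
            d.ike_established = True
        elif msg.startswith("CHILD_SA ") and " established with SPIs " in msg:
            d.child_established = True
        elif n := NOTIFY_RE.search(msg):
            d.child_notify, d.child_exchange = n.group("notify"), last_exchange
    if d.child_notify == "NO_PROPOSAL_CHOSEN" and not d.child_established:
        p = parse_proposal(esp_spec)
        d.checks.append(f"{d.child_exchange or 'unknown exchange'}: responder rejected the "
                        "CHILD_SA proposal" + (" but accepted the IKE_SA, so the IKE policy "
                                               "matched" if d.ike_established else ""))
        d.checks.append(f"compare ESP encryption {p.enc} and integrity {p.integ} "
                        "with the peer's IPsec proposal")
        if p.dh:
            d.checks.append(f"compare PFS group {p.dh} with the peer's PFS setting")
        if p.strict:
            d.checks.append("esp= ends with '!', so nothing else is offered; widen it "
                            "temporarily to learn what the peer accepts")
        d.checks.append("confirm leftsubnet/rightsubnet match the peer's protected networks")
    return d


if __name__ == "__main__":
    res = diagnose(SAMPLE_LOG, SAMPLE_ESP)
    print(f"IKE: {res.ike_proposal} (established={res.ike_established})")
    print(f"CHILD_SA: {res.child_notify} in {res.child_exchange}")
    for c in res.checks:
        print(" -", c)
```

Run it against a full `journalctl -u strongswan` dump instead of the embedded sample to get the same summary for a live tunnel; a notify attributed to CREATE_CHILD_SA rather than IKE_AUTH points at a rekey or a second child, not the initial proposal.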