ASA L2TP and OSX

Gaston Bougie
Level 1

Hi,

I've configured an ASA 5520 for L2L, IPsec VPN with the Cisco client, and L2TP clients.

The L2TP config works fine for Windows and OS X clients. The Windows L2TP tunnel is stable for a long time.

Always after one hour, the OS X L2TP tunnel gets broken on the ASA (I think because of a rekey issue that doesn't work out well).

3   IKE Peer: 1.2.3.4 (windows client)
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 22311

4   IKE Peer: 1.2.3.5 (osx client)
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 3600   <<---- notice the changed lifetime on the OS X client, which is exactly one hour
    Lifetime Remaining: 3537

Does someone know where to look?

Regards,

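A quick check a practitioner can run against this kind of output, added here as an example and not part of the original post: it parses the indented `show crypto isakmp sa` blocks above and flags a remote-access ("user") peer toward which the ASA is the IKE initiator, a negotiated Phase 1 lifetime below the ASA's own policy lifetime (IKEv1 peers settle on the shorter of the two proposed lifetimes, so a 3600 that appears in no ASA policy was proposed by the client), and legacy ciphers. The sample text is reconstructed from the post with the annotations removed; the 86400 s default is taken from the ASA config posted later in the thread, and the function and parameter names are mine.

```python
"""Audit 'show crypto isakmp sa' output for rekey-related oddities.

Added example, not from the original post. Assumptions: the indented block
layout shown in the post; configured_lifetime defaults to the 86400 s that
the ASA's isakmp policies use later in the thread.
"""
import re
from typing import Dict, List

# Constructed from the output in the post (annotations removed).
SAMPLE = """\
3   IKE Peer: 1.2.3.4
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 22311

4   IKE Peer: 1.2.3.5
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 3537
"""

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
KV_RE = re.compile(r"([A-Za-z ]+?)\s*:\s*(\S+)")   # "Key : value" pairs, up to two per line


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per IKE SA; keys are lower-cased ('role', 'lifetime', ...)."""
    sas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = {"index": m.group(1), "peer": m.group(2)}
            sas.append(cur)
        elif cur and line.strip():
            for key, val in KV_RE.findall(line):
                cur[key.strip().lower()] = val
    return sas


def audit_isakmp_sas(sas: List[Dict[str, str]], configured_lifetime: int = 86400) -> Dict[str, List[str]]:
    """Map peer -> list of findings. An empty list means nothing stood out."""
    findings: Dict[str, List[str]] = {}
    for sa in sas:
        issues: List[str] = []
        # A remote-access ('user') peer is expected to dial in; the ASA being the
        # initiator means the ASA, not the client, drove the (re)negotiation.
        if sa.get("type") == "user" and sa.get("role") == "initiator":
            issues.append("ASA is IKE initiator toward a remote-access user peer")
        lifetime = int(sa.get("lifetime", 0))
        remaining = int(sa.get("lifetime remaining", 0))
        # IKEv1 settles on the shorter of the two proposed Phase 1 lifetimes, so a
        # value below the ASA's own policy must have been proposed by the client.
        if 0 < lifetime < configured_lifetime:
            issues.append(f"negotiated lifetime {lifetime}s < configured {configured_lifetime}s "
                          f"(client-proposed); Phase 1 rekey due in {remaining}s")
        if sa.get("state") != "MM_ACTIVE":
            issues.append(f"unexpected state {sa.get('state')}")
        if sa.get("encrypt", "").lower() in {"des", "3des"}:
            issues.append(f"legacy cipher {sa['encrypt']} negotiated")
        findings[sa["peer"]] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit_isakmp_sas(parse_isakmp_sa(SAMPLE)).items():
        print(peer, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run it against the real output by piping `show crypto isakmp sa` into `parse_isakmp_sa`; the "rekey due in" figure tells you when to have the debugs running.
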
8 Replies

Marcin Latosiewicz
Cisco Employee

Gaston,

Notice that role is initiator ...

What is the ASA's version?

Can you provide "debug cry isa 100" and "debug crypto ipsec 100" during rekey?

Marcin

Hello Marcin,

Thank you for your interest in the debug output (it's a lot).
I've attached the debug in the file, which is a cat & grep on the public IP address of the OS X and Windows clients.

Some things I've seen:

21:50: 2x L2TP VPN started on Windows and OS X. ±22:49: problem with the OS X L2TP connection.

I've checked during a working VPN and the ASA is now responder and the OS X client is the VPN initiator.

Very strange that this changed for some reason. Maybe during or after a rekey it could get changed? (I thought about it after the capture.)

When the VPN has a problem, syslog level 3 errors are shown:

%ASA-3-713902: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd568180, mess id 0x364b26c5)!
%ASA-1-713900: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 03 22:37:18 [IKEv1]: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd568180, mess id 0x364b26c5)!
Jul 03 22:37:18 [IKEv1]: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
%ASA-3-713902: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd489b58, mess id 0xaa8de5a8)!

Jul  3 22:48:53 172.0.0.0 %ASA-7-713906: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, Attempted to init Phase 2 ESP session with no Phase 1 atts present!

Jul  3 22:49:23 172.0.0.0 %ASA-4-113019: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:57m:31s, Bytes xmt: 2658660, Bytes rcv: 1142084, Reason: Phase 2 Error

My first thought would be that OS X has a problem with generating new keys.

For me it still could be phase 1 or 2.

It could be a phase 1 error, so phase 2 can't bind its new SA to it.

Or phase 1 is OK, and it's only phase 2 that has a problem.

Keep in mind I had to start 2 L2TP IPsec VPNs behind the same public IP, but 2 different private IPs: one OS X and one Windows (in VMware).

As I think OS X is to blame, I'm reading something by a guy who has written about his experience with it:
http://www.jacco2.dds.nl/networking/openswan-macosx.html

" Paul Wouters of the Openswan team noted that a rekeying problem occurred after one hour."

Regards,

Gaston

Gaston,

Unless you're running something prior to 7.2.4, there hasn't been anything like this reported as a problem on the ASA's side.

Note:

Jul  3 22:36:52 172.0.0.0 %ASA-7-713906: IP = 84.28.x.x, Starting phase 1 rekey

There is a problem re-negotiating phase 2 though, no reply from the Mac:

Jul  3 22:36:52 172.0.0.0 %ASA-7-713236: IP = 84.28.x.x, IKE_DECODE SENDING Message (msgid=364b26c5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160

Jul  3 22:36:52 172.0.0.0 %ASA-7-710007: NAT-T keepalive received from 84.28.x.x/4500 to outside:22asa.95.1.34/4500

Jul  3 22:37:11 172.0.0.0 %ASA-7-710007: NAT-T keepalive received from 84.28.x.x/1024 to outside:22asa.95.1.34/4500

Jul  3 22:37:12 172.0.0.0 %ASA-7-710007: NAT-T keepalive received from 84.28.x.x/4500 to outside:22asa.95.1.34/4500

Jul  3 22:37:24 172.0.0.0 %ASA-3-713902: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd568180, mess id 0x364b26c5)!

Jul  3 22:37:24 172.0.0.0 %ASA-7-715065: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, IKE QM Initiator FSM error history (struct &0xcd568180)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Soon after you will see sequences like this:

Jul  3 22:39:53 172.0.0.0 %ASA-7-713236: IP = 84.28.x.x, IKE_DECODE RECEIVED Message (msgid=aa8de5a8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 248

(and moments later)

Jul  3 22:39:53 172.0.0.0 %ASA-7-715065: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, IKE QM Responder FSM error history (struct &0xcd489b58)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG

Of course the problem might be that I'm seeing debugs from two users at a time.

When the connection is established by the Mac, can you get me "show vpn-session det remote"?

I'm curious about the timers.

Marcin

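The reasoning in the two posts above (Gaston's syslog excerpt and Marcin's reading of the debug) can be turned into a small correlator, added here as an example that is not part of the thread. It parses the default ASA syslog layout, groups events per peer, ties each 713902 QM FSM error back to the preceding 713906 "Starting phase 1 rekey", and uses the IKE_DECODE SENDING/RECEIVED message IDs to decide whether the ASA was the Quick Mode initiator that got no reply (msgid 364b26c5) or the responder that rejected the peer's proposal (msgid aa8de5a8), finishing with the 113019 disconnect reason. The sample lines are constructed in the shape of those quoted in the thread; the 300 s correlation window, the assumed year for the timestamps and the documentation addresses (198.51.100.34, 203.0.113.7) are my choices.

```python
"""Correlate ASA IKEv1 syslog around a Phase 1 rekey to explain a dropped session.

Added example, not from the original thread. Assumptions: the default
'Mon dd HH:MM:SS host %ASA-sev-id: body' syslog layout used in the thread,
an assumed year for the timestamps, and a 300 s window that ties a QM error
back to the rekey that preceded it.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the shape of the lines quoted in the thread. '84.28.x.x' is the
# thread's own redaction kept verbatim; the other addresses are documentation IPs.
SAMPLE_LOG = """\
Jul  3 22:36:52 172.0.0.0 %ASA-7-713906: IP = 84.28.x.x, Starting phase 1 rekey
Jul  3 22:36:52 172.0.0.0 %ASA-7-713236: IP = 84.28.x.x, IKE_DECODE SENDING Message (msgid=364b26c5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160
Jul  3 22:37:12 172.0.0.0 %ASA-7-710007: NAT-T keepalive received from 84.28.x.x/4500 to outside:198.51.100.34/4500
Jul  3 22:37:24 172.0.0.0 %ASA-3-713902: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd568180, mess id 0x364b26c5)!
Jul  3 22:37:24 172.0.0.0 %ASA-7-715065: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, IKE QM Initiator FSM error history (struct &0xcd568180)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2
Jul  3 22:39:53 172.0.0.0 %ASA-7-713236: IP = 84.28.x.x, IKE_DECODE RECEIVED Message (msgid=aa8de5a8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 248
Jul  3 22:39:53 172.0.0.0 %ASA-3-713902: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, QM FSM error (P2 struct &0xcd489b58, mess id 0xaa8de5a8)!
Jul  3 22:49:23 172.0.0.0 %ASA-4-113019: Group = DefaultRAGroup, Username = fake.user, IP = 84.28.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:57m:31s, Bytes xmt: 2658660, Bytes rcv: 1142084, Reason: Phase 2 Error
Jul  3 22:50:01 172.0.0.0 %ASA-7-710007: NAT-T keepalive received from 203.0.113.7/4500 to outside:198.51.100.34/4500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+%ASA-(?P<sev>\d)-(?P<id>\d+):\s*(?P<body>.*)$")
MSGID_RE = re.compile(r"(SENDING|RECEIVED) Message \(msgid=([0-9a-fA-F]+)\)")


def parse_asa_syslog(text: str) -> List[dict]:
    """One dict per syslog line: timestamp, severity, message id, peer address, body."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m["body"]
        # IKE messages carry 'IP = peer,'; NAT-T keepalives carry 'from peer/port'.
        peer = re.search(r"IP = ([^,]+)", body) or re.search(r"from ([^/\s]+)/", body)
        events.append({
            "ts": datetime.strptime(m["ts"] + " 2000", "%b %d %H:%M:%S %Y"),  # year is not logged; assumed
            "sev": int(m["sev"]),
            "id": m["id"],
            "peer": peer.group(1).strip() if peer else None,
            "body": body,
        })
    return events


def correlate_rekey_failures(events: List[dict], window_s: int = 300) -> Dict[str, List[str]]:
    """Per peer, explain each QM FSM error and the final disconnect."""
    by_peer: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["peer"]:
            by_peer[e["peer"]].append(e)

    findings: Dict[str, List[str]] = {}
    for peer, evs in by_peer.items():
        rekeys = [e["ts"] for e in evs if e["id"] == "713906" and "Starting phase 1 rekey" in e["body"]]
        sent, received = set(), set()   # Quick Mode message ids seen in each direction
        notes: List[str] = []
        for e in evs:
            mm = MSGID_RE.search(e["body"]) if e["id"] == "713236" else None
            if mm:
                (sent if mm.group(1) == "SENDING" else received).add(mm.group(2).lower())
            elif e["id"] == "713902":
                mid_m = re.search(r"mess id 0x([0-9a-fA-F]+)", e["body"])
                mid = mid_m.group(1).lower() if mid_m else "?"
                if mid in sent and mid not in received:
                    side = "ASA was QM initiator and got no reply to its QM message 1"
                elif mid in received:
                    side = "ASA was QM responder and rejected the peer's QM message 1"
                else:
                    side = "direction unknown"
                prior = [(e["ts"] - r).total_seconds() for r in rekeys
                         if 0 <= (e["ts"] - r).total_seconds() <= window_s]
                when = f"{prior[-1]:.0f}s after a Phase 1 rekey started" if prior else "with no recent Phase 1 rekey"
                notes.append(f"QM FSM error msgid {mid}: {side}, {when}")
            elif e["id"] == "113019":
                dur = re.search(r"Duration: (\S+),", e["body"])
                reason = re.search(r"Reason: (.*)$", e["body"])
                notes.append(f"session disconnected after {dur.group(1) if dur else '?'}, "
                             f"reason: {reason.group(1) if reason else '?'}")
        findings[peer] = notes
    return findings


if __name__ == "__main__":
    for peer, notes in correlate_rekey_failures(parse_asa_syslog(SAMPLE_LOG)).items():
        print(peer, "clean" if not notes else "")
        for n in notes:
            print("   -", n)
```

Feed it the `cat & grep` output mentioned above; a peer whose first QM error lands seconds after "Starting phase 1 rekey" and that ends with "Reason: Phase 2 Error" a few minutes short of the negotiated lifetime is the one-hour pattern described in the thread.
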
Yup, I'm going to deliver the info. It just takes one hour of waiting and waiting.

I will also disable the Windows VPN for management so I have only one L2TP client connected.

P.S.

The ASA is running Cisco Adaptive Security Appliance Software Version 8.2(1)

I've attached the logfile with timings, and at the end the OS X logging.

Notice how the VPN role changed from responder to initiator after the problem starts.

I've put some marks in the logfile. You are right about phase 2.

Also the VPN part of the config on the ASA:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Trans-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Trans-3DES-SHA mode transport
crypto ipsec transform-set Trans-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set Trans-AES-128-SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set Trans-AES-128-SHA Trans-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600

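A linter for the crypto section above, added here as an example and not code from the thread. It reads the `crypto isakmp policy` blocks, the transform sets and the dynamic-map entry, and reports legacy algorithms, transform sets that are defined but never referenced by a crypto map, which IPsec SA lifetime actually applies to the map entry (the per-entry `set security-association lifetime` overrides the global 28800), and that a policy's Phase 1 lifetime is only a ceiling that a peer can undercut. The config text is copied from the post and trimmed to the lines the linter reads; the checks, and treating DES, 3DES, MD5 and DH group 2 as weak, are my own present-day judgements.

```python
"""Lint an ASA IKEv1/IPsec crypto config for weak algorithms, dead transform
sets and the effective IPsec SA lifetime per crypto-map entry.

Added example, not from the thread. ASA_CONFIG is copied from the posted
config and trimmed; the weakness criteria below are assumptions.
"""
import re
from typing import Dict, List

ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Trans-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Trans-3DES-SHA mode transport
crypto ipsec transform-set Trans-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set Trans-AES-128-SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set Trans-AES-128-SHA Trans-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp policy 9
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
"""

LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}   # assumption: what counts as legacy


def parse_crypto_config(text: str) -> dict:
    cfg: dict = {"transform_sets": {}, "policies": {}, "map_transform_sets": {},
                 "map_sa_lifetime": {}, "global_sa_lifetime": None}
    policy = None   # the isakmp policy block currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = cfg["policies"].setdefault(m.group(1), {})
            continue
        if line.startswith("crypto "):
            policy = None            # any other top-level crypto line ends the block
        if policy is not None:       # 'authentication pre-share', 'lifetime 86400', ...
            key, _, val = line.partition(" ")
            policy[key] = val
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            ts = cfg["transform_sets"].setdefault(m.group(1), {"algs": [], "mode": "tunnel"})
            if m.group(2).startswith("mode "):
                ts["mode"] = m.group(2).split()[1]
            else:
                ts["algs"] = m.group(2).split()
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", line)
        if m:
            cfg["map_transform_sets"][f"{m.group(1)} {m.group(2)}"] = m.group(3).split()
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set security-association lifetime seconds (\d+)$", line)
        if m:
            cfg["map_sa_lifetime"][f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            cfg["global_sa_lifetime"] = int(m.group(1))
    return cfg


def lint_crypto_config(cfg: dict) -> List[str]:
    out: List[str] = []
    for num, p in sorted(cfg["policies"].items(), key=lambda kv: int(kv[0])):
        if p.get("encryption") in {"des", "3des"}:
            out.append(f"isakmp policy {num}: legacy cipher {p['encryption']}")
        if p.get("hash") == "md5":
            out.append(f"isakmp policy {num}: MD5 integrity")
        if p.get("group") in {"1", "2", "5"}:
            out.append(f"isakmp policy {num}: DH group {p['group']} (MODP of 1536 bits or less)")
        out.append(f"isakmp policy {num}: Phase 1 lifetime {p.get('lifetime', '?')}s is a ceiling; "
                   "a peer proposing less gets the shorter value")
    used = {name for names in cfg["map_transform_sets"].values() for name in names}
    for name, ts in cfg["transform_sets"].items():
        if name not in used:
            out.append(f"transform-set {name}: defined but not referenced by any crypto map (dead config)")
        elif LEGACY_ESP & set(ts["algs"]):
            out.append(f"transform-set {name}: legacy algorithms {' '.join(ts['algs'])} offered to peers")
    for entry in cfg["map_transform_sets"]:
        if entry in cfg["map_sa_lifetime"]:
            out.append(f"{entry}: effective IPsec SA lifetime {cfg['map_sa_lifetime'][entry]}s (per-entry override)")
        else:
            out.append(f"{entry}: effective IPsec SA lifetime {cfg['global_sa_lifetime']}s (global default)")
    return out


if __name__ == "__main__":
    for finding in lint_crypto_config(parse_crypto_config(ASA_CONFIG)):
        print("-", finding)
```
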
Gaston,

There's your problem:

Jul  4 17:48:08 macbookclient racoon[34200]: IKE Packet: receive success. (Information message).
Jul  4 17:48:08 macbookclient racoon[34200]: IKE Packet: receive failed. (Responder, Quick-Mode Message 1).

If we don't know WHY the receive failed it's hard to say more ... we can go into debugging further, up to IKE captures, but it will require effort on our side.

However, honestly, to bypass a problem like this: set the IKE lifetime manually to one day and forget about it :-)

Marcin

Hey Marcin,

I think OS X knows they have some compatibility issue, but they give you the option to build the following VPNs:

1 - PPTP

2 - L2TP over IPsec

3 - Cisco IPsec   (I hadn't seen this one the first time, as I was focused on L2TP to check between OS X and Windows.)

Both options 2 and 3 give you the "group" option, so under the hood there must be something different, as option 3 doesn't break the VPN tunnel in a rekey. Thank you for debugging.

Regards,

Gaston

Gaston,

Option three is a pure IPsec client. It works very similarly to the Cisco VPN client and I'm using it from time to time (supportability issues between the Cisco VPN Client and Mac OS).

Marcin