03-16-2020 09:57 PM
Hello all,
I'd like to start by saying I'm uncertain if I'm posting this thread in the right place. I am a novice with VPN technologies, and trying to get my sea legs. This actually is the first VPN I've ever tried to set up; I'm trying to establish site-to-site tunnel between ASA 5505 ver 8.4(6) and a raspberry pi imaged with Ubuntu 18.04 using Strongswan v5.6.2/K4.15.0-1032-raspi2. I was able to get phase 1 up relatively easily, and I see the IKE security associations established, but I'm stuck trying to get phase 2 up. Both the ASA & raspi are on separate networks, and are assigned private IP's sitting behind NAT devices. The raspi does not have any firewalls enabled. Neither the ASA's or the raspi's syslogs provide any error messages and I think I have my logging levels set as high as they can go. However, when I debug the ASA, I receive a notification that there is a policy mismatch. I used mainly the guides below, but have read several others as well and have followed them as closely as I can. It looks to me as though the phase 2 parameters are as identical as possibly make them, but I can't get past this point. Below is the debug output, my device configs. Any insight into why I cannot establish phase 2 would be greatly appreciated. If I am posting in the wrong place, or if I need to provide more (or less) info, please let me know.
Thanks all,
Jason
https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/
jasonasa# debug crypto ikev2 platform
jasonasa# debug crypto ikev2 protocol
jasonasa# IKEv2-PROTO-1: (26): Failed to find a matching policy
IKEv2-PROTO-1: (26): Received Policies:
ESP: Proposal 1: 3DES SHA96
IKEv2-PROTO-1: (26): Failed to find a matching policy
IKEv2-PROTO-1: (26): Expected Policies:
IKEv2-PROTO-1: (26): Failed to find a matching policy
IKEv2-PROTO-1: (26):
jasonasa# un all
Truncated /var/log/syslog (these are the only Strongswan/charon related msgs in the syslog anyway, not indicating any issue)
Mar 17 00:50:10 jason-pi-1 charon: 06[IKE] sending DPD request
Mar 17 00:50:10 jason-pi-1 charon: 06[ENC] generating INFORMATIONAL request 266 [ ]
Mar 17 00:50:10 jason-pi-1 charon: 06[NET] sending packet: from 192.168.1.254[4500] to 1.1.1.1[4500] (60 bytes)
Mar 17 00:50:10 jason-pi-1 charon: 07[NET] received packet: from 1.1.1.1[4500] to 192.168.1.254[4500] (60 bytes)
Mar 17 00:50:10 jason-pi-1 charon: 07[ENC] parsed INFORMATIONAL response 266 [ ]
:
ASA Version 8.4(6)
!
hostname jasonasa
enable password WPKenuJlg5kFIa7I encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.250 255.255.255.0
!
ftp mode passive
clock timezone EASTERN -5
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.4.4
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list TUNNEL extended permit 10 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list TUNNEL extended permit 20 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 log
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:00:00 sip_media 0:00:00 sip-invite 0:30:00 sip-disconnect 0:10:00
timeout sip-provisional-media 0:30:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal IPsec
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay disable
crypto map TUNNEL 10 match address TUNNEL
crypto map TUNNEL 10 set peer 2.2.2.2
crypto map TUNNEL 10 set ikev2 ipsec-proposal IPsec
crypto map TUNNEL 10 set security-association lifetime seconds 2000
crypto map TUNNEL interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 3600
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 10000000
crypto ikev2 enable outside
telnet timeout 5
ssh 192.168.0.253 255.255.255.255 outside
ssh 192.168.0.254 255.255.255.255 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source outside
webvpn
anyconnect-essentials
username abcde password JC3dvrSDTR58CY/x encrypted
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
# ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="all"
uniqueids=yes
conn babys-first-site-to-site-vpn
fragmentation=yes
type=tunnel
auto=start
keyexchange=ikev2
authby=psk
left=%any
leftsubnet=192.168.1.0/24
right=1.1.1.1
rightsubnet=192.168.0.0/24
rightid=%any
ike=3des-sha1-modp1024-prfsha1!
esp=3des-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=10000000s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
# ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
2.2.2.2 1.1.1.1 : PSK "poopies"
192.168.1.254 192.168.0.250 : PSK "poopies"
0183930@jason-pi-1:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router.asus.com 0.0.0.0 UG 100 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0183930@jason-pi-1:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255
03-17-2020 01:07 AM
Hi,
Clearly you have an issue with IKEv2 policy not matching. Options, stop on first one that fixes the problem:
1. I see the following two lines have an "!" mark at the end, not sure that this means and if it should be there:
ike=3des-sha1-modp1024-prfsha1!
esp=3des-sha1!
2. Try to exclude the PFR setting from Strongswan: instead of "ike=3des-sha1-modp1024-prfsha1!", use "ike=3des-sha1-modp1024"
3. Try using a different hashing/PRF algorithm, not SHA1, on both sides; try MD5 first, if it works, another version of SHA.
Let me know if any of the above fixed it.
Regards,
Cristian Matei.
03-17-2020 09:47 AM
03-17-2020 09:59 AM
Hi Christian, thank you for your reply. I will try that, but I am also a
bit confused. If there is an issue with my IKEv2 policy, why does it still
establish phase 1?
03-17-2020 09:47 PM
I also tried the suggestions of removing the strict flag (!, exclamation mark) from my Strongswan IKE policy & IPSec proposal, removed the PRF, and also switched to MD5 for both the IKEv2 policy & IPSec proposal, with the same result. Phase 1 establishes, but phase 2 does not =[ the debugs also still show that there is a policy mismatch, but I am not sure where the mismatch is. I don't really understand why phase 1 even establishes successfully since the debug states the IKEv2 policy is mismatched...But from what I can tell, it looks like I am using the same Diffie-Hellman group 2, hash, encryption, and PRF (when I was using it). Do you have any more suggestions by chance? I appreciate your response
03-17-2020 11:20 PM
Hi,
If it's a Phase2 issue, it kind of makes sense. First, on the ASA:
- what traffic do you want to go through the tunnel? From 192.168.3.0/27 to 192.168.1.0/24? If so, this should be exempted from NAT, on both sides (ASA and Strongswan)
- the ACL on the ASA needs to match your interesting traffic and nothing else; if the above is what you need to send through the tunnel, i made corrections to the ASA config, if not answer the question above
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.250 255.255.255.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network LOCAL_LAN_INSIDE
subnet 192.168.3.0 255.255.255.224
!
object network REMOTE_LAN_VPN
subnet 192.168.1.0 255.255.255.0
!
nat (inside, outside) source static LOCAL_LAN_INSIDE LOCAL_LAN_INSIDE destination static REMOTE_LAN_VPN REMOTE_LAN_VPN
!
object network obj_any
nat (inside,outside) dynamic interface
!
no access-list TUNNEL extended permit 10 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 log
no access-list TUNNEL extended permit 20 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list TUNNEL extended permit 192.168.3.0 255.255.255.224 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
no route outside 192.168.1.0 255.255.255.0 2.2.2.2 1
- On Strongswan, if the above initial statements are correct, with traffic that needs to flow through the tunnel:
conn babys-first-site-to-site-vpn
fragmentation=yes
type=tunnel
auto=start
keyexchange=ikev2
authby=psk
left=WAN IP address of strongswan
leftsubnet=192.168.1.0/24
lefttid=%any
right=192.168.0.250
rightsubnet=192.168.3.0/27
rightid=%any
ike=3des-sha1-modp1024-prfsha1!
esp=3des-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=10000000s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
For strongswan, find below a working example:
https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
Regards,
Cristian Matei.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide