[Swan] ASA 5550 Connection Help

Nick Howitt nick at howitts.co.uk
Mon Apr 30 09:55:51 UTC 2018 

Have you seen the AWS set up section on the wiki at 
https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address, 
noting the configuration of the loopback interface?

Nick

On 29/04/2018 23:19, Paul Connolly wrote:
> thanks so much for the response.  Below is the left side config.  The 
> ASA provider would only allow public IP networks so we provided them 
> with the elastic IP of the libreswan box as our endpoint and 
> <elasticIP>/32 for our vpn subnet.  This limits us to only being able 
> to use the vpn server for traffic across the tunnel, but for now 
> that's fine.  I was concerned that I wasn't presenting the IP or the 
> network properly to the ASA, so I did the test setup pointing to 
> another libreswan instance and using the values below for the right 
> side of the connection successfully established the tunnel and two way 
> traffic.  I took this to mean that I was presenting the public IP and 
> subnet properly.
>   left=%defaultroute
>   leftid=<elasticIP>
>   leftsourceip=<elasticIP>
>   leftnexthop=%defaultroute
>   leftsubnet=<elasticIP>/32
>
> I'm aware bad security of the ASA side settings and was concerned that 
> they weren't supported on the Libreswan side. The ASA provider is 
> unwilling to make ANY changes on their setup; they are an older large 
> company that does VPN connections to many vendors and they only 
> configuration values they will accept from us are our VPN IP and VPN 
> networks(and only public ones at that).  It's doubtful that I'll even 
> be able to get any logging from the ASA side to see why the connection 
> is failing.  On my side, pluto logs aren't super helpful:
>
> Apr 29 22:15:34: "ipsec" #257: starting keying attempt 258 of an 
> unlimited number
> Apr 29 22:15:34: "ipsec" #258: initiating Main Mode to replace #257
> Apr 29 22:15:34: deleting other state #257 (STATE_MAIN_I3) "ford"
> Apr 29 22:15:34: "ipsec" #258: transition from state STATE_MAIN_I1 to 
> state STATE_MAIN_I2
> Apr 29 22:15:34: "ipsec" #258: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 29 22:15:35: "ipsec" #258: ignoring unknown Vendor ID payload 
> [1516b07506feabaa5e8ed209f3332f89]
> Apr 29 22:15:35: "ipsec" #258: sending INITIAL_CONTACT
> Apr 29 22:15:35: "ipsec" #258: transition from state STATE_MAIN_I2 to 
> state STATE_MAIN_I3
> Apr 29 22:15:35: "ipsec" #258: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 29 22:15:35: "ipsec" #258: received 1 malformed payload notifies
> Apr 29 22:15:35: "ipsec" #258: discarding duplicate packet; already 
> STATE_MAIN_I3
> Apr 29 22:15:36: "ipsec" #258: discarding duplicate packet; already 
> STATE_MAIN_I3
> Apr 29 22:15:37: "ipsec" #258: discarding duplicate packet; already 
> STATE_MAIN_I3
> Apr 29 22:15:39: "ipsec" #258: next payload type of ISAKMP Hash 
> Payload has an unknown value: 255 (0xff)
> Apr 29 22:15:39: "ipsec" #258: malformed payload in packet
> Apr 29 22:16:39: "ipsec" #258: max number of retransmissions (8) 
> reached STATE_MAIN_I3.  Possible authentication failure: no acceptable 
> response to our first encrypted message
>
> On Sun, Apr 29, 2018 at 4:30 PM, Paul Wouters <paul at nohats.ca 
> <mailto:paul at nohats.ca>> wrote:
>
>     On Sun, 29 Apr 2018, Paul Connolly wrote:
>
>         I have to create an IPSec tunnel from amazon to an ASA 5500.
>         Below is the info I was provided on the ASA config:
>
>         Support Key Exchanged for Subnets: ON
>         IKE Encryption Method: AES256 SHA IKE Diffie-Hellman Groups
>         for Phase 1: Group 2 (1024 bit) IKE (Phase-1) Timeout: 1440
>         Min IPSEC Encryption Method: AES256 SHA IPSEC (Phase-2)
>         Timeout: 3600 Sec PFS (Perfect Forward Secrecy): Disabled
>         Keepalive: Disabled
>
>         I setup libreswan on a centos 7 ec2 instance. This is what I
>         have for Libreswan connection config:
>
>         conn ipsec
>           type=tunnel
>           authby=secret
>           remote_peer_type=cisco
>
>
>     Remove the remote_peer_type=cisco line, that is only needed when using
>     IKEv1 XAUTH as a client towards a Cisco server for Remote Access VPN.
>
>           initial-contact=yes
>           rekey=yes
>           pfs=no
>           ikelifetime=1440m
>           salifetime=60m
>           ike=aes256-sha1;dh2
>           phase2alg=aes256-sha1;modp1024
>           aggrmode=no
>
>         I've successfully created a tunnel to another libreswan
>         instance in a separate aws vpn and can pass traffic but when I
>         point to the ASA, I don't seem to be even getting
>         past the IKE phase. based on this ipsec status:
>
>
>         000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3);
>         EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
>         1: pending Phase 2 for "ipsec" replacing #0
>
>         I know the preshared key is correct but I'm at a loss. For
>         starters, do I at least have the correct libreswan config
>         based the ASA config?
>
>
>     The config looks fine except for you not specifying and IDs for either
>     end. Since you are in AWS, that means you are likely presenting your
>     pre-NAT IP as your ID which is most likely rejected by the Cisco.
>
>     You should ask them what ID they are using on their end and what ID
>     they expect you to have on your end.
>
>     Also, you should REALLY ask them to change dh2/modp1024 to at least
>     dh5/modp1536 because dh2/modp1024 has been declared obsolete by
>     RFC-8247
>     and support will soon be removed from libreswan. This DH group is
>     simply too weak for today's computing powers.
>
>     Paul
>
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

More information about the Swan mailing list