[Swan] Cisco IOS XE Interoperability with Libreswan

Reuben Farrelly reuben-libreswan at reub.net
Tue Aug 14 14:03:30 UTC 2018 

Hi,

I've recently been able to upgrade my router hardware from a Cisco IOS 
based router to an IOS XE based router and am running into what I think 
are interoperability issues between the two.

I'm tracking libreswan git master at the moment so hopefully picking up 
all the most recent fixes (and bugs).

Basically what I am experiencing is IPSec sessions are not establishing 
and I think there are multiple problems, so I'm trying to break it down 
into smaller discrete problems which may make it easier to solve.
The first issue is the negotiation of ikev2 and ipsec algorithms.

1. The documentation in the man page states that "the default IKE 
proposal depends on the version of libreswan used".  The page also 
states that I can look up the ipsec_spi(8) man page for values of --ike.
Unfortunately that seemingly dated man page just states various 
arguments of which there doesn't even appear to be an --ike option at 
all and it's certainly not obvious what option I should be using to show 
a list if valid ciphers or defaults.
Finding out this information is entirely unfriendly to someone who is 
just trying to get things to work.  Can the default proposals please be 
spelt out in release notes or in a table in the FAQ so that this is easy 
to determine?

2. Cisco IOS and IOS XE both defaults to using supposedly secure 
algorithms by default, which means that I don't (shouldn't) need to 
specifically configure anything on the IOS/IOS-XE device for a variety 
of algorithms to be presented and something in common matched with 
Libreswan.

Assuming I want to hard set the Libreswan side, what should I be using 
in this case?

Cisco defaults as of IOS-XE 16.9.1 are:

router-2#show crypto ikev2 proposal
  IKEv2 proposal: default
      Encryption : AES-CBC-256
      Integrity  : SHA512 SHA384
      PRF        : SHA512 SHA384
      DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 
DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
router-2#

and

router-2#show crypto ipsec transform-set
Transform set AES_GCM_256: { esp-gcm 256  }
    will negotiate = { Transport,  },

Transform set AES_CBC_256_HMAC_SHA1: { esp-256-aes esp-sha-hmac  }
    will negotiate = { Transport,  },

Transform set AES_CBC_128_HMAC_SHA1: { esp-aes esp-sha-hmac  }
    will negotiate = { Transport,  },

Transform set default: { esp-aes esp-sha-hmac  }
    will negotiate = { Transport,  },

router-2#

How do I represent that in my libreswan config file?  This this correct?

         ike=aes_cbc256-sha2_512;dh19
         phase2alg=aes_gcm256

[The documentation doesn't give any examples of sha2_512 - I'm hoping 
that that is the same as SHA512 in the Cisco default?)

3. Following on from this, if I do not hard set my proposal at all on 
either end, then I would expect some out-of-the-box negotiation of some 
fairly strong ciphers to be negotiated instead.

However in practice this doesn't work for either classic IOS or IOS-XE.

Debugs show:

Aug 14 23:42:30.350605: | remote proposal 1 transform 6 (DH=MODP2048) 
matches local proposal 1 type 4 (DH) transform 0
Aug 14 23:42:30.350612: | remote proposal 1 transform 6 (DH=MODP2048) 
matches local proposal 2 type 4 (DH) transform 0
Aug 14 23:42:30.350618: | remote proposal 1 transform 6 (DH=MODP2048) 
matches local proposal 3 type 4 (DH) transform 0
Aug 14 23:42:30.350625: | remote proposal 1 transform 6 (DH=MODP2048) 
matches local proposal 4 type 4 (DH) transform 0
Aug 14 23:42:30.350631: | *****parse IKEv2 Transform Substructure Payload:
Aug 14 23:42:30.350638: |    last transform: v2_TRANSFORM_NON_LAST (0x3)
Aug 14 23:42:30.350644: |    length: 8 (0x8)
Aug 14 23:42:30.350650: |    IKEv2 transform type: TRANS_TYPE_DH (0x4)
Aug 14 23:42:30.350656: |    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
Aug 14 23:42:30.350662: | *****parse IKEv2 Transform Substructure Payload:
Aug 14 23:42:30.350669: |    last transform: v2_TRANSFORM_LAST (0x0)
Aug 14 23:42:30.350674: |    length: 8 (0x8)
Aug 14 23:42:30.350680: |    IKEv2 transform type: TRANS_TYPE_DH (0x4)
Aug 14 23:42:30.350686: |    IKEv2 transform ID: OAKLEY_GROUP_MODP1536 (0x5)
Aug 14 23:42:30.350694: | remote proposal 1 proposed transforms: 
ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none
Aug 14 23:42:30.350707: | comparing remote proposal 1 containing 
ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+DH; 
optional: INTEG; matched: PRF+DH
Aug 14 23:42:30.350716: | remote proposal 1 does not match local 
proposal 1; unmatched transforms: ENCR+INTEG; missing transforms: ENCR
Aug 14 23:42:30.350723: | comparing remote proposal 1 containing 
ENCR+PRF+INTEG+DH transforms to local proposal 2; required: ENCR+PRF+DH; 
optional: INTEG; matched: PRF+DH
Aug 14 23:42:30.350730: | remote proposal 1 does not match local 
proposal 2; unmatched transforms: ENCR+INTEG; missing transforms: ENCR
Aug 14 23:42:30.350738: | comparing remote proposal 1 containing 
ENCR+PRF+INTEG+DH transforms to local proposal 3; required: 
ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH
Aug 14 23:42:30.350745: | remote proposal 1 matches local proposal 3
Aug 14 23:42:30.350754: packet from 1.129.98.157:585: proposal 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
chosen from remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;DH=ECP_256;DH=MODP2048;DH=ECP_521;DH=MODP1536[first-match]
Aug 14 23:42:30.350763: | accepted IKE proposal ikev2_proposal: 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048
Aug 14 23:42:30.350773: | converting proposal to internal trans attrs
Aug 14 23:42:30.350783: packet from 1.129.98.157:585: initiator guessed 
wrong keying material group (ECP_256); responding with 
INVALID_KE_PAYLOAD requesting MODP2048
Aug 14 23:42:30.350791: | sending INVALID_KE back with MODP2048(14)
Aug 14 23:42:30.350799: packet from 1.129.98.157:585: responding to 
SA_INIT message (ID 0) from 1.129.98.157:585 with unencrypted 
notification INVALID_KE_PAYLOAD
Aug 14 23:42:30.350805: | Opening output PBS unencrypted notification
Aug 14 23:42:30.350816: | **emit ISAKMP Message:
Aug 14 23:42:30.350823: |    initiator cookie:
Aug 14 23:42:30.350828: |   f3 98 56 bb  01 87 9e 48
Aug 14 23:42:30.350834: |    responder cookie:
Aug 14 23:42:30.350839: |   00 00 00 00  00 00 00 00
Aug 14 23:42:30.350845: |    first contained payload type: 
ISAKMP_NEXT_NONE (0x0)
Aug 14 23:42:30.350852: |    ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20)
Aug 14 23:42:30.350857: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
Aug 14 23:42:30.350864: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Aug 14 23:42:30.350873: |    message ID:  00 00 00 00
Aug 14 23:42:30.350892: | next payload type: saving message location 
'ISAKMP Message'.'first contained payload type'
Aug 14 23:42:30.350906: | Adding a v2N Payload

Which of course is all rather broken and leads to IKEv2 not finishing 
negotiation at all.

Is this likely to be a Libreswan problem or an IOS problem?  Looks a 
little like IOS-XE is negotiating one group but trying to use another.

And lastly:

4. In the Linux kernel there are a number of options relating to 
encryption ciphers which I can compile in support for.  Are these used 
by Libreswan or the kernel in this case or does it not matter?
Do I need to match the kernel options with at the very least to include 
the encryption ciphers I am intending to use in my IPSec sessions?

Examples:

CONFIG_CRYPTO_SHA1_MB=y
CONFIG_CRYPTO_SHA256_MB=y
CONFIG_CRYPTO_SHA512_MB=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y

Thanks,
Reuben

More information about the Swan mailing list