[Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group

Dmitry Melekhov dm at belkam.com
Tue Dec 25 04:38:35 UTC 2018


OK, looks like this is an ASA bug, it was not happy with
       keylife=3600s  from libreswan
set it to default, which is the same on the cisco side, and it looks like now 
there is no such problem,
at least while there is no connectivity loss...


24.12.2018 9:56, Dmitry Melekhov wrote:
>
> Hello!
>
> I run cisco ASA 5506-X  asa992-36  and libreswan on the other side - 
> Centos 7.6  ipsec --version
> Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64
>
>
> And sometimes, several times per day, I have a rekeying problem.
>
> From the libreswan side it looks like:
>
>
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: local 
> ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for response
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for response
> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for response
> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for response
> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for response
> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for response
> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 
> retransmits.  No response (or no acceptable response) to our IKEv2 message
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> starting keying attempt 2 of an unlimited number
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: local 
> ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending notification
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: 
> message id deadlock? wait sending, add to send next list using parent 
> #337 unacknowledged 1 next message id=1 ike exchange window 1
>
> дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: 
> deleting state (STATE_V2_CREATE_I0) and NOT sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: 
> deleting state (STATE_V2_IPSEC_R) and sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: ESP 
> traffic information: in=226MB out=117MB
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire unused 
> parent SA #337 "peer"
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> received delete request for PROTO_v2_ESP SA(0xf257a6bd) but 
> corresponding state not found
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> ISAKMP SA expired (LATEST!)
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> deleting state (STATE_PARENT_R2) and sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> 88.80.32.210:500: INFORMATIONAL message request has no corresponding 
> IKE SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> 88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no 
> matching IKE SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: assign_holdpass() 
> no bare shunt to remove? - mismatch?
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on demand 
> from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because: acquire
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
> initiating v2 parent SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> asaip:500: ignoring unknown Vendor ID payload 
> [434953434f28434f505952494748542926436f70797269676874202863292032...]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> asaip:500: proposal 
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
> chosen from remote proposals 
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
> STATE_PARENT_I1: sent v2I1, expected v2R1
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 
> integ=sha1_96 prf=sha group=MODP1024}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: local 
> ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH 
> proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 
> integ=sha1_96 prf=sha group=MODP1024}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: IKEv2 
> mode peer ID is ID_IPV4_ADDR: '88.80.32.210'
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> Authenticated using authby=secret
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: local 
> ESP/AH proposals for peer (IKE SA responder matching remote ESP/AH 
> proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> proposal 
> 1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 
> chosen from remote proposals 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: 
> negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> 
> [192.168.200.34-192.168.200.34:0-65535 0]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: 
> STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf 
> <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: IKEv2 
> mode peer ID is ID_IPV4_ADDR: 'asaip'
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> Authenticated using authby=secret
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> 
> [192.168.200.34-192.168.200.34:0-65535 0]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x3956d69f 
> <0x0b6fe415 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
>
> from the ASA side:
>
> Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted 
> due to ERROR: The peer's KE payload contained the wrong DH group
> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason: 
> peer request
> Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group = libreswanip, 
> Username = libreswanip, IP = libreswanip, Session disconnected. 
> Session Type: LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt: 237319950, 
> Bytes rcv: 122586307, Reason: User Requested
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500 
> Remote:libreswanip:500 Username:Unknown IKEv2 Received request to 
> establish an IPsec tunnel; local traffic selector = Address Range: 
> 192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ; remote 
> traffic selector = Address Range: 192.168.200.33-192.168.200.33 
> Protocol: 0 Port Range: 0-65535
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500 
> Remote:libreswanip:500 Username:Unknown IKEv2 Received a IKE_INIT_SA 
> request
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New 
> Connection Established
> Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved default 
> group policy (DfltGrpPolicy) for user = libreswanip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New 
> Connection Established
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
>
>
> As you can see, connections are created, but the ASA drops ESP packets...
>
>
> Configuration:
>
>
> libreswan:
>
> conn peer
>         left=libreswanip
>         right=asaip
>         leftsubnet=192.168.200.33/32
>         rightsubnet=192.168.200.34/32
>         ike=aes256-sha1;modp1024
>         ikev2=insist
>         pfs=yes
>         ikelifetime=28800s
>         phase2alg=aes256-sha1
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         compress=no
>         authby=secret
>         auto=start
>         keyingtries=%forever
>         dpddelay=10
>         dpdtimeout=2
>         dpdaction=restart
>         #dpdaction=hold
>
>
> asa:
>
> crypto ipsec ikev2 ipsec-proposal zabegalovo
>   protocol esp encryption aes-256
>   protocol esp integrity sha-1
>
> crypto ikev2 policy 1
>   encryption aes-256
>   integrity sha
>   group 2
>   prf sha
>   lifetime seconds 28800
>
> crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
> crypto map russneft-ipsec 50 set peer libreswanip
> crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo
>
> access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33
>
>
>
> Right now I'm solving this with a script, which checks if the other side is available by ping and restarts the connection if not:
> /usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer
>
>
> Could you tell me if something is wrong in my configuration?
> Or is this an asa or libreswan bug?
>
> Thank you!
>
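
The thread above shows the failure pattern on both sides: libreswan's CREATE_CHILD_SA rekey (state #340) carries an ESP proposal with DH=MODP1024, the ASA answers with INVALID_KE_PAYLOAD and logs 750003 "wrong DH group", pluto retransmits until the 60-second timeout, and only a fresh IKE_SA_INIT (whose first child proposal has DH=NONE) brings the tunnel back. The script below is an added example, not code from the thread or from libreswan, that parses pluto and ASA syslog lines of that shape and reports rekeys refused for a DH-group mismatch together with the group the KE payload carried, which is what an operator would want to alert on instead of waiting for the ping-and-restart script. The sample lines are constructed and modelled on the quoted logs; host names such as gw and the addresses asaip/libreswanip/192.0.2.1 are placeholders.

```python
"""Spot IKEv2 CHILD_SA rekeys rejected for a DH-group mismatch in libreswan
pluto logs and in Cisco ASA syslog, and correlate the two sides.
Sample lines are constructed (modelled on a mailing-list thread); hosts and
addresses are placeholders."""
import re
from collections import defaultdict

# libreswan:  ... pluto[5971]: "peer" #340: <message>
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
# proposal strings such as 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
PROPOSAL_RE = re.compile(r'\b\d+:(?P<proto>ESP|AH|IKE):(?P<attrs>[A-Za-z0-9_=;]+)')
# ASA syslog:  %ASA-4-750003: ... IKEv2 Negotiation aborted due to ERROR: <reason>
ASA_RE = re.compile(r'%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)')


def parse_proposal(text):
    """Return the first proposal in `text` as a dict of its attributes, or None."""
    m = PROPOSAL_RE.search(text)
    if not m:
        return None
    attrs = dict(kv.split('=', 1) for kv in m.group('attrs').split(';') if '=' in kv)
    attrs['proto'] = m.group('proto')
    return attrs


def analyze_pluto(lines):
    """Per pluto state number: the proposal it emitted, how many INVALID_KE_PAYLOAD
    notifications were dropped, retransmissions, timeout, and whether it was a rekey."""
    states = defaultdict(lambda: {'proposal': None, 'invalid_ke': 0, 'retransmits': 0,
                                  'timed_out': False, 'rekey': False})
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue                      # packet-level lines carry no state number
        st, msg = states[int(m.group('state'))], m.group('msg')
        if 'STATE_V2_REKEY_CHILD_I' in msg:
            st['rekey'] = True
        if msg.startswith('local ESP/AH proposals'):
            st['proposal'] = parse_proposal(msg)
        if 'INVALID_KE_PAYLOAD' in msg:
            st['invalid_ke'] += 1
        if 'retransmission' in msg:
            st['retransmits'] += 1
        if 'timeout exceeded' in msg:
            st['timed_out'] = True
    return dict(states)


def failed_rekeys(states):
    """States where a CHILD_SA rekey drew INVALID_KE_PAYLOAD from the peer."""
    return {n: s for n, s in states.items() if s['rekey'] and s['invalid_ke'] > 0}


def analyze_asa(lines):
    """Count ASA IKEv2 negotiation aborts (message id 750003) by stated reason."""
    reasons = defaultdict(int)
    for line in lines:
        m = ASA_RE.search(line)
        if m and m.group('msgid') == '750003':
            reasons[m.group('msg').split('ERROR: ', 1)[-1].strip()] += 1
    return dict(reasons)


def correlate(pluto_lines, asa_lines):
    """One record per refused rekey: the DH group libreswan put in the KE payload
    and the matching DH-group reason the ASA logged. Suitable as an alert payload."""
    bad = failed_rekeys(analyze_pluto(pluto_lines))
    aborts = analyze_asa(asa_lines)
    return [{'state': n, 'dh_group': (s['proposal'] or {}).get('DH'),
             'invalid_ke': s['invalid_ke'], 'retransmits': s['retransmits'],
             'timed_out': s['timed_out'],
             'asa_reason': [r for r in aborts if 'DH group' in r]}
            for n, s in sorted(bad.items())]


# Constructed sample input, unwrapped and shortened from the thread's log excerpts.
P = 'Dec 24 08:55:36 gw pluto[5971]: "peer" '
SAMPLE_PLUTO = [
    P + '#340: local ESP/AH proposals for peer (ESP/AH initiator emitting proposals): '
        '1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED',
    P + '#340: STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I',
    P + '#340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD '
        'notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr',
    P + '#340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response',
    P + '#340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD '
        'notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr',
    P + '#340: STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 retransmits.  '
        'No response (or no acceptable response) to our IKEv2 message',
    P + '#342: local ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH proposals): '
        '1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED',
    P + '#345: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf <0xd5eba6e1}',
]
SAMPLE_ASA = [
    'Dec 24 08:55:36 192.0.2.1 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500',
    'Dec 24 08:55:36 192.0.2.1 %ASA-4-750003: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip '
    "IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group",
    'Dec 24 09:00:06 192.0.2.1 %ASA-5-750006: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip '
    'IKEv2 SA UP. Reason: New Connection Established',
]

if __name__ == '__main__':
    for rec in correlate(SAMPLE_PLUTO, SAMPLE_ASA):
        print(rec)
```

Run against real files by replacing the two sample lists with the output of `journalctl -u ipsec` and the ASA syslog export; a refused rekey shows up as a record whose dh_group differs from the DH=NONE of the initial child proposal, which is the condition worth alerting on before the tunnel silently stops passing ESP.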
