[Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group

Dmitry Melekhov dm at belkam.com
Mon May 13 04:28:41 UTC 2019


Well, I hit the same problem on EdgeOS, which runs strongSwan.

Looks like this problem is caused by mobike in all cases.
Disabled.

We'll see...


On 24.12.2018 9:56, Dmitry Melekhov wrote:
>
> Hello!
>
> I run cisco ASA 5506-X asa992-36 and libreswan on the other side:
> Centos 7.6, ipsec --version
> Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64
>
>
> And sometimes, several times per day, I have a rekeying problem.
>
> From the libreswan side it looks like:
>
>
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: local 
> ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for response
> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for response
> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for response
> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for response
> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for response
> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for response
> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> dropping unexpected CREATE_CHILD_SA message containing 
> INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted 
> payloads: N; missing payloads: SA,Ni,TSi,TSr
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 
> retransmits.  No response (or no acceptable response) to our IKEv2 message
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> starting keying attempt 2 of an unlimited number
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: local 
> ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
> deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending notification
> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: 
> message id deadlock? wait sending, add to send next list using parent 
> #337 unacknowledged 1 next message id=1 ike exchange window 1
>
> дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: 
> deleting state (STATE_V2_CREATE_I0) and NOT sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: 
> deleting state (STATE_V2_IPSEC_R) and sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: ESP 
> traffic information: in=226MB out=117MB
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire unused 
> parent SA #337 "peer"
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> received delete request for PROTO_v2_ESP SA(0xf257a6bd) but 
> corresponding state not found
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> ISAKMP SA expired (LATEST!)
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: 
> deleting state (STATE_PARENT_R2) and sending notification
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> 88.80.32.210:500: INFORMATIONAL message request has no corresponding 
> IKE SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> 88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no 
> matching IKE SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: assign_holdpass() 
> no bare shunt to remove? - mismatch?
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on demand 
> from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because: acquire
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
> initiating v2 parent SA
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> asaip:500: ignoring unknown Vendor ID payload 
> [434953434f28434f505952494748542926436f70797269676874202863292032...]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
> asaip:500: proposal 
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
> chosen from remote proposals 
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
> STATE_PARENT_I1: sent v2I1, expected v2R1
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 
> integ=sha1_96 prf=sha group=MODP1024}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: local 
> ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH 
> proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 
> integ=sha1_96 prf=sha group=MODP1024}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: IKEv2 
> mode peer ID is ID_IPV4_ADDR: '88.80.32.210'
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> Authenticated using authby=secret
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: local 
> ESP/AH proposals for peer (IKE SA responder matching remote ESP/AH 
> proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> proposal 
> 1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 
> chosen from remote proposals 
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
> received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: 
> negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> 
> [192.168.200.34-192.168.200.34:0-65535 0]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: 
> STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf 
> <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: IKEv2 
> mode peer ID is ID_IPV4_ADDR: 'asaip'
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> Authenticated using authby=secret
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> 
> [192.168.200.34-192.168.200.34:0-65535 0]
> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
> STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x3956d69f 
> <0x0b6fe415 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
>
> From the ASA side:
>
> Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted 
> due to ERROR: The peer's KE payload contained the wrong DH group
> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason: 
> peer request
> Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group = libreswanip, 
> Username = libreswanip, IP = libreswanip, Session disconnected. 
> Session Type: LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt: 237319950, 
> Bytes rcv: 122586307, Reason: User Requested
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500 
> Remote:libreswanip:500 Username:Unknown IKEv2 Received request to 
> establish an IPsec tunnel; local traffic selector = Address Range: 
> 192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ; remote 
> traffic selector = Address Range: 192.168.200.33-192.168.200.33 
> Protocol: 0 Port Range: 0-65535
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500 
> Remote:libreswanip:500 Username:Unknown IKEv2 Received a IKE_INIT_SA 
> request
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New 
> Connection Established
> Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved default 
> group policy (DfltGrpPolicy) for user = libreswanip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
> received on asaip:500 from libreswanip:500
> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New 
> Connection Established
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip (user= 
> libreswanip) has been deleted.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
> LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
> LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip (user= 
> libreswanip) has been created.
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3 
> times: [ ESP request discarded from libreswanip to outside:asaip]
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded 
> from libreswanip to outside:asaip
>
>
> As you can see, connections are created, but the ASA drops ESP packets...
>
>
> Configuration:
>
>
> libreswan:
>
> conn peer
>         left=libreswanip
>         right=asaip
>         leftsubnet=192.168.200.33/32
>         rightsubnet=192.168.200.34/32
>         ike=aes256-sha1;modp1024
>         ikev2=insist
>         pfs=yes
>         ikelifetime=28800s
>         phase2alg=aes256-sha1
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         compress=no
>         authby=secret
>         auto=start
>         keyingtries=%forever
>         dpddelay=10
>         dpdtimeout=2
>         dpdaction=restart
>         #dpdaction=hold
>
>
> asa:
>
> crypto ipsec ikev2 ipsec-proposal zabegalovo
>   protocol esp encryption aes-256
>   protocol esp integrity sha-1
>
> crypto ikev2 policy 1
>   encryption aes-256
>   integrity sha
>   group 2
>   prf sha
>   lifetime seconds 28800
>
> crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
> crypto map russneft-ipsec 50 set peer libreswanip
> crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo
>
> access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33
>
>
>
> Right now I'm solving this with a script, which checks by ping whether the other side is available and restarts the connection if not:
> /usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer
>
>
> Could you tell me if something is wrong in my configuration?
> Or is this an ASA or libreswan bug?
>
> Thank you!
>

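An added detection example, not code from the thread or from either vendor, written in Python over constructed log lines modelled on the two captures quoted above: it groups libreswan's pluto messages by state number, records the DH group each CHILD_SA proposal offered, counts the INVALID_KE_PAYLOAD drops for that state, and cross-checks the ASA's 750003 "wrong DH group" message, so the failed rekey is flagged before the 60-second timeout tears the tunnel down. The hostnames, sample lines and drop threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (unwrapped) modelled on the pluto and ASA output in the thread.
PLUTO_LOG = """\
дек 24 08:55:36 host pluto[5971]: "peer" #340: local ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
дек 24 08:55:36 host pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
дек 24 08:55:36 host pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
дек 24 08:55:37 host pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
дек 24 09:00:06 host pluto[5971]: "peer" #342: local ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
"""
ASA_LOG = """\
Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
"""

STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r'local ESP/AH proposals for peer \((?P<role>[^)]+)\): \d+:ESP:[^ ]*?DH=(?P<dh>[A-Z0-9_]+)')
INVALID_KE_RE = re.compile(r'dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD')
ASA_KE_RE = re.compile(r'%ASA-4-750003: .*wrong DH group')

def analyse_pluto(text):
    """Per pluto state number: connection name, proposal role, DH group offered, INVALID_KE_PAYLOAD drops."""
    states = defaultdict(lambda: {"conn": None, "role": None, "dh": None, "invalid_ke": 0})
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # packet-level lines without a state number are not needed here
        st = states[int(m.group("state"))]
        st["conn"] = m.group("conn")
        p = PROPOSAL_RE.search(m.group("msg"))
        if p:
            st["role"], st["dh"] = p.group("role"), p.group("dh")
        elif INVALID_KE_RE.search(m.group("msg")):
            st["invalid_ke"] += 1
    return dict(states)

def rekey_failures(states, threshold=2):
    """States that offered a real DH group and had the peer answer INVALID_KE_PAYLOAD at least `threshold` times."""
    return [n for n, s in sorted(states.items())
            if s["invalid_ke"] >= threshold and s["dh"] not in (None, "NONE")]

def report(pluto_text, asa_text):
    """Correlate both sides: one finding per failed rekey, naming the offered vs. the initially negotiated DH group."""
    states = analyse_pluto(pluto_text)
    asa_confirms = any(ASA_KE_RE.search(l) for l in asa_text.splitlines())
    initial = {s["dh"] for s in states.values() if s["dh"] and (s["role"] or "").startswith("IKE SA")}
    return [f'{states[n]["conn"]} #{n}: CHILD_SA rekey offered DH={states[n]["dh"]}, rejected '
            f'{states[n]["invalid_ke"]}x with INVALID_KE_PAYLOAD (initial child SA DH={",".join(sorted(initial)) or "?"}; '
            f'ASA 750003 seen: {asa_confirms}) -> compare the PFS group on both peers'
            for n in rekey_failures(states)]
```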