[Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
Dmitry Melekhov
dm at belkam.com
Mon May 13 16:16:24 UTC 2019
13.05.2019 20:10, Paul Wouters пишет:
> On Mon, 13 May 2019, Dmitry Melekhov wrote:
>
>>
>> Subject: Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR:
>> The
>> peer's KE payload contained the wrong DH group
>>
>> Well, hit the same problem on EdgeOS which runs strongswan.
>>
>> Looks like this problem is caused by mobike in all cases.
>> Disabled.
>
> Odd?
>
> Note that strongswan does not implement the RFC processing of DH group
> and KE payload to the letter, unless you set
> charon.prefer_configured_proposals
> to "no". Meaning if the initiator and strongswan responder share some DH
> groups including the initiator's prefered pick for which it build the KE
> payload, strongswan still rejects the valid proposal and insists the
> initiator uses the single prefered responder proposal and its matching
> KE payload.
>
> Paul
>
Well, I mean connecting edgeos strongswan to cisco asa.
Looks like it works good, with mobike=no, set this on centos 7 libreswan
too, need to wait more .
It is not possible to disable mobike support on Cisco ASA.
btw, I have no problems on centos 7 libreswan and edgeos strongswan
connections.
Thank you!
>> We'll see...
>>
>>
>> 24.12.2018 9:56, Dmitry Melekhov пишет:
>>
>> Hello!
>>
>> I run cisco ASA 5506-X asa992-36 and libreswan on another
>> side - Centos 7.6 ipsec --version
>> Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64
>>
>>
>> And sometimes , several times per day, I have rekeying problem.
>>
>> From libreswan side is looks like:
>>
>>
>> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: local ESP/AH proposals for peer (ESP/AH initiator emitting
>> proposals):
>> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
>> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
>> дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds
>> for response
>> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for
>> response
>> дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for
>> response
>> дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for
>> response
>> дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for
>> response
>> дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds
>> for response
>> дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds
>> for response
>> дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: dropping unexpected CREATE_CHILD_SA message containing
>> INVALID_KE_PAYLOAD
>> notification; message payloads: SK; encrypted payloads: N;
>> missing payloads: SA,Ni,TSi,TSr
>> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7
>> retransmits. No
>> response (or no acceptable response) to our IKEv2 message
>> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: starting keying attempt 2 of an unlimited number
>> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #341: local ESP/AH proposals for peer (ESP/AH initiator emitting
>> proposals):
>> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
>> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #340: deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending
>> notification
>> дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #341: message id deadlock? wait sending, add to send next list using
>> parent #337
>> unacknowledged 1 next message id=1 ike exchange window 1
>>
>> дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #341: deleting state (STATE_V2_CREATE_I0) and NOT sending notification
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #339: deleting state (STATE_V2_IPSEC_R) and sending notification
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #339: ESP traffic information: in=226MB out=117MB
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire
>> unused parent SA #337 "peer"
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #337: received delete request for PROTO_v2_ESP SA(0xf257a6bd) but
>> corresponding state
>> not found
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #337: ISAKMP SA expired (LATEST!)
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #337: deleting state (STATE_PARENT_R2) and sending notification
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
>> 88.80.32.210:500: INFORMATIONAL message request has no corresponding
>> IKE SA
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
>> 88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no
>> matching IKE SA
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]:
>> assign_holdpass() no bare shunt to remove? - mismatch?
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on
>> demand from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because:
>> acquire
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #342: initiating v2 parent SA
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
>> asaip:500: ignoring unknown Vendor ID payload
>> [434953434f28434f505952494748542926436f70797269676874202863292032...]
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
>> asaip:500: proposal
>> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
>> chosen from remote proposals
>> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #342: STATE_PARENT_I1: sent v2I1, expected v2R1
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
>> cipher=aes_256
>> integ=sha1_96 prf=sha group=MODP1024}
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #342: local ESP/AH proposals for peer (IKE SA initiator emitting
>> ESP/AH proposals):
>> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #344: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
>> cipher=aes_256
>> integ=sha1_96 prf=sha group=MODP1024}
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: IKEv2 mode peer ID is ID_IPV4_ADDR: '88.80.32.210'
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: Authenticated using authby=secret
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: local ESP/AH proposals for peer (IKE SA responder matching
>> remote ESP/AH
>> proposals):
>> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: proposal
>> 1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
>> chosen from remote proposals
>> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #343: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #345: negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] ->
>> [192.168.200.34-192.168.200.34:0-65535 0]
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #345: STATE_V2_IPSEC_R: IPsec SA established tunnel mode
>> {ESP=>0xd98dfdbf <0xd5eba6e1
>> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #344: IKEv2 mode peer ID is ID_IPV4_ADDR: 'asaip'
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #344: Authenticated using authby=secret
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #344: negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] ->
>> [192.168.200.34-192.168.200.34:0-65535 0]
>> дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer"
>> #344: STATE_V2_IPSEC_I: IPsec SA established tunnel mode
>> {ESP=>0x3956d69f <0x0b6fe415
>> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
>>
>> from ASA side :
>>
>> Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500
>> Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted
>> due to ERROR:
>> The peer's KE payload contained the wrong DH group
>> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An
>> outbound LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and
>> libreswanip (user= libreswanip)
>> has been deleted.
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
>> LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip (user=
>> libreswanip)
>> has been deleted.
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated
>> 2 times: [ ESP request discarded from libreswanip to outside:asaip]
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500
>> Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason:
>> peer request
>> Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group =
>> libreswanip, Username = libreswanip, IP = libreswanip, Session
>> disconnected. Session Type:
>> LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt: 237319950, Bytes
>> rcv: 122586307, Reason: User Requested
>> Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500
>> Remote:libreswanip:500 Username:Unknown IKEv2 Received request to
>> establish an IPsec
>> tunnel; local traffic selector = Address Range:
>> 192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ;
>> remote traffic selector = Address
>> Range: 192.168.200.33-192.168.200.33 Protocol: 0 Port Range:
>> 0-65535
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500
>> Remote:libreswanip:500 Username:Unknown IKEv2 Received a IKE_INIT_SA
>> request
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
>> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New
>> Connection
>> Established
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved
>> default group policy (DfltGrpPolicy) for user = libreswanip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An
>> outbound LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and
>> libreswanip (user= libreswanip)
>> has been created.
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
>> LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip (user=
>> libreswanip)
>> has been created.
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
>> Packet received on asaip:500 from libreswanip:500
>> Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
>> Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New
>> Connection
>> Established
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An
>> outbound LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and
>> libreswanip (user= libreswanip)
>> has been deleted.
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
>> LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip (user=
>> libreswanip)
>> has been deleted.
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An
>> outbound LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and
>> libreswanip (user= libreswanip)
>> has been created.
>> Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
>> LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip (user=
>> libreswanip)
>> has been created.
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated
>> 2 times: [ ESP request discarded from libreswanip to outside:asaip]
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated
>> 3 times: [ ESP request discarded from libreswanip to outside:asaip]
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>> Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
>> discarded from libreswanip to outside:asaip
>>
>>
>> As you can see , connections are created, but ASA drops ESP
>> packets...
>>
>>
>> Configuration:
>>
>>
>> libreswan:
>>
>> conn peer
>> left=libreswanip
>> right=asaip
>> leftsubnet=192.168.200.33/32
>> rightsubnet=192.168.200.34/32
>> ike=aes256-sha1;modp1024
>> ikev2=insist
>> pfs=yes
>> ikelifetime=28800s
>> phase2alg=aes256-sha1
>> keylife=3600s
>> rekeymargin=540s
>> type=tunnel
>> compress=no
>> authby=secret
>> auto=start
>> keyingtries=%forever
>> dpddelay=10
>> dpdtimeout=2
>> dpdaction=restart
>> #dpdaction=hold
>>
>>
>> asa:
>>
>> crypto ipsec ikev2 ipsec-proposal zabegalovo
>> protocol esp encryption aes-256
>> protocol esp integrity sha-1
>>
>> crypto ikev2 policy 1
>> encryption aes-256
>> integrity sha
>> group 2
>> prf sha
>> lifetime seconds 28800
>>
>> crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
>> crypto map russneft-ipsec 50 set peer libreswanip crypto map
>> russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo
>>
>> access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34
>> host 192.168.200.33
>>
>>
>> right now I'm solving this by script , which checks if another side
>> is available by ping and do connection restart if not:
>> /usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer
>>
>>
>> Could you tell me is something wrong in my configuration?
>> Or is this asa or libreswan bug?
>>
>> Thank you!
>>
>>
>>
>>
More information about the Swan
mailing list