[Swan] Fw: Libreswan to Cisco IOS

Paul Wouters paul at nohats.ca
Thu Dec 10 17:55:38 UTC 2020


On Thu, 10 Dec 2020, John Serink wrote:

> I am trying to get a session working from my laptop to my IOS router using ikev2. I have it working using ikev1 fine but want
> to get it up using asymmetric keys to the Cisco.
> 
> Here is the my laptop end:
> jserinki7 /home/jserink # ipsec auto --up SOIUKUP2

> 002 "SOIUKUP2" #2: IKEv2 mode peer ID is ID_KEY_ID: '@#0x4343726f75746572'
> 003 "SOIUKUP2" #2: AUTH mismatch: Received AUTH != computed AUTH
> 002 "SOIUKUP2" #2: PSK Authentication failed: AUTH mismatch in R2 Auth Payload!
> 036 "SOIUKUP2" #2: encountered fatal error in state STATE_PARENT_I2

It looks like you are using a hex encoding for the ID and not ASCII?

Try using @CCrouter as the ID in the ipsec.secrets file ?

> The Cisco is happy, it thinks the session is up and shows my laptop in the "sh crypto session br" listing.

That is normal for IKEv2. Since IKE and IPsec SA establish at the same
time (2nd message roundtrip), the problem is that if the Cisco
authenticates and is happy, it will install the IPsec SA, and then
send the IKE_AUTH reply. If libreswan then rejects the authentication,
then it will not have a tunnel while the cisco does have a tunnel. Newer
versions of libreswan _should_ send a delete (as per RFC 7296) if it
reached authentication failed as initiator.


> Here is my "redacted" ipsec.conf:
> conn SOIUKUP2
>      keyingtries=0
>      left=%defaultroute
>      leftsourceip=2.2.22.22
>      leftsubnet=2.2.22.22/32
>      leftid=@[jserink]
>      leftauth=secret
>      rightauth=secret
>      ike=aes256-sha2;modp2048
>      phase2alg=aes256-sha2;modp2048
>      auto=add
>      type=tunnel
>      right=A.B.C.D
>      rightsubnet=1.1.1.10/32
>      rightsourceip=1.1.1.10
>      rightid=@[CCrouter]
>      fragmentation=yes
>      dpdtimeout=30
>      dpdaction=restart
>      ikev2=yes
>      pfs=yes

Remove leftauth/rightauth and just use authby=secret
I think you want leftid=@jserink and rightid=@CCrouter ?

but if the Cisco insists on the hex format, then be sure to try the hex
format in the secrets, so @#0x4343726f75746572 instead of @[CCrouter] ?

> And the ipsec.secrets:
> @[jserink] : PSK "Here is my psk for jserink"
> @[CCrouter] : PSK "Here is my psk for CCrouter"

Those should be on one line, and the secret should be the same. A PSK
identifies a "host pair" and not a host or host group. See the previous
email to the list I sent you.

Paul
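The "Received AUTH != computed AUTH" failure above is the initiator recomputing the responder's AUTH payload as RFC 7296 section 2.15 defines it for shared-key authentication. The following is an added example, not libreswan or Cisco IOS code, that recomputes that value with PRF_HMAC_SHA2_256 to show which inputs break the comparison: a different PSK on each side (the two per-host secrets in the ipsec.secrets posted above), and the ID type byte (libreswan's '@name' is ID_FQDN, '@#0x...' is ID_KEY_ID), which is MACed into the signed octets even when the ID bytes are the same ASCII string. The IKE_SA_INIT message, nonce and SK_pr values are constructed stand-ins; the ID strings and secrets are the ones from the thread.

```python
"""
Constructed example: recompute the IKEv2 PSK AUTH payload (RFC 7296 section 2.15)
to see which inputs make the initiator's AUTH check fail.
"""
import hashlib
import hmac

# IANA "IKEv2 Identification Payload ID Types"
ID_FQDN = 2      # libreswan '@name'
ID_KEY_ID = 11   # libreswan '@#0x...' (the form the Cisco sent, per the log above)

KEY_PAD = b"Key Pad for IKEv2"   # RFC 7296 section 2.15 literal, no trailing NUL


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256: the PRF that the 'sha2' IKE proposal above negotiates."""
    return hmac.new(key, data, hashlib.sha256).digest()


def libreswan_id(text: str) -> tuple[int, bytes]:
    """Translate libreswan's textual ID forms into (ID type, ID data)."""
    if text.startswith("@#0x"):
        return ID_KEY_ID, bytes.fromhex(text[4:])
    if text.startswith("@"):
        return ID_FQDN, text[1:].encode("ascii")
    raise ValueError(f"unsupported ID form: {text!r}")


def id_payload_rest(id_type: int, id_data: bytes) -> bytes:
    """RestOfRespIDPayload: ID Type, three reserved bytes, then the ID data.
    The generic payload header is not covered (RFC 7296 section 2.15)."""
    return bytes([id_type, 0, 0, 0]) + id_data


def responder_auth(psk: bytes, message2: bytes, nonce_i: bytes,
                   sk_pr: bytes, id_text: str) -> bytes:
    """AUTH = prf(prf(psk, "Key Pad for IKEv2"), RealMessage2 | NonceIData | MACedIDForR)
    with MACedIDForR = prf(SK_pr, RestOfRespIDPayload)."""
    id_type, id_data = libreswan_id(id_text)
    maced_id = prf(sk_pr, id_payload_rest(id_type, id_data))
    signed_octets = message2 + nonce_i + maced_id
    return prf(prf(psk, KEY_PAD), signed_octets)


# Constructed stand-ins for values both peers hold after IKE_SA_INIT
# (a real RealMessage2 is the full IKE_SA_INIT response, SK_pr comes from SKEYSEED).
MESSAGE2 = b"\x00" * 28 + b"IKE_SA_INIT response (constructed)"
NONCE_I = bytes(range(32))
SK_PR = hashlib.sha256(b"SK_pr derived from SKEYSEED (constructed)").digest()


def auth_matches(psk_cisco: bytes, psk_libreswan: bytes, wire_id: str) -> bool:
    """True iff the AUTH the Cisco sends equals what libreswan recomputes.
    Both sides MAC the IDr as it appeared on the wire; only the PSK each side
    selected from its secrets can differ."""
    received = responder_auth(psk_cisco, MESSAGE2, NONCE_I, SK_PR, wire_id)
    computed = responder_auth(psk_libreswan, MESSAGE2, NONCE_I, SK_PR, wire_id)
    return hmac.compare_digest(received, computed)


def scenarios() -> dict:
    """Outcomes for the situations discussed in the thread."""
    wire_id = "@#0x4343726f75746572"        # IDr as logged by libreswan
    shared = b"one secret for the host pair"
    return {
        # the hex ID is just ASCII 'CCrouter' under a different ID type
        "hex id decodes to ascii": libreswan_id(wire_id)[1] == b"CCrouter",
        # one PSK for the host pair: AUTH verifies
        "same psk both sides": auth_matches(shared, shared, wire_id),
        # two per-host PSKs as in the posted ipsec.secrets: AUTH mismatch
        "per-host psks differ": auth_matches(b"Here is my psk for CCrouter",
                                             b"Here is my psk for jserink", wire_id),
        # same bytes 'CCrouter' but ID_FQDN vs ID_KEY_ID: different MACedIDForR
        "id type irrelevant": responder_auth(shared, MESSAGE2, NONCE_I, SK_PR, "@CCrouter")
                              == responder_auth(shared, MESSAGE2, NONCE_I, SK_PR, wire_id),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The ID type is part of what gets MACed, so an ID_KEY_ID '@#0x4343726f75746572' and an ID_FQDN '@CCrouter' are different identities to IKEv2 even though the data bytes are identical; that is why the secrets lookup has to match the form the peer actually sends. The PSK itself must be the one shared by the pair, which is the reason for a single `@jserink @#0x4343726f75746572 : PSK "..."` style line rather than one secret per host.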

