[Swan] Problem connecting to a Cisco ASA

Miguel Ponce Antolin mponce at paradigmadigital.com
Mon Mar 8 15:17:58 UTC 2021


Hi everyone,

I hope this is the right place to ask about a phase 1 connection problem,
and that there is enough information here to describe the problem.

I am working on a VPN connection between two peers, a Cisco ASA and
Libreswan on Amazon Linux 2 (RHEL based).

The peer I am configuring is the Libreswan one, because the Cisco peer has a
defined configuration shared with other connections.

I think we are facing issues with the IKE algorithms.

The Cisco peer has the following configuration:
- pfs group14
- ikev2 ipsec-proposal AES256-SHA256
- security-association lifetime seconds 28800

So the Libreswan side is configured in ipsec.d/vpn.conf with similar
parameters, using the latest version from the yum repository, 3.25:

conn vpn
    type=tunnel
    authby=secret
    auto=start
    left=%defaultroute
    leftid=xxx.xxx.xxx.120
    leftsubnets=10.xxx.xxx.xxx/28
    right=xxx.xxx.xxx.45
    rightsubnets=xxx.xxx.xxx.17/32
    leftsourceip=xxx.xxx.xxx.92
    leftnexthop=%defaultroute
    ikev2=insist
    ike=aes256-sha2;dh14
    keyexchange=ike
    ikelifetime=28800s
    salifetime=28800s
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    remote_peer_type=cisco
    aggrmode=yes
    initial-contact=yes
    encapsulation=no

You can find attached the log file, where the following failure message is shown:

Mar  8 12:33:25.539914: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Mar  8 12:33:25.539968: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Mar  8 12:33:25.540003: | **parse IKEv2 Notify Payload:
Mar  8 12:33:25.540034: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Mar  8 12:33:25.540105: |    flags: none (0x0)
Mar  8 12:33:25.540140: |    length: 8 (0x8)
Mar  8 12:33:25.540170: |    Protocol ID: PROTO_v2_IKE (0x1)
Mar  8 12:33:25.540238: |    SPI size: 0 (0x0)
Mar  8 12:33:25.540275: |    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
Mar  8 12:33:25.540301: | processing payload: ISAKMP_NEXT_v2N (len=8)
Mar  8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
Mar  8 12:33:25.540349: | Now lets proceed with state specific processing
Mar  8 12:33:25.540407: | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
Mar  8 12:33:25.540444: "vpn/1x1" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED

On the other side, the Cisco peer shows a problem in IKE negotiation
step 4; it continues negotiating until step 7, where there is a message
referring to the failure in step 4.

I would appreciate any help you could provide with this issue.

Thanks in advance,

Best regards


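An added triage script, not part of the original post or of the Libreswan project, that parses the conn block and the debug log lines shown above: it extracts the IKEv2 Notify type and the rejected SA, pairs the "vpn/1x1" instance with its parent conn, and flags options that ipsec.conf(5) documents as IKEv1-only while ikev2=insist is set (the IKEV1_ONLY list is a hand-maintained assumption; sample input is constructed from the post).

```python
import re

# Constructed sample: a reduced copy of the conn block and log excerpt from the post.
CONN_TEXT = """conn vpn
    type=tunnel
    authby=secret
    auto=start
    ikev2=insist
    ike=aes256-sha2;dh14
    keyexchange=ike
    remote_peer_type=cisco
    aggrmode=yes
"""
LOG_TEXT = """Mar  8 12:33:25.540275: |    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
Mar  8 12:33:25.540301: | processing payload: ISAKMP_NEXT_v2N (len=8)
Mar  8 12:33:25.540444: "vpn/1x1" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
"""
# Assumption: options ipsec.conf(5) marks as IKEv1-only, so they have no effect under ikev2=insist.
IKEV1_ONLY = {"aggrmode"}

NOTIFY_RE = re.compile(r"Notify Message Type: (v2N_\w+) \((0x[0-9a-fA-F]+)\)")
REJECT_RE = re.compile(r'"([^"]+)" #(\d+): IKE SA authentication request rejected: (\w+)')

def parse_conn(text):
    """Return {conn_name: {option: value}} for every 'conn' block in ipsec.conf text."""
    conns, name = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            conns[name] = {}
            continue
        m = re.match(r"^\s+([\w-]+)=(.*)$", line)
        if m and name:
            conns[name][m.group(1)] = m.group(2).strip()
    return conns

def parse_log(text):
    """Collect (notify_name, code) and (conn_ref, sa_number, reason) from libreswan debug output."""
    notifies, rejects = [], []
    for line in text.splitlines():
        if (m := NOTIFY_RE.search(line)):
            notifies.append((m.group(1), int(m.group(2), 16)))
        if (m := REJECT_RE.search(line)):
            rejects.append((m.group(1), int(m.group(2)), m.group(3)))
    return {"notifies": notifies, "rejects": rejects}

def triage(conns, log):
    """Pair each rejected IKE SA with its conn ("vpn/1x1" is an instance of conn "vpn")."""
    out = []
    for conn_ref, sa, reason in log["rejects"]:
        opts = conns.get(conn_ref.split("/")[0], {})
        ignored = sorted(IKEV1_ONLY.intersection(opts)) if opts.get("ikev2") == "insist" else []
        out.append({"conn": conn_ref.split("/")[0], "sa": sa, "reason": reason,
                    "authby": opts.get("authby"), "ikev1_only_set": ignored})
    return out
```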
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn_log_20210308_1233
Type: application/octet-stream
Size: 251032 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210308/ebe872a8/attachment-0001.obj>