[Swan] Problem connecting to a Cisco ASA
Miguel Ponce Antolin
mponce at paradigmadigital.com
Mon Mar 8 15:17:58 UTC 2021
Hi everyone,
I hope this is the right place to ask about a connection problem in phase
1, and that there is enough information here to describe the problem.
I am working on a VPN connection between two peers, a Cisco ASA and
Libreswan on Amazon Linux 2 (RHEL-based).
The peer I am configuring is the Libreswan one, because the Cisco peer has a
fixed configuration that is shared with other connections.
I think we are facing issues with the IKE algorithms.
The Cisco peer has the following configuration:
- pfs group14
- ikev2 ipsec-proposal AES256-SHA256
- security-association lifetime seconds 28800
So the Libreswan side is configured in ipsec.d/vpn.conf with similar
parameters, using the latest version from the yum repository, 3.25:
conn vpn
    type=tunnel
    authby=secret
    auto=start
    left=%defaultroute
    leftid=xxx.xxx.xxx.120
    leftsubnets=10.xxx.xxx.xxx/28
    right=xxx.xxx.xxx.45
    rightsubnets=xxx.xxx.xxx.17/32
    leftsourceip=xxx.xxx.xxx.92
    leftnexthop=%defaultroute
    ikev2=insist
    ike=aes256-sha2;dh14
    keyexchange=ike
    ikelifetime=28800s
    salifetime=28800s
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    remote_peer_type=cisco
    aggrmode=yes
    initial-contact=yes
    encapsulation=no
Attached you can find the log file, where the following failure message is shown:
Mar 8 12:33:25.539914: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Mar 8 12:33:25.539968: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Mar 8 12:33:25.540003: | **parse IKEv2 Notify Payload:
Mar 8 12:33:25.540034: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Mar 8 12:33:25.540105: | flags: none (0x0)
Mar 8 12:33:25.540140: | length: 8 (0x8)
Mar 8 12:33:25.540170: | Protocol ID: PROTO_v2_IKE (0x1)
Mar 8 12:33:25.540238: | SPI size: 0 (0x0)
Mar 8 12:33:25.540275: | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
Mar 8 12:33:25.540301: | processing payload: ISAKMP_NEXT_v2N (len=8)
Mar 8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
Mar 8 12:33:25.540349: | Now lets proceed with state specific processing
Mar 8 12:33:25.540407: | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
Mar 8 12:33:25.540444: "vpn/1x1" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
On the other side, the Cisco peer shows a problem in IKE negotiation step 4;
it continues negotiating until step 7, when there is a message referring to
the failure in step 4.
I would appreciate any help with this issue.
Thanks in advance,
Best regards
--
Miguel Ponce Antolín
Systems · +34 670 360 655
Paradigma · paradig.ma <https://www.paradigmadigital.com/> · contact us <https://www.paradigmadigital.com/contacto>
Twitter <https://twitter.com/paradigmate> · YouTube <https://www.youtube.com/user/ParadigmaTe?feature=watch> · LinkedIn <https://www.linkedin.com/company/paradigma-digital/> · Instagram <https://www.instagram.com/paradigma_digital/?hl=es>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn_log_20210308_1233
Type: application/octet-stream
Size: 251032 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210308/ebe872a8/attachment-0001.obj>
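As an added example, not part of the original post and not libreswan code: a small Python decoder for the IKEv2 Notify payload whose fields the debug log above prints (RFC 7296, section 3.10), plus a scanner that pulls the Notify Message Type out of libreswan debug lines. The 8-byte payload and the log lines in the block are constructed to match the values in the post (length 8, Protocol ID 1, SPI size 0, type 0x18); the notify-type table is the RFC's, abbreviated. Type 0x18 is 24, AUTHENTICATION_FAILED, which falls in the error range (below 16384), so the responder is rejecting the IKE_AUTH exchange rather than reporting status.

```python
"""Decode an IKEv2 Notify payload (RFC 7296, section 3.10) and pull the
Notify Message Type out of libreswan debug log lines.

Added example; not code from the original post or from libreswan.  The
payload bytes and log lines below are constructed to match the fields the
poster's log shows (length 8, Protocol ID 1, SPI size 0, type 0x18).
"""
import re
import struct
from dataclasses import dataclass

# Notify Message Type values (RFC 7296 section 3.10.1), abbreviated.
# Types below 16384 are errors; 16384 and above are status notifications.
NOTIFY_TYPES = {
    1: "UNSUPPORTED_CRITICAL_PAYLOAD",
    7: "INVALID_SYNTAX",
    14: "NO_PROPOSAL_CHOSEN",
    17: "INVALID_KE_PAYLOAD",
    24: "AUTHENTICATION_FAILED",
    38: "TS_UNACCEPTABLE",
    39: "INVALID_SELECTORS",
    43: "TEMPORARY_FAILURE",
    44: "CHILD_SA_NOT_FOUND",
    16384: "INITIAL_CONTACT",
    16388: "NAT_DETECTION_SOURCE_IP",
    16389: "NAT_DETECTION_DESTINATION_IP",
}
PROTOCOL_IDS = {0: "none", 1: "IKE", 2: "AH", 3: "ESP"}
STATUS_THRESHOLD = 16384


@dataclass
class NotifyPayload:
    next_payload: int
    critical: bool
    length: int
    protocol_id: int
    spi: bytes
    msg_type: int
    data: bytes

    @property
    def name(self):
        return NOTIFY_TYPES.get(self.msg_type, f"UNKNOWN({self.msg_type})")

    @property
    def is_error(self):
        return self.msg_type < STATUS_THRESHOLD


def parse_notify(buf: bytes) -> NotifyPayload:
    """Parse one Notify payload: generic header (next payload, C|reserved,
    length), then Protocol ID, SPI Size, Notify Message Type, then the SPI
    and notification data.  An 8-byte payload carries neither."""
    if len(buf) < 8:
        raise ValueError("Notify payload needs at least 8 bytes")
    next_payload, flags, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    protocol_id, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
    if 8 + spi_size > length:
        raise ValueError("SPI size exceeds payload length")
    spi = buf[8:8 + spi_size]
    data = buf[8 + spi_size:length]
    return NotifyPayload(next_payload, bool(flags & 0x80), length,
                         protocol_id, spi, msg_type, data)


# libreswan debug output prints the type as "v2N_<NAME> (0x<hex>)".
LOG_RE = re.compile(r"Notify Message Type:\s*(\S+)\s*\(0x([0-9a-fA-F]+)\)")


def notify_types_from_log(lines):
    """Return (name, number) for each Notify Message Type line in a log."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2), 16)))
    return hits


# Constructed input: the Notify payload the poster's log describes, and a
# few constructed libreswan debug lines in the same format.
AUTH_FAILED_PAYLOAD = bytes.fromhex("00000008" "01000018")
SAMPLE_LOG = """\
Mar 8 12:33:24.100000: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Mar 8 12:33:25.540170: | Protocol ID: PROTO_v2_IKE (0x1)
Mar 8 12:33:25.540238: | SPI size: 0 (0x0)
Mar 8 12:33:25.540275: | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
""".splitlines()

if __name__ == "__main__":
    n = parse_notify(AUTH_FAILED_PAYLOAD)
    kind = "error" if n.is_error else "status"
    print(f"{n.name} ({n.msg_type}, {kind}) for {PROTOCOL_IDS[n.protocol_id]}"
          f", SPI size {len(n.spi)}")
    for name, num in notify_types_from_log(SAMPLE_LOG):
        print(f"{name} -> {num} -> {NOTIFY_TYPES.get(num, '?')}")
```

Running it against a full libreswan debug log (`notify_types_from_log(open(path))`) lists every notify the peer sent in order, which makes it easy to see whether an AUTHENTICATION_FAILED arrived on its own or after an earlier error such as NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE.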