[Swan] Problem connecting to a Cisco ASA

Miguel Ponce Antolin mponce at paradigmadigital.com
Wed Mar 10 11:17:25 UTC 2021


Thanks for your answer Paul,

I have tried the options you said with similar results; the connection is
not established in any case.

The other side configuration is mandatory, so the AES256 must be effective.

We have seen that the aes256 configuration selects AES_CBC and that the 256-bit
option has to be selected.

Does libreswan accept this 256-bit option on AES_CBC?

Looking at the Implemented Standards page on the libreswan wiki
<https://libreswan.org/wiki/Implemented_Standards>, I can see that the
option is possible, but I cannot be sure that when the cipher key is selected as
AES_CBC the 256 bits are selected.

The other peer is sure that the problem is about this, and I don't know if
the 256-bit option is effective when the payload is negotiated.

Maybe you can bring me some clarity,

Thanks in advance!

On Wed, 10 Mar 2021 at 4:16, Paul Wouters (<paul at nohats.ca>) wrote:

> On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
>
> > I think we are facing issues with the IKE algorithms.
> >
> > The Cisco peer has the next configuration:
> > - pfs group14
> > - ikev2 ipsec-proposal AES256-SHA256
> > - security-association lifetime seconds 28800
> >
> > So the libreswan side is configured in the ipsec.d/vpn.conf with similar
> > parameters, using the yum repository's latest version, 3.25:
> >
> > conn vpn
> >     type=tunnel
> >     authby=secret
> >     auto=start
> >     left=%defaultroute
> >     leftid=xxx.xxx.xxx.120
> >     leftsubnets=10.xxx.xxx.xxx/28
> >     right=xxx.xxx.xxx.45
> >     rightsubnets=xxx.xxx.xxx.17/32
> >     leftsourceip=xxx.xxx.xxx.92
> >     leftnexthop=%defaultroute
> >     ikev2=insist
> >     ike=aes256-sha2;dh14
> >     keyexchange=ike
> >     ikelifetime=28800s
> >     salifetime=28800s
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=restart
> >     remote_peer_type=cisco
> >     aggrmode=yes
> >     initial-contact=yes
> >     encapsulation=no
>
> Delete the lines with remote_peer_type, aggrmode, and encapsulation
>
> Try using ike=aes256-sha2_256;dh14
>
> > Mar  8 12:33:25.540325: | selected state microcode Initiator: process
> > AUTHENTICATION_FAILED AUTH notification
>
> It could also be that they are expecting a different leftid= than you think?
>
> Despite them claiming pfs, you can try pfs=no as well to see if that
> makes a difference.
>
> Paul
>


-- 

*Miguel Ponce Antolín.*
Systems    ·    +34 670 360 655
paradig.ma <https://www.paradigmadigital.com/>   ·   contact us <https://www.paradigmadigital.com/contacto>
Twitter <https://twitter.com/paradigmate>   ·   YouTube <https://www.youtube.com/user/ParadigmaTe?feature=watch>   ·   LinkedIn <https://www.linkedin.com/company/paradigma-digital/>   ·   Instagram <https://www.instagram.com/paradigma_digital/?hl=es>
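Added example (not from this thread and not libreswan's own code) that expands a libreswan ike= string such as the one in the conn above into explicit algorithm identifiers and compares it field by field with the Cisco proposal from the thread. The alias tables are assumptions based on ipsec.conf(5) naming (aes256 = AES_CBC with a 256-bit key, sha2 = sha2_256, dh14 = MODP2048) and cover only the tokens used here; it also accepts several comma-separated alternatives, which the thread's single proposal does not use.

```python
import re

# Constructed alias tables following libreswan's ipsec.conf(5) naming
# (assumption: only the tokens relevant to this thread are covered).
INTEG = {"sha2": "HMAC_SHA2_256_128", "sha2_256": "HMAC_SHA2_256_128",
         "sha2_512": "HMAC_SHA2_512_256", "sha1": "HMAC_SHA1_96"}
DH = {"dh14": "MODP2048", "modp2048": "MODP2048", "dh19": "ECP_256"}
# Cisco ASA vocabulary from the thread ('AES256-SHA256', 'pfs group14').
CISCO_INTEG = {"SHA256": "HMAC_SHA2_256_128", "SHA1": "HMAC_SHA1_96"}
CISCO_GROUP = {"group14": "MODP2048", "group19": "ECP_256"}


def expand_encr(token):
    """'aes256' / 'aes_cbc256' -> ('AES_CBC', 256). A bare 'aes' carries no
    key length; it is returned as None and treated as not matching an
    explicit 256, since the peer here insists on 256-bit AES_CBC."""
    m = re.fullmatch(r"aes(?:_cbc)?(\d*)", token)
    if not m:
        raise ValueError(f"unsupported encryption token {token!r}")
    return "AES_CBC", (int(m.group(1)) if m.group(1) else None)


def parse_ike(proposal):
    """Expand an ike= value (ENCR-INTEG[;DH], ',' between alternatives)
    into explicit algorithm identifiers, one dict per alternative."""
    out = []
    for alt in proposal.lower().split(","):
        algs, _, dh = alt.strip().partition(";")
        try:
            encr_tok, integ_tok = algs.split("-")
        except ValueError:
            raise ValueError(f"expected ENCR-INTEG, got {algs!r}") from None
        encr, keylen = expand_encr(encr_tok)
        out.append({"encr": encr, "keylen": keylen,
                    "integ": INTEG[integ_tok], "dh": DH[dh] if dh else None})
    return out


def cisco_proposal(ipsec_proposal, pfs_group):
    """Translate the ASA's 'ikev2 ipsec-proposal AES256-SHA256' and
    'pfs group14' into the same vocabulary for comparison."""
    enc, integ = ipsec_proposal.upper().split("-")
    return {"encr": "AES_CBC", "keylen": int(enc[len("AES"):]),
            "integ": CISCO_INTEG[integ], "dh": CISCO_GROUP[pfs_group]}


def mismatches(ours, theirs):
    """Fields on which a libreswan alternative differs from the peer's."""
    return [k for k in ("encr", "keylen", "integ", "dh") if ours[k] != theirs[k]]
```

Running `mismatches(parse_ike("aes256-sha2;dh14")[0], cisco_proposal("AES256-SHA256", "group14"))` returns an empty list, i.e. the algorithm set itself lines up, which points the search at the other fields Paul mentions (leftid=, pfs) rather than at the cipher.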