[Swan] Problem connecting to a Cisco ASA
Nick Howitt
nick at howitts.co.uk
Wed Mar 10 11:29:40 UTC 2021
On 10/03/2021 11:17, Miguel Ponce Antolin wrote:
> Thanks for your answer Paul,
>
> I have tried the options you said with similar results, the connection
> is not established in any case.
>
> The other side configuration is mandatory, so the AES256 must be effective.
>
> We have seen that the aes256 configuration selects AES_CBC and the 256
> bit option has to be selected.
>
> Does libreswan accept this 256 bits option on AES_CBC?
>
> Looking on the libreswan wiki the Implemented Standards
> <https://libreswan.org/wiki/Implemented_Standards> I can see that the
> option is possible but I cannot assure that when cipherkey is selected
> as AES_CBC the 256 bits are selected.
>
> The other peer is sure that the problem is about this and I don't know
> if the 256 bits option is effective when the Payload is negotiated.
>
> Maybe you can bring me some clarity,
>
> Thanks in advance!
>
> On Wed, 10 Mar 2021 at 4:16, Paul Wouters (<paul at nohats.ca
> <mailto:paul at nohats.ca>>) wrote:
>
> On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
>
> > I think we are facing issues with the IKE algorithms.
> >
> > The Cisco peer has the next configuration:
> > - pfs group14
> > - ikev2 ipsec-proposal AES256-SHA256
> > - security-association lifetime seconds 28800
> >
> > So the libreswan side is configured in the ipsec.d/vpn.conf with
> similar parameters using the yum repository last version 3.25:
> >
> > conn vpn
> > type=tunnel
> > authby=secret
> > auto=start
> > left=%defaultroute
> > leftid=xxx.xxx.xxx.120
> > leftsubnets=10.xxx.xxx.xxx/28
> > right=xxx.xxx.xxx.45
> > rightsubnets=xxx.xxx.xxx.17/32
> > leftsourceip=xxx.xxx.xxx.92
> > leftnexthop=%defaultroute
> > ikev2=insist
> > ike=aes256-sha2;dh14
> > keyexchange=ike
> > ikelifetime=28800s
> > salifetime=28800s
> > dpddelay=30
> > dpdtimeout=120
> > dpdaction=restart
> > remote_peer_type=cisco
> > aggrmode=yes
> > initial-contact=yes
> > encapsulation=no
>
> Delete the lines with remote_peer_type, aggrmode, and encapsulation
>
> Try using ike=aes256-sha2_256;dh14
>
> > Mar 8 12:33:25.540325: | selected state microcode Initiator:
> process AUTHENTICATION_FAILED AUTH notification
>
> It could also be that they are expecting a different leftid= than you
> think?
>
> Despite them claiming pfs, you can try pfs=no as well to see if that
> makes a difference.
>
> Paul
>
>
>
> --
>
> *Miguel Ponce Antolín.*
> Systems · +34 670 360 655
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
Is "sha2-truncbug = yes" relevant?
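An added example, not from the thread, that expands the libreswan proposal strings discussed above (ike=aes256-sha2;dh14 versus ike=aes256-sha2_256;dh14, and an esp= proposal with sha2-truncbug=yes) into the IKEv2 transforms they actually request, so the "is 256-bit AES_CBC really selected" question can be answered from the string itself. The "sha2" alias and the PRF pairing are assumptions about libreswan shorthand; the transform names and IDs are the IANA IKEv2 registry values.

```python
import re

# IANA IKEv2 transform names and IDs (RFC 7296 registry); ICV bits per RFC 4868/2404.
INTEG = {
    "sha1":     ("AUTH_HMAC_SHA1_96",      2,  96),
    "sha2_256": ("AUTH_HMAC_SHA2_256_128", 12, 128),
    "sha2_384": ("AUTH_HMAC_SHA2_384_192", 13, 192),
    "sha2_512": ("AUTH_HMAC_SHA2_512_256", 14, 256),
}
PRF = {"sha1": ("PRF_HMAC_SHA1", 2), "sha2_256": ("PRF_HMAC_SHA2_256", 5),
       "sha2_384": ("PRF_HMAC_SHA2_384", 6), "sha2_512": ("PRF_HMAC_SHA2_512", 7)}
DH = {"dh2": ("MODP1024", 2), "dh5": ("MODP1536", 5), "dh14": ("MODP2048", 14),
      "dh19": ("ECP256", 19), "dh20": ("ECP384", 20)}
# libreswan shorthand: "sha2" is taken to mean sha2_256 (assumption).
ALIASES = {"sha2": "sha2_256"}


def expand_proposal(proposal, kind="ike", sha2_truncbug=False):
    """Expand one libreswan proposal string such as "aes256-sha2_256;dh14" into the
    IKEv2 transforms it requests. kind is "ike" (IKE SA) or "esp" (IPsec SA)."""
    algs, _, group = proposal.partition(";")
    enc, _, integ = algs.partition("-")
    m = re.fullmatch(r"aes(128|192|256)", enc)
    if not m:
        raise ValueError(f"need an explicit AES key length, e.g. aes256, got {enc!r}")
    keylen = int(m.group(1))
    integ = ALIASES.get(integ, integ)
    if integ not in INTEG:
        raise ValueError(f"unknown integrity algorithm {integ!r}")
    name, tid, icv = INTEG[integ]
    # sha2-truncbug=yes makes the ESP SA truncate the SHA2-256 ICV to 96 bits (the
    # pre-RFC 4868 behaviour) to match a peer that does the same; it does not touch
    # the IKE SA, which is why it is only applied for kind == "esp" here.
    if kind == "esp" and sha2_truncbug and integ == "sha2_256":
        name, icv = "AUTH_HMAC_SHA2_256_96 (non-RFC4868)", 96
    out = {
        # The "256" in aes256 becomes a Key Length attribute on ENCR_AES_CBC.
        "ENCR": ("ENCR_AES_CBC", 12, keylen),
        "INTEG": (name, tid, icv),
    }
    if kind == "ike":
        out["PRF"] = PRF[integ]  # IKEv2 needs a PRF; assumed paired with the integ hash
    if group or kind == "ike":
        if group not in DH:
            raise ValueError(f"IKE needs a valid DH group, got {group!r}")
        out["DH"] = DH[group]    # for esp= this is the PFS group
    return out
```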