[Swan] Problem connecting to a Cisco ASA

Nick Howitt nick at howitts.co.uk
Wed Mar 10 11:29:40 UTC 2021



On 10/03/2021 11:17, Miguel Ponce Antolin wrote:
> Thanks for your answer Paul,
> 
> I have tried the options you said with similar results, the connection 
> is not established in any case.
> 
> The other side configuration is mandatory, so the AES256 must be effective.
> 
> We have seen that the aes256 configuration selects AES_CBC and the 256 
> bit option has to be selected.
> 
> Does libreswan accept this 256 bits option on AES_CBC?
> 
> Looking on the libreswan wiki the Implemented Standards 
> <https://libreswan.org/wiki/Implemented_Standards> I can see that the 
> option is possible but I cannot assure that when cipherkey is selected 
> as AES_CBC the 256 bits are selected.
> 
> The other peer is sure that the problem is about this and I don't know 
> if the 256 bits option is effective when the Payload is negotiated.
> 
> Maybe you can bring me some clarity,
> 
> Thanks in advance!
> 
> On Wed, 10 Mar 2021 at 4:16, Paul Wouters (<paul at nohats.ca 
> <mailto:paul at nohats.ca>>) wrote:
> 
>     On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
> 
>      > I think we are facing issues with the IKE algorithms.
>      >
>      > The Cisco peer has the next configuration:
>      > - pfs group14
>      > - ikev2 ipsec-proposal AES256-SHA256
>      > - security-association lifetime seconds 28800
>      >
>      > So the libreswan side is configured in the ipsec.d/vpn.conf with
>     similar parameters using the yum repository last version 3.25:
>      >
>      > conn vpn
>      >     type=tunnel
>      >     authby=secret
>      >     auto=start
>      >     left=%defaultroute
>      >     leftid=xxx.xxx.xxx.120
>      >     leftsubnets=10.xxx.xxx.xxx/28
>      >     right=xxx.xxx.xxx.45
>      >     rightsubnets=xxx.xxx.xxx.17/32
>      >     leftsourceip=xxx.xxx.xxx.92
>      >     leftnexthop=%defaultroute
>      >     ikev2=insist
>      >     ike=aes256-sha2;dh14
>      >     keyexchange=ike
>      >     ikelifetime=28800s
>      >     salifetime=28800s
>      >     dpddelay=30
>      >     dpdtimeout=120
>      >     dpdaction=restart
>      >     remote_peer_type=cisco
>      >     aggrmode=yes
>      >     initial-contact=yes
>      >     encapsulation=no
> 
>     Delete the lines with remote_peer_type, aggrmode, and encapsulation
> 
>     Try using ike=aes256-sha2_256;dh14
> 
>      > Mar  8 12:33:25.540325: | selected state microcode Initiator:
>     process AUTHENTICATION_FAILED AUTH notification
> 
>     It could also be that they are expecting a different leftid= than you
>     think?
> 
>     Despite them claiming pfs, you can try pfs=no as well to see if that
>     makes a difference.
> 
>     Paul
> 
> 
> 
> -- 
> 
> *Miguel Ponce Antolín.*
> Sistemas  ·    +34 670 360 655
> paradig.ma <https://www.paradigmadigital.com/> · 
> contact us <https://www.paradigmadigital.com/contacto> · Twitter 
> <https://twitter.com/paradigmate> Youtube 
> <https://www.youtube.com/user/ParadigmaTe?feature=watch> Linkedin 
> <https://www.linkedin.com/company/paradigma-digital/> Instagram 
> <https://www.instagram.com/paradigma_digital/?hl=es>
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 
Is "sha2-truncbug = yes" relevant?
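As an added illustration of the advice in this thread (not code from the libreswan project or from any of the posters), the script below parses a conn block in ipsec.conf syntax, flags the settings Paul told Miguel to delete (remote_peer_type= and aggrmode= are IKEv1-only, and encapsulation=no disables UDP encapsulation even when NAT is present), and rewrites the proposal strings in the explicit form Paul suggested. The sample conn is constructed from the one quoted above with the addresses removed; the esp= suggestion, which reuses the IKE encryption/integrity and DH group so the child SA matches the ASA's "ikev2 ipsec-proposal AES256-SHA256" with "pfs group14", is an assumption added here. Note that in libreswan's proposal syntax "aes256" already means AES-CBC with a 256-bit key, which answers the AES_CBC question in the thread.

```python
"""Sanity-check a libreswan conn section for an IKEv2 peer such as a Cisco ASA.

Added example, not libreswan code. It reports conn settings that conflict
with IKEv2 negotiation and proposes explicit ike=/esp= strings.
"""
import re

# Keywords that apply only to IKEv1 and do nothing useful under ikev2=insist.
IKEV1_ONLY = {"aggrmode", "remote_peer_type"}

# Short integrity/PRF aliases and the explicit name that matches a peer's SHA256.
EXPLICIT_PRF = {"sha2": "sha2_256"}

# Constructed sample: the quoted conn from the thread, minus addresses.
SAMPLE_CONN = """\
conn vpn
    type=tunnel
    authby=secret
    auto=start
    ikev2=insist
    ike=aes256-sha2;dh14
    keyexchange=ike
    ikelifetime=28800s
    salifetime=28800s
    remote_peer_type=cisco
    aggrmode=yes
    initial-contact=yes
    encapsulation=no
"""


def parse_conn(text):
    """Return (conn name, {keyword: value}) for the first conn block in text."""
    name = None
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return name, settings


def explicit_proposal(proposal):
    """Rewrite 'aes256-sha2;dh14' as 'aes256-sha2_256;dh14'.

    'aes256' is left alone: it already denotes AES-CBC with a 256-bit key.
    """
    algs, _, dh = proposal.partition(";")
    parts = [EXPLICIT_PRF.get(p, p) for p in algs.split("-")]
    out = "-".join(parts)
    return f"{out};{dh}" if dh else out


def lint_conn(settings):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    ikev2 = settings.get("ikev2")
    if ikev2 in {"insist", "yes", "propose"}:
        for key in sorted(IKEV1_ONLY & set(settings)):
            findings.append(f"{key}= is an IKEv1-only option; drop it under ikev2={ikev2}")
    if settings.get("encapsulation") == "no":
        findings.append("encapsulation=no forbids UDP encapsulation; remove it unless "
                        "you are certain no NAT sits between the peers")
    ike = settings.get("ike", "")
    algs = ike.partition(";")[0].split("-")
    if any(p in EXPLICIT_PRF for p in algs):
        findings.append(f"ike={ike} uses an integrity alias; prefer "
                        f"ike={explicit_proposal(ike)} so the proposal is unambiguous")
    if "esp" not in settings and ikev2:
        findings.append("esp= is unset; state the child SA proposal explicitly to match "
                        "the peer's ipsec-proposal and PFS group")
    return findings


def suggest_proposals(settings):
    """Return {'ike': ..., 'esp': ...} in explicit form (assumption: esp mirrors ike)."""
    ike = explicit_proposal(settings["ike"]) if "ike" in settings else None
    if "esp" in settings:
        esp = explicit_proposal(settings["esp"])
    elif ike and settings.get("pfs", "yes") == "yes":
        esp = ike  # same encr/integ and DH group, so PFS uses the peer's group
    else:
        esp = None
    return {"ike": ike, "esp": esp}


if __name__ == "__main__":
    name, conf = parse_conn(SAMPLE_CONN)
    print(f"conn {name}")
    for finding in lint_conn(conf):
        print(" -", finding)
    print("suggested:", suggest_proposals(conf))
```

Run it against the conn as quoted and it lists the three keywords to remove plus the two proposal changes; run it against a conn that already uses ike=aes256-sha2_256;dh14 and esp=aes256-sha2_256;dh14 and it reports nothing.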