[Swan] Connecting Libreswan to Cisco ASA

Dmitry Melekhov dm at belkam.com
Sat Mar 27 13:27:23 UTC 2021


27.03.2021 00:32, Bruno writes:
> Hi,
> I'm trying to connect to a remote site where they're using a Cisco ASA 
> 5555, but I'm consistently receiving the error: INVALID_ID_INFORMATION.
> Phase 1 seems to be ok, the problem seems to be on phase 2. But I'm 
> pretty confident there isn't much to change on Libreswan side.
>
> The admin from the remote site sent me an excerpt from their logs, 
> which follows below. I don't have much experience with Cisco but the 
> message "Rejecting IPSec tunnel: no matching crypto map entry for 
> remote proxy" seems to point to a possible cause of the problem.
> I know this is the Libreswan list, not Cisco's, but what I'm hoping to 
> find is if anyone with enough experience could tell if there are some 
> special set of settings so the Cisco device would connect to 
> Libreswan, or if there is something to do with the remote site's 
> "crypto map".


There is nothing special here. I run an ASA 5506 on one side and Libreswan 
on the other and it works, although I have a different configuration.

It looks like the configuration problem is on the ASA side. Do you have the config?


>
> Another thing I'd like to point out that when starting the connection 
> on Libreswan, logs roll out like crazy, something like 300 connection 
> attempts in 10 seconds.
>
> On my side I'm using Libreswan 3.25, Linux 4.19.80.
>
> Thanks!
>
>
> ---- Local conf
>
> conn zebes-tunnel
>         type=tunnel
>         authby=secret
>         left=A.A.A.A
>         leftid=A.A.A.A
>         leftsubnet=10.4.218.0/24
>         right=B.B.B.B
>         rightid=B.B.B.B
>         rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
>         ike=aes256-sha1;modp1536
>         ikelifetime=86400s
>         ikev2=no
>         esp=aes256-sha1
>         salifetime=3600s
>         pfs=no
>         auto=start
>
>
> ---- Libreswan logs
>
> Mar 26 10:26:26.124744: initiating all conns with alias='zebes-tunnel'
> Mar 26 10:26:26.160043: "zebes-tunnel/0x3" #2: STATE_MAIN_I2: sent 
> MI2, expecting MR2
> Mar 26 10:26:26.193605: "zebes-tunnel/0x3" #2: ignoring unknown Vendor 
> ID payload [e26481be08eae0fded3990cb0fc983cd]
> Mar 26 10:26:26.195213: "zebes-tunnel/0x3" #2: STATE_MAIN_I3: sent 
> MI3, expecting MR3
> Mar 26 10:26:26.227947: | protocol/port in Phase 1 ID Payload is 17/0. 
> accepted with port_floating NAT-T
> Mar 26 10:26:26.227978: "zebes-tunnel/0x3" #2: Peer ID is 
> ID_IPV4_ADDR: 'B.B.B.B'
> Mar 26 10:26:26.228027: "zebes-tunnel/0x3" #2: STATE_MAIN_I4: ISAKMP 
> SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha 
> group=MODP1536}
> Mar 26 10:26:26.228059: "zebes-tunnel/0x1" #6: initiating Quick Mode 
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 
> {using isakmp#2 msgid:e90700c1 proposal=AES_CBC_256-HMAC_SHA1_96 
> pfsgroup=no-pfs}
> Mar 26 10:26:26.228085: "zebes-tunnel/0x2" #7: initiating Quick Mode 
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 
> {using isakmp#2 msgid:f15bb82d proposal=AES_CBC_256-HMAC_SHA1_96 
> pfsgroup=no-pfs}
> Mar 26 10:26:26.228208: "zebes-tunnel/0x3" #8: initiating Quick Mode 
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 
> {using isakmp#2 msgid:760985c2 proposal=AES_CBC_256-HMAC_SHA1_96 
> pfsgroup=no-pfs}
> Mar 26 10:26:26.262645: "zebes-tunnel/0x3" #2: ignoring informational 
> payload INVALID_ID_INFORMATION, msgid=00000000, length=160
> Mar 26 10:26:26.262667: | ISAKMP Notification Payload
> Mar 26 10:26:26.262674: |   00 00 00 a0  00 00 00 01  03 04 00 12
> Mar 26 10:26:26.262680: "zebes-tunnel/0x3" #2: received and ignored 
> informational message
> Mar 26 10:26:26.263371: "zebes-tunnel/0x3" #2: received Delete SA 
> payload: self-deleting ISAKMP State #2
> Mar 26 10:26:26.263431: "zebes-tunnel/0x3" #2: deleting state 
> (STATE_MAIN_I4) and sending notification
> Mar 26 10:26:26.263546: "zebes-tunnel/0x3" #2: reschedule pending 
> child #8 STATE_QUICK_I1 of connection "zebes-tunnel/0x3" - the parent 
> is going away
> Mar 26 10:26:26.263578: "zebes-tunnel/0x3" #2: reschedule pending 
> child #7 STATE_QUICK_I1 of connection "zebes-tunnel/0x2" - the parent 
> is going away
> Mar 26 10:26:26.263594: "zebes-tunnel/0x3" #2: reschedule pending 
> child #6 STATE_QUICK_I1 of connection "zebes-tunnel/0x1" - the parent 
> is going away
> Mar 26 10:26:26.263603: "zebes-tunnel/0x3" #2: deleting IKE SA for 
> connection 'zebes-tunnel/0x3' but connection is supposed to remain up; 
> schedule EVENT_REVIVE_CONNS
> Mar 26 10:26:26.263674: packet from B.B.B.B:500: received and ignored 
> empty informational notification payload
> Mar 26 10:26:26.263818: "zebes-tunnel/0x3" #8: deleting state 
> (STATE_QUICK_I1) and NOT sending notification
> Mar 26 10:26:26.263875: "zebes-tunnel/0x2" #7: deleting state 
> (STATE_QUICK_I1) and NOT sending notification
> Mar 26 10:26:26.263900: "zebes-tunnel/0x1" #6: deleting state 
> (STATE_QUICK_I1) and NOT sending notification
>
>
> ---- Cisco ASA logs
>
> Group = A.A.A.A, IP = A.A.A.A, Sending p2 'Invalid ID info' notify 
> message with SPI ea69decf.
> Group = A.A.A.A, IP = A.A.A.A, sending notify message
> Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching 
> crypto map entry for remote proxy 10.4.218.0/255.255.255.0/0/0 
> local proxy 192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE
> Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map 
> SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map 
> when peer found in previous map entry.
> IP = A.A.A.A, Received DPD VID
> IP = A.A.A.A, processing SA payload
> IP = A.A.A.A, IKE_DECODE_RECEIVED Message (msgid=0) with payloads: HDR 
> + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + 
> VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
> IKE Receiver: Packet received on B.B.B.B:500 from A.A.A.A:500
> Group = A.A.A.A, Username = A.A.A.A, IP A.A.A.A, Session disconnected. 
> Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes 
> rcv: 0, Reason: crypto map policy not found
> Group = A.A.A.A, IP = A.A.A.A, Session is being torn down. Reason: 
> crypto map policy not found
> IP = A.A.A.A, IKE_DECODE_SENDING Message (msgid=95cd13f8) with 
> payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
> Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
> Group = A.A.A.A, IP = A.A.A.A, constructing IKE delete payload
> Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:25efb702 terminating: flags 
> 0x1000002, refcnt 0, tuncnt 0
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table 
> failed, no match!
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table 
> failed, no match!
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr 
> A.A.A.A, my cookie BBBB1111, his cookie AAAA0000) to standby unit
> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1MIB Table succeeded 
> for SA with logical ID 111111111
> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1 Tunnel Table 
> succeeded for SA with logicalId 111111111
> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM: BBBB1111 rcv'd Terminate: 
> state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 2
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table 
> failed, no match!
> IP = A.A.A.A, IKE Responder starting QM: msg id = ba6018a2
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = 
> OUTSIDE_map, seq = 42, ACL does not match proxy IDs src:10.4.218.0 
> dst:192.168.100.0
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = 
> OUTSIDE_map, seq = 42...
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = 
> OUTSIDE_map, seq = 41...
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = 
> OUTSIDE_map, seq = 40...
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
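A worked check of the Phase 2 proxy-ID mismatch behind INVALID_ID_INFORMATION, added here as an example (it is not code from the thread, from Libreswan or from Cisco). It expands the quoted conn into the three child proposals Libreswan initiates (one per rightsubnets entry, matching the three Quick Mode starts in the log), compares each against a constructed ASA crypto map ACL (hypothetical; the real OUTSIDE_map ACL is not in the thread), and parses the ASA "Rejecting IPSec tunnel" line to recover the proxy pair the ASA actually saw.

```python
import ipaddress
import re

# Values from the quoted Libreswan conn.
LEFTSUBNET = "10.4.218.0/24"
RIGHTSUBNETS = ["192.168.168.151", "192.168.168.152", "192.168.168.153"]

# Constructed, hypothetical ASA crypto map ACL (not from the thread).
# ASA order is: permit ip <local-net> <local-mask> <remote-net> <remote-mask>
ASA_ACL = ["permit ip 192.168.100.0 255.255.255.224 10.4.218.0 255.255.255.0"]

# Reject line copied from the ASA logs in the thread.
ASA_REJECT_LINE = (
    "Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching "
    "crypto map entry for remote proxy 10.4.218.0/255.255.255.0/0/0 "
    "local proxy 192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE")


def libreswan_proxy_pairs(leftsubnet, rightsubnets):
    """One Quick Mode child per rightsubnets entry; pairs are
    (remote proxy, local proxy) as the ASA will see them."""
    left = ipaddress.ip_network(leftsubnet)
    return [(left, ipaddress.ip_network(r)) for r in rightsubnets]


def asa_acl_pairs(acl_lines):
    """Turn crypto map ACL lines into (remote proxy, local proxy) pairs."""
    pairs = set()
    for line in acl_lines:
        m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
        local = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        remote = ipaddress.ip_network(f"{m[3]}/{m[4]}")
        pairs.add((remote, local))
    return pairs


def parse_asa_reject(line):
    """Recover (remote proxy, local proxy) from the ASA reject message."""
    m = re.search(r"remote proxy (\S+)/(\S+)/\d+/\d+ local proxy (\S+)/(\S+)/\d+/\d+", line)
    return (ipaddress.ip_network(f"{m[1]}/{m[2]}"),
            ipaddress.ip_network(f"{m[3]}/{m[4]}"))


def check(leftsubnet, rightsubnets, acl_lines):
    """IKEv1 on the ASA needs an exact mirror of each proxy pair; any child
    whose pair is absent from the ACL is answered with INVALID_ID_INFORMATION."""
    acl = asa_acl_pairs(acl_lines)
    return {str(r): ("ok" if (l, r) in acl else "INVALID_ID_INFORMATION")
            for l, r in libreswan_proxy_pairs(leftsubnet, rightsubnets)}
```

Run `check(LEFTSUBNET, RIGHTSUBNETS, ASA_ACL)` to see all three children rejected against the constructed ACL, and `parse_asa_reject(ASA_REJECT_LINE)` to see the 10.4.218.0/24 to 192.168.100.0/27 pair the ASA reported.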