[Swan] Connecting Libreswan to Cisco ASA
Dmitry Melekhov
dm at belkam.com
Sat Mar 27 13:27:23 UTC 2021
27.03.2021 00:32, Bruno пишет:
> Hi,
> I'm trying to connect to a remote site where they're using a Cisco ASA
> 5555, but I'm consistently receiving the error: INVALID_ID_INFORMATION.
> Phase 1 seems to be ok, the problem seems to be on phase 2. But I'm
> pretty confident there isn't much to change on Libreswan side.
>
> The admin from the remote site sent me an excerpt from their logs,
> which follows below. I don't have much experience with Cisco but the
> message "Rejecting IPSec tunnel: no matching crypto map entry for
> remote proxy" seems to point to a possible cause of the problem.
> I know this is the Libreswan list, not Cisco's, but what I'm hoping to
> find is if anyone with enough experience could tell if there are some
> special set of settings so the Cisco device would connect to
> Libreswan, or if there is something to do with the remote site's
> "crypto map".
There is nothing special here, I run asa 5506 on one side and libreswan
on another and it works, although I have different configuration.
Looks like configuration problem is on asa side, do you have config?
>
> Another thing I'd like to point out that when starting the connection
> on Libreswan, logs roll out like crazy, something like 300 connection
> attempts in 10 seconds.
>
> On my side I'm using Libreswan 3.25, Linux 4.19.80.
>
> Thanks!
>
>
> ---- Local conf
>
> conn zebes-tunnel
> type=tunnel
> authby=secret
> left=A.A.A.A
> leftid=A.A.A.A
> leftsubnet=10.4.218.0/24 <http://10.4.218.0/24>
> right=B.B.B.B
> rightid=B.B.B.B
> rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
> ike=aes256-sha1;modp1536
> ikelifetime=86400s
> ikev2=no
> esp=aes256-sha1
> salifetime=3600s
> pfs=no
> auto=start
>
>
> ---- Libreswan logs
>
> Mar 26 10:26:26.124744: initiating all conns with alias='zebes-tunnel'
> Mar 26 10:26:26.160043: "zebes-tunnel/0x3" #2: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Mar 26 10:26:26.193605: "zebes-tunnel/0x3" #2: ignoring unknown Vendor
> ID payload [e26481be08eae0fded3990cb0fc983cd]
> Mar 26 10:26:26.195213: "zebes-tunnel/0x3" #2: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Mar 26 10:26:26.227947: | protocol/port in Phase 1 ID Payload is 17/0.
> accepted with port_floating NAT-T
> Mar 26 10:26:26.227978: "zebes-tunnel/0x3" #2: Peer ID is
> ID_IPV4_ADDR: 'B.B.B.B'
> Mar 26 10:26:26.228027: "zebes-tunnel/0x3" #2: STATE_MAIN_I4: ISAKMP
> SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha
> group=MODP1536}
> Mar 26 10:26:26.228059: "zebes-tunnel/0x1" #6: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> {using isakmp#2 msgid:e90700c1 proposal=AES_CBC_256-HMAC_SHA1_96
> pfsgroup=no-pfs}
> Mar 26 10:26:26.228085: "zebes-tunnel/0x2" #7: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> {using isakmp#2 msgid:f15bb82d proposal=AES_CBC_256-HMAC_SHA1_96
> pfsgroup=no-pfs}
> Mar 26 10:26:26.228208: "zebes-tunnel/0x3" #8: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> {using isakmp#2 msgid:760985c2 proposal=AES_CBC_256-HMAC_SHA1_96
> pfsgroup=no-pfs}
> Mar 26 10:26:26.262645: "zebes-tunnel/0x3" #2: ignoring informational
> payload INVALID_ID_INFORMATION, msgid=00000000, length=160
> Mar 26 10:26:26.262667: | ISAKMP Notification Payload
> Mar 26 10:26:26.262674: | 00 00 00 a0 00 00 00 01 03 04 00 12
> Mar 26 10:26:26.262680: "zebes-tunnel/0x3" #2: received and ignored
> informational message
> Mar 26 10:26:26.263371: "zebes-tunnel/0x3" #2: received Delete SA
> payload: self-deleting ISAKMP State #2
> Mar 26 10:26:26.263431: "zebes-tunnel/0x3" #2: deleting state
> (STATE_MAIN_I4) and sending notification
> Mar 26 10:26:26.263546: "zebes-tunnel/0x3" #2: reschedule pending
> child #8 STATE_QUICK_I1 of connection "zebes-tunnel/0x3" - the parent
> is going away
> Mar 26 10:26:26.263578: "zebes-tunnel/0x3" #2: reschedule pending
> child #7 STATE_QUICK_I1 of connection "zebes-tunnel/0x2" - the parent
> is going away
> Mar 26 10:26:26.263594: "zebes-tunnel/0x3" #2: reschedule pending
> child #6 STATE_QUICK_I1 of connection "zebes-tunnel/0x1" - the parent
> is going away
> Mar 26 10:26:26.263603: "zebes-tunnel/0x3" #2: deleting IKE SA for
> connection 'zebes-tunnel/0x3' but connection is supposed to remain up;
> schedule EVENT_REVIVE_CONNS
> Mar 26 10:26:26.263674: packet from B.B.B.B:500: received and ignored
> empty informational notification payload
> Mar 26 10:26:26.263818: "zebes-tunnel/0x3" #8: deleting state
> (STATE_QUICK_I1) and NOT sending notification
> Mar 26 10:26:26.263875: "zebes-tunnel/0x2" #7: deleting state
> (STATE_QUICK_I1) and NOT sending notification
> Mar 26 10:26:26.263900: "zebes-tunnel/0x1" #6: deleting state
> (STATE_QUICK_I1) and NOT sending notification
>
>
> ---- Cisco ASA logs
>
> Group = A.A.A.A, IP = A.A.A.A, Sending p2 'Invalid ID info' notify
> message with SPI ea69decf.
> Group = A.A.A.A, IP = A.A.A.A, sending notify message
> Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching
> crypto map entry for remote proxy 10.4.218.0/255.255.255.0/0/0
> <http://10.4.218.0/255.255.255.0/0/0> local proxy
> 192.168.100.0/255.255.255.224/0/0
> <http://192.168.100.0/255.255.255.224/0/0> on interface OUTSIDE
> Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map
> SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map
> when peer found in previous map entry.
> IP = A.A.A.A, Received DPD VID
> IP = A.A.A.A, processing SA payload
> IP = A.A.A.A, IKE_DECODE_RECEIVED Message (msgid=0) with payloads: HDR
> + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
> VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
> IKE Receiver: Packet received on B.B.B.B:500 from A.A.A.A:500
> Group = A.A.A.A, Username = A.A.A.A, IP A.A.A.A, Session disconnected.
> Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes
> rcv: 0, Reason: crypto map policy not found
> Group = A.A.A.A, IP = A.A.A.A, Session is being torn down. Reason:
> crypto map policy not found
> IP = A.A.A.A, IKE_DECODE_SENDING Message (msgid=95cd13f8) with
> payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
> Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
> Group = A.A.A.A, IP = A.A.A.A, constructing IKE delete payload
> Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:25efb702 terminating: flags
> 0x1000002, refcnt 0, tuncnt 0
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
> failed, no match!
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
> failed, no match!
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
> (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr
> A.A.A.A, my cookie BBBB1111, his cookie AAAA0000) to standby unit
> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1MIB Table succeeded
> for SA with logical ID 111111111
> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1 Tunnel Table
> succeeded for SA with logicalId 111111111
> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM: BBBB1111 rcv'd Terminate:
> state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 2
> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
> failed, no match!
> IP = A.A.A.A, IKE Responder starting QM: msg id = ba6018a2
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map =
> OUTSIDE_map, seq = 42, ACL does not match proxy IDs src:10.4.218.0
> dst:192.168.100.0
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
> OUTSIDE_map, seq = 42...
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
> OUTSIDE_map, seq = 41...
> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
> OUTSIDE_map, seq = 40...
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210327/20ac009b/attachment.html>
More information about the Swan
mailing list