[Swan] Problem configuring connection with Cisco ASA in HA

Paul Wouters paul at nohats.ca
Wed Sep 8 07:25:59 UTC 2021


V4.5 addresses some connection switching issues, which might be what you are experiencing.

Sent using a virtual keyboard on a phone

> On Sep 8, 2021, at 10:12, Miguel Ponce Antolin <mponce at paradigmadigital.com> wrote:
> 
> 
> Hi all,
> 
> We are facing this problem; maybe there is some advice you could give us.
> 
> We are configuring two libreswan (v4.4) instances which are going to be a main and a backup endpoint for a Cisco ASA.
> 
> The connection works well when the libreswan endpoint configured as main has ipsec running, but when we test stopping ipsec on this main instance, the backup instance does not complete the authentication process.
> 
> We have switched both instances on the Cisco configuration side, but the instance configured as main always works as expected, while the backup does not. The backup instance has been rebooted, the ipsec service has been restarted, and we even tried switching off the main instance to avoid the possibility of some blocked connection.
> 
> This is the error that appears in the pluto log:
> 
> Sep  7 10:53:27.711642: | processing payload: ISAKMP_NEXT_v2N (len=0)
> Sep  7 10:53:27.711657: | error notification v2N_NO_PROPOSAL_CHOSEN is not supported
> Sep  7 10:53:27.711694: | selected state microcode roof
> Sep  7 10:53:27.711706: "vpn/1x1" #4: dropping unexpected IKE_AUTH message containing NO_PROPOSAL_CHOSEN notification; message payloads: SK; encrypted payloads: IDr,AUTH,N,V; unexpected payloads: IDr,AUTH
> Sep  7 10:53:27.711716: | #4 complete_v2_state_transition() PARENT_I2->ESTABLISHED_CHILD_SA with status STF_FATAL; md.svm=NULL
> Sep  7 10:53:27.711722: "vpn/1x1" #4: encountered fatal error in state STATE_PARENT_I2
> Sep  7 10:53:27.711726: | Message ID: forcing a response received update
> 
> I hope this is enough information, thanks in advance!
> 
> Kind regards
> 
> -- 
> 
> 
> Miguel Ponce Antolín.
> Sistemas    ·    +34 670 360 655
> 