<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello!</p>
<p>I run cisco ASA 5506-X asa992-36 and libreswan on another side
- Centos 7.6 ipsec --version<br>
Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64 <br>
</p>
<p><br>
</p>
<p>And sometimes , several times per day, I have rekeying problem.</p>
<p>From libreswan side is looks like:</p>
<p><br>
</p>
<p>дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
local ESP/AH proposals for peer (ESP/AH initiator emitting
proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED<br>
дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I<br>
дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for
response<br>
дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for
response<br>
дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for
response<br>
дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for
response<br>
дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for
response<br>
дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for
response<br>
дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for
response<br>
дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
payloads: N; missing payloads: SA,Ni,TSi,TSr<br>
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7
retransmits. No response (or no acceptable response) to our IKEv2
message<br>
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
starting keying attempt 2 of an unlimited number<br>
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341:
local ESP/AH proposals for peer (ESP/AH initiator emitting
proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED<br>
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending
notification<br>
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341:
message id deadlock? wait sending, add to send next list using
parent #337 unacknowledged 1 next message id=1 ike exchange window
1</p>
<p>дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer" #341:
deleting state (STATE_V2_CREATE_I0) and NOT sending notification<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339:
deleting state (STATE_V2_IPSEC_R) and sending notification<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339:
ESP traffic information: in=226MB out=117MB<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire unused
parent SA #337 "peer"<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
received delete request for PROTO_v2_ESP SA(0xf257a6bd) but
corresponding state not found<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
ISAKMP SA expired (LATEST!)<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
deleting state (STATE_PARENT_R2) and sending notification<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
88.80.32.210:500: INFORMATIONAL message request has no
corresponding IKE SA<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]:
assign_holdpass() no bare shunt to remove? - mismatch?<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on
demand from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because:
acquire<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
initiating v2 parent SA<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
asaip:500: ignoring unknown Vendor ID payload
[434953434f28434f505952494748542926436f70797269676874202863292032...]<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
asaip:500: proposal
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
STATE_PARENT_I1: sent v2I1, expected v2R1<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
local ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH
proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
IKEv2 mode peer ID is ID_IPV4_ADDR: '88.80.32.210'<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
Authenticated using authby=secret<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
local ESP/AH proposals for peer (IKE SA responder matching remote
ESP/AH proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
proposal
1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
chosen from remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345:
negotiated connection [192.168.200.33-192.168.200.33:0-65535 0]
-> [192.168.200.34-192.168.200.34:0-65535 0]<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345:
STATE_V2_IPSEC_R: IPsec SA established tunnel mode
{ESP=>0xd98dfdbf <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=none NATD=none DPD=active}<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
IKEv2 mode peer ID is ID_IPV4_ADDR: 'asaip'<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
Authenticated using authby=secret<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
negotiated connection [192.168.200.33-192.168.200.33:0-65535 0]
-> [192.168.200.34-192.168.200.34:0-65535 0]<br>
дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
STATE_V2_IPSEC_I: IPsec SA established tunnel mode
{ESP=>0x3956d69f <0x0b6fe415 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=none NATD=none DPD=active}<br>
<br>
</p>
<p>from ASA side :<br>
</p>
<p>Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver:
Packet received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500
Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation
aborted due to ERROR: The peer's KE payload contained the wrong DH
group<br>
Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound
LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip
(user= libreswanip) has been deleted.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip
(user= libreswanip) has been deleted.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2
times: [ ESP request discarded from libreswanip to outside:asaip]<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500
Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason:
peer request<br>
Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group = libreswanip,
Username = libreswanip, IP = libreswanip, Session disconnected.
Session Type: LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt:
237319950, Bytes rcv: 122586307, Reason: User Requested<br>
Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500
Remote:libreswanip:500 Username:Unknown IKEv2 Received request to
establish an IPsec tunnel; local traffic selector = Address Range:
192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ;
remote traffic selector = Address Range:
192.168.200.33-192.168.200.33 Protocol: 0 Port Range: 0-65535 <br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500
Remote:libreswanip:500 Username:Unknown IKEv2 Received a
IKE_INIT_SA request<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason:
New Connection Established<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved
default group policy (DfltGrpPolicy) for user = libreswanip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound
LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip
(user= libreswanip) has been created.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip
(user= libreswanip) has been created.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet
received on asaip:500 from libreswanip:500<br>
Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason:
New Connection Established<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound
LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip
(user= libreswanip) has been deleted.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip
(user= libreswanip) has been deleted.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound
LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip
(user= libreswanip) has been created.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip
(user= libreswanip) has been created.<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2
times: [ ESP request discarded from libreswanip to outside:asaip]<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3
times: [ ESP request discarded from libreswanip to outside:asaip]<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
discarded from libreswanip to outside:asaip<br>
</p>
<p><br>
</p>
<p>As you can see , connections are created, but ASA drops ESP
packets...<br>
</p>
<p><br>
</p>
<p>Configuration:</p>
<p><br>
</p>
<p>libreswan:<br>
</p>
<p>conn peer<br>
left=libreswanip<br>
right=asaip<br>
leftsubnet=192.168.200.33/32<br>
rightsubnet=192.168.200.34/32<br>
ike=aes256-sha1;modp1024<br>
ikev2=insist<br>
pfs=yes<br>
ikelifetime=28800s<br>
phase2alg=aes256-sha1<br>
keylife=3600s<br>
rekeymargin=540s<br>
type=tunnel<br>
compress=no<br>
authby=secret<br>
auto=start<br>
keyingtries=%forever<br>
dpddelay=10<br>
dpdtimeout=2<br>
dpdaction=restart<br>
#dpdaction=hold<br>
</p>
<p><br>
</p>
<p>asa:<br>
</p>
<pre>crypto ipsec ikev2 ipsec-proposal zabegalovo
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
crypto map russneft-ipsec 50 set peer libreswanip
crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo
access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33
right now I'm solving this by script , which checks if another side is available by ping and do connection restart if not:
/usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer
Could you tell me is something wrong in my configuration?
Or is this asa or libreswan bug?
Thank you!
</pre>
</body>
</html>