<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1545724308034_9247"></div><div id="yui_3_16_0_ym19_1_1545724308034_9248"><span id="yui_3_16_0_ym19_1_1545724308034_9249">Hello Dmitry,</span></div><div id="yui_3_16_0_ym19_1_1545724308034_9250"><span id="yui_3_16_0_ym19_1_1545724308034_9251"><br id="yui_3_16_0_ym19_1_1545724308034_9252"></span></div><div id="yui_3_16_0_ym19_1_1545724308034_9253"><span id="yui_3_16_0_ym19_1_1545724308034_9254">1. I have the same problem with a centos <> cisco asa connection with the same behaviour.</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1545724308034_9255"><span id="yui_3_16_0_ym19_1_1545724308034_9256">Can you tell me please what are your final settings for </span><span id="yui_3_16_0_ym19_1_1545724308034_9257">ikelifetime, keylife and rekeymargin?</span></div><div id="yui_3_16_0_ym19_1_1545724308034_9258">2. With what periodicity do you run that testing script?</div><div id="yui_3_16_0_ym19_1_1545724308034_9259"><br id="yui_3_16_0_ym19_1_1545724308034_9260"></div><div id="yui_3_16_0_ym19_1_1545724308034_9261">Thanks a lot!</div>VV<div id="yui_3_16_0_ym19_1_1545724308034_9068"><span></span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1545724308034_9059"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1545724308034_9042" style="display: block;">  <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1545724308034_9041"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1545724308034_9040"> <div dir="ltr" id="yui_3_16_0_ym19_1_1545724308034_9039"> <font id="yui_3_16_0_ym19_1_1545724308034_9043" size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Dmitry Melekhov 
<dm@belkam.com><br> <b><span style="font-weight: bold;">To:</span></b> swan@lists.libreswan.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, December 25, 2018 6:38 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1545724308034_9046"><br><div id="yiv7077812119"><div id="yui_3_16_0_ym19_1_1545724308034_9045">
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9051">OK, looks like this is an ASA bug; it was
      not happy with</div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9263">      keylife=3600s  from libreswan <br clear="none">
    </div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9050">I set it to the default, which is the same
      as on the cisco side, and it looks like now there is no such problem,</div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9044">at least while there is no connectivity
      loss...</div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9049"><br clear="none">
    </div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9047"><br clear="none">
    </div>
    <div class="yiv7077812119moz-cite-prefix" id="yui_3_16_0_ym19_1_1545724308034_9048">24.12.2018 9:56, Dmitry Melekhov writes:<br clear="none">
    </div>
    <div class="yiv7077812119yqt8029551191" id="yiv7077812119yqt72573"><blockquote type="cite">
      <div>Hello!</div>
      <div>I run a cisco ASA 5506-X (asa992-36) and libreswan on the other
        side - Centos 7.6, ipsec --version:<br clear="none">
        Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64 <br clear="none">
      </div>
      <div><br clear="none">
      </div>
      <div>And sometimes, several times per day, I have a rekeying problem.</div>
      <div>From the libreswan side it looks like:</div>
      <div><br clear="none">
      </div>
      <div>дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer"
        #340: local ESP/AH proposals for peer (ESP/AH initiator emitting
        proposals):
        1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED<br clear="none">
        дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I<br clear="none">
        дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds
        for response<br clear="none">
        дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for
        response<br clear="none">
        дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for
        response<br clear="none">
        дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for
        response<br clear="none">
        дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for
        response<br clear="none">
        дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for
        response<br clear="none">
        дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for
        response<br clear="none">
        дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        dropping unexpected CREATE_CHILD_SA message containing
        INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted
        payloads: N; missing payloads: SA,Ni,TSi,TSr<br clear="none">
        дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7
        retransmits.  No response (or no acceptable response) to our
        IKEv2 message<br clear="none">
        дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        starting keying attempt 2 of an unlimited number<br clear="none">
        дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341:
        local ESP/AH proposals for peer (ESP/AH initiator emitting
        proposals):
        1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED<br clear="none">
        дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340:
        deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending
        notification<br clear="none">
        дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341:
        message id deadlock? wait sending, add to send next list using
        parent #337 unacknowledged 1 next message id=1 ike exchange
        window 1</div>
      <div>дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer"
        #341: deleting state (STATE_V2_CREATE_I0) and NOT sending
        notification<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339:
        deleting state (STATE_V2_IPSEC_R) and sending notification<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339:
        ESP traffic information: in=226MB out=117MB<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire
        unused parent SA #337 "peer"<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
        received delete request for PROTO_v2_ESP SA(0xf257a6bd) but
        corresponding state not found<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
        ISAKMP SA expired (LATEST!)<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337:
        deleting state (STATE_PARENT_R2) and sending notification<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
        88.80.32.210:500: INFORMATIONAL message request has no
        corresponding IKE SA<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
        88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has
        no matching IKE SA<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]:
        assign_holdpass() no bare shunt to remove? - mismatch?<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on
        demand from 192.168.200.33:0 to 192.168.200.34:0 proto=47
        because: acquire<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
        initiating v2 parent SA<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
        asaip:500: ignoring unknown Vendor ID payload
        [434953434f28434f505952494748542926436f70797269676874202863292032...]<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from
        asaip:500: proposal
        1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
        chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
        STATE_PARENT_I1: sent v2I1, expected v2R1<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
        cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342:
        local ESP/AH proposals for peer (IKE SA initiator emitting
        ESP/AH proposals):
        1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
        STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
        cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        IKEv2 mode peer ID is ID_IPV4_ADDR: '88.80.32.210'<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        Authenticated using authby=secret<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        local ESP/AH proposals for peer (IKE SA responder matching
        remote ESP/AH proposals):
        1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        proposal
        1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
        chosen from remote proposals
        1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343:
        received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345:
        negotiated connection [192.168.200.33-192.168.200.33:0-65535 0]
        -> [192.168.200.34-192.168.200.34:0-65535 0]<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345:
        STATE_V2_IPSEC_R: IPsec SA established tunnel mode
        {ESP=>0xd98dfdbf <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96
        NATOA=none NATD=none DPD=active}<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
        IKEv2 mode peer ID is ID_IPV4_ADDR: 'asaip'<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
        Authenticated using authby=secret<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
        negotiated connection [192.168.200.33-192.168.200.33:0-65535 0]
        -> [192.168.200.34-192.168.200.34:0-65535 0]<br clear="none">
        дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344:
        STATE_V2_IPSEC_I: IPsec SA established tunnel mode
        {ESP=>0x3956d69f <0x0b6fe415 xfrm=AES_CBC_256-HMAC_SHA1_96
        NATOA=none NATD=none DPD=active}<br clear="none">
        <br clear="none">
      </div>
      <div>from ASA side :<br clear="none">
      </div>
      <div>Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500
        Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation
        aborted due to ERROR: The peer's KE payload contained the wrong
        DH group<br clear="none">
        Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound
        LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip
        (user= libreswanip) has been deleted.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
        LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip
        (user= libreswanip) has been deleted.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2
        times: [ ESP request discarded from libreswanip to
        outside:asaip]<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500
        Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN.
        Reason: peer request<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group =
        libreswanip, Username = libreswanip, IP = libreswanip, Session
        disconnected. Session Type: LAN-to-LAN, Duration: 1h:00m:00s,
        Bytes xmt: 237319950, Bytes rcv: 122586307, Reason: User
        Requested<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500
        Remote:libreswanip:500 Username:Unknown IKEv2 Received request
        to establish an IPsec tunnel; local traffic selector = Address
        Range: 192.168.200.34-192.168.200.34 Protocol: 0 Port Range:
        0-65535 ; remote traffic selector = Address Range:
        192.168.200.33-192.168.200.33 Protocol: 0 Port Range: 0-65535 <br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500
        Remote:libreswanip:500 Username:Unknown IKEv2 Received a
        IKE_INIT_SA request<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
        Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason:
        New Connection Established<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved
        default group policy (DfltGrpPolicy) for user = libreswanip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound
        LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip
        (user= libreswanip) has been created.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
        LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip
        (user= libreswanip) has been created.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver:
        Packet received on asaip:500 from libreswanip:500<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500
        Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason:
        New Connection Established<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound
        LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip
        (user= libreswanip) has been deleted.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound
        LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip
        (user= libreswanip) has been deleted.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound
        LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip
        (user= libreswanip) has been created.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound
        LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip
        (user= libreswanip) has been created.<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2
        times: [ ESP request discarded from libreswanip to
        outside:asaip]<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3
        times: [ ESP request discarded from libreswanip to
        outside:asaip]<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
        Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request
        discarded from libreswanip to outside:asaip<br clear="none">
      </div>
      <div><br clear="none">
      </div>
      <div>As you can see, connections are created, but the ASA drops ESP
        packets...<br clear="none">
      </div>
      <div><br clear="none">
      </div>
      <div>Configuration:</div>
      <div><br clear="none">
      </div>
      <div>libreswan:<br clear="none">
      </div>
      <pre>conn peer
        left=libreswanip
        right=asaip
        leftsubnet=192.168.200.33/32
        rightsubnet=192.168.200.34/32
        ike=aes256-sha1;modp1024
        ikev2=insist
        pfs=yes
        ikelifetime=28800s
        phase2alg=aes256-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
        dpddelay=10
        dpdtimeout=2
        dpdaction=restart
        #dpdaction=hold
</pre>
      <div><br clear="none">
      </div>
      <div>asa:<br clear="none">
      </div>
      <pre>crypto ipsec ikev2 ipsec-proposal zabegalovo
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800

crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
crypto map russneft-ipsec 50 set peer libreswanip 
crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo

access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33 



right now I'm solving this with a script, which checks whether the other side is available by ping and restarts the connection if not:
/usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer


Could you tell me if something is wrong in my configuration?
Or is this an asa or libreswan bug?

Thank you!

</pre>
    </blockquote></div>
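<div>The failing rekey in the quoted logs above has a clear signature on both ends: on the libreswan side a CREATE_CHILD_SA rekey (STATE_V2_REKEY_CHILD_I) answered only by dropped INVALID_KE_PAYLOAD notifications until the 60-second retransmit timeout, and on the ASA side message 750003 "The peer's KE payload contained the wrong DH group". The script below is an added example, not code from the thread or from the libreswan project: it scans pluto and ASA syslog lines for that signature so the failure can be alerted on when it happens rather than discovered later as lost connectivity. The sample log lines are constructed from the pattern in the thread (host name, timestamps and state numbers are made up), and the regular expressions assume the default pluto and ASA syslog line layouts shown in the quoted post.</div>

```python
"""Added example (not from the libreswan list thread or either poster): pick the
IKEv2 child-SA rekey failure shown in the thread out of pluto and ASA syslog
lines, so it can be alerted on instead of being noticed as lost connectivity."""
import re
from dataclasses import dataclass

# One pluto line that carries a connection name and state number, e.g.
#   дек 24 08:55:36 host pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: ...
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+ +\d+ [\d:]+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
TIMEOUT_RE = re.compile(r'timeout exceeded after (\d+) retransmits')
# ASA message 750003 is the far side's view of the same failed negotiation.
ASA_RE = re.compile(r'%ASA-\d-750003: .*?Remote:(?P<peer>\S+) .*wrong DH group')

# Constructed sample input modelled on the thread's logs (not the real logs).
PLUTO_SAMPLE = """\
дек 24 08:55:36 gw pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
дек 24 08:55:36 gw pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
дек 24 08:55:37 gw pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
дек 24 08:55:37 gw pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
дек 24 08:56:40 gw pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our IKEv2 message
дек 24 08:56:40 gw pluto[5971]: "peer" #340: starting keying attempt 2 of an unlimited number
дек 24 09:00:06 gw pluto[5971]: "peer" #345: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
"""
ASA_SAMPLE = """\
Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
"""


@dataclass
class RekeyAttempt:
    """What pluto logged for one CREATE_CHILD_SA rekey it initiated."""
    conn: str
    state: int
    first_seen: str
    invalid_ke: int = 0      # INVALID_KE_PAYLOAD notifications it dropped
    retransmits: int = 0     # taken from the final timeout line, if any
    timed_out: bool = False

    def failed(self) -> bool:
        return self.timed_out or self.invalid_ke > 0


def scan_pluto(text: str) -> list:
    """Group rekey-related lines by (conn, state) and return one RekeyAttempt each."""
    attempts = {}
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue                      # lines without "conn" #state are not ours
        key = (m['conn'], int(m['state']))
        msg = m['msg']
        if msg.startswith('STATE_V2_REKEY_CHILD_I'):
            attempts.setdefault(key, RekeyAttempt(m['conn'], int(m['state']), m['ts']))
        attempt = attempts.get(key)
        if attempt is None:
            continue                      # this state never acted as a rekey initiator
        if 'INVALID_KE_PAYLOAD' in msg:
            attempt.invalid_ke += 1
        t = TIMEOUT_RE.search(msg)
        if t:
            attempt.timed_out = True
            attempt.retransmits = int(t.group(1))
    return list(attempts.values())


def scan_asa(text: str) -> list:
    """Peer addresses for which the ASA aborted an IKEv2 negotiation over the DH group."""
    return [m['peer'] for m in (ASA_RE.search(l) for l in text.splitlines()) if m]


def findings(pluto_text: str, asa_text: str = '') -> list:
    """Human-readable alerts; empty when every observed rekey completed cleanly."""
    out = []
    for a in scan_pluto(pluto_text):
        if not a.failed():
            continue
        detail = f'{a.invalid_ke} INVALID_KE_PAYLOAD'
        if a.timed_out:
            detail += f', timed out after {a.retransmits} retransmits'
        out.append(f'{a.conn} #{a.state} rekey failed (started {a.first_seen}): {detail}')
    for peer in scan_asa(asa_text):
        out.append(f'ASA aborted IKEv2 negotiation with {peer}: wrong DH group')
    return out


if __name__ == '__main__':
    for alert in findings(PLUTO_SAMPLE, ASA_SAMPLE):
        print(alert)
```

<div>Fed the journal (for example the output of journalctl -u ipsec) on the libreswan host and the ASA syslog feed, the script reports one line per failed rekey attempt and one per ASA 750003 abort; a clean rekey, where the new child SA is simply established, produces no finding. Because the state number ties the INVALID_KE_PAYLOAD drops and the final timeout to the same attempt, a single retransmitted notification is not reported twice.</div>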
    <div><br clear="none">
    </div>
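<div>The quoted post works around the failed rekeys with a script that pings the far side and runs ipsec auto --down / --up when the ping fails. As an added example, not the poster's script, the watchdog below does the same with a consecutive-failure threshold, so that a single probe lost while a rekey is in flight does not itself tear the tunnel down and cause the very outage it is meant to cure. It assumes the connection name "peer", the far-end tunnel address 192.168.200.34 and the /usr/sbin/ipsec path from the thread's configuration; the decision step is kept separate from the ping and restart commands so it can be exercised without a tunnel.</div>

```python
"""Added example (not the poster's script): a tunnel watchdog in the spirit of
the ping-and-restart workaround from the thread, with a failure threshold so one
lost probe during a rekey does not restart the connection.

Assumed from the thread's configuration: connection "peer", far-end tunnel
address 192.168.200.34, ipsec at /usr/sbin/ipsec."""
import subprocess
import time

CONN = 'peer'
PEER_ADDR = '192.168.200.34'
FAIL_THRESHOLD = 3          # consecutive failed probes before a restart
INTERVAL = 30               # seconds between probes
IPSEC = '/usr/sbin/ipsec'


def probe(addr: str = PEER_ADDR) -> bool:
    """One ICMP probe through the tunnel; True when the far side answered."""
    r = subprocess.run(['ping', '-c', '1', '-W', '2', addr],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def restart(conn: str = CONN) -> None:
    """The workaround from the thread: bring the connection down and up again."""
    subprocess.run([IPSEC, 'auto', '--down', conn], check=False)
    subprocess.run([IPSEC, 'auto', '--up', conn], check=False)


def next_state(failures: int, reachable: bool, threshold: int = FAIL_THRESHOLD):
    """Pure decision step: returns (new consecutive-failure count, restart now?).
    The counter resets on a successful probe and after a restart is issued."""
    if reachable:
        return 0, False
    failures += 1
    if failures >= threshold:
        return 0, True
    return failures, False


def watch(probe_fn=probe, restart_fn=restart, interval: int = INTERVAL, rounds=None) -> int:
    """Probe forever (or `rounds` times) and return the number of restarts issued.
    probe_fn/restart_fn are injectable so the loop can be tested without a tunnel."""
    failures, restarts, i = 0, 0, 0
    while rounds is None or i < rounds:
        failures, do_restart = next_state(failures, probe_fn())
        if do_restart:
            restart_fn()
            restarts += 1
        i += 1
        if rounds is None or i < rounds:
            time.sleep(interval)
    return restarts


if __name__ == '__main__':
    watch()
```

<div>Run as root under a service manager or cron on the libreswan host, it restarts the connection only after three missed probes in a row (about 90 seconds at the default interval), which is long enough to outlast the 60-second rekey retransmit window in the quoted log while still reacting faster than a manual check would.</div>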
  </div></div><div class="yqt8029551191" id="yqt08272">_______________________________________________<br clear="none">Swan mailing list<br clear="none"><a shape="rect" ymailto="mailto:Swan@lists.libreswan.org" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a><br clear="none"><a shape="rect" href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br clear="none"></div><br><br></div> </div> </div>  </div></div></body></html>