<html><head></head><body><div class="ydp67c987d6yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div><br></div></div><div id="ydp20a63632yahoo_quoted_7608489958" class="ydp20a63632yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div><div id="ydp20a63632yiv2709853470"><div><div class="ydp20a63632yiv2709853470ydp48022993yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr">Hi All:</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Further to this, I since searched the email lists and found that libreswan does NOT support asymmetric PSK keys. That is "very" disappointing since the ikev2 RFC supports this.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Any possibility of getting this added?</div><div dir="ltr">Asymmetric keys are a step up from using a common key for all remote hosts.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Cheers,</div><div dir="ltr">John</div><div><br clear="none"></div>
</div><div class="ydp20a63632yiv2709853470yqt2955083448" id="ydp20a63632yiv2709853470yqt31821"><div class="ydp20a63632yiv2709853470yahoo_quoted" id="ydp20a63632yiv2709853470yahoo_quoted_8444920506">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Wednesday, December 9, 2020, 10:11:21 PM GMT+8, John Serink <jserink2004@yahoo.com> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="ydp20a63632yiv2709853470"><div><div class="ydp20a63632yiv2709853470yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div dir="ltr">Hi All:</div><div dir="ltr"><br clear="none"></div><div dir="ltr">My system:</div><div dir="ltr"><div><div>jserink@jserinki7 ~ $ ipsec --version</div><div>Linux Libreswan 3.29 (netkey) on 5.4.80-gentoo-r1</div><div><br clear="none"></div></div>Cisco Version:</div><div dir="ltr"><div><div>Cisco IOS XE Software, Version 16.12.04</div><div>Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)</div><div><br clear="none"></div></div><br clear="none"></div><div dir="ltr">I am trying to get a session working from my laptop to my IOS router using ikev2. I have it working using ikev1 fine but want to get it up using asymmetric keys to the Cisco.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Here is the my laptop end:</div><div dir="ltr"><div><div>jserinki7 /home/jserink # ipsec auto --up SOIUKUP2</div><div>002 "SOIUKUP2" #1: initiating v2 parent SA</div><div>133 "SOIUKUP2" #1: initiate</div><div>002 "SOIUKUP2": constructed local IKE proposals for SOIUKUP2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048</div><div>133 "SOIUKUP2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1</div><div>002 "SOIUKUP2": constructed local ESP/AH proposals for SOIUKUP2 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED</div><div>134 "SOIUKUP2" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}</div><div>002 "SOIUKUP2" #2: IKEv2 mode peer ID is ID_KEY_ID: '@#0x4343726f75746572'</div><div>003 "SOIUKUP2" #2: AUTH mismatch: Received AUTH != computed AUTH</div><div>002 "SOIUKUP2" #2: PSK Authentication failed: AUTH mismatch in R2 Auth Payload!</div><div>036 "SOIUKUP2" #2: encountered fatal error in state STATE_PARENT_I2</div><div><br clear="none"></div></div><br clear="none"></div><div dir="ltr">According to ipsec, the connection failed. </div><div dir="ltr"><br clear="none"></div><div dir="ltr">But look at the Cisco end:</div><div dir="ltr"><div><div>Dec 9 13:40:51.723: IKEv2:(SESSION ID = 95705,SA ID = 53):Get my authentication method</div><div>Dec 9 13:40:51.723: IKEv2:(SESSION ID = 95705,SA ID = 53):My authentication method is 'PSK'</div><div>Dec 9 13:40:51.723: IKEv2:(SESSION ID = 95705,SA ID = 53):Get peer's preshared key for jserink</div><div>Dec 9 13:40:51.723: IKEv2:(SESSION ID = 95705,SA ID = 53):Generate my authentication data</div><div>Dec 9 13:40:51.723: IKEv2:(SESSION ID = 95705,SA ID = 53):Use preshared key for id CCrouter, key len 36</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):Get my authentication method</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):My authentication method is 'PSK'</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):Generating IKE_AUTH message</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):Constructing IDr payload: 'CCrouter' of type 'key ID'</div><div>Dec 9 13:40:51.724: IKEv2:(SESSION ID = 95705,SA ID = 53):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), </div><div>Num. transforms: 3</div><div> AES-CBC SHA256 Don't use ESN</div><div>Dec 9 13:40:51.725: IKEv2:(SESSION ID = 95705,SA ID = 53):Building packet for encryption. </div><div>Payload contents: </div><div> VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) </div><div><br clear="none"></div><div>Dec 9 13:40:51.725: IKEv2:(SESSION ID = 95705,SA ID = 53):Sending Packet [To 220.255.242.218:4500/From 103.205.244.106:4500/VRF i0:f0] </div><div>Initiator SPI : FC31A66839097ABB - Responder SPI : D17B8C298659627C Message id: 1</div><div>IKEv2 IKE_AUTH Exchange RESPONSE </div><div>Payload contents: </div><div> ENCR </div><div><br clear="none"></div><div>Dec 9 13:40:51.726: IKEv2:(SESSION ID = 95705,SA ID = 53):IKEV2 SA created; inserting SA into database. SA lifetime timer (14400 sec) started</div><div>Dec 9 13:40:51.726: IKEv2:(SESSION ID = 95705,SA ID = 53):Session with IKE ID PAIR (jserink, CCrouter) is UP</div><div>Dec 9 13:40:51.726: IKEv2:(SESSION ID = 95705,SA ID = 53):Initializing DPD, configured for 0 seconds</div><div>Dec 9 13:40:51.726: IKEv2:(SESSION ID = 0,SA ID = 0):IKEv2 MIB tunnel started, tunnel index 53</div><div>Dec 9 13:40:51.726: IKEv2:(SESSION ID = 95705,SA ID = 53):Load IPSEC key material</div><div>Dec 9 13:40:51.727: IKEv2:(SESSION ID = 95705,SA ID = 53):(SA ID = 53):[IKEv2 -> IPsec] Create IPsec SA into IPsec database</div><div>Dec 9 13:40:51.740: IKEv2:(SESSION ID = 95705,SA ID = 53):(SA ID = 53):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED</div><div>Dec 9 13:40:51.740: IKEv2:(SESSION ID = 95705,SA ID = 53):Checking for duplicate IKEv2 SA</div><div>Dec 9 13:40:51.741: IKEv2:(SESSION ID = 95705,SA ID = 53):No duplicate IKEv2 SA found</div><div>Dec 9 13:40:51.741: IKEv2:(SESSION ID = 95705,SA ID = 53):Starting timer (8 sec) to delete negotiation context</div></div><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr">The Cisco is happy, it thinks the session is up and shows my laptop in the "sh crypto session br" listing.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Here is my "redacted" ipsec.conf:</div><div dir="ltr"><div><div>conn SOIUKUP2</div><div> keyingtries=0</div><div> left=%defaultroute</div><div> leftsourceip=2.2.22.22</div><div> leftsubnet=2.2.22.22/32</div><div> leftid=@[jserink]</div><div> leftauth=secret</div><div> rightauth=secret</div><div> ike=aes256-sha2;modp2048</div><div> phase2alg=aes256-sha2;modp2048</div><div> auto=add</div><div> type=tunnel</div><div> right=A.B.C.D</div><div> rightsubnet=1.1.1.10/32</div><div> rightsourceip=1.1.1.10</div><div> rightid=@[CCrouter]</div><div> fragmentation=yes</div><div> dpdtimeout=30</div><div> dpdaction=restart</div><div> ikev2=yes</div><div> pfs=yes</div><div><br clear="none"></div></div><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr">And the ipsec.secrets:</div><div dir="ltr"><div><div dir="ltr">@[jserink] : PSK "Here is my psk for jserink"</div><div dir="ltr">@[CCrouter] : PSK "Here is my psk for CCrouter"</div><div>include /etc/ipsec.d/*.secrets</div><div><br clear="none"></div></div><div dir="ltr">Note I have a tap0 interface setup:</div><div dir="ltr"><div><div>jserinki7 /home/jserink # ip addr show tap0</div><div>4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000</div><div> link/ether 56:27:58:1b:bc:e9 brd ff:ff:ff:ff:ff:ff</div><div> inet 192.168.100.1/24 brd 192.168.100.255 scope global tap0</div><div> valid_lft forever preferred_lft forever</div><div> inet 2.2.22.22/32 scope global tap0</div><div> valid_lft forever preferred_lft forever</div><div> inet6 fe80::5427:58ff:fe1b:bce9/64 scope link </div><div> valid_lft forever preferred_lft forever</div></div><br clear="none"></div><div dir="ltr">i use the tap0 2.2.22.22 and the Cisco loopback1 as my ipsec and gre endpoints.</div><div><br clear="none"></div><div><br clear="none"></div><div dir="ltr">Cisco end:</div><div dir="ltr"><div><div>no crypto ikev2 proposal default</div><div>crypto ikev2 proposal ikev2-prop-one </div><div> encryption aes-cbc-256</div><div> integrity sha256</div><div> group 14</div><div><br clear="none"></div></div><div><div>crypto ikev2 policy SOIpolicy </div><div> proposal ikev2-prop-one</div><div>no crypto ikev2 policy default</div><div><br clear="none"></div><div dir="ltr"><span>crypto ikev2 keyring SOIkeyring</span><br clear="none"></div><div dir="ltr"><div><div> peer jserink</div><div> identity key-id jserink</div><div dir="ltr"> pre-shared-key remote Here is my psk for jserink</div><div> !</div><div dir="ltr"><span>crypto ikev2 profile SOIprofile</span><br clear="none"></div></div><div dir="ltr"> match identity remote key-id jserink<br clear="none"></div><div dir="ltr"><div><div> identity local key-id CCrouter</div><div> authentication remote pre-share</div><div> authentication local pre-share key Here is my psk for CCrouter</div><div> keyring local SOIkeyring</div><div> lifetime 14400</div><div> dpd 30 2 on-demand</div><div> nat force-encap</div><div> initial-contact force</div><div><br clear="none"></div></div><div><div>crypto ikev2 window 6</div><div>crypto ikev2 fragmentation mtu 512</div><div><br clear="none"></div><div dir="ltr"><div><div>crypto dynamic-map mainmap 100</div><div> description Dynamic map for the CORS sites using ikev2</div><div> set security-association lifetime kilobytes disable</div><div> set security-association lifetime seconds 14400</div><div> set transform-set mainset </div><div> set pfs group14</div><div> set ikev2-profile SOIprofile</div><div><br clear="none"></div></div><div><div>crypto ipsec transform-set mainset esp-aes 256 esp-sha256-hmac </div><div> mode tunnel</div><div><br clear="none"></div></div><br clear="none"></div><div dir="ltr"><div><div>crypto map soimainmap 100 ipsec-isakmp dynamic mainmap </div><div><br clear="none"></div></div><br clear="none"></div></div><div><div>interface Loopback1</div><div> description new address to use for admin to avoid 1.1.1.1</div><div> ip address 1.1.1.10 255.255.255.255</div><div> no ip redirects</div><div> no ip unreachables</div><div>!</div><div><br clear="none"></div></div><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr">So, I've got 62 x Digi WR21s connected using IKEv2 currently on the system and am experimenting with using a small linux based router to replace the Digis as we're have NAT-T issues with the Digis and support problems.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Anyhow, so.....</div><div dir="ltr">As above, the Cisco thinks we have negotiated a bunch of SAs....libreswan disagrees.</div><div dir="ltr">Can anyone see where my configs for libreswan are wrong? I'm sure there are loads of mistakes.</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Cheers,</div><div dir="ltr">John</div></div><div><br clear="none"></div></div><br clear="none"></div><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr"><br clear="none"></div></div></div></div></div>
</div>
</div></div></div></div></div>
</div>
</div></body></html>