<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">Hi everyone,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">I hope this is the right place to ask about a phase 1 connection problem, and that there is enough information here to describe it.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">I am working on a VPN connection between two peers, a Cisco ASA and a Libreswan on Amazon Linux 2 (RHEL-based).</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">The peer I am configuring is the Libreswan one, because the Cisco peer has an already defined configuration shared with other connections.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">I think we are facing issues with the IKE algorithms.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">The Cisco peer has the following configuration:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">- pfs group14</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">- ikev2 ipsec-proposal AES256-SHA256</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">- security-association lifetime seconds 28800</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">So the Libreswan side is configured in ipsec.d/vpn.conf with similar parameters, using the latest version from the yum repository, 3.25:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">conn vpn<br>    type=tunnel<br><b>    authby=secret<br></b>    auto=start<br>    left=%defaultroute<br>    leftid=xxx.xxx.xxx.120<br>    leftsubnets=10.xxx.xxx.xxx/28<br>    right=xxx.xxx.xxx.45<br>    rightsubnets=xxx.xxx.xxx.17/32<br>    leftsourceip=xxx.xxx.xxx.92<br>    leftnexthop=%defaultroute<br><b>    ikev2=insist<br></b>    <b>ike=aes256-sha2;dh14</b><br>    keyexchange=ike<br>    <b>ikelifetime=28800s</b><br>    salifetime=28800s<br>    dpddelay=30<br>    dpdtimeout=120<br>    dpdaction=restart<br>    remote_peer_type=cisco<br>    aggrmode=yes<br>    initial-contact=yes<br>    encapsulation=no</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">The log file is attached; it shows the following failure message:<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">Mar  8 12:33:25.539914: | #2 ikev2 ISAKMP_v2_AUTH decrypt success<br>Mar  8 12:33:25.539968: | Now let's proceed with payload (ISAKMP_NEXT_v2N)<br>Mar  8 12:33:25.540003: | **parse IKEv2 Notify Payload:<br>Mar  8 12:33:25.540034: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)<br>Mar  8 12:33:25.540105: |    flags: none (0x0)<br>Mar  8 12:33:25.540140: |    length: 8 (0x8)<br>Mar  8 12:33:25.540170: |    Protocol ID: PROTO_v2_IKE (0x1)<br>Mar  8 12:33:25.540238: |    SPI size: 0 (0x0)<br>Mar  8 12:33:25.540275: |    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)<br>Mar  8 12:33:25.540301: | processing payload: ISAKMP_NEXT_v2N (len=8)<br>Mar  8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification<br>Mar  8 12:33:25.540349: | Now lets proceed with state specific processing<br>Mar  8 12:33:25.540407: | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification<br>Mar  8 12:33:25.540444: "vpn/1x1" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">On the other side, the Cisco peer shows a problem at IKE negotiation step 4; it continues negotiating until step 7, when there is a message referring to the failure in step 4.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">I would appreciate any help with this issue.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">Thanks in advance,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)">Best regards</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>
<p><b>Miguel Ponce Antolín</b><br>
Sistemas · +34 670 360 655<br>
<a href="https://www.paradigmadigital.com/" target="_blank">paradig.ma</a> · <a href="https://www.paradigmadigital.com/contacto" target="_blank">contáctanos</a></p>
</div></div></div></div></div></div></div></div>
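<p>Added example (not part of the message above and not Libreswan code): a small Python triage script that reads Libreswan debug lines of the shape quoted in the message, groups the notify payloads and decrypt results by IKE SA number, and maps each error notify to the IKEv2 exchange in which it is decided (RFC 7296 section 3.10.1). The point it makes explicit is the distinction between a proposal-stage failure, which comes back as NO_PROPOSAL_CHOSEN or INVALID_KE_PAYLOAD in IKE_SA_INIT, and AUTHENTICATION_FAILED, which can only be sent in IKE_AUTH, after the proposal and key exchange have already been accepted. The sample lines for SA #2 are copied from the quoted log; the SA #5 lines are constructed to show the other case and are marked as such.</p>

```python
import re
from dataclasses import dataclass, field

# IKEv2 error notify types from RFC 7296, section 3.10.1, keyed by numeric code.
RFC7296_NOTIFY_ERRORS = {
    1: "UNSUPPORTED_CRITICAL_PAYLOAD", 4: "INVALID_IKE_SPI", 5: "INVALID_MAJOR_VERSION",
    7: "INVALID_SYNTAX", 9: "INVALID_MESSAGE_ID", 11: "INVALID_SPI",
    14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
    34: "SINGLE_PAIR_REQUIRED", 35: "NO_ADDITIONAL_SAS", 36: "INTERNAL_ADDRESS_FAILURE",
    37: "FAILED_CP_REQUIRED", 38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS",
    43: "TEMPORARY_FAILURE", 44: "CHILD_SA_NOT_FOUND",
}

# Errors decided in IKE_SA_INIT (proposal / DH group) versus in IKE_AUTH.
PROPOSAL_STAGE = {"NO_PROPOSAL_CHOSEN", "INVALID_KE_PAYLOAD"}
AUTH_STAGE = {"AUTHENTICATION_FAILED"}

# Patterns modeled on the Libreswan 3.x debug lines quoted in the message.
TS_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+: (?P<rest>.*)$")
SA_RE = re.compile(r"#(?P<sa>\d+)")
DECRYPT_RE = re.compile(r"#\d+ ikev2 (?P<exch>ISAKMP_v2_\w+) decrypt success")
NOTIFY_RE = re.compile(r"Notify Message Type: (?P<name>v2N_\w+) \((?P<code>0x[0-9a-fA-F]+)\)")
REJECT_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')


@dataclass
class SaTrace:
    sa: int
    conn: str = ""
    decrypted: list = field(default_factory=list)   # exchanges that decrypted OK
    notifies: list = field(default_factory=list)    # (libreswan name, numeric code)
    rejections: list = field(default_factory=list)  # operator-level rejection lines


def parse_log(lines):
    """Group decrypt / notify / rejection events by IKE SA number (#N).

    Payload dump lines carry no SA number, so they are attributed to the most
    recently mentioned SA, which is how the debug output interleaves them.
    """
    traces, current = {}, None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        sa_m = SA_RE.search(rest)
        if sa_m:
            current = int(sa_m.group("sa"))
            traces.setdefault(current, SaTrace(current))
        if current is None:
            continue
        trace = traces[current]
        d = DECRYPT_RE.search(rest)
        if d:
            trace.decrypted.append(d.group("exch"))
        n = NOTIFY_RE.search(rest)
        if n:
            trace.notifies.append((n.group("name"), int(n.group("code"), 16)))
        r = REJECT_RE.search(rest)
        if r:
            trace.conn = r.group("conn")
            trace.rejections.append(r.group("msg"))
    return traces


def classify(trace):
    """Return (stage, explanation) for the first RFC 7296 error notify on the SA."""
    for name, code in trace.notifies:
        rfc_name = RFC7296_NOTIFY_ERRORS.get(code)
        if rfc_name is None:
            continue  # status notify (code >= 16384) or unknown code: not a failure
        label = f"{name} = {rfc_name} ({code})"
        if rfc_name in PROPOSAL_STAGE:
            return "proposal", f"{label}: peer rejected the IKE_SA_INIT proposal or DH group"
        if rfc_name in AUTH_STAGE:
            why = ("IKE_AUTH reply decrypted, so the IKE proposal and key exchange were "
                   "already accepted; " if "ISAKMP_v2_AUTH" in trace.decrypted else "")
            return "auth", f"{label}: {why}peer rejected the AUTH payload or ID"
        return "other", label
    return "ok", "no error notify seen"


def summarize(log_text):
    """Map SA number -> (stage, explanation) for every SA seen in the log."""
    return {sa: classify(t) for sa, t in parse_log(log_text.splitlines()).items()}


# Constructed sample: SA #2 lines copied from the quoted log, SA #5 lines
# constructed to show a proposal-stage failure in the same line format.
SAMPLE_LOG = """\
Mar  8 12:33:25.539914: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Mar  8 12:33:25.540003: | **parse IKEv2 Notify Payload:
Mar  8 12:33:25.540170: |    Protocol ID: PROTO_v2_IKE (0x1)
Mar  8 12:33:25.540275: |    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
Mar  8 12:33:25.540444: "vpn/1x1" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
Mar  8 12:40:01.000000: | #5 ikev2 ISAKMP_v2_SA_INIT reply (constructed sample line)
Mar  8 12:40:01.000050: |    Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
"""

if __name__ == "__main__":
    for sa, (stage, why) in summarize(SAMPLE_LOG).items():
        print(f"#{sa}: {stage}: {why}")
```

<p>Run against a real <code>ipsec.log</code> with <code>summarize(open("ipsec.log").read())</code>. A "proposal" result points at the ike=/esp= and DH group settings; an "auth" result after a successful IKE_AUTH decrypt means the peers already agreed on the IKE SA crypto, so the thing to compare is what each side sends and expects in the AUTH exchange (identity and shared secret), not the algorithm lists.</p>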