<div dir="ltr"><div>Hi Dmitry.</div><div>They sent me some screenshots of their side, but I don't think we can attach images here on the list, so i'll post the urls:</div><div><br></div><div><a href="https://i.imgur.com/0UKU8i1.png">https://i.imgur.com/0UKU8i1.png</a></div><div><a href="https://i.imgur.com/UBrdJm0.png">https://i.imgur.com/UBrdJm0.png</a></div><div><a href="https://i.imgur.com/DlGqT0N.png">https://i.imgur.com/DlGqT0N.png</a></div><div><br></div><div>I couldn't find any clue there. If needed I can try asking for a dump of the configuration from the remote site.</div><div><br></div><div>Thanks for your help!<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em sáb., 27 de mar. de 2021 às 10:31, Dmitry Melekhov <<a href="mailto:dm@belkam.com">dm@belkam.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><br>
</p>
<div>27.03.2021 00:32, Bruno пишет:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
Hi,<br>
I'm trying to connect to a remote site where they're using a
Cisco ASA 5555, but I'm consistently receiving the error:
INVALID_ID_INFORMATION.<br>
Phase 1 seems to be ok, the problem seems to be on phase 2. But
I'm pretty confident there isn't much to change on Libreswan
side.<br>
<br>
The admin from the remote site sent me an <span lang="en"><span><span>excerpt from their logs, which follows
below. I don't have much experience with Cisco but the
message "Rejecting IPSec tunnel: no matching crypto map
entry for remote proxy" seems to point to a possible cause
of the problem.<br>
I know this is the Libreswan list, not Cisco's, but what
I'm hoping to find is if anyone with enough experience
could tell if there are some special set of settings so
the Cisco device would connect to Libreswan, or if there
is something to do with the remote site's "crypto map".<br>
</span></span></span></div>
</blockquote>
<p><br>
</p>
<p>There is nothing special here, I run asa 5506 on one side and
libreswan on another and it works, although I have different
configuration.<br>
</p>
<p>Looks like configuration problem is on asa side, do you have
config?</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr"><span lang="en"><span><span> <br>
Another thing I'd like to point out that when starting the
connection on Libreswan, logs roll out like crazy,
something like 300 connection attempts in 10 seconds.<br>
</span></span></span><br>
On my side I'm using Libreswan 3.25, Linux 4.19.80.<br>
<br>
Thanks!<br>
<br>
<br>
---- Local conf<br>
<br>
conn zebes-tunnel<br>
type=tunnel<br>
authby=secret<br>
left=A.A.A.A<br>
leftid=A.A.A.A<br>
leftsubnet=<a href="http://10.4.218.0/24" target="_blank">10.4.218.0/24</a><br>
right=B.B.B.B<br>
rightid=B.B.B.B<br>
rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}<br>
ike=aes256-sha1;modp1536<br>
ikelifetime=86400s<br>
ikev2=no<br>
esp=aes256-sha1<br>
salifetime=3600s<br>
pfs=no<br>
auto=start<br>
<br>
<br>
---- Libreswan logs<br>
<br>
Mar 26 10:26:26.124744: initiating all conns with
alias='zebes-tunnel'<br>
Mar 26 10:26:26.160043: "zebes-tunnel/0x3" #2: STATE_MAIN_I2:
sent MI2, expecting MR2<br>
Mar 26 10:26:26.193605: "zebes-tunnel/0x3" #2: ignoring unknown
Vendor ID payload [e26481be08eae0fded3990cb0fc983cd]<br>
Mar 26 10:26:26.195213: "zebes-tunnel/0x3" #2: STATE_MAIN_I3:
sent MI3, expecting MR3<br>
Mar 26 10:26:26.227947: | protocol/port in Phase 1 ID Payload is
17/0. accepted with port_floating NAT-T<br>
Mar 26 10:26:26.227978: "zebes-tunnel/0x3" #2: Peer ID is
ID_IPV4_ADDR: 'B.B.B.B'<br>
Mar 26 10:26:26.228027: "zebes-tunnel/0x3" #2: STATE_MAIN_I4:
ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
integ=sha group=MODP1536}<br>
Mar 26 10:26:26.228059: "zebes-tunnel/0x1" #6: initiating Quick
Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:e90700c1 proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}<br>
Mar 26 10:26:26.228085: "zebes-tunnel/0x2" #7: initiating Quick
Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:f15bb82d proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}<br>
Mar 26 10:26:26.228208: "zebes-tunnel/0x3" #8: initiating Quick
Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:760985c2 proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}<br>
Mar 26 10:26:26.262645: "zebes-tunnel/0x3" #2: ignoring
informational payload INVALID_ID_INFORMATION, msgid=00000000,
length=160<br>
Mar 26 10:26:26.262667: | ISAKMP Notification Payload<br>
Mar 26 10:26:26.262674: | 00 00 00 a0 00 00 00 01 03 04 00
12<br>
Mar 26 10:26:26.262680: "zebes-tunnel/0x3" #2: received and
ignored informational message<br>
Mar 26 10:26:26.263371: "zebes-tunnel/0x3" #2: received Delete
SA payload: self-deleting ISAKMP State #2<br>
Mar 26 10:26:26.263431: "zebes-tunnel/0x3" #2: deleting state
(STATE_MAIN_I4) and sending notification<br>
Mar 26 10:26:26.263546: "zebes-tunnel/0x3" #2: reschedule
pending child #8 STATE_QUICK_I1 of connection "zebes-tunnel/0x3"
- the parent is going away<br>
Mar 26 10:26:26.263578: "zebes-tunnel/0x3" #2: reschedule
pending child #7 STATE_QUICK_I1 of connection "zebes-tunnel/0x2"
- the parent is going away<br>
Mar 26 10:26:26.263594: "zebes-tunnel/0x3" #2: reschedule
pending child #6 STATE_QUICK_I1 of connection "zebes-tunnel/0x1"
- the parent is going away<br>
Mar 26 10:26:26.263603: "zebes-tunnel/0x3" #2: deleting IKE SA
for connection 'zebes-tunnel/0x3' but connection is supposed to
remain up; schedule EVENT_REVIVE_CONNS<br>
Mar 26 10:26:26.263674: packet from B.B.B.B:500: received and
ignored empty informational notification payload<br>
Mar 26 10:26:26.263818: "zebes-tunnel/0x3" #8: deleting state
(STATE_QUICK_I1) and NOT sending notification<br>
Mar 26 10:26:26.263875: "zebes-tunnel/0x2" #7: deleting state
(STATE_QUICK_I1) and NOT sending notification<br>
Mar 26 10:26:26.263900: "zebes-tunnel/0x1" #6: deleting state
(STATE_QUICK_I1) and NOT sending notification<br>
<br>
<br>
---- Cisco ASA logs<br>
<br>
Group = A.A.A.A, IP = A.A.A.A, Sending p2 'Invalid ID info'
notify message with SPI ea69decf.<br>
Group = A.A.A.A, IP = A.A.A.A, sending notify message<br>
Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no
matching crypto map entry for remote proxy <a href="http://10.4.218.0/255.255.255.0/0/0" target="_blank">10.4.218.0/255.255.255.0/0/0</a> local
proxy <a href="http://192.168.100.0/255.255.255.224/0/0" target="_blank">192.168.100.0/255.255.255.224/0/0</a>
on interface OUTSIDE<br>
Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map
SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless
map when peer found in previous map entry.<br>
IP = A.A.A.A, Received DPD VID<br>
IP = A.A.A.A, processing SA payload<br>
IP = A.A.A.A, IKE_DECODE_RECEIVED Message (msgid=0) with
payloads: HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total
length : 208<br>
IKE Receiver: Packet received on B.B.B.B:500 from A.A.A.A:500<br>
Group = A.A.A.A, Username = A.A.A.A, IP A.A.A.A, Session
disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s,
Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found<br>
Group = A.A.A.A, IP = A.A.A.A, Session is being torn down.
Reason: crypto map policy not found<br>
IP = A.A.A.A, IKE_DECODE_SENDING Message (msgid=95cd13f8) with
payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length
: 80<br>
Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload<br>
Group = A.A.A.A, IP = A.A.A.A, constructing IKE delete payload<br>
Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload<br>
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason
message<br>
Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:25efb702 terminating:
flags 0x1000002, refcnt 0, tuncnt 0<br>
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator
table failed, no match!<br>
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator
table failed, no match!<br>
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason
message<br>
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason
message<br>
(VPN-Primary) Sending Phase 1 Terminate message (type L2L,
remote addr A.A.A.A, my cookie BBBB1111, his cookie AAAA0000) to
standby unit<br>
Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1MIB Table
succeeded for SA with logical ID 111111111<br>
Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1 Tunnel Table
succeeded for SA with logicalId 111111111<br>
Group = A.A.A.A, IP = A.A.A.A, IKE SA MM: BBBB1111 rcv'd
Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 2<br>
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator
table failed, no match!<br>
IP = A.A.A.A, IKE Responder starting QM: msg id = ba6018a2<br>
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map =
OUTSIDE_map, seq = 42, ACL does not match proxy IDs
src:10.4.218.0 dst:192.168.100.0<br>
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking
map = OUTSIDE_map, seq = 42...<br>
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking
map = OUTSIDE_map, seq = 41...<br>
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking
map = OUTSIDE_map, seq = 40...<br>
<br>
<br>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Swan mailing list
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
</blockquote></div>