On Mon, 13 May 2019, Dmitry Melekhov wrote:

To: [email protected]
Subject: Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group

Well, hit the same problem on EdgeOS which runs strongswan.

Looks like this problem is caused by mobike in all cases.
Disabled.

Odd?

Note that strongswan does not implement the RFC processing of DH group
and KE payload to the letter, unless you set charon.prefer_configured_proposals
to "no". Meaning if the initiator and strongswan responder share some DH
groups including the initiator's preferred pick for which it built the KE
payload, strongswan still rejects the valid proposal and insists the
initiator uses the single preferred responder proposal and its matching
KE payload.

Paul

We'll see...


On 24.12.2018 9:56, Dmitry Melekhov wrote:

      Hello!

      I run a Cisco ASA 5506-X (asa992-36) and libreswan on the other side, CentOS 7.6; ipsec --version:
      Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64


      And sometimes, several times per day, I have a rekeying problem.

      From the libreswan side it looks like:


      дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: local 
ESP/AH proposals for peer (ESP/AH initiator emitting proposals):
      1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
      дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
      дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
      дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for response
      дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for response
      дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for response
      дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for response
      дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for response
      дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for response
      дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping 
unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD
      notification; message payloads: SK; encrypted payloads: N; missing 
payloads: SA,Ni,TSi,TSr
      дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: 
STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 retransmits.  No
      response (or no acceptable response) to our IKEv2 message
      дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: starting 
keying attempt 2 of an unlimited number
      дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: local 
ESP/AH proposals for peer (ESP/AH initiator emitting proposals):
      1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
      дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: deleting 
state (STATE_V2_REKEY_CHILD_I) and NOT sending notification
      дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: message 
id deadlock? wait sending, add to send next list using parent #337
      unacknowledged 1 next message id=1 ike exchange window 1

      дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: deleting 
state (STATE_V2_CREATE_I0) and NOT sending notification
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: deleting 
state (STATE_V2_IPSEC_R) and sending notification
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: ESP 
traffic information: in=226MB out=117MB
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire unused parent SA #337 
"peer"
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: received 
delete request for PROTO_v2_ESP SA(0xf257a6bd) but corresponding state
      not found
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: ISAKMP 
SA expired (LATEST!)
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: deleting 
state (STATE_PARENT_R2) and sending notification
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
88.80.32.210:500: INFORMATIONAL message request has no corresponding IKE SA
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no matching IKE 
SA
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: assign_holdpass() no 
bare shunt to remove? - mismatch?
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on demand 
from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because: acquire
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
initiating v2 parent SA
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
asaip:500: ignoring unknown Vendor ID payload
      [434953434f28434f505952494748542926436f70797269676874202863292032...]
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 
asaip:500: proposal
      1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
chosen from remote proposals
      
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: 
STATE_PARENT_I1: sent v2I1, expected v2R1
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256
      integ=sha1_96 prf=sha group=MODP1024}
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: local 
ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH proposals):
      1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256
      integ=sha1_96 prf=sha group=MODP1024}
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: IKEv2 
mode peer ID is ID_IPV4_ADDR: '88.80.32.210'
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: 
Authenticated using authby=secret
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: local 
ESP/AH proposals for peer (IKE SA responder matching remote ESP/AH
      proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: proposal 
1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
      chosen from remote proposals 
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: received 
unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: negotiated 
connection [192.168.200.33-192.168.200.33:0-65535 0] ->
      [192.168.200.34-192.168.200.34:0-65535 0]
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: 
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf <0xd5eba6e1
      xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: IKEv2 
mode peer ID is ID_IPV4_ADDR: 'asaip'
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
Authenticated using authby=secret
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: negotiated 
connection [192.168.200.33-192.168.200.33:0-65535 0] ->
      [192.168.200.34-192.168.200.34:0-65535 0]
      дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: 
STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x3956d69f <0x0b6fe415
      xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}

      From the ASA side:

      Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 
Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted due to 
ERROR:
      The peer's KE payload contained the wrong DH group
      Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip (user= 
libreswanip)
      has been deleted.
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip (user= 
libreswanip)
      has been deleted.
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 times: [ 
ESP request discarded from libreswanip to outside:asaip]
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500 
Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason: peer request
      Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group = libreswanip, 
Username = libreswanip, IP = libreswanip, Session disconnected. Session Type:
      LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt: 237319950, Bytes rcv: 
122586307, Reason: User Requested
      Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500 
Remote:libreswanip:500 Username:Unknown IKEv2 Received request to establish an 
IPsec
      tunnel; local traffic selector = Address Range: 
192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ; remote traffic 
selector = Address
      Range: 192.168.200.33-192.168.200.33 Protocol: 0 Port Range: 0-65535
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500 
Remote:libreswanip:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New Connection
      Established
      Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved default group 
policy (DfltGrpPolicy) for user = libreswanip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
libreswanip)
      has been created.
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip (user= 
libreswanip)
      has been created.
      Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet 
received on asaip:500 from libreswanip:500
      Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 
Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New Connection
      Established
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound 
LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= 
libreswanip)
      has been deleted.
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip (user= 
libreswanip)
      has been deleted.
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound 
LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip (user= 
libreswanip)
      has been created.
      Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip (user= 
libreswanip)
      has been created.
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 times: [ 
ESP request discarded from libreswanip to outside:asaip]
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3 times: [ 
ESP request discarded from libreswanip to outside:asaip]
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip
      Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from 
libreswanip to outside:asaip


      As you can see, connections are created, but the ASA drops ESP packets...


      Configuration:


      libreswan:

      conn peer
              left=libreswanip
              right=asaip
              leftsubnet=192.168.200.33/32
              rightsubnet=192.168.200.34/32
              ike=aes256-sha1;modp1024
              ikev2=insist
              pfs=yes
              ikelifetime=28800s
              phase2alg=aes256-sha1
              keylife=3600s
              rekeymargin=540s
              type=tunnel
              compress=no
              authby=secret
              auto=start
              keyingtries=%forever
              dpddelay=10
              dpdtimeout=2
              dpdaction=restart
              #dpdaction=hold


      asa:

crypto ipsec ikev2 ipsec-proposal zabegalovo
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800

crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
crypto map russneft-ipsec 50 set peer libreswanip
crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo

access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33


Right now I'm solving this with a script, which checks by ping whether the other
side is available and restarts the connection if not:
/usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer


Could you tell me if something is wrong in my configuration?
Or is this an ASA or libreswan bug?

Thank you!




_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
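Added example, not code from the thread or from either project: a small Python model of the two responder behaviours Paul describes (accepting the initiator's KE group when it is acceptable, versus insisting on the responder's own preferred group and answering INVALID_KE_PAYLOAD) and of the retransmit back-off that ends in the "60 second timeout exceeded after 7 retransmits" line in Dmitry's log. The group lists are constructed, and `prefer_configured` only stands in for the charon.prefer_configured_proposals setting as described above.

```python
"""Toy model of IKEv2 DH group selection (RFC 7296 section 2.7) and of the
retransmit back-off seen in the thread's log. Added example: group lists are
constructed; `prefer_configured` stands in for strongswan's
charon.prefer_configured_proposals as described in the thread, not its code."""
from typing import List, Optional, Tuple

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"

def responder_select(offered: List[str], ke_group: str, configured: List[str],
                     prefer_configured: bool) -> Tuple[Optional[str], Optional[str]]:
    """Responder's choice: (group, notify). `offered` = groups in the initiator's
    SA payload, `ke_group` = the one its KE payload was built for, `configured`
    = the responder's acceptable groups; both lists in preference order."""
    overlap = [g for g in configured if g in offered]
    if not overlap:
        return None, NO_PROPOSAL_CHOSEN
    if prefer_configured or ke_group not in overlap:
        chosen = overlap[0]   # responder's own favourite from the overlap
    else:
        chosen = ke_group     # initiator's guess is acceptable: no extra round trip
    # A KE payload for another group is unusable: name the group the initiator must send.
    return chosen, (INVALID_KE_PAYLOAD if chosen != ke_group else None)

def run_exchange(offered: List[str], ke_group: str, configured: List[str],
                 prefer_configured: bool, retry_on_invalid_ke: bool = True):
    """Drive both sides; return (agreed_group, round_trips). retry_on_invalid_ke=False
    models the initiator in the log, which drops the notify as unexpected."""
    group, trips = ke_group, 0
    while trips < 3:          # a correct exchange needs at most one retry
        trips += 1
        chosen, notify = responder_select(offered, group, configured, prefer_configured)
        if notify is None:
            return chosen, trips
        if notify == INVALID_KE_PAYLOAD and retry_on_invalid_ke:
            group = chosen    # RFC 7296: retry with the indicated group
            continue
        return None, trips    # NO_PROPOSAL_CHOSEN, or notify ignored: no SA
    return None, trips

def retransmit_schedule(timeout: float = 60.0, first_wait: float = 0.5) -> List[float]:
    """Doubling waits (0.5, 1, 2, ... s) until the cumulative wait exceeds the timeout."""
    waits, elapsed, wait = [], 0.0, first_wait
    while elapsed < timeout:
        waits.append(wait)
        elapsed += wait
        wait *= 2
    return waits

if __name__ == "__main__":
    offered, configured = ["MODP2048", "MODP1024"], ["MODP1024", "MODP2048"]  # constructed
    print(run_exchange(offered, "MODP2048", configured, False))         # ('MODP2048', 1)
    print(run_exchange(offered, "MODP2048", configured, True))          # ('MODP1024', 2)
    print(run_exchange(offered, "MODP2048", configured, True, False))   # (None, 1)
    print(len(retransmit_schedule()), "retransmits before timeout")     # 7, as in the log
```

The third call reproduces the shape of the log above: the responder keeps answering INVALID_KE_PAYLOAD, the initiator never switches group, and the exchange ends only when the retransmit schedule runs out.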
