Hi,

The other peer has some problem with it. Review its logs.
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

Kind regards

Noel

On 09.05.20 at 16:20, Jim Geurts wrote:
> Hi,
> 
> I'm new to the world of strongswan and vpns in general, so I apologize if 
> this is answered elsewhere. I inherited a strongSwan box running Linux 
> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco 
> ASA5585X. The connection was up and running a few days ago, but I've been 
> trying to get auto=route working (it was previously auto=start) and that 
> caused the tunnel to go up/down a couple times. Now the tunnel will not 
> establish a connection. To me, it seems like it's the phase 2 establishment 
> that is failing, but I'm curious if someone could help clear up what is going 
> on or which part is failing?
> 
> My understanding (waiting for verification) is that the configured settings 
> for the tunnel from the cisco side are:
> 
> Phase 1
>   Encryption algorithm: AES-256
>   Hash algorithm: SHA-512
>   DH Group: 14
>   Lifetime: 28800 (seconds)
> 
> Phase 2:
>   Mode: IKE V2 Tunnel
>   ESP Encryption algorithm: AES-256
>   ESP Hash algorithm: SHA-512
>   PFS: DH Group 14
>   Lifetime: 3600 (seconds)
> 
> I have the following ipsec.conf file for the tunnel:
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
> 
> conn %default
>         ikelifetime=480m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
> 
> conn FOO
>         leftid=205.251.242.103
>         left=172.30.101.187
>         leftsubnet=205.251.242.103/32
>         leftupdown=/tmp/vpn/firewall-rules.sh
>         right=176.32.98.166
>         rightsubnet=104.40.92.107/32
>         ike=aes256-sha512-modp2048!
>         keyexchange=ikev2
>         esp=aes256-sha2_512-modp2048!
>         rekeymargin=9m
>         type=tunnel
>         compress=no
>         authby=secret
>         auto=route
>         keyingtries=%forever
>         forceencaps=yes
>         mobike=no
> 
> 
> ipsec statusall gives the following:
> 
> Status of IKE charon daemon (strongSwan 5.7.2, Linux 
> 4.14.177-139.253.amzn2.x86_64, x86_64):
>   uptime: 19 hours, since May 08 18:56:20 2020
>   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 0
>   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 
> random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 
> pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly 
> xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default 
> farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp 
> eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls 
> eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led 
> duplicheck unity counters
> Listening IP addresses:
>   172.30.101.187
> Connections:
>          FOO:  172.30.101.187...176.32.98.166  IKEv2
>          FOO:   local:  [205.251.242.103] uses pre-shared key authentication
>          FOO:   remote: [176.32.98.166] uses pre-shared key authentication
>          FOO:   child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
> Routed Connections:
>          FOO{1}:  ROUTED, TUNNEL, reqid 1
>          FOO{1}:   205.251.242.103/32 === 104.40.92.107/32
> Security Associations (0 up, 0 connecting):
>   none
> 
> 
> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try to 
> bring the tunnel up manually using ipsec up FOO, I get the following:
> 
> initiating IKE_SA FOO[1] to 176.32.98.166
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) 
> CERTREQ N(FRAG_SUP) V ]
> received Cisco Delete Reason vendor ID
> received Cisco Copyright (c) 2009 vendor ID
> received FRAGMENTATION vendor ID
> selected proposal: 
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> authentication of '205.251.242.103' (myself) with pre-shared key
> establishing CHILD_SA FOO{2}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304 bytes)
> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208 bytes)
> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
> authentication of '176.32.98.166' with pre-shared key successful
> IKE_SA FOO[1] established between 
> 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
> scheduling reauthentication in 28116s
> maximum IKE_SA lifetime 28656s
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
> establishing connection 'FOO' failed
> 
> 
> Any help or direction would greatly be appreciated as I'm not really sure 
> what I can do next. Also, I'm hoping this is the underlying reason for 
> auto=route not working as expected. Thank you,
> 
> Jim
> 
> 
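As an added diagnostic example (not part of this thread and not strongSwan's own tooling), the script below reads a charon `ipsec up` excerpt like the one Jim posted, decides whether the IKE_SA or the CHILD_SA negotiation failed, parses the `esp=` value into algorithm names and DH group number, and compares it with the phase-2 parameters Jim listed for the Cisco side. The sample log lines and the `PEER_PHASE2` dictionary are constructed from the post; the keyword tables cover only the common strongSwan proposal names and the notify hints are the defender's reading of RFC 7296 notify types.

```python
"""Classify a strongSwan `ipsec up` log excerpt and check the local esp=
proposal against the peer's stated phase-2 parameters.

Added example for this thread; not strongSwan's own tooling.
"""
import re

# Constructed from the `ipsec up FOO` output in the post (some lines dropped).
SAMPLE_LOG = """\
initiating IKE_SA FOO[1] to 176.32.98.166
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'FOO' failed
"""

# Phase-2 settings reported for the Cisco side in the post (constructed dict).
PEER_PHASE2 = {"encryption": "AES-256", "integrity": "SHA-512", "pfs_group": 14}

# strongSwan proposal keywords -> generic names; DH groups are IANA numbers.
_ENC = {"3des": "3DES", "aes128": "AES-128", "aes192": "AES-192", "aes256": "AES-256"}
_INTEG = {"sha1": "SHA-1", "sha256": "SHA-256", "sha2_256": "SHA-256",
          "sha384": "SHA-384", "sha2_384": "SHA-384",
          "sha512": "SHA-512", "sha2_512": "SHA-512"}
_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
       "modp4096": 16, "ecp256": 19, "ecp384": 20}

# What each CHILD_SA rejection notify means for the defender reading the log.
NOTIFY_HINTS = {
    "NO_PROPOSAL_CHOSEN": "responder rejected every ESP proposal offered; "
                          "compare esp= with the peer's phase-2 settings and read the peer's logs",
    "TS_UNACCEPTABLE": "responder rejected the traffic selectors; "
                       "compare leftsubnet/rightsubnet with the peer's crypto ACL",
}


def parse_esp_proposal(esp):
    """Split an ipsec.conf esp= value such as 'aes256-sha2_512-modp2048!'
    into encryption, integrity and PFS group; a trailing '!' marks a strict proposal."""
    strict = esp.endswith("!")
    out = {"encryption": None, "integrity": None, "pfs_group": None, "strict": strict}
    for token in esp.rstrip("!").split("-"):
        if token in _ENC:
            out["encryption"] = _ENC[token]
        elif token in _INTEG:
            out["integrity"] = _INTEG[token]
        elif token in _DH:
            out["pfs_group"] = _DH[token]
        else:
            raise ValueError(f"unsupported proposal keyword: {token!r}")
    return out


def classify_failure(log):
    """Decide from charon's output whether the IKE_SA or the CHILD_SA negotiation failed."""
    result = {"ike_proposal": None, "ike_sa_established": False,
              "notify": None, "failed_phase": "none", "hint": None}
    for line in log.splitlines():
        m = re.search(r"selected proposal: (IKE:\S+)", line)
        if m:
            result["ike_proposal"] = m.group(1)
        if re.search(r"\bIKE_SA \S+ established\b", line):
            result["ike_sa_established"] = True
        m = re.search(r"received ([A-Z_]+) notify", line)
        if m and result["notify"] is None:
            result["notify"] = m.group(1)
    if result["notify"]:
        # A notify that arrives after the IKE_SA is up can only concern the CHILD_SA.
        result["failed_phase"] = "child" if result["ike_sa_established"] else "ike"
        result["hint"] = NOTIFY_HINTS.get(result["notify"])
    return result


def compare_with_peer(local, peer):
    """Return human-readable mismatches between the parsed esp= proposal and
    the peer's stated phase-2 parameters (empty list if they agree)."""
    mismatches = []
    for key in ("encryption", "integrity", "pfs_group"):
        if local.get(key) != peer.get(key):
            mismatches.append(f"{key}: local {local.get(key)} vs peer {peer.get(key)}")
    return mismatches


if __name__ == "__main__":
    verdict = classify_failure(SAMPLE_LOG)
    print("failed phase:", verdict["failed_phase"], "| notify:", verdict["notify"])
    print("hint:", verdict["hint"])
    local = parse_esp_proposal("aes256-sha2_512-modp2048!")
    print("mismatches vs peer:", compare_with_peer(local, PEER_PHASE2) or "none")
```

On the posted configuration the local proposal agrees with the phase-2 settings Jim was told the Cisco side uses, which is exactly why the responder's own logs are the next place to look: NO_PROPOSAL_CHOSEN means the responder accepted none of the ESP proposals it was offered, whereas a disagreement on leftsubnet/rightsubnet would have surfaced as TS_UNACCEPTABLE instead.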
