27.03.2021 00:32, Bruno writes:
Hi,
I'm trying to connect to a remote site where they're using a Cisco ASA
5555, but I'm consistently receiving the error: INVALID_ID_INFORMATION.
Phase 1 seems to be OK; the problem seems to be in Phase 2. But I'm
pretty confident there isn't much to change on the Libreswan side.
The admin from the remote site sent me an excerpt from their logs,
which follows below. I don't have much experience with Cisco but the
message "Rejecting IPSec tunnel: no matching crypto map entry for
remote proxy" seems to point to a possible cause of the problem.
I know this is the Libreswan list, not Cisco's, but what I'm hoping to
find out is whether anyone with enough experience could tell me if there
is some special set of settings so that the Cisco device would connect to
Libreswan, or whether there is something to do with the remote site's
"crypto map".
There is nothing special here; I run an ASA 5506 on one side and Libreswan
on the other and it works, although I have a different configuration.
It looks like the configuration problem is on the ASA side. Do you have the config?
Another thing I'd like to point out is that when starting the connection
on Libreswan, the logs roll out like crazy, something like 300 connection
attempts in 10 seconds.
On my side I'm using Libreswan 3.25, Linux 4.19.80.
Thanks!
---- Local conf
conn zebes-tunnel
type=tunnel
authby=secret
left=A.A.A.A
leftid=A.A.A.A
leftsubnet=10.4.218.0/24
right=B.B.B.B
rightid=B.B.B.B
rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
ike=aes256-sha1;modp1536
ikelifetime=86400s
ikev2=no
esp=aes256-sha1
salifetime=3600s
pfs=no
auto=start
---- Libreswan logs
Mar 26 10:26:26.124744: initiating all conns with alias='zebes-tunnel'
Mar 26 10:26:26.160043: "zebes-tunnel/0x3" #2: STATE_MAIN_I2: sent
MI2, expecting MR2
Mar 26 10:26:26.193605: "zebes-tunnel/0x3" #2: ignoring unknown Vendor
ID payload [e26481be08eae0fded3990cb0fc983cd]
Mar 26 10:26:26.195213: "zebes-tunnel/0x3" #2: STATE_MAIN_I3: sent
MI3, expecting MR3
Mar 26 10:26:26.227947: | protocol/port in Phase 1 ID Payload is 17/0.
accepted with port_floating NAT-T
Mar 26 10:26:26.227978: "zebes-tunnel/0x3" #2: Peer ID is
ID_IPV4_ADDR: 'B.B.B.B'
Mar 26 10:26:26.228027: "zebes-tunnel/0x3" #2: STATE_MAIN_I4: ISAKMP
SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha
group=MODP1536}
Mar 26 10:26:26.228059: "zebes-tunnel/0x1" #6: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:e90700c1 proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}
Mar 26 10:26:26.228085: "zebes-tunnel/0x2" #7: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:f15bb82d proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}
Mar 26 10:26:26.228208: "zebes-tunnel/0x3" #8: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#2 msgid:760985c2 proposal=AES_CBC_256-HMAC_SHA1_96
pfsgroup=no-pfs}
Mar 26 10:26:26.262645: "zebes-tunnel/0x3" #2: ignoring informational
payload INVALID_ID_INFORMATION, msgid=00000000, length=160
Mar 26 10:26:26.262667: | ISAKMP Notification Payload
Mar 26 10:26:26.262674: | 00 00 00 a0 00 00 00 01 03 04 00 12
Mar 26 10:26:26.262680: "zebes-tunnel/0x3" #2: received and ignored
informational message
Mar 26 10:26:26.263371: "zebes-tunnel/0x3" #2: received Delete SA
payload: self-deleting ISAKMP State #2
Mar 26 10:26:26.263431: "zebes-tunnel/0x3" #2: deleting state
(STATE_MAIN_I4) and sending notification
Mar 26 10:26:26.263546: "zebes-tunnel/0x3" #2: reschedule pending
child #8 STATE_QUICK_I1 of connection "zebes-tunnel/0x3" - the parent
is going away
Mar 26 10:26:26.263578: "zebes-tunnel/0x3" #2: reschedule pending
child #7 STATE_QUICK_I1 of connection "zebes-tunnel/0x2" - the parent
is going away
Mar 26 10:26:26.263594: "zebes-tunnel/0x3" #2: reschedule pending
child #6 STATE_QUICK_I1 of connection "zebes-tunnel/0x1" - the parent
is going away
Mar 26 10:26:26.263603: "zebes-tunnel/0x3" #2: deleting IKE SA for
connection 'zebes-tunnel/0x3' but connection is supposed to remain up;
schedule EVENT_REVIVE_CONNS
Mar 26 10:26:26.263674: packet from B.B.B.B:500: received and ignored
empty informational notification payload
Mar 26 10:26:26.263818: "zebes-tunnel/0x3" #8: deleting state
(STATE_QUICK_I1) and NOT sending notification
Mar 26 10:26:26.263875: "zebes-tunnel/0x2" #7: deleting state
(STATE_QUICK_I1) and NOT sending notification
Mar 26 10:26:26.263900: "zebes-tunnel/0x1" #6: deleting state
(STATE_QUICK_I1) and NOT sending notification
---- Cisco ASA logs
Group = A.A.A.A, IP = A.A.A.A, Sending p2 'Invalid ID info' notify
message with SPI ea69decf.
Group = A.A.A.A, IP = A.A.A.A, sending notify message
Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching
crypto map entry for remote proxy 10.4.218.0/255.255.255.0/0/0
local proxy 192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE
Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map
SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map
when peer found in previous map entry.
IP = A.A.A.A, Received DPD VID
IP = A.A.A.A, processing SA payload
IP = A.A.A.A, IKE_DECODE_RECEIVED Message (msgid=0) with payloads: HDR
+ SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
IKE Receiver: Packet received on B.B.B.B:500 from A.A.A.A:500
Group = A.A.A.A, Username = A.A.A.A, IP A.A.A.A, Session disconnected.
Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes
rcv: 0, Reason: crypto map policy not found
Group = A.A.A.A, IP = A.A.A.A, Session is being torn down. Reason:
crypto map policy not found
IP = A.A.A.A, IKE_DECODE_SENDING Message (msgid=95cd13f8) with
payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
Group = A.A.A.A, IP = A.A.A.A, constructing IKE delete payload
Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:25efb702 terminating: flags
0x1000002, refcnt 0, tuncnt 0
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
failed, no match!
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
failed, no match!
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
(VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr
A.A.A.A, my cookie BBBB1111, his cookie AAAA0000) to standby unit
Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1MIB Table succeeded
for SA with logical ID 111111111
Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1 Tunnel Table
succeeded for SA with logicalId 111111111
Group = A.A.A.A, IP = A.A.A.A, IKE SA MM: BBBB1111 rcv'd Terminate:
state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 2
Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table
failed, no match!
IP = A.A.A.A, IKE Responder starting QM: msg id = ba6018a2
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map =
OUTSIDE_map, seq = 42, ACL does not match proxy IDs src:10.4.218.0
dst:192.168.100.0
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
OUTSIDE_map, seq = 42...
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
OUTSIDE_map, seq = 41...
Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
OUTSIDE_map, seq = 40...
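An added example, not code from the thread: it pulls the proxy-ID pair out of the ASA "Rejecting IPSec tunnel" line and lists the leftsubnet x rightsubnets pairs the Libreswan conn proposes (one Quick Mode per pair, which is why the log shows three "initiating Quick Mode" states, #6, #7 and #8), so you can see whether the ASA crypto map ACL simply lacks that exact pair or whether the log and the config do not belong to the same setup. The sample inputs are constructed from the values in the post.

```python
"""Correlate an ASA 'no matching crypto map entry' rejection with the
Libreswan conn that triggered it (constructed sample data from the post)."""
import ipaddress
import re

CONN_TEXT = """
conn zebes-tunnel
    leftsubnet=10.4.218.0/24
    rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
"""
ASA_LINE = ("Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching "
            "crypto map entry for remote proxy 10.4.218.0/255.255.255.0/0/0 "
            "local proxy 192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE")

# ASA prints proxies as addr/netmask/protocol/port; we keep only addr/netmask
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ "
                      r"local proxy ([\d.]+)/([\d.]+)/\d+/\d+")


def parse_asa_reject(line):
    """Return (remote, local) networks the ASA saw in the peer's Quick Mode IDs."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_network(f"{m[1]}/{m[2]}"),
            ipaddress.ip_network(f"{m[3]}/{m[4]}"))


def conn_selectors(text):
    """Every leftsubnet x rightsubnet pair the conn will propose; Libreswan
    runs one Quick Mode exchange per pair (a /32 when no prefix is given)."""
    sides = {"left": [], "right": []}
    for raw in text.splitlines():
        key, _, val = raw.strip().partition("=")
        for side in sides:
            if key in (side + "subnet", side + "subnets"):
                sides[side] += [ipaddress.ip_network(s.strip())
                                for s in val.strip("{}").split(",") if s.strip()]
    return [(l, r) for l in sides["left"] for r in sides["right"]]


def diagnose(conn_text, asa_line):
    """From the ASA's view 'remote proxy' is Libreswan's left, 'local proxy'
    its right. If the rejected pair is one the conn proposes, the ASA ACL
    lacks that pair; if not, log and config do not describe the same setup."""
    rejected = parse_asa_reject(asa_line)
    proposed = conn_selectors(conn_text)
    return {"rejected": rejected, "proposed": proposed,
            "rejected_in_conn": rejected in proposed}


if __name__ == "__main__":
    print(diagnose(CONN_TEXT, ASA_LINE))
```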
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan