I see IKE peer ID validation requires but you seem to use PSK? Try disabling that? It should only refer to certificates ....
Sent from my iPhone

> On Mar 29, 2021, at 09:50, Bruno <[email protected]> wrote:
>
> Hi Dmitry.
> They sent me some screenshots of their side, but I don't think we can attach
> images here on the list, so I'll post the URLs:
>
> https://i.imgur.com/0UKU8i1.png
> https://i.imgur.com/UBrdJm0.png
> https://i.imgur.com/DlGqT0N.png
>
> I couldn't find any clue there. If needed I can try asking for a dump of the
> configuration from the remote site.
>
> Thanks for your help!
>
>> On Sat, 27 Mar 2021 at 10:31, Dmitry Melekhov <[email protected]>
>> wrote:
>>
>> 27.03.2021 00:32, Bruno wrote:
>>> Hi,
>>> I'm trying to connect to a remote site where they're using a Cisco ASA
>>> 5555, but I'm consistently receiving the error: INVALID_ID_INFORMATION.
>>> Phase 1 seems to be ok, the problem seems to be on phase 2. But I'm pretty
>>> confident there isn't much to change on the Libreswan side.
>>>
>>> The admin from the remote site sent me an excerpt from their logs, which
>>> follows below. I don't have much experience with Cisco, but the message
>>> "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
>>> seems to point to a possible cause of the problem.
>>> I know this is the Libreswan list, not Cisco's, but what I'm hoping to find
>>> is if anyone with enough experience could tell if there is some special
>>> set of settings so the Cisco device would connect to Libreswan, or if there
>>> is something to do with the remote site's "crypto map".
>>
>> There is nothing special here, I run an ASA 5506 on one side and Libreswan on
>> the other and it works, although I have a different configuration.
>>
>> Looks like the configuration problem is on the ASA side, do you have the config?
>>
>>>
>>> Another thing I'd like to point out is that when starting the connection on
>>> Libreswan, logs roll out like crazy, something like 300 connection attempts
>>> in 10 seconds.
>>>
>>> On my side I'm using Libreswan 3.25, Linux 4.19.80.
>>>
>>> Thanks!
>>>
>>>
>>> ---- Local conf
>>>
>>> conn zebes-tunnel
>>>     type=tunnel
>>>     authby=secret
>>>     left=A.A.A.A
>>>     leftid=A.A.A.A
>>>     leftsubnet=10.4.218.0/24
>>>     right=B.B.B.B
>>>     rightid=B.B.B.B
>>>     rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
>>>     ike=aes256-sha1;modp1536
>>>     ikelifetime=86400s
>>>     ikev2=no
>>>     esp=aes256-sha1
>>>     salifetime=3600s
>>>     pfs=no
>>>     auto=start
>>>
>>>
>>> ---- Libreswan logs
>>>
>>> Mar 26 10:26:26.124744: initiating all conns with alias='zebes-tunnel'
>>> Mar 26 10:26:26.160043: "zebes-tunnel/0x3" #2: STATE_MAIN_I2: sent MI2,
>>> expecting MR2
>>> Mar 26 10:26:26.193605: "zebes-tunnel/0x3" #2: ignoring unknown Vendor ID
>>> payload [e26481be08eae0fded3990cb0fc983cd]
>>> Mar 26 10:26:26.195213: "zebes-tunnel/0x3" #2: STATE_MAIN_I3: sent MI3,
>>> expecting MR3
>>> Mar 26 10:26:26.227947: | protocol/port in Phase 1 ID Payload is 17/0.
>>> accepted with port_floating NAT-T
>>> Mar 26 10:26:26.227978: "zebes-tunnel/0x3" #2: Peer ID is ID_IPV4_ADDR:
>>> 'B.B.B.B'
>>> Mar 26 10:26:26.228027: "zebes-tunnel/0x3" #2: STATE_MAIN_I4: ISAKMP SA
>>> established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
>>> Mar 26 10:26:26.228059: "zebes-tunnel/0x1" #6: initiating Quick Mode
>>> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using
>>> isakmp#2 msgid:e90700c1 proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=no-pfs}
>>> Mar 26 10:26:26.228085: "zebes-tunnel/0x2" #7: initiating Quick Mode
>>> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using
>>> isakmp#2 msgid:f15bb82d proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=no-pfs}
>>> Mar 26 10:26:26.228208: "zebes-tunnel/0x3" #8: initiating Quick Mode
>>> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using
>>> isakmp#2 msgid:760985c2 proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=no-pfs}
>>> Mar 26 10:26:26.262645: "zebes-tunnel/0x3" #2: ignoring informational
>>> payload INVALID_ID_INFORMATION, msgid=00000000, length=160
>>> Mar 26 10:26:26.262667: | ISAKMP Notification Payload
>>> Mar 26 10:26:26.262674: | 00 00 00 a0 00 00 00 01 03 04 00 12
>>> Mar 26 10:26:26.262680: "zebes-tunnel/0x3" #2: received and ignored
>>> informational message
>>> Mar 26 10:26:26.263371: "zebes-tunnel/0x3" #2: received Delete SA payload:
>>> self-deleting ISAKMP State #2
>>> Mar 26 10:26:26.263431: "zebes-tunnel/0x3" #2: deleting state
>>> (STATE_MAIN_I4) and sending notification
>>> Mar 26 10:26:26.263546: "zebes-tunnel/0x3" #2: reschedule pending child #8
>>> STATE_QUICK_I1 of connection "zebes-tunnel/0x3" - the parent is going away
>>> Mar 26 10:26:26.263578: "zebes-tunnel/0x3" #2: reschedule pending child #7
>>> STATE_QUICK_I1 of connection "zebes-tunnel/0x2" - the parent is going away
>>> Mar 26 10:26:26.263594: "zebes-tunnel/0x3" #2: reschedule pending child #6
>>> STATE_QUICK_I1 of connection "zebes-tunnel/0x1" - the parent is going away
>>> Mar 26 10:26:26.263603: "zebes-tunnel/0x3" #2: deleting IKE SA for
>>> connection 'zebes-tunnel/0x3' but connection is supposed to remain up;
>>> schedule EVENT_REVIVE_CONNS
>>> Mar 26 10:26:26.263674: packet from B.B.B.B:500: received and ignored empty
>>> informational notification payload
>>> Mar 26 10:26:26.263818: "zebes-tunnel/0x3" #8: deleting state
>>> (STATE_QUICK_I1) and NOT sending notification
>>> Mar 26 10:26:26.263875: "zebes-tunnel/0x2" #7: deleting state
>>> (STATE_QUICK_I1) and NOT sending notification
>>> Mar 26 10:26:26.263900: "zebes-tunnel/0x1" #6: deleting state
>>> (STATE_QUICK_I1) and NOT sending notification
>>>
>>>
>>> ---- Cisco ASA logs
>>>
>>> Group = A.A.A.A, IP = A.A.A.A, Sending p2 'Invalid ID info' notify message
>>> with SPI ea69decf.
>>> Group = A.A.A.A, IP = A.A.A.A, sending notify message
>>> Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto
>>> map entry for remote proxy 10.4.218.0/255.255.255.0/0/0 local proxy
>>> 192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE
>>> Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map
>>> SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when
>>> peer found in previous map entry.
>>> IP = A.A.A.A, Received DPD VID
>>> IP = A.A.A.A, processing SA payload
>>> IP = A.A.A.A, IKE_DECODE_RECEIVED Message (msgid=0) with payloads: HDR + SA
>>> (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
>>> VENDOR (13) + NONE (0) total length : 208
>>> IKE Receiver: Packet received on B.B.B.B:500 from A.A.A.A:500
>>> Group = A.A.A.A, Username = A.A.A.A, IP A.A.A.A, Session disconnected.
>>> Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0,
>>> Reason: crypto map policy not found
>>> Group = A.A.A.A, IP = A.A.A.A, Session is being torn down. Reason: crypto
>>> map policy not found
>>> IP = A.A.A.A, IKE_DECODE_SENDING Message (msgid=95cd13f8) with payloads :
>>> HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
>>> Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
>>> Group = A.A.A.A, IP = A.A.A.A, constructing IKE delete payload
>>> Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
>>> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
>>> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:25efb702 terminating: flags
>>> 0x1000002, refcnt 0, tuncnt 0
>>> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed,
>>> no match!
>>> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed,
>>> no match!
>>> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
>>> Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
>>> (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr
>>> A.A.A.A, my cookie BBBB1111, his cookie AAAA0000) to standby unit
>>> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1MIB Table succeeded for SA
>>> with logical ID 111111111
>>> Group = A.A.A.A, IP = A.A.A.A, Remove from IKEv1 Tunnel Table succeeded for
>>> SA with logicalId 111111111
>>> Group = A.A.A.A, IP = A.A.A.A, IKE SA MM: BBBB1111 rcv'd Terminate: state
>>> MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 2
>>> Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed,
>>> no match!
>>> IP = A.A.A.A, IKE Responder starting QM: msg id = ba6018a2
>>> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = OUTSIDE_map,
>>> seq = 42, ACL does not match proxy IDs src:10.4.218.0 dst:192.168.100.0
>>> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
>>> OUTSIDE_map, seq = 42...
>>> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
>>> OUTSIDE_map, seq = 41...
>>> Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map =
>>> OUTSIDE_map, seq = 40...
>>>
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> [email protected]
>>> https://lists.libreswan.org/mailman/listinfo/swan
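An added example, not code from the thread or from Libreswan: a small Python check that expands the conn's leftsubnet/rightsubnets into the selector pairs Quick Mode will propose and compares them with the proxy pair in the ASA's "Rejecting IPSec tunnel" line, so the disagreeing side is visible before asking the remote admin for their crypto map ACL. The sample inputs are the conn and the ASA line quoted above; it assumes the ASA's "remote proxy" corresponds to Libreswan's left side and "local proxy" to its right.

```python
import ipaddress
import re
from itertools import product

# Constructed sample input: the conn lines and the ASA reject line quoted in this thread.
LIBRESWAN_CONN = """
conn zebes-tunnel
    leftsubnet=10.4.218.0/24
    rightsubnets={192.168.168.151,192.168.168.152,192.168.168.153}
"""
ASA_REJECT_LINE = (
    "Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map "
    "entry for remote proxy 10.4.218.0/255.255.255.0/0/0 local proxy "
    "192.168.100.0/255.255.255.224/0/0 on interface OUTSIDE"
)

def _subnets(value):
    """Expand a leftsubnet=/rightsubnets= value; a bare host address is a /32."""
    items = value.strip("{}").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def libreswan_selector_pairs(conn_text):
    """One (left, right) pair per left x right combination; Libreswan negotiates one child SA each."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", conn_text, re.M))
    lefts = _subnets(kv.get("leftsubnets", kv.get("leftsubnet", "")))
    rights = _subnets(kv.get("rightsubnets", kv.get("rightsubnet", "")))
    return list(product(lefts, rights))

def asa_proxy_pair(line):
    """Parse 'remote proxy A/MASK/proto/port local proxy B/MASK/proto/port' into two networks."""
    m = re.search(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+", line)
    if not m:
        raise ValueError("no proxy pair found in ASA line")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return remote, local

def diagnose(conn_text, asa_line):
    """Compare each Libreswan pair with the ASA proxy pair side by side.
    Assumption: the ASA's 'remote proxy' is Libreswan's left and 'local proxy' its right."""
    remote, local = asa_proxy_pair(asa_line)
    return [
        {"left": str(left), "right": str(right),
         "left_ok": left == remote, "right_ok": right == local}
        for left, right in libreswan_selector_pairs(conn_text)
    ]

if __name__ == "__main__":
    for row in diagnose(LIBRESWAN_CONN, ASA_REJECT_LINE):
        status = "match" if row["left_ok"] and row["right_ok"] else "MISMATCH"
        print(f"{row['left']} <-> {row['right']}: {status} (left ok={row['left_ok']}, right ok={row['right_ok']})")
```

On the thread's values every pair agrees on the left (10.4.218.0/24) and disagrees on the right (/32 hosts in 192.168.168.0 versus the ASA's 192.168.100.0/27), which is the side to reconcile with the crypto map ACL.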
