Hey All,

I had much success running Cisco ASA tunnels with strongSwan for one subnet only. Ever since I had a requirement to tunnel multiple networks, I started to have problems with the stability of the tunnel for one of the networks.

When traffic is initiated from the Cisco ASA for any of the networks, the tunnel comes up and works, but re-keying or traffic initiated from secondary networks behind strongSwan won't bring the tunnel up. Restarting ipsec sometimes helps.
For each of those networks I've created a separate net-net listing.

Then I figured I'd put all networks in rightsubnet, though in this mode the tunnels break every few minutes and then come back.

Here is some debug output:

NAT instance:

root@nat01:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 4 days, since Nov 24 22:02:44 2015
  malloc: sbrk 1548288, mmap 0, used 613744, free 934544
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1047
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  10.0.1.101
Connections:
    net-net0:  10.0.1.101...94.1.1.1  IKEv2, dpddelay=60s
    net-net0:   local:  [52.1.1.1] uses pre-shared key authentication
    net-net0:   remote: [94.1.1.1] uses pre-shared key authentication
    net-net0:   child:  10.0.0.0/20 === 94.1.1.1/32 172.30.0.0/22 192.168.20.0/24 192.168.0.0/20 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    net-net0[2566]: ESTABLISHED 93 seconds ago, 10.0.1.101[52.17.234.13]...94.236.82.4[94.236.82.4]
    net-net0[2566]: IKEv2 SPIs: 610364da30e6ed96_i* 6c1f5e43b997c3f7_r, pre-shared key reauthentication in 23 hours
    net-net0[2566]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    net-net0[2566]: Tasks queued: CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
    net-net0[2566]: Tasks active: CHILD_CREATE
    net-net0{486}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9ac47e3_i 6a76157d_o
    net-net0{486}:  AES_CBC_256/HMAC_SHA1_96, 216200 bytes_i (303 pkts, 84s ago), 6660 bytes_o (126 pkts, 84s ago), rekeying in 54 minutes
    net-net0{486}:   10.0.0.0/20 === 192.168.0.0/20
    net-net0{2573}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c152d731_i 42f2f40b_o
    net-net0{2573}:  AES_CBC_256/HMAC_SHA1_96, 11016 bytes_i (109 pkts, 0s ago), 8016 bytes_o (73 pkts, 10s ago), rekeying in 55 minutes
    net-net0{2573}:   10.0.0.0/20 === 172.30.0.0/22
root@nat01:~#


Cisco ASA

asa# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:13470, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote Status         Role
1369521805      94.1.1.1/4500     52.1.1.1/4500      READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6 sec
Child sa: local selector  192.168.0.0/0 - 192.168.15.255/65535
          remote selector 10.0.0.0/0 - 10.0.15.255/65535
          ESP spi in/out: 0xa4abb9cb/0xc6ed72a9
asa#



asa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 94.1.1.1

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.240.0 10.0.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.240.0/0/0)
      current_peer: 52.1.1.1


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 94.1.1.1/4500, remote crypto endpt.: 52.1.1.1/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: clear-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C6ED72A9
      current inbound spi : A4ABB9CB

    inbound esp sas:
      spi: 0xA4ABB9CB (2762717643)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }
         slot: 0, conn_id: 58875904, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 3554
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC6ED72A9 (3337450153)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }
         slot: 0, conn_id: 58875904, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 3553
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001



And my configs:

EC2 Nat instance:

# basic configuration

config setup
        # plutodebug=all
#        strictcrlpolicy=yes
#        cachecrls=yes
        charondebug="ike 1, knl 1, cfg 1"

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=86400s # Phase 1
  lifetime=3600s # Phase 2
  margintime=180s
  keyexchange=ikev2
  rekey=yes
  keyingtries=0
  type=tunnel
  authby=secret
  dpdaction=restart
  dpddelay=60s
  dpdtimeout=60

conn net-net0
  leftfirewall = yes
  left=10.0.1.101
  leftsubnet=10.0.0.0/20
  leftid=52.1.1.1
  right=94.1.1.1
  rightid=94.1.1.1
  rightsubnet=94.1.1.1,172.30.0.0/22,192.168.20.0/24,192.168.0.0/20
  ike=aes256-sha1-modp1536
  esp=aes256-sha1-modp1536
  authby=secret
  auto=start

include /var/lib/strongswan/ipsec.conf.inc


Cisco ASA:
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation after-encryption dmz
crypto ipsec fragmentation after-encryption dmz_backbone
crypto ipsec fragmentation after-encryption Management
crypto ipsec fragmentation after-encryption inside
crypto dynamic-map rack 65000 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set TRANS_ESP_AES128_SHA TRANS_ESP_3DES_SHA trans1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set df-bit clear-df
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 52.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 1 set df-bit clear-df
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside


crypto isakmp identity address
crypto isakmp nat-traversal 60
crypto ikev2 policy 1
crypto ikev2 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 52.1.1.1 type ipsec-l2l
tunnel-group 52.1.1.1 general-attributes
 default-group-policy GroupPolicy_52.1.1.1
tunnel-group 52.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3


Any help appreciated :)
Thanks
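Added diagnostic script (not part of the post above and not a strongSwan or Cisco tool): it parses `ipsec statusall` output of the shape shown in the post together with the ASA crypto ACL, and reports which configured traffic selectors have no installed CHILD_SA, which have no overlapping `permit ip` entry on the ASA side, and whether the IKE_SA's task queue is backed up with CHILD_CREATE jobs. The sample inputs are constructed from the post's output (the CHILD_CREATE queue is shortened and the IKE_SA peer addresses use the post's configured 52.1.1.1/94.1.1.1); the queue threshold of 1 is an assumed value, and the ACL side assumes the first network in the ASA entry is the ASA's local side, as the post's `show crypto ipsec sa` identities indicate.

```python
"""Cross-check strongSwan `ipsec statusall` output against a Cisco ASA crypto
ACL.  Added example for the mailing-list post; not strongSwan or Cisco code."""
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the statusall output in the post
# (the CHILD_CREATE queue is shortened; peer addresses are the post's).
STATUSALL = """\
Connections:
    net-net0:  10.0.1.101...94.1.1.1  IKEv2, dpddelay=60s
    net-net0:   child:  10.0.0.0/20 === 94.1.1.1/32 172.30.0.0/22 192.168.20.0/24 192.168.0.0/20 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    net-net0[2566]: ESTABLISHED 93 seconds ago, 10.0.1.101[52.1.1.1]...94.1.1.1[94.1.1.1]
    net-net0[2566]: Tasks queued: CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
    net-net0[2566]: Tasks active: CHILD_CREATE
    net-net0{486}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9ac47e3_i 6a76157d_o
    net-net0{486}:   10.0.0.0/20 === 192.168.0.0/20
    net-net0{2573}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c152d731_i 42f2f40b_o
    net-net0{2573}:   10.0.0.0/20 === 172.30.0.0/22
"""

# The ASA crypto ACL as shown in the post (first network = ASA's local side).
ASA_ACL = """\
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.240.0 10.0.0.0 255.255.0.0
"""

CHILD_CFG = re.compile(r"^\s*(\S+):\s+child:\s+(.+?)\s+===\s+(.+?)\s+(?:TUNNEL|TRANSPORT)\b")
INSTALLED_TS = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")
QUEUED = re.compile(r"^\s*(\S+)\[\d+\]:\s+Tasks queued:\s*(.*)$")
ACL = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def net(text):
    """Accept '10.0.0.0/20', '94.1.1.1' or '192.168.0.0 255.255.240.0' forms."""
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)


def parse_statusall(text):
    """Return configured selector pairs, installed CHILD_SA pairs and the
    number of queued CHILD_CREATE tasks, each keyed by connection name."""
    configured, installed, queued = {}, {}, Counter()
    for line in text.splitlines():
        if m := CHILD_CFG.match(line):
            conn, lefts, rights = m.group(1), m.group(2).split(), m.group(3).split()
            configured.setdefault(conn, set()).update(
                (net(l), net(r)) for l in lefts for r in rights)
        elif m := INSTALLED_TS.match(line):
            installed.setdefault(m.group(1), set()).add((net(m.group(2)), net(m.group(3))))
        elif m := QUEUED.match(line):
            queued[m.group(1)] += m.group(2).split().count("CHILD_CREATE")
    return configured, installed, queued


def parse_asa_acl(text):
    """Return (asa_local, asa_remote) network pairs from 'permit ip' ACL lines."""
    pairs = []
    for line in text.splitlines():
        if m := ACL.match(line):
            src, smask, dst, dmask = m.groups()
            pairs.append((net(f"{src} {smask}"), net(f"{dst} {dmask}")))
    return pairs


def analyse(statusall, asa_acl, queue_threshold=1):
    """List selector pairs the peer cannot match or that never got a CHILD_SA,
    plus IKE_SAs whose CHILD_CREATE queue exceeds queue_threshold (assumed)."""
    configured, installed, queued = parse_statusall(statusall)
    acl = parse_asa_acl(asa_acl)
    findings = []
    for conn, pairs in configured.items():
        for local, remote in sorted(pairs):
            # The ASA's local side is our remote selector and vice versa;
            # overlap (not equality) is enough because IKEv2 may narrow.
            if not any(al.overlaps(remote) and ar.overlaps(local) for al, ar in acl):
                findings.append(f"{conn}: {local} === {remote} has no matching ASA crypto ACL entry")
            if (local, remote) not in installed.get(conn, set()):
                findings.append(f"{conn}: {local} === {remote} has no installed CHILD_SA")
        if queued[conn] > queue_threshold:
            findings.append(f"{conn}: {queued[conn]} CHILD_CREATE tasks queued on the IKE_SA")
    return findings


if __name__ == "__main__":
    for finding in analyse(STATUSALL, ASA_ACL):
        print(finding)
```

Run against the sample it reports the three rightsubnet entries (94.1.1.1/32, 172.30.0.0/22 and 192.168.20.0/24) as having no overlapping entry in the ASA's single-line crypto ACL, two of them as never having reached an installed CHILD_SA, and the IKE_SA as having a backlog of CHILD_CREATE tasks; on a real system feed it `ipsec statusall` and `show running-config access-list` output instead of the constants.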

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
