Cisco ASA with strongswan

Hi

I am trying to connect strongSwan U4.2.11 with a Cisco ASA 8.0(3). I have a problem with the stability of that link. I sometimes lose the connection after 10-20 min, sometimes more often. The link dies and I must restart the whole ipsec on both sides. I have tried various options but I cannot find the proper configuration. When the link is dead, on my SWAN `ipsec status` shows me that ISAKMP and IPsec are established, but Cisco shows me that only ISAKMP is established. I'm not sure that my Cisco conf is correct to work with strongSwan. Thx for help or some clue.

regards Ted

It's my architecture:

LAN: 10.10.10.0/24 +
     30.30.30/24 --- SWAN = 192.68.1.1/30 === 192.168.1.2/30 = Cisco --- 50.50.50.0/24

My cisco conf:

access-list e01 extended permit ip 50.50.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list e02 extended permit ip 50.50.50.0 255.255.255.0 30.30.30.0 255.255.255.0

crypto ipsec transform-set e01 esp-3des esp-sha-hmac
crypto ipsec transform-set e02 esp-3des esp-sha-hmac

crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set erwin01_w_wawie
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 50 match address e02
crypto map outside_map 50 set peer 192.168.1.1
crypto map outside_map 50 set transform-set erwin01
crypto map outside_map 50 set security-association lifetime seconds 86400

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

vpn-idle-timeout none
vpn-session-timeout none

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy LAN2LAN
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 2

logs from cisco:

a lot of:

Error: Unable to remove PeerTblEntry
Error processing payload: Payload ID: 1
Removing peer from peer table failed, no match!

It's my Swan conf:

config setup
        interfaces=%defaultroute
        plutodebug=control
        crlcheckinterval=180
        strictcrlpolicy=no
        nat_traversal=yes
        uniqueids=yes

conn %default
        type=tunnel
        authby=secret
        ikelifetime=28800
        keylife=86400
        keyingtries=5
        auto=start
        keyexchange=ike
        pfs=no
        auth=esp
        esp=3des-sha1
        #dpdaction=hold
        #dpddelay=60
        #dpdtimeout=500

conn e01-cisco_vpn_asa
        left=192.168.1.1
        leftsubnet=10.10.10.0/24
        leftnexthop=192.168.1.2
        leftsourceip=10.10.10.1
        right=192.168.1.2
        rightsubnet=50.50.50.0/24
        rightnexthop=192.168.1.1

conn e02-cisco_vpn_asa
        left=192.168.1.1
        leftsubnet=30.30.30.0/24
        leftnexthop=192.168.1.2
        right=192.168.1.2
        rightsubnet=50.50.50.0/24
        rightnexthop=192.168.1.1

ipsec statusall

000 %myid = (none)
000 debug control
000
000 "e01-cisco_vpn_asa": erouted; eroute owner: #3
000 "e01-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e01-cisco_vpn_asa": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,26; interface: eth1;
000 "e01-cisco_vpn_asa": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "e01-cisco_vpn_asa": IKE algorithms wanted: 7_128-2-14,
000 "e01-cisco_vpn_asa": IKE algorithms found: 7_128-2_160-14,
000 "e01-cisco_vpn_asa": ESP algorithms wanted: 3_000-2,
000 "e01-cisco_vpn_asa": ESP algorithms loaded: 3_192-2_160,
000 "e01-cisco_vpn_asa": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=
000 "e02-cisco_vpn_asa": erouted; eroute owner: #4
000 "e02-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e02-cisco_vpn_asa": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 26,26; interface: eth1;
000 "e02-cisco_vpn_asa": newest ISAKMP SA: #2; newest IPsec SA: #4;
000 "e02-cisco_vpn_asa": IKE algorithms wanted: 7_128-2-14,
000 "e02-cisco_vpn_asa": IKE algorithms found: 7_128-2_160-14,
000 "e02-cisco_vpn_asa": IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "e02-cisco_vpn_asa": ESP algorithms wanted: 3_000-2,
000 "e02-cisco_vpn_asa": ESP algorithms loaded: 3_192-2_160,
000 "e02-cisco_vpn_asa": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=
000
000 #3: "e01-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #3: "e01-cisco_vpn_asa" esp.a96f310f@192.168.1.2 esp.2b6f7bc5@192.168.1.1; tunnel
000 #4: "e02-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #4: "e02-cisco_vpn_asa" esp.d0c44a83@217.74.64.182 esp.dc38acab@192.168.1.1; tunnel
000 #2: "e02-cisco_vpn_asa" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26714s; newest ISAKMP
000
Performance:
  uptime: 30 minutes, since Jan 24 22:07:07 2009
  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Listening IP addresses:
  192.168.1.1
Connections:
Security Associations:
  none
Ted
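The symptom in the post is an asymmetric view: strongSwan reports an IPsec SA while the ASA reports only ISAKMP. As an added example (not part of Ted's post and not a strongSwan tool), the following Python script parses the pluto-style `ipsec statusall` lines shown above and reports, per connection, which SA types exist and how their lifetimes relate, so the check can be scripted instead of read by eye. The sample lines are copied from the output above; the regular expressions and the `audit_sas` rules are this example's own design and are assumptions about the line format of this pluto version, not documented strongSwan output.

```python
import re

# Constructed sample: the relevant lines of the `ipsec statusall` output in the post
SAMPLE = """\
000 "e01-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e01-cisco_vpn_asa": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "e02-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e02-cisco_vpn_asa": newest ISAKMP SA: #2; newest IPsec SA: #4;
000 #3: "e01-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #4: "e02-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #2: "e02-cisco_vpn_asa" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26714s; newest ISAKMP
"""

# Line shapes assumed from the output above (pluto, strongSwan 4.2.x)
LIFE_RE = re.compile(r'^000 "([^"]+)": ike_life: (\d+)s; ipsec_life: (\d+)s;')
NEWEST_RE = re.compile(r'^000 "([^"]+)": newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)" (STATE_\w+) \(([^)]*)\);(?: EVENT_\w+ in (\d+)s;)?')


def parse_statusall(text):
    """Return (conns, sas): per-connection settings and the per-SA state table."""
    conns, sas = {}, {}
    for line in text.splitlines():
        m = LIFE_RE.match(line)
        if m:
            conns.setdefault(m.group(1), {}).update(
                ike_life=int(m.group(2)), ipsec_life=int(m.group(3)))
            continue
        m = NEWEST_RE.match(line)
        if m:  # "#0" means this conn currently owns no SA of that type
            conns.setdefault(m.group(1), {}).update(
                isakmp=int(m.group(2)), ipsec=int(m.group(3)))
            continue
        m = STATE_RE.match(line)
        if m:
            num, conn, state, desc, replace_in = m.groups()
            sas[int(num)] = {
                "conn": conn,
                "state": state,
                "kind": "ISAKMP" if "ISAKMP" in desc else "IPsec",
                "replace_in": int(replace_in) if replace_in else None,
            }
    return conns, sas


def audit_sas(conns, sas):
    """Flag IPsec SAs with no ISAKMP SA behind them, and IPsec lifetimes longer than the IKE lifetime."""
    findings = []
    isakmp_owners = {n: s["conn"] for n, s in sas.items() if s["kind"] == "ISAKMP"}
    for name, c in sorted(conns.items()):
        if c.get("ipsec", 0) and not c.get("isakmp", 0):
            if isakmp_owners:
                # pluto attaches the ISAKMP SA to one conn; a sibling conn to the same peer shows #0
                held = ", ".join(f"#{n} held by {o}" for n, o in sorted(isakmp_owners.items()))
                findings.append(f"{name}: IPsec SA #{c['ipsec']} up but no ISAKMP SA of its own ({held})")
            else:
                findings.append(f"{name}: IPsec SA #{c['ipsec']} up with no ISAKMP SA anywhere; "
                                "rekeying and DPD need a new main mode exchange")
        if c.get("ipsec_life", 0) > c.get("ike_life", 0) > 0:
            findings.append(f"{name}: ipsec_life {c['ipsec_life']}s > ike_life {c['ike_life']}s; "
                            "IPsec SAs will outlive their ISAKMP SA, so IKE rekeying must keep succeeding")
    return findings


def report(text):
    return audit_sas(*parse_statusall(text))


if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Run against the post's output, the script notes that e01 has an IPsec SA (#3) but its ISAKMP SA is held by e02 (#2), and that on both conns the IPsec lifetime (86400s) is longer than the IKE lifetime (28800s); those are the two facts worth comparing against what the ASA reports on its side.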

Hmmm - working a bit.

Not sure but have a look at the following.

crypto ipsec transform-set e01 esp-3des esp-sha-hmac
crypto ipsec transform-set e02 esp-3des esp-sha-hmac

crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set erwin01_w_wawie
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 50 match address e02
crypto map outside_map 50 set peer 192.168.1.1
crypto map outside_map 50 set transform-set erwin01
crypto map outside_map 50 set security-association lifetime seconds 86400

Well, you are not referencing the defined transform sets from the crypto map?

As far as I know it is not necessary to define multiple transform sets, so:

crypto ipsec transform-set my-ts esp-3des esp-sha-hmac

crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set my-ts
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 50 match address e02
crypto map outside_map 50 set peer 192.168.1.1
crypto map outside_map 50 set transform-set my-ts
crypto map outside_map 50 set security-association lifetime seconds 86400

For further simplification you might consider:

access-list e01 extended permit ip 50.50.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list e01 extended permit ip 50.50.50.0 255.255.255.0 30.30.30.0 255.255.255.0

crypto ipsec transform-set my-ts esp-3des esp-sha-hmac

crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set my-ts
crypto map outside_map 40 set security-association lifetime seconds 86400

This may be telling you what is wrong.

Wanted and Found should probably be the same.

000 "e01-cisco_vpn_asa": IKE algorithms wanted: 7_128-2-14,
000 "e01-cisco_vpn_asa": IKE algorithms found: 7_128-2_160-14,

000 "e01-cisco_vpn_asa": ESP algorithms wanted: 3_000-2,

000 "e01-cisco_vpn_asa": ESP algorithms loaded: 3_192-2_160,
bod43
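bod43 found the dangling reference by reading the config: the crypto map entries point at transform sets that were never defined. As an added example (not from bod43's reply, and not a Cisco or strongSwan tool), the Python script below does that cross-check mechanically for the ASA crypto lines in this thread and, beyond what the reply does by eye, also compares the ASA side against the strongSwan `conn %default` values (keylife, ikelifetime, esp). The sample input is the configuration from the first post; the second sample is bod43's simplified version. The `SWAN` dict and the `ESP_TOKENS` mapping (ASA transform-set keywords to strongSwan `esp=` notation) are assumptions of this example, covering only the keywords used in this thread; the ASA defaults of 28800s for an IPsec SA and 86400s for an ISAKMP policy are used when a lifetime is not set explicitly.

```python
# Constructed sample: the crypto configuration from the first post, one command per line
ASA_CONF = """\
access-list e01 extended permit ip 50.50.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list e02 extended permit ip 50.50.50.0 255.255.255.0 30.30.30.0 255.255.255.0
crypto ipsec transform-set e01 esp-3des esp-sha-hmac
crypto ipsec transform-set e02 esp-3des esp-sha-hmac
crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set erwin01_w_wawie
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 50 match address e02
crypto map outside_map 50 set peer 192.168.1.1
crypto map outside_map 50 set transform-set erwin01
crypto map outside_map 50 set security-association lifetime seconds 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""

# Constructed sample: bod43's simplified configuration (single ACL, single transform set)
FIXED_CONF = """\
access-list e01 extended permit ip 50.50.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list e01 extended permit ip 50.50.50.0 255.255.255.0 30.30.30.0 255.255.255.0
crypto ipsec transform-set my-ts esp-3des esp-sha-hmac
crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set my-ts
crypto map outside_map 40 set security-association lifetime seconds 86400
"""

# The strongSwan side, taken from conn %default in the first post (assumed shape)
SWAN = {"keylife": 86400, "ikelifetime": 28800, "esp": "3des-sha1"}

# ASA transform-set keywords -> strongSwan esp= tokens; only the ones seen in this thread
ESP_TOKENS = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256",
              "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_asa(text):
    """Return (acl names, transform sets, crypto map entries, isakmp policies)."""
    acls, tsets, maps, isakmp, policy = set(), {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if line.startswith("access-list "):
            acls.add(parts[1])
        elif line.startswith("crypto ipsec transform-set "):
            tsets[parts[3]] = parts[4:]
        elif line.startswith("crypto map "):
            entry, rest = maps.setdefault((parts[2], int(parts[3])), {}), parts[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["tsets"] = rest[2:]
            elif rest[:4] == ["set", "security-association", "lifetime", "seconds"]:
                entry["lifetime"] = int(rest[4])
        elif line.startswith("crypto isakmp policy "):
            policy = isakmp.setdefault(int(parts[3]), {})
        elif policy is not None and raw.startswith(" "):  # indented policy sub-command
            policy[parts[0]] = " ".join(parts[1:])
    return acls, tsets, maps, isakmp


def to_swan_esp(tokens):
    return "-".join(ESP_TOKENS.get(t, t) for t in tokens)


def audit_asa(acls, tsets, maps, isakmp, swan):
    findings, used = [], set()
    for (name, seq), e in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        if e.get("acl") not in acls:
            findings.append(f"{tag}: match address {e.get('acl')} is not a defined access-list")
        if "peer" not in e:
            findings.append(f"{tag}: no peer set")
        if not e.get("tsets"):
            findings.append(f"{tag}: no transform-set set")
        for ts in e.get("tsets", []):
            used.add(ts)
            if ts not in tsets:
                findings.append(f"{tag}: transform-set {ts} is not defined")
            elif to_swan_esp(tsets[ts]) != swan["esp"]:
                findings.append(f"{tag}: transform-set {ts} = {to_swan_esp(tsets[ts])} "
                                f"but strongSwan esp={swan['esp']}")
        life = e.get("lifetime", 28800)  # ASA default IPsec SA lifetime
        if life != swan["keylife"]:
            findings.append(f"{tag}: SA lifetime {life}s != strongSwan keylife {swan['keylife']}s")
    for ts in sorted(set(tsets) - used):
        findings.append(f"transform-set {ts} is defined but not used by any crypto map entry")
    for seq, p in sorted(isakmp.items()):
        life = int(p.get("lifetime", 86400))  # ASA default ISAKMP policy lifetime
        if life != swan["ikelifetime"]:
            findings.append(f"isakmp policy {seq}: lifetime {life}s != strongSwan ikelifetime {swan['ikelifetime']}s")
    return findings


if __name__ == "__main__":
    for conf in (ASA_CONF, FIXED_CONF):
        print(audit_asa(*parse_asa(conf), SWAN) or ["no findings"])
```

On the first post's configuration the checker reports exactly what bod43 pointed out (two crypto map entries referencing undefined transform sets, two transform sets defined but unused); on the simplified configuration it reports nothing. Lifetime and ESP-algorithm comparisons against the strongSwan side come for free once both configs are parsed, which is where the later aes/3des experiments in this thread would have shown up.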

bod43 wrote:

Thx for help, I did as you suggested, but I still have the problem. My links aren't stable; they work for about 1-3 minutes and go down. Sometimes they work together, sometimes only one of them. After a restart both links work for 2-3 minutes.

I tried to test various configs, e.g. aes-256, changing crypto, etc.:

crypto map outside_map 40 match address erwin01_w_wawie
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set my_ts
crypto map outside_map 40 set security-association lifetime seconds 86400

crypto ipsec transform-set my_ts esp-aes esp-sha-hmac

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

clear crypto ipsec peer 192.168.1.1
clear crypto isakmp sa 192.168.1.1

but I still have:

IKE Peer: 192.168.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28678

In my logs I still have:

Error processing payload: Payload ID: 1
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry

Error processing payload: Payload ID: 1
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry

and debug shows:

, processing SA payload
, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
, All SA proposals found unacceptable
, Error processing payload: Payload ID: 1
, IKE MM Responder FSM error history (struct &0xd8b7ac38)
, : MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
, IKE SA MM:94edd0b6 terminating: flags 0x01000002, refcnt 0, tuncnt 0
, sending delete/delete with reason message

On my other site, strongSwan:

ipsec.conf:

config setup
        interfaces=%defaultroute
        plutodebug=control
        crlcheckinterval=180
        strictcrlpolicy=no
        nat_traversal=yes
        uniqueids=yes

conn %default
        type=tunnel
        authby=secret
        ikelifetime=28800
        keylife=86400
        keyingtries=5
        auto=start
        keyexchange=ike
        pfs=no
        auth=esp
        esp=aes128-sha1
        #esp=3des-sha1
        ike=aes256-sha-modp1536
        #dpdaction=hold
        #dpddelay=60
        #dpdtimeout=500

ipsec statusall

ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,26; interface: eth1;
newest ISAKMP SA: #0; newest IPsec SA: #3;
IKE algorithms wanted: 7_256-2-5,
IKE algorithms found: 7_256-2_160-5,
ESP algorithms wanted: 12_128-2,
ESP algorithms loaded: 12_128-2_160,
ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=
ted
