Hello. I'm trying to set up an IKEv2/IPsec tunnel between a Cisco ASA and OpenBSD-5.4 iked (see configs & debugs below)...
A self-signed certificate and EAP with MS-CHAPv2 are configured on the ASA. The result: the ASA says "Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired". Please comment on what could be missing in iked.conf or elsewhere?

-- AlexeiMalinin

# cat /etc/iked.conf
set passive
user "USER" "PASSWORD"
ikev2 "TEST" \
        quick \
        active \
        esp \
        inet \
        from any to 10.0.7.0/24 \
        local 10.0.62.27 peer 212.233.65.1 \
        ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 \
        srcid 10.0.62.27 dstid 212.233.65.1 \
        lifetime 1h bytes 128M \
        eap "mschap-v2" \
        config address 10.249.1.1 \
        tag "$name"

# ls /etc/iked/certs
VPN_gateway.example.com.pem

# clear ; iked -dvv
/etc/iked.conf: loaded 2 configuration rules
ca_reload: loaded cert file VPN_gateway.example.com.pem
config_new_user: inserting new user USER
user "USER" "PASSWORD"
ca_validate_cert: /CN=VPN_gateway.example.com/unstructuredName=VPN_gateway.example.com self signed certificate
config_getpolicy: received policy
ikev2 "TEST" quick active esp inet from any to 10.0.7.0/24 local 10.0.62.27 peer 212.233.65.1 ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 srcid 10.0.62.27 dstid 212.233.65.1 lifetime 3600 bytes 134217728 eap "MSCHAP_V2" config address 10.249.1.1 tag "$name"
config_getpfkey: received pfkey fd 4
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
config_getmode: mode active -> passive
ikev2_init_ike_sa: initiating "TEST"
ikev2_policy2id: srcid IPV4/10.0.62.27 length 8
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x164268426ab0c983 0x0000000000000000 10.0.62.27:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x164268426ab0c983 0x0000000000000000 212.233.65.1:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x164268426ab0c983 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT from 10.0.62.27:500 to 212.233.65.1:500, 432 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT from responder 212.233.65.1:500 to 10.0.62.27:500 policy 'TEST' id 0, 585 bytes
ikev2_recv: ispi 0x164268426ab0c983 rspi 0x89da921ef19c99e8
ikev2_recv: updated SA to peer 212.233.65.1:500 local 10.0.62.27:500
ikev2_pld_parse: header ispi 0x164268426ab0c983 rspi 0x89da921ef19c99e8 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 585 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 68
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 23
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 59
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 19
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x164268426ab0c983 0x89da921ef19c99e8 212.233.65.1:500
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x164268426ab0c983 0x89da921ef19c99e8 10.0.62.27:500
ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
ikev2_init_recv: NAT detected, updated SA to peer 212.233.65.1:4500 local 10.0.62.27:4500
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x05 cert,auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 112 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 528
ca_setauth: auth length 528
sa_stateok: SA_INIT flags 0x00, require 0x05 cert,auth
config_free_proposals: free 0x206a62200
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 21 rspi 0x89da921ef19c99e8 ispi 0x164268426ab0c983 initiator 1 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x00 -> 0x04 auth (required 0x05 cert,auth)
sa_stateok: SA_INIT flags 0x04, require 0x05 cert,auth
ikev2_init_ike_sa: "TEST" is already active
...

# cat cisco_ASA-9.2.2.debug
Aug 14 2014 15:26:09: %ASA-7-713906: IKE Receiver: Packet received on 212.233.65.1:500 from 212.233.65.101:500
Aug 14 2014 15:26:09: %ASA-5-750002: Local:212.233.65.1:500 Remote:212.233.65.101:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
IKEv2-PROTO-2: Received Packet [From 212.233.65.101:500/To 212.233.65.1:500/VRF i0:f0]
Initiator SPI : 164268426AB0C983 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2-PROTO-2: (20): Checking NAT discovery
IKEv2-PROTO-2: (20): Verify SA init message
IKEv2-PROTO-2: (20): Insert SA
IKEv2-PROTO-2: (20): Processing IKE_SA_INIT message
IKEv2-PROTO-2: (20): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
IKEv2-PROTO-2: (20): Request queued for computation of DH key
IKEv2-PROTO-2: (20): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
IKEv2-PROTO-2: (20): Request queued for computation of DH secret
IKEv2-PROTO-2: (20): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (20): IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
(20): AES-CBC(20): SHA256(20): SHA256(20): DH_GROUP_2048_MODP/Group 14(20):
IKEv2-PROTO-2: (20): Sending Packet [To 212.233.65.101:500/From 212.233.65.1:500/VRF i0:f0]
(20): Initiator SPI : 164268426AB0C983 - Responder SPI : 89DA921EF19C99E8 Message id: 0
(20): IKEv2 IKE_SA_INIT Exchange RESPONSE
(20): Payload contents:
(20): SA(20): KE(20): N(20): VID(20): VID(20): VID(20): NOTIFY(NAT_DETECTION_SOURCE_IP)(20): NOTIFY(NAT_DETECTION_DESTINATION_IP)(20): VID(20):
IKEv2-PROTO-2: (20): Completed SA init exchange
IKEv2-PROTO-2: (20): Starting timer (30 sec) to wait for auth message
Aug 14 2014 15:26:39: %ASA-4-750003: Local:212.233.65.1:500 Remote:212.233.65.101:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired
IKEv2-PROTO-1: (20): Failed to receive the AUTH msg before the timer expired
IKEv2-PROTO-2: (20): Auth exchange failed
IKEv2-PROTO-1: (20): Auth exchange failed
IKEv2-PROTO-1: (20): Auth exchange failed
IKEv2-PROTO-2: (20): Abort exchange
IKEv2-PROTO-2: (20): Deleting SA
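A small diagnostic over the iked -dvv output quoted above, added here as an example and not part of the original post: it reads the sa_stateok / sa_stateflags lines to report which required SA-state flag was still unset when iked stopped progressing, and which exchanges iked actually sent. The regexes assume the iked 5.4 message formats shown in the post; the bit-to-name mapping is learned from the log itself (the post shows 0x04 = auth, so the remaining required bit 0x01 must be cert), and the sample lines are copied from the post.

```python
import re

# Constructed sample: the state-tracking lines from the iked -dvv output in the
# post, reduced to those that bear on "why was IKE_AUTH never sent?".
IKED_DEBUG = """\
ikev2_msg_send: IKE_SA_INIT from 10.0.62.27:500 to 212.233.65.1:500, 432 bytes
sa_state: INIT -> SA_INIT
sa_stateok: SA_INIT flags 0x00, require 0x05 cert,auth
ikev2_msg_auth: initiator auth data length 528
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x00 -> 0x04 auth (required 0x05 cert,auth)
sa_stateok: SA_INIT flags 0x04, require 0x05 cert,auth
ikev2_init_ike_sa: "TEST" is already active
"""

# Message shapes assumed from the iked 5.4 debug lines in the post.
STATEOK_RE = re.compile(r"sa_stateok: (\S+) flags (0x[0-9a-fA-F]+), require (0x[0-9a-fA-F]+) (\S+)")
STATEFLAGS_RE = re.compile(r"sa_stateflags: (0x[0-9a-fA-F]+) -> (0x[0-9a-fA-F]+) (\S+)")
SEND_RE = re.compile(r"ikev2_msg_send: (\S+) ")


def learn_flag_names(lines):
    """Each sa_stateflags transition names the bit it just set (0x00 -> 0x04 'auth')."""
    names = {}
    for m in filter(None, map(STATEFLAGS_RE.search, lines)):
        before, after = int(m.group(1), 16), int(m.group(2), 16)
        names[after & ~before] = m.group(3)
    return names


def unmet_requirements(lines):
    """Return (state, unmet flag names) from the last sa_stateok line, or None."""
    names = learn_flag_names(lines)
    checks = [m for m in map(STATEOK_RE.search, lines) if m]
    if not checks:
        return None
    last = checks[-1]
    have, need = int(last.group(2), 16), int(last.group(3), 16)
    # A required name never seen in a transition belongs to a bit that was never set;
    # if exactly one such name is left, it must be the name of the unmet bit.
    unexplained = [n for n in last.group(4).split(",") if n not in names.values()]
    unmet = []
    for bit in (1 << i for i in range(need.bit_length())):
        if need & ~have & bit:
            unmet.append(names.get(bit) or (unexplained[0] if len(unexplained) == 1 else hex(bit)))
    return last.group(1), unmet


def exchanges_sent(lines):
    """IKEv2 exchanges iked actually put on the wire, in order."""
    return [m.group(1) for m in map(SEND_RE.search, lines) if m]


if __name__ == "__main__":
    lines = IKED_DEBUG.splitlines()
    print("sent:", exchanges_sent(lines))        # ['IKE_SA_INIT']
    print("unmet:", unmet_requirements(lines))   # ('SA_INIT', ['cert'])
```

Run over the full debug it confirms what the two logs together already imply: the initiator computed its AUTH payload but never cleared the cert requirement, so no IKE_AUTH left the host and the ASA's 30-second auth timer expired.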