Issue #3543

Unable to connect to Cisco ASA IPSec/L2TP IKEv1 server

Added by Alex Biddulph 2 months ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Category:
ikev1
Affected version:
5.8.2
Resolution:
No change required

Description

I am trying to connect to an IKEv1 IPSec/L2TP Cisco ASA server from my Arch Linux box. Phase 1 is successful, but the connection fails shortly after.

The error that is reported in the server logs is "Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list", which apparently means "The peer wanted to perform a XAUTH, but the ASA did not choose the XAUTH IKE proposal." From what the guys who set up the server tell me, I should not be using XAuth for the connection, and nowhere in my config (that I am aware of) have I asked strongswan to use XAuth.

What is going on here and how do I fix it?

strongswan.log (5.42 KB) strongswan.log Left and right logs Alex Biddulph, 17.08.2020 13:33
ipsec.conf (439 Bytes) ipsec.conf Alex Biddulph, 17.08.2020 13:35
ipsec.secrets (26 Bytes) ipsec.secrets Alex Biddulph, 17.08.2020 13:35
charon.log (7.21 KB) charon.log Alex Biddulph, 18.08.2020 14:17
charon_debug.log (24.4 KB) charon_debug.log client logs Alex Biddulph, 19.08.2020 06:15
cisco.log (9.85 KB) cisco.log server logs Alex Biddulph, 19.08.2020 06:15
ipsec.conf (335 Bytes) ipsec.conf Alex Biddulph, 19.08.2020 06:16

History

#1 Updated by Tobias Brunner 2 months ago

  • Category set to ikev1
  • Status changed from New to Feedback

The error that is reported in the server logs is "Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list".

Why it would report that during Quick Mode, no idea. Also don't know if it's actually relevant or how it relates to the message right before that (Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy), which could indicate mismatching traffic selectors (leftprotoport).

From what the guys who set up the server tell me, I should not be using XAuth for the connection and nowhere in my config (that I am aware of) have I asked strongswan to use XAuth.

You haven't, which might be the reason for the error (i.e. if the Cisco box actually expects XAuth from the client).

What is going on here and how do I fix it?

No idea, you have to discuss this with the server admins (IKEv1 is very picky, you have to configure everything to match exactly).

#2 Updated by Alex Biddulph 2 months ago

You haven't, which might be the reason for the error (i.e. if the Cisco box actually expects XAuth from the client).

Server admins assure me that I am not meant to be using XAuth.

I have made some changes to my config and (I think) I am making some progress:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn fourtel
    keyexchange=ikev1
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    auto=route
    authby=secret
    type=tunnel
    left=%any
    leftprotoport=udp/%any
    right=<right ip>
    rightprotoport=udp/l2tp

Am I correct in assuming that the "received NO_PROPOSAL_CHOSEN error notify" is because ESP is wrong somehow? Is it strange that I have received no proposals for ESP, or am I not up to that part of the process yet?

The server admins have shown me the Cisco config. Is there a guide somewhere that will walk me through taking a Cisco config and creating a strongswan connection from it? Or even a mapping between Cisco keywords and strongswan keywords?

#3 Updated by Tobias Brunner 2 months ago

Am I correct in assuming that the "received NO_PROPOSAL_CHOSEN error notify" is because ESP is wrong somehow?

Since you received it during Quick Mode that's a possibility (but could also be the mode or something else about the proposal), only the responder really knows why it sent the notify back.

The server admins have shown me the Cisco config. Is there a guide somewhere that will walk me through taking a Cisco config and creating a strongswan connection from it? Or even a mapping between Cisco keywords and strongswan keywords?

I'm not aware of any.

#4 Updated by Alex Biddulph 2 months ago

So I am still stuck with Phase 1 complete, but I seem to be getting close to Phase 2 complete (I think). On the local (client) side I am seeing

Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> selecting proposal:
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1>   proposal matches
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CHD] <fourtel|1> CHILD_SA fourtel{3} state change: CREATED => INSTALLING
Wed, 2020-08-19, 14:08:04 07[IKE] <fourtel|1> no acceptable traffic selectors found
Wed, 2020-08-19, 14:08:04 07[CHD] <fourtel|1> CHILD_SA fourtel{3} state change: INSTALLING => DESTROYING

and on the server side I am seeing

Aug 19 13:36:17 [IKEv1]Group = DefaultRAGroup, IP = <left public ip>, Received non-routine Notify message: No proposal chosen (14)
Aug 19 13:36:19 [IKEv1]IKE Receiver: Packet received on <right ip>:4500 from 134.148.191.139:4500
Aug 19 13:36:19 [IKEv1]Group = DefaultRAGroup, IP = <left public ip>, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

How can I debug this further?

#5 Updated by Alex Biddulph 2 months ago

The "Received non-routine Notify message: No proposal chosen (14)" error on the cisco side seems to be related to a transform-set mismatch (https://www.thinknetsec.com/asa-ipsec-vpn-no-proposal-chosen/). However, it seems that strongswan has found matching proposals for the ESP transform-set. What does "no acceptable traffic selectors found" actually mean?

#6 Updated by Tobias Brunner 2 months ago

However, it seems that strongswan has found matching proposals for the ESP transform-set.

Yes, strongSwan sends the notify because it fails to install the CHILD_SA due to...

What does "no acceptable traffic selectors found" actually mean?

This could be due to the unity plugin, I'd try disabling that.
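Added example, not code from the thread or from the strongSwan project: a small Python triage helper that folds the client-side charon lines from comment #4 into one verdict, separating the two cases distinguished in #6, a Quick Mode proposal that never matched versus a matched proposal whose CHILD_SA install then failed on the traffic selectors. The log sample is constructed from the lines posted above; the message texts are matched literally, so it assumes charon's default log line layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the client-side charon lines posted in comment #4 (one Quick Mode attempt).
SAMPLE_LOG = """\
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> selecting proposal:
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1>   proposal matches
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CFG] <fourtel|1> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2020-08-19, 14:08:04 07[CHD] <fourtel|1> CHILD_SA fourtel{3} state change: CREATED => INSTALLING
Wed, 2020-08-19, 14:08:04 07[IKE] <fourtel|1> no acceptable traffic selectors found
Wed, 2020-08-19, 14:08:04 07[CHD] <fourtel|1> CHILD_SA fourtel{3} state change: INSTALLING => DESTROYING
"""

# Assumed charon line layout: "<timestamp> <thread>[<subsystem>] <<conn>|<ike-sa id>> <message>"
LINE_RE = re.compile(r"^.+? \d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$")

@dataclass
class QuickModeTriage:
    conn: str = ""
    received: list = field(default_factory=list)    # ESP proposals the peer offered
    configured: list = field(default_factory=list)  # our esp= line as charon parsed it
    selected: str = ""                               # agreed proposal, empty if none matched
    ts_rejected: bool = False                        # "no acceptable traffic selectors found"

    def diagnosis(self) -> str:
        # NO_PROPOSAL_CHOSEN goes back to the peer in both cases; only the log says which it was.
        if not self.selected:
            return "proposal mismatch: esp= does not match the peer's transform-set"
        if self.ts_rejected:
            return ("proposal matched, traffic selectors rejected: check leftprotoport/"
                    "rightprotoport; in this thread the cause was the unity plugin")
        return "CHILD_SA negotiated"

def triage(log: str) -> QuickModeTriage:
    """Fold a charon log into one verdict: did the proposal fail, or the traffic selectors?"""
    t = QuickModeTriage()
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        t.conn, msg = m["conn"], m["msg"]
        if msg.startswith("received proposals: "):
            t.received += msg.split(": ", 1)[1].split(", ")
        elif msg.startswith("configured proposals: "):
            t.configured += msg.split(": ", 1)[1].split(", ")
        elif msg.startswith("selected proposal: "):
            t.selected = msg.split(": ", 1)[1]
        elif msg == "no acceptable traffic selectors found":
            t.ts_rejected = True
    return t
```

Run `triage(SAMPLE_LOG).diagnosis()` against the sample to get the "proposal matched, traffic selectors rejected" verdict; feed it a full charon.log to triage a real attempt.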

#7 Updated by Alex Biddulph about 2 months ago

This could be due to the unity plugin, I'd try disabling that.

Disabling unity fixed the issue. Is it possible to disable plugins on a per-connection basis? I could only figure out how to do it globally.

#8 Updated by Tobias Brunner about 2 months ago

Is it possible to disable plugins on a per-connection basis?

No.

#9 Updated by Tobias Brunner 23 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
