Issue #3692

Failing IPsec Phase 2 connection between Centos 7 VPS and Cisco ASA5540

Added by Evans Vete 2 months ago. Updated 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: ikev1
Affected version: 5.9.1
Resolution:
Description

Hello

I am having issues bringing up a VPN connection. This is a site-to-site IPsec VPN.

This is the scenario:

My peer device (the one facing my provider) is a Linux VPS (a server in the cloud). The two private subnets on my side are:
1. Another VPS in the cloud
2. A virtual/sub-interface I created on the peer VPS

Below are the parameters I was given by my service provider, who is running the VPN on a Cisco ASA firewall:

Phase 1
Tunnel VPN Gateway: ()
Authentication Method: Pre-shared Key
Cryptography Type: IKEv1
Diffie-Hellman Group: Group 2
Cryptography Algorithm: 3DES
Hash Algorithm: SHA
Main or Aggressive Mode: Main mode
Lifetime (for renegotiation): 86400 seconds

Phase 2
Tunnel VPN Gateway: (ECONET)
Encapsulation (ESP or AH): ESP
Cryptography Algorithm: 3DES
Algorithm Method: SHA
Perfect Forward Secrecy: NO PFS
Lifetime (for renegotiation): 86400 seconds
Lifesize in KB (for renegotiation): Not specified

My peering server is running CentOS 7. strongSwan version:
Linux strongSwan U5.7.2/K3.10.0

My configuration is as follows
config setup
        charondebug="all"
        uniqueids=yes

conn ECO_YOSTORE
        type=tunnel
        auto=start
        keyexchange=ikev1
        authby=secret
        left=<My Internet IP>
        leftid=<My Internet IP>
        # ipsec.conf keyword is leftsubnet (no trailing "s"); comma-separated, no spaces
        leftsubnet=<virtual interface created on the left server above>/32,<Internet IP of 2nd VPS>/32
        right=<Provider's Internet IP>
        rightid=<Provider's Internet IP>
        rightsubnet=<private service provider IP>/32
        ike=3des-sha1-modp1024
        # no DH group in the esp proposal = no Quick Mode PFS, matching the provider's "NO PFS"
        esp=3des-sha1
        # pfs= is a deprecated pluto-era keyword; charon takes PFS only from a DH group in esp=
        pfs=no
        aggressive=no
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=86400s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

The results I get in trying to bring up the VPN are as below.

[root@shumba2 ~]# strongswan up ECO_YOSTORE
initiating Main Mode IKE_SA ECO_YOSTORE3 to Provider's Internet IP
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from My Internet IP[500] to Provider's Internet IP[500] (248 bytes)
received packet: from Provider's Internet IP[500] to My Internet IP[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from My Internet IP[500] to Provider's Internet IP[500] (244 bytes)
received packet: from Provider's Internet IP[500] to My Internet IP[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 7e:07:12:38:3a:e9:2e:b4:74:18:9f:79:57:4a:90:89
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from My Internet IP[500] to Provider's Internet IP[500] (100 bytes)
received packet: from Provider's Internet IP[500] to My Internet IP[500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA ECO_YOSTORE3 established between My Internet IP[My Internet IP]...Provider's Internet IP[Provider's Internet IP]
scheduling reauthentication in 85735s
maximum IKE_SA lifetime 86275s
generating QUICK_MODE request 1213313119 [ HASH SA No ID ID ]
sending packet: from My Internet IP[500] to Provider's Internet IP[500] (204 bytes)
received packet: from Provider's Internet IP[500] to My Internet IP[500] (84 bytes)
parsed INFORMATIONAL_V1 request 3366055023 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'ECO_YOSTORE' failed
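An added triage example, not strongSwan code and not part of the report above: it walks a charon log of the shape shown in the report to decide whether the NO_PROPOSAL_CHOSEN notify arrived while Main Mode (Phase 1) or Quick Mode (Phase 2) was in progress, checks the selected IKE proposal against the provider's Phase 1 parameters, and checks a strongSwan esp= string against the provider's "NO PFS" requirement (charon takes Quick Mode PFS only from a DH group in esp=). The log text is constructed from the report's output with TEST-NET placeholder addresses, and every function name is my own.

```python
"""Triage where a strongSwan IKEv1 tunnel fails, from charon's log output.

Added example; not part of the strongSwan project or the original report.
SAMPLE_LOG is constructed (abridged from the report, placeholder IPs).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: same message shapes as the report, TEST-NET addresses.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA ECO_YOSTORE3 to 203.0.113.10
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
IKE_SA ECO_YOSTORE3 established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
generating QUICK_MODE request 1213313119 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 3366055023 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'ECO_YOSTORE' failed
"""


@dataclass
class Triage:
    phase1_proposal: Optional[str] = None   # text after "selected proposal: IKE:"
    phase1_established: bool = False
    quick_mode_sent: bool = False
    failure_notify: Optional[str] = None    # e.g. NO_PROPOSAL_CHOSEN
    failed_phase: Optional[int] = None      # 1 (Main Mode) or 2 (Quick Mode)
    vendor_ids: List[str] = field(default_factory=list)


_PROPOSAL = re.compile(r"selected proposal: IKE:(\S+)")
_ESTABLISHED = re.compile(r"IKE_SA \S+ established")
_QUICK_MODE = re.compile(r"generating QUICK_MODE request")
_NOTIFY = re.compile(r"received (\w+) error notify")
_VENDOR = re.compile(r"received (.+?) vendor ID")


def triage_log(text: str) -> Triage:
    """Walk charon's output in order; an error notify is attributed to the
    phase that was in progress when it arrived (Quick Mode once a
    QUICK_MODE request has gone out, Main Mode before that)."""
    t = Triage()
    for line in text.splitlines():
        m = _PROPOSAL.search(line)
        if m:
            t.phase1_proposal = m.group(1)
        elif _ESTABLISHED.search(line):
            t.phase1_established = True
        elif _QUICK_MODE.search(line):
            t.quick_mode_sent = True
        elif _VENDOR.search(line):
            t.vendor_ids.append(_VENDOR.search(line).group(1))
        else:
            m = _NOTIFY.search(line)
            if m and t.failure_notify is None:      # keep the first failure
                t.failure_notify = m.group(1)
                t.failed_phase = 2 if t.quick_mode_sent else 1
    return t


def phase1_matches(proposal: str, enc: str, integ: str, dh: str) -> bool:
    """Does the IKE proposal charon selected contain the peer's stated
    encryption, integrity and DH group (strongSwan's algorithm names)?"""
    parts = proposal.split("/")
    return enc in parts and integ in parts and dh in parts


# Prefixes of DH group keywords that can appear in a strongSwan esp= proposal.
_DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448", "x25519", "x448")


def esp_proposal_has_dh(esp: str) -> bool:
    """True if any proposal in an esp= string carries a DH group, which is
    what enables Quick Mode PFS in charon (the pfs= keyword does not)."""
    for proposal in esp.rstrip("!").split(","):
        for token in proposal.strip().split("-"):
            if token.lower().startswith(_DH_PREFIXES):
                return True
    return False


def check_phase2(esp: str, peer_wants_pfs: bool) -> List[str]:
    """Compare the local esp= proposal with the peer's PFS requirement."""
    problems = []
    has_dh = esp_proposal_has_dh(esp)
    if has_dh and not peer_wants_pfs:
        problems.append("esp= carries a DH group but the peer specifies NO PFS")
    if peer_wants_pfs and not has_dh:
        problems.append("peer requires PFS but esp= has no DH group")
    return problems


def explain(t: Triage) -> str:
    """Name what the responder compares in the phase that was rejected."""
    if t.failure_notify is None:
        return "no error notify seen"
    if t.failure_notify == "NO_PROPOSAL_CHOSEN" and t.failed_phase == 2:
        return ("phase 2 rejected (IKE_SA is fine): compare esp= transforms, "
                "DH group/PFS, tunnel vs transport mode and left/rightsubnet "
                "with the peer's Phase 2 policy and crypto-map ACL")
    if t.failure_notify == "NO_PROPOSAL_CHOSEN":
        return "phase 1 rejected: compare ike= (cipher, hash, DH group) and auth method"
    return "%s during phase %s" % (t.failure_notify, t.failed_phase)


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(explain(result))
    print(check_phase2("3des-sha1", peer_wants_pfs=False))
```

Run it against a real `strongswan up <conn>` transcript by passing the captured text to `triage_log`; the responder's own log (on the ASA, the Phase 2 debug) still tells you which of the listed parameters it rejected, which this side of the exchange cannot see.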

History

#1 Updated by Tobias Brunner 2 months ago

  • Status changed from New to Feedback
  • Assignee deleted (Evans Vete)

received NO_PROPOSAL_CHOSEN error notify

Check the log on the other end to see why it sends that notify back.
