strongSwan IKEv2 server connection from Cisco client fails with “traffic selectors… unacceptable”, FAIL_CP_REQ, TS_UNACCEPT


I’m configuring a strongSwan server (x.x.168.87) for a third-party service to connect their Cisco ASA 5525 using PSK auth. Phase one appears to succeed from the gateway/peer (x.x.122.4), but phase two fails when they run a traceroute from the client (x.x.120.3) to our gateway server. The logs mention “expected a virtual IP request, sending FAILED_CP_REQUIRED” and say the “traffic selectors [are] unacceptable”. Is strongSwan misconfigured, or is the Cisco client failing to request an IP? Does strongSwan require that I manually create a virtual IP tunnel? The virtual IP pool appears to be available.

Thank you.

logs: /var/log/charon.log

05[IKE2] local endpoint changed from 10.0.0.79[500] to 10.0.0.79[4500]
05[IKE2] remote endpoint changed from x.x.122.4[500] to x.x.122.4[4500]
05[CFG1] looking for peer configs matching 10.0.0.79[%any]...x.x.122.4[x.x.122.4]
05[CFG3] peer config "ikev2-vpn", ike match: 28 (%any...%any IKEv2)
05[CFG3]   local id match: 1 (ID_ANY: )
05[CFG3]   remote id match: 1 (ID_IPV4_ADDR: 17:eb:7a:04)
05[CFG2]   candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
05[CFG1] selected peer config 'ikev2-vpn'
05[IKE1] authentication of 'x.x.122.4' with pre-shared key successful
05[IKE1] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE1] authentication of 'x.x.168.87' (myself) with pre-shared key
05[IKE2] successfully created shared key MAC
05[IKE1] expected a virtual IP request, sending FAILED_CP_REQUIRED
05[IKE0] IKE_SA ikev2-vpn[4] established between 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
05[IKE2] IKE_SA ikev2-vpn[4] state change: CONNECTING => ESTABLISHED
05[CFG2] looking for a child config for x.x.168.87/32 === x.x.120.3/32
05[CFG2] proposing traffic selectors for us:
05[CFG2]  0.0.0.0/0
05[CFG2] proposing traffic selectors for other:
05[CFG2]  dynamic
05[IKE1] traffic selectors x.x.168.87/32 === x.x.120.3/32 unacceptable
05[IKE1] failed to establish CHILD_SA, keeping IKE_SA
05[ENC1] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) N(TS_UNACCEPT) ]

status: ipsec statusall

Status of IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-1012-aws, x86_64):
  uptime: 10 days, since Aug 09 13:41:19 2024
  malloc: sbrk 2273280, mmap 0, used 1411536, free 861744
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
Listening IP addresses:
  10.0.0.79
  172.17.0.1
Connections:
   ikev2-vpn:  %any...%any  IKEv2
   ikev2-vpn:   local:  [18.213.168.87] uses pre-shared key authentication
   ikev2-vpn:   remote: uses pre-shared key authentication
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
   ikev2-vpn[4]: ESTABLISHED 26 hours ago, 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
   ikev2-vpn[4]: IKEv2 SPIs: 6ea097f516021b0b_i 9a04fca0e13c4ae6_r*, rekeying disabled
   ikev2-vpn[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

config: /etc/ipsec.conf

config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no
conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        rekey=no
        left=%any
        leftid=x.x.168.87
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=chacha20poly1305-sha512,aes256gcm16,aes256-sha256-modp2048,aes256-sha1,3des-sha1!
        eap_identity=%identity

config: /etc/strongswan.conf

charon {
        load_modular = yes
        uniqueids=never
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

logs from cisco:

Aug 19 2024 14:14:18: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure
Aug 19 2024 14:14:19: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure

I’ve tried a few config changes, including leftsourceip=%config and left- and rightsubnet=10.10.10.0/24, with no progress. I’m expecting strongSwan to successfully assign a virtual IP so the Cisco client can connect.
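As an added example (not part of the original post or its configuration), this is the site-to-site form of the connection that matches the traffic selectors the ASA proposes in the logs above: x.x.120.3/32 on the ASA side and x.x.168.87/32 on the strongSwan side. It assumes the ASA is set up as a LAN-to-LAN peer, which never sends a Configuration Payload request, so rightsourceip and rightdns are dropped; with rightsourceip set, charon answers FAILED_CP_REQUIRED and its "dynamic" remote selector resolves to the peer address x.x.122.4, which is why x.x.120.3/32 is rejected with TS_UNACCEPT. The x.x. addresses are the post's masked values, not real ones.

```ini
# /etc/ipsec.conf, site-to-site variant (added example, not the poster's file)
config setup
        # cfg 2 logs the selector narrowing so a TS mismatch is visible
        charondebug="ike 1, knl 1, cfg 2"
        uniqueids=no

conn asa-s2s
        auto=add
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        rekey=no
        # left binds to the EC2 private address; leftid must stay the public
        # address because the ASA authenticates x.x.168.87 behind NAT
        left=%any
        leftid=x.x.168.87
        # local selector: the ASA's "remote traffic selector" (x.x.168.87/32).
        # 0.0.0.0/0 would also narrow to this, but an explicit /32 keeps the
        # IPsec policy as small as the peer actually needs
        leftsubnet=x.x.168.87/32
        # pin the peer instead of %any so only the ASA can match this conn
        right=x.x.122.4
        rightid=x.x.122.4
        # remote selector: the ASA's "local traffic selector" (x.x.120.3/32).
        # No rightsourceip/rightdns here: a site-to-site peer requests no
        # virtual IP, and rightsourceip would force the CP requirement
        rightsubnet=x.x.120.3/32
        authby=secret
        ike=aes256-sha256-modp2048!
        # keep whatever the ASA's IPsec proposal really contains; confirm it
        # on the ASA and then drop the weak 3des-sha1 and aes256-sha1 entries
        esp=chacha20poly1305-sha512,aes256gcm16,aes256-sha256-modp2048,aes256-sha1,3des-sha1!
```

After `ipsec reload`, a successful match shows the narrowed pair `x.x.168.87/32 === x.x.120.3/32` under "selected traffic selectors" in charon.log instead of the "unacceptable" line. If more hosts behind the ASA must reach the server, widen rightsubnet to the exact prefix in the ASA's crypto ACL rather than to 0.0.0.0/0.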
