I’m configuring a strongSwan server (x.x.168.87) for a third-party service to connect their Cisco ASA 5525 using PSK auth. Phase one appears to succeed from the gateway/peer (x.x.122.4), but phase two fails when they run a traceroute from the client (x.x.120.3) to our gateway server. The logs mention “expected a virtual IP request, sending FAILED_CP_REQUIRED” and say the “traffic selectors [are] unacceptable”. Is strongSwan misconfigured, or is the Cisco client failing to request an IP? Does strongSwan require that I manually create a virtual IP tunnel? The virtual IP pool appears to be available.
Thank you.
logs: /var/log/charon.log
05[IKE2] local endpoint changed from 10.0.0.79[500] to 10.0.0.79[4500]
05[IKE2] remote endpoint changed from x.x.122.4[500] to x.x.122.4[4500]
05[CFG1] looking for peer configs matching 10.0.0.79[%any]...x.x.122.4[x.x.122.4]
05[CFG3] peer config "ikev2-vpn", ike match: 28 (%any...%any IKEv2)
05[CFG3] local id match: 1 (ID_ANY: )
05[CFG3] remote id match: 1 (ID_IPV4_ADDR: 17:eb:7a:04)
05[CFG2] candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
05[CFG1] selected peer config 'ikev2-vpn'
05[IKE1] authentication of 'x.x.122.4' with pre-shared key successful
05[IKE1] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE1] authentication of 'x.x.168.87' (myself) with pre-shared key
05[IKE2] successfully created shared key MAC
05[IKE1] expected a virtual IP request, sending FAILED_CP_REQUIRED
05[IKE0] IKE_SA ikev2-vpn[4] established between 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
05[IKE2] IKE_SA ikev2-vpn[4] state change: CONNECTING => ESTABLISHED
05[CFG2] looking for a child config for x.x.168.87/32 === x.x.120.3/32
05[CFG2] proposing traffic selectors for us:
05[CFG2] 0.0.0.0/0
05[CFG2] proposing traffic selectors for other:
05[CFG2] dynamic
05[IKE1] traffic selectors x.x.168.87/32 === x.x.120.3/32 unacceptable
05[IKE1] failed to establish CHILD_SA, keeping IKE_SA
05[ENC1] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
status: ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-1012-aws, x86_64):
uptime: 10 days, since Aug 09 13:41:19 2024
malloc: sbrk 2273280, mmap 0, used 1411536, free 861744
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
10.0.0.79
172.17.0.1
Connections:
ikev2-vpn: %any...%any IKEv2
ikev2-vpn: local: [18.213.168.87] uses pre-shared key authentication
ikev2-vpn: remote: uses pre-shared key authentication
ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
ikev2-vpn[4]: ESTABLISHED 26 hours ago, 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
ikev2-vpn[4]: IKEv2 SPIs: 6ea097f516021b0b_i 9a04fca0e13c4ae6_r*, rekeying disabled
ikev2-vpn[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
config: /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    rekey=no
    left=%any
    leftid=x.x.168.87
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=chacha20poly1305-sha512,aes256gcm16,aes256-sha256-modp2048,aes256-sha1,3des-sha1!
    eap_identity=%identity
config: /etc/strongswan.conf
charon {
    load_modular = yes
    uniqueids=never
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
logs from cisco:
Aug 19 2024 14:14:18: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure
Aug 19 2024 14:14:19: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure
I’ve tried a few config changes, including leftsourceip=%config and left- and rightsubnet=10.10.10.0/24, with no progress. I’m expecting strongSwan to successfully assign a virtual IP so the Cisco client can connect.
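As an added check (not part of the question, and not strongSwan's own tooling), the script below reads the charon.log lines quoted above and names the mismatch they record: the responder sent FAILED_CP_REQUIRED because rightsourceip is set but the peer's IKE_AUTH carried no CP request, and the peer proposed its own host address as a traffic selector instead of a virtual IP from the 10.10.10.0/24 pool. The sample log is constructed from the post, with documentation addresses standing in for the anonymised x.x prefixes so they parse.

```python
import ipaddress
import re

# Constructed sample built from the charon.log lines in the question; the anonymised
# "x.x" prefixes are replaced with documentation addresses so they parse (assumption).
SAMPLE_LOG = """\
05[IKE1] authentication of '203.0.113.4' with pre-shared key successful
05[IKE1] expected a virtual IP request, sending FAILED_CP_REQUIRED
05[CFG2] looking for a child config for 198.51.100.87/32 === 203.0.113.3/32
05[CFG2] proposing traffic selectors for other:
05[CFG2]  dynamic
05[IKE1] traffic selectors 198.51.100.87/32 === 203.0.113.3/32 unacceptable
05[ENC1] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
"""

CHILD_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")


def diagnose(log_text, pool_cidr):
    """Classify a failed CHILD_SA from charon.log lines.

    pool_cidr is the rightsourceip pool the responder hands virtual IPs from.
    Returns a dict with the parsed facts and a one-line verdict.
    """
    pool = ipaddress.ip_network(pool_cidr)
    r = {"cp_required": False, "ts_unacceptable": False, "local_ts": None,
         "remote_ts": None, "remote_ts_in_pool": None,
         "verdict": "no CHILD_SA failure seen"}
    for line in log_text.splitlines():
        if "FAILED_CP_REQUIRED" in line:          # peer sent no CP(CFG_REQUEST) payload
            r["cp_required"] = True
        if "traffic selectors" in line and line.rstrip().endswith("unacceptable"):
            r["ts_unacceptable"] = True
        m = CHILD_RE.search(line)                 # TSr === TSi as the peer proposed them
        if m:
            r["local_ts"], r["remote_ts"] = m.group(1), m.group(2)
    if r["remote_ts"]:
        net = ipaddress.ip_network(r["remote_ts"], strict=False)
        r["remote_ts_in_pool"] = net.version == pool.version and net.subnet_of(pool)
    if r["cp_required"] and r["remote_ts"] and not r["remote_ts_in_pool"]:
        r["verdict"] = ("site-to-site proposal: peer requested no virtual IP and offered "
                        f"{r['remote_ts']} as its selector, which a rightsourceip/dynamic "
                        "child config cannot match")
    elif r["cp_required"]:
        r["verdict"] = "peer requested no virtual IP (no CP payload in IKE_AUTH)"
    elif r["ts_unacceptable"]:
        r["verdict"] = (f"traffic selectors {r['local_ts']} === {r['remote_ts']} "
                        "outside leftsubnet/rightsubnet")
    return r


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "10.10.10.0/24")["verdict"])
```

Run it against the real /var/log/charon.log after each config change; the verdict changes from "site-to-site proposal" only once the peer either sends a CP request or the child config's selectors cover x.x.120.3/32.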