IKEv2 vpn between OpenBSD 6.2 and Cisco ASA 5510 using PSK

danial
Hi,

I feel that I've tried just about every permutation of the various iked and
Cisco crypto settings to get this tunnel up and it just won't work.

One endpoint is an OpenBSD 6.2 and the other is a Cisco ASA 5510 9.1(7).

LAN------------------OpenBSD========Cisco--------LAN
10.11.12.0/24        1.1.1.1        2.2.2.2      192.168.66.0/24

I started out with high crypto settings but have adjusted down along the
way. I've also tried initiating from both sides but the result is pretty
much the same: OpenBSD stops responding when receiving the Cisco proposal
(and pf does not block any packets).

The iked config:

ikev2 "DO-test" \
        passive esp \
        from 10.11.12.0/24 to 192.168.66.0/24 \
        local any peer any \
        ikesa auth hmac-sha1 enc aes-256 prf hmac-sha1 group modp1024 \
        childsa auth hmac-sha1 enc aes-256 \
        lifetime 86400 \
        psk "12345678"


The Cisco config:

crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 1.1.1.1
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map 2 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 set df-bit clear-df
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

access-list outside_cryptomap_1 extended permit ip 192.168.66.0 255.255.255.0 10.11.12.0 255.255.255.0


It seems to me, from the output below, that iked is bent on using
certificates instead of pre-shared keys. Here is iked output when acting as
passive:

# iked -dvvT
ikev2 "DO-test" passive esp from 10.11.12.0/24 to 192.168.66.0/24 local any
peer any ikesa enc aes-256 prf hmac-sha1 auth hmac-sha1 group modp1024
childsa enc aes-256 auth hmac-sha1 lifetime 86400 bytes 536870912 psk
0x3132333435363738
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 270
config_getpfkey: received pfkey fd 3
ca_dispatch_parent: config reset
config_getcompile: compilation done
config_getsocket: received socket fd 4
ca_reload: local cert type RSA_KEY
config_getsocket: received socket fd 5
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_recv: IKE_SA_INIT request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 0, 657 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn-gw.openbsd.fo length 25
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
657 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 248
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 68
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length
23
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length
59
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length
19
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xaf51a28350f1c918 0x0000000000000000
2.2.2.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length
28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xaf51a28350f1c918 0x0000000000000000
1.1.1.1:500
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 112 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: T9 with 20 bytes
ikev2_prfplus: Tn with 180 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NONE
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
248 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NONE critical 0x00 length 36
ikev2_msg_send: IKE_SA_INIT response from 1.1.1.1:500 to 2.2.2.2:500 msgid
0, 248 bytes
config_free_proposals: free 0x796f5700
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: updated SA to peer 2.2.2.2:500 local 1.1.1.1:500
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 332
response 0
ikev2_pld_payloads: payload SK nextpayload VENDOR critical 0x00 length 304
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 272
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 272/272 padding 4
ikev2_pld_payloads: decrypted payload VENDOR nextpayload IDi critical 0x00
length 20
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00
length 18
ikev2_pld_id: id FQDN/vpn.cisco.fo length 14
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00
length 45
ikev2_pld_certreq: type X509_CERT length 40
ikev2_policy2id: srcid FQDN/vpn-gw.openbsd.fo length 25
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 28
ikev2_pld_auth: method SHARED_KEY_MIC length 20
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 52
ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4
xforms 4 spi 0xcd5c647e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.168.66.249 end 192.168.66.249
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.168.66.0 end 192.168.66.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 10.11.12.5 end 10.11.12.5
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 10.11.12.0 end 10.11.12.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
length 8
ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'vpn.cisco.fo'
ikev2_msg_auth: responder auth data length 332
ikev2_msg_auth: initiator auth data length 709
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 20 type NONE
*ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002c -> 0x003c certreq,auth,authvalid,sa (required 0x0039
cert,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x003c -> 0x003c certreq,auth,authvalid,sa (required 0x0039
cert,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0039 cert,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x75dbd740
ca_getreq: no valid local certificate found*
ikev2_getimsgdata: imsg 19 rspi 0xac9649f5b88d71a9 ispi 0xaf51a28350f1c918
initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
^Ccontrol exiting, pid 27599
ikev2 exiting, pid 62350
ca exiting, pid 73320
parent terminating


To me it looks like it has authenticated but still requires a certificate?!?
I can post the Cisco debugging output if required, but in order not to make
this post too verbose I'll hold off on that for now.

Hopefully somebody has a solution; even suggestions are much appreciated.

Thanks,

Danial



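The iked log above ends with "ikev2_msg_authverify: authentication successful" followed by "sa_state: cannot switch: AUTH_SUCCESS -> VALID" and "ca_getreq: no valid local certificate found". iked spells out its state machine in those lines: "sa_stateflags" names the flags the SA currently holds and "sa_stateok" names the flags the next state requires. As an added example (not from the post, not part of OpenBSD or iked), the following Python reads "iked -dvvT" output and reports, for each stalled transition, which flag names iked itself listed as required but not held, and notes when the peer was verified with a pre-shared key yet the transition still waits on a local certificate. The sample lines are a subset copied from the log above with extraction line-wraps rejoined; the function and class names are my own.

```python
"""Triage helper for ``iked -dvvT`` output (added example; not iked's own code).

iked logs its SA state machine explicitly: ``sa_stateflags`` lines name the
flags an SA currently holds, ``sa_stateok`` lines name the flags a state
transition requires, and ``sa_state: cannot switch`` marks the stall.  This
script reads those lines and reports the required-but-missing flags, so the
reader does not have to decode the hex masks by hand.  Flag names come from
the log itself; no iked-internal bit layout is assumed.
"""
import re
from dataclasses import dataclass

# Regexes match the message formats visible in the thread's log.
STATEFLAGS_RE = re.compile(
    r"sa_stateflags: 0x[0-9a-f]+ -> 0x(?P<have>[0-9a-f]+)"
    r"(?: (?P<names>[\w,]+))? \(required 0x(?P<req>[0-9a-f]+) ?(?P<reqnames>[\w,]*)\)"
)
STATEOK_RE = re.compile(
    r"sa_stateok: (?P<state>\w+) flags 0x(?P<have>[0-9a-f]+), "
    r"require 0x(?P<req>[0-9a-f]+)(?: (?P<names>[\w,]+))?"
)
CANNOT_SWITCH_RE = re.compile(r"sa_state: cannot switch: (?P<src>\w+) -> (?P<dst>\w+)")
AUTH_METHOD_RE = re.compile(r"ikev2_msg_authverify: method (?P<method>\w+)")
AUTH_OK_RE = re.compile(r"ikev2_msg_authverify: authentication successful")
NO_CERT_RE = re.compile(r"ca_getreq: no valid local certificate found")


@dataclass
class Finding:
    kind: str    # "stalled" or "psk-then-cert"
    detail: str


def _names(field):
    """Split an optional comma-separated flag list into a set of names."""
    return {n for n in (field or "").split(",") if n}


def triage(lines):
    """Return the findings for one iked debug session, in log order."""
    findings = []
    held = set()        # flag names from the most recent sa_stateflags line
    last_ok = None      # (have, req, required names) from the last sa_stateok line
    auth_method = None
    auth_ok = False
    for raw in lines:
        # The post wraps the interesting lines in '*' for emphasis; drop those.
        line = raw.strip().strip("*")
        if m := STATEFLAGS_RE.search(line):
            held = _names(m["names"])
        elif m := STATEOK_RE.search(line):
            last_ok = (int(m["have"], 16), int(m["req"], 16), _names(m["names"]))
        elif m := AUTH_METHOD_RE.search(line):
            auth_method = m["method"]
        elif AUTH_OK_RE.search(line):
            auth_ok = True
        elif (m := CANNOT_SWITCH_RE.search(line)) and last_ok:
            have, req, req_names = last_ok
            missing_bits = req & ~have          # bits required but not held
            missing = ",".join(sorted(req_names - held)) or "?"
            findings.append(Finding(
                "stalled",
                f"{m['src']} -> {m['dst']} blocked: "
                f"missing flags 0x{missing_bits:04x} ({missing})"))
        elif NO_CERT_RE.search(line) and auth_ok and auth_method == "SHARED_KEY_MIC":
            findings.append(Finding(
                "psk-then-cert",
                "peer verified with SHARED_KEY_MIC, yet the VALID transition still "
                "waits on a local certificate (flag 'cert')"))
    return findings


# Constructed sample: lines copied from the post's log, wrapped lines rejoined.
SAMPLE_LOG = """\
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_pld_auth: method SHARED_KEY_MIC length 20
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 20 type NONE
*ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002c -> 0x003c certreq,auth,authvalid,sa (required 0x0039 cert,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0039 cert,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: no valid local certificate found*
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind}: {f.detail}")
```

Run against the sample, it reports that the AUTH_SUCCESS -> VALID transition is blocked by the single missing flag 0x0001, which iked names "cert", and that this happens after a successful SHARED_KEY_MIC verification. The same script can be fed a full "iked -dvvT" capture on stdin or from a file; it ignores everything except the state-machine and authentication lines.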

Re: IKEv2 vpn between OpenBSD 6.2 and Cisco ASA 5510 using PSK

danial
I'll answer my own post.

I've come to the conclusion that the OpenBSD IKEv2 implementation in iked is
incompatible with Cisco. It works between OpenBSD boxes, but I could not get it
to work with any of the several Cisco ASA devices I tried. Switching to IKEv1,
i.e. isakmpd, works immediately.


/ Danial