miken32

ASA <-> Strongswan VPN failure

Dec 9th, 2014
(73):
IKEv2-PROTO-2: (73): Received Packet [From 1.2.3.4:4500/To 9.8.7.6:4500/VRF i0:f0]
(73): Initiator SPI : 68A239EC0B4B7A8F - Responder SPI : 79FAD91CB54FFC66 Message id: 57
(73): IKEv2 CREATE_CHILD_SA Exchange REQUESTIKEv2-PROTO-3: (73): Next payload: ENCR, version: 2.0 (73): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (73): Message id: 57, length: 704(73):
Payload contents:
(73): REAL Decrypted packet:(73): Data: 608 bytes
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT(73): NOTIFY(ESP_TFC_NO_SUPPORT)(73): Next payload: SA, reserved: 0x0, length: 8
(73): Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
(73): SA(73): Next payload: N, reserved: 0x0, length: 220
(73): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 4(73): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(73): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(73): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 4(73): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: AES XCBC 96
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(73): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(73): last proposal: 0x2, reserved: 0x0, length: 40
Proposal: 3, Protocol id: ESP, SPI size: 4, #trans: 3(73): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(73): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(73): last proposal: 0x2, reserved: 0x0, length: 40
Proposal: 4, Protocol id: ESP, SPI size: 4, #trans: 3(73): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: Unknown - 19
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(73): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(73): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 5, Protocol id: ESP, SPI size: 4, #trans: 3(73): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: Unknown - 18
(73): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(73): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(73): N(73): Next payload: KE, reserved: 0x0, length: 36
(73):
(73): e4 01 be f3 cf 6a 68 fd 5b 73 e2 c8 18 25 3a 32
(73): 06 6f d4 c0 70 bf 5f ff f0 7a 58 f4 0a 82 33 c2
(73): KE(73): Next payload: TSi, reserved: 0x0, length: 264
(73): DH group: 14, Reserved: 0x0
(73):
(73): TSi(73): Next payload: TSr, reserved: 0x0, length: 40
(73): Num of TSs: 2, reserved 0x0, reserved 0x0
(73): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(73): start port: 0, end port: 65535
(73): start addr: 1.2.3.4, end addr: 1.2.3.4
(73): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(73): start port: 0, end port: 65535
(73): start addr: 192.168.244.0, end addr: 192.168.244.255
(73): TSr(73): Next payload: NONE, reserved: 0x0, length: 40
(73): Num of TSs: 2, reserved 0x0, reserved 0x0
(73): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(73): start port: 0, end port: 65535
(73): start addr: 9.8.7.6, end addr: 9.8.7.6
(73): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(73): start port: 0, end port: 65535
(73): start addr: 192.168.242.0, end addr: 192.168.242.255
(73):
(73): Decrypted packet:(73): Data: 704 bytes
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (73): Action: Action_Null
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (73): Action: Action_Null
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (73): Validating create child message
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-2: (73): Check for create child response message type
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-2: (73): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-2: Crypto Map: No proxy match on map OUTSIDE_map seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map OUTSIDE_map seq 2
IKEv2-PROTO-1: (73): Failed to find a matching policy
IKEv2-PROTO-1: (73): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA512 DH_GROUP_2048_MODP/Group 14 Don't use ESN

ESP: Proposal 2: AES-GCM-256 DH_GROUP_2048_MODP/Group 14 Don't use ESN

IKEv2-PROTO-1: (73): Failed to find a matching policy
IKEv2-PROTO-1: (73): Expected Policies:
IKEv2-PROTO-5: (73): Failed to verify the proposed policies
IKEv2-PROTO-1: (73): Failed to find a matching policy
IKEv2-PROTO-1: (73):
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-2: (73): Sending no proposal chosen notify
IKEv2-PROTO-5: Construct Notify Payload: NO_PROPOSAL_CHOSENIKEv2-PROTO-2: (73): Building packet for encryption.
(73):
Payload contents:
(73): NOTIFY(NO_PROPOSAL_CHOSEN)(73): Next payload: NONE, reserved: 0x0, length: 8
(73): Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
(73):
IKEv2-PROTO-2: (73): Sending Packet [To 1.2.3.4:4500/From 9.8.7.6:4500/VRF i0:f0]
(73): Initiator SPI : 68A239EC0B4B7A8F - Responder SPI : 79FAD91CB54FFC66 Message id: 57
(73): IKEv2 CREATE_CHILD_SA Exchange RESPONSEIKEv2-PROTO-3: (73): Next payload: ENCR, version: 2.0 (73): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (73): Message id: 57, length: 96(73):
Payload contents:
(73): ENCR(73): Next payload: NOTIFY, reserved: 0x0, length: 68
(73): Encrypted data: 64 bytes
(73):
IKEv2-PLAT-3: (73): SENT PKT [CREATE_CHILD_SA] [9.8.7.6]:4500->[1.2.3.4]:4500 InitSPI=0x68A239EC0B4B7A8F RespSPI=0x79FAD91CB54FFC66 MID=00000039
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-1: (73): Create child exchange failed
IKEv2-PROTO-1: (73):
IKEv2-PROTO-2: (73): IPSec SA create failed
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (73): Sent response with message id 57, Requests can be accepted from range 58 to 58
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-1: Failed to decrement count for incoming negotiating
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000039 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (73): Abort exchange
IKEv2-PROTO-5: (73): Deleting negotiation context for peer message ID: 0x39
IKEv2-PROTO-5: (73): SM Trace-> SA: I_SPI=68A239EC0B4B7A8F R_SPI=79FAD91CB54FFC66 (R) MsgID = 00000038 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (73): Deleting negotiation context for peer message ID: 0x38
IKEv2-PLAT-3: RECV PKT [CREATE_CHILD_SA] [1.2.3.4]:4500->[9.8.7.6]:4500 InitSPI=0x68A239EC0B4B7A8F RespSPI=0x79FAD91CB54FFC66 MID=0000003a
IKEv2-PROTO-5: (73): Request has mess_id 58; expected 58 through 58