Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved) (Read 6803 times)
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)
«
on:
March 11, 2020, 12:52:51 pm »
Hi,
I am not able to establisch an IPSec connection with more than one Phase2 definition to a Cisco ASA 5540.
Having enabled only one of both Phase2 definitions at once, everthing is working fine.
Please find attached log files:
ipsecOpnSenseCiscoTestFail.log shows the error N(INVAL_SYN),
ipsecOpnSenseCiscoTest1Phase2_1ok.log shows the successful connection with only Phase2 number 1,
ipsecOpnSenseCiscoTest1Phase2_2ok.log shows the successful connection with only Phase2 number 2.
Source and target addresses have been replaced by A.B.C.D and E.F.G.H.
Split tunnel option is enabled.
Any hint is welcome!
«
Last Edit: March 16, 2020, 05:35:19 pm by Jürgen Garbe
»
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #1 on:
March 11, 2020, 01:52:40 pm »
Hi,
the remote side does not seem to understand your requests:
charon: 13[IKE] <con5|1> received INVALID_SYNTAX notify error, destroying IKE_SA
charon: 13[ENC] <con5|1> parsed CREATE_CHILD_SA response 2 [ N(INVAL_SYN) ]
Perhaps the remote software/config needs to be upgraded.
Matthias Ferdinand
Logged
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #2 on:
March 11, 2020, 02:26:24 pm »
Hm,
how would you explain, that each Phase2 definition (and its traffic) alone is working, but not, if both Phase2 definitions are enabled?
Jürgen Garbe
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #3 on:
March 11, 2020, 05:52:56 pm »
Well, might be a bug on either side, or maybe Cisco limits the number of phase2 SAs per IKE phase1 connection.
You can try with two phase1 proposals, each with a single phase2 entry.
Logged
franco
Administrator
Hero Member
Posts: 17657
Karma: 1611
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #4 on:
March 11, 2020, 07:16:11 pm »
Without changing the world try "tunnel isolation" in phase 1 settings. Had the same issue with FortiGate compatibility a couple of years ago.
Cheers,
Franco
Logged
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #5 on:
March 12, 2020, 09:34:25 am »
@mfedv: I tried to split into 2 Phase1 connections with only one Phase2 definitions each but ended in the same behaviour (only one of both is working).
@franco: Yes, I am using tunnel isolation and it's not working. That's what I meant with "Split tunnel option is enabled". Sorry for this unclear wording...
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #6 on:
March 12, 2020, 05:15:48 pm »
So with separate phase1 definitions, you can establish either one, but not both at the same time?
Can you post a log of one connecting and the other one failing?
Logged
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #7 on:
March 13, 2020, 07:50:09 am »
Yes, please find attached the log which is showing this.
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #8 on:
March 14, 2020, 05:41:55 pm »
In this log, only a single IKE connection gets established, and the peer seems unwilling to accept the second CHILD_SA on the same IKE_SA.
Do you actually have both tunnels on separate IKE definitions? If so, then perhaps strongswan is too clever and reuses the IKE_SA that it already has:
https://unix.stackexchange.com/questions/351700/strongswan-several-right-subnets
Someone already posted a workaround:
https://forum.opnsense.org/index.php?topic=11735.0
("IPsec and the Palo Alto Networks PA-3050")
That is a global settings and might have negative impact on other tunnels. The 5540 seems EOL for quite some time (2013!) so they should upgrade anyway, for more reasons than IPsec alone...
Logged
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #9 on:
March 14, 2020, 08:40:21 pm »
Well good that you have a OPNsense on one side.. if the box on the other side is EOL since 2013... you may have no luck.
Replace that legacy Cisco box for security and compatibility reasons as soon as possible.
Logged
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #10 on:
March 16, 2020, 02:50:34 pm »
@mfedv:
This could be the same problem I am observing! Do you have any hint for me, where exactly I should add this mentioned manual configuration line in the file ipsec.inc?
@banym:
It is a big and mighty customer and we are so small...
No chance to change the other sid (and they never ever had any problems before like this)...
Logged
mfedv
Newbie
Posts: 43
Karma: 6
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540
«
Reply #11 on:
March 16, 2020, 03:09:46 pm »
Disclaimer: untested
In line 1088 is the call to generate config text from the nested array. So the assignment should go above it.
--------------------------------------------
1088 $strongswan = generate_strongswan_conf($strongswanTree);
1089 $strongswan .= "\ninclude strongswan.opnsense.d/*.conf\n";
1090 @file_put_contents("/usr/local/etc/strongswan.conf", $strongswan);
1091 unset($strongswan);
--------------------------------------------
But less intrusive and with higher chance of surviving the next opnsense update: create a file /usr/local/etc/strongswan.opnsense.d/noreuse_ikesa.conf with a line
charon { reuse_ikesa=no }
and restart ipsec.
Logged
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)
«
Reply #12 on:
March 16, 2020, 05:34:41 pm »
@mfedv:
You are my hero of the day!
That solved the issue.
Would be worth to be an option in the OPNsense GUI.
Thank you very, very much
Logged
Jürgen Garbe
Newbie
Posts: 27
Karma: 0
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)
«
Reply #13 on:
March 17, 2020, 11:08:07 am »
Important additional information:
using this option, there is not need anymore to use 2 different Phase 1 definitions.
Now it works like it should:
Only 1 Phase 1 definition with 2 individual Phase 2 definitions (each for one seperate network to reach at the other side).
Thank you again for helping me!
Logged
franco
Administrator
Hero Member
Posts: 17657
Karma: 1611
Re: Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)
«
Reply #14 on:
March 18, 2020, 08:24:03 am »
Would someone be so kind to open a ticket for this and reference this form thread?
https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md&title=
Thanks,
Franco
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Can't establish multiple IPSec Phase2 tunnels width Cisco ASA 5540 (solved)