IPsec to Cisco ASA - received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

[Moonshine]

Hello,

I'm trying to establish an IPsec VPN with a remote Cisco ASA.  I use OpenVPN and WireGuard regularly, but unfortunately this is my first IPsec attempt. 

I'm running OPNsense 23.7.11 and using the "newer" connections UI for IPsec configuration.  So far I seem to have the "Phase 1" portion working, as I see connected in the "Status Overview" and the following logged:

Code: [Select]

...
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> maximum IKE_SA lifetime 14550s
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> scheduling rekeying in 13110s
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> IKE_SA 0fa995fb-0f0c-4e64-af3c-481ea320004f[1] established between a.a.a.a[a.a.a.a]...b.b.b.b[b.b.b.b]
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> authentication of 'b.b.b.b' with pre-shared key successful
...
However then it logs:

Code: [Select]

2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> failed to establish CHILD_SA, keeping IKE_SA
2024-01-23T17:11:56-07:00 Informational charon 14[IKE] <0fa995fb-0f0c-4e64-af3c-481ea320004f|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

Which from Googling seems to mean some issue/mismatch with the ESP proposal in the children of the connection (?).  Currently i have the ESP proposals set to "default" and have the following from the VPN peer (see attachment).  In looking through the list for ESP proposal the only thing I saw that seemed like it might match is "aes256-sha512-modp1024 [DH2]" just going off the DH2 primarily (Duffie-Hellman #2?) But choosing that doesn't seem to help.

Anyway, looking for any suggestions at this point as I feel like I've jumped into the deep end with IPsec vs WG and OpenVPN.

Thanks!

[Monviech (Cedrik)]

From what it looks like the peer expects (they didnt specify which bit count they want for sha):

For IKE and for ESP:
sha256-aes256-modp1024

That's one thats not selectable in Connections. You can use Tunnel Settings legacy for that.

As alternative, I would ask them if they can offer:
sha256-aes256-modp2048

Which right now is the secure best practice standard.

[netnut]

In looking through the list for ESP proposal the only thing I saw that seemed like it might match is "aes256-sha512-modp1024 [DH2]" just going off the DH2 primarily (Duffie-Hellman #2?) But choosing that doesn't seem to help.

Looking at the "table" from your remote peer I suspect (seeing 3des and md5) their interpretation of SHA is SHA1.

So you could try aes256-sha1-modp1024, but as @Monviech already mentioned you need to use the "old" interface for that.

Be aware that this combo is pretty insecure, funny enough the best part is SHA1 used as HMAC. Although you have AES256 it's in CBC mode, and modp1024 (or even modp2048) well....

You might want to ask the remote peer to look at some available software updates for their VPN appliance, but it might be possible the box is EOL for quite some time. Or is this one of the Cloud Providers you trying to connect to ?

[Moonshine]

Thank you both for the info and hints! 

Not connected yet, but it's definitely helped me track things further. 

Using the old legacy UI and trial and error it seems they are using SHA1 (at least Phase 1 only connects with aes256-sha1-modp1024).

However for Phase 2 using aes256-sha1-modp1024 I still get the same error logged.  So I'm not sure what to think. I guess I'm making other assumptions like the mode set to "tunnel", etc, not knowing IPsec.

It seems it's time to call to call them and discuss options.  This is just to access a "development/testing VPN" of a company we need to do some integration work with -- which will be easier than the VPN config.   They are using a Cisco ASA 5505 which seems to be a little dated from what I can tell. 

[netnut]

They are using a Cisco ASA 5505 which seems to be a little dated from what I can tell.

Well, that's not the most modern appliance ;-) but it definitely could do _much_ better. Looks like the proposal is configured with a default / standard wizard for maximum compatibility (and minimum security ;-)).

They even have a Strongswan inspired documentation page:

https://www.cisco.com/c/en/us/support/docs/interfaces-modules/virtual-private-network-module/221568-vpn-technologies-documentation-reference.html#toc-hId--1867615638

[Moonshine]

Funny.. I was actually looking at that Cisco page for clues until I saw it was using deprecated SS configuration files.  .

Still it didn't seem far off from the configuration I *think* I'm working against, other than the example seemed to show "group 5" being used (1536 bits) instead of 2.

[netnut]

Still it didn't seem far off from the configuration I *think* I'm working against, other than the example seemed to show "group 5" being used (1536 bits) instead of 2.

If you can work with the people on "the other side" you definitely want to work to something like this:

• aes128gcm16 / aes256gcm16 (128 bits should be sufficient for most cases, the important part is using GCM instead of CBC)
• => SHA256  ( SHA384 / SHA512 )
• EC Group => ecp256 ( ecp384 / ecp 521)

[miken32]

Current ASA firmware can do up to DH group 31

[Moonshine]

Thanks everyone..  No chance of getting them to update, but in the end their firewall was misconfigured which was the issue.  I have to use the OPNsense IPsec legacy config for their older options, but hopefully we should be able to toss this VPN after a few weeks of development.