RE: OpenBSD + Cisco VPN.
Hey folks,
I've managed to get Phase 1 of the VPN to
work correctly, but I'm getting hung up on Phase 2.
I have read the FAQ quite a few times, but I'll admit
that I don't 100% understand what I'm reading when it
comes to IPsec. I've also gone over the archives,
reading every VPN email I could find. No joy yet.
Here is some of the [hopefully] relevant output from
'isakmpd -d -DA=99 -D1=70':
(if you want the whole thing, let me know - it's very
long and it would take some time to cut-n-paste)
150918.483873 Exch 10 exchange_finalize: 0x105e00 <unnamed> <no policy>
policy initiator phase 1 doi 0 exchange 5 step 1
150918.484612 Exch 10 exchange_finalize: icookie 325933c297afdde8 rcookie
0000000000000000
150918.484829 Exch 10 exchange_finalize: msgid 00000000
150918.485041 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x105e00)
150918.485243 Exch 80 exchange_free_aux: freeing exchange 0x105e00
150918.485807 Mesg 20 message_free: freeing 0x124200
150918.486032 Trpt 70 transport_release: freeing 0x107400
150928.388869 Trpt 70 transport_add: adding 0x107400
150928.389140 Mesg 90 message_alloc: allocated 0x105b00
150928.389344 Mesg 70 message_recv: message 0x105b00
150928.389566 Mesg 70 ICOOKIE: 0x463d38e499bc97d2
150928.389788 Mesg 70 RCOOKIE: 0x3117adc21f83a851
150928.390374 Mesg 70 NEXT_PAYLOAD: ID
150928.390596 Mesg 70 VERSION: 16
150928.390793 Mesg 70 EXCH_TYPE: ID_PROT
150928.391012 Mesg 70 FLAGS: [ ENC ]
150928.391225 Mesg 70 MESSAGE_ID: 0x00000000
150928.391429 Mesg 70 LENGTH: 68
150928.391716 Mesg 70 message_recv: 463d38e4 99bc97d2 3117adc2 1f83a851
05100201 00000000 00000044 b6532602
150928.392400 Mesg 70 message_recv: 9d4422c1 56d5d9fb 2dc5bf86 720a936d
7f2b57a6 8be15f18 ce3365f7 b116ed1a
150928.392705 Mesg 70 message_recv: b6a01a00 6e5bcbdb 88bdf65c 49a49810
c83238a1 16e93225 32abf9b1 0763cdb7
150928.392943 Mesg 70 message_recv: c74bf709 47d0c14c c59a9ecc aaa2
150928.393485 Default message_recv: bad message length
150928.393734 Default dropped message from 100.100.100.100 port 500 due to
notification type UNEQUAL_PAYLOAD_LENGTHS
150928.393967 Misc 60 conf_get_str: [General]:Exchange-max-time->120
150928.394200 Timr 10 timer_add_event: event exchange_free_aux(0x105e00)
added before cookie_reset_event(0x0), expiration in 120s
150928.395357 Exch 10 exchange_establish_p1: 0x105e00 <unnamed> <no policy> policy initiator phase 1 doi 0 exchange 5 step 0
150928.395600 Exch 10 exchange_establish_p1: icookie 66386cbac6e861e6
rcookie 0000000000000000
150928.395801 Exch 10 exchange_establish_p1: msgid 00000000
150928.396258 Mesg 90 message_alloc: allocated 0x124200
150928.396505 Exch 90 exchange_validate: checking for required INFO
150928.396716 Mesg 70 message_send: message 0x124200
150928.396941 Mesg 70 ICOOKIE: 0x66386cbac6e861e6
150928.397165 Mesg 70 RCOOKIE: 0x0000000000000000
150928.397610 Mesg 70 NEXT_PAYLOAD: NOTIFY
150928.397829 Mesg 70 VERSION: 16
150928.398027 Mesg 70 EXCH_TYPE: INFO
150928.398228 Mesg 70 FLAGS: [ ]
150928.398441 Mesg 70 MESSAGE_ID: 0x00000000
150928.398646 Mesg 70 LENGTH: 40
150928.398954 Mesg 70 message_send: 66386cba c6e861e6 00000000 00000000
0b100500 00000000 00000028 0000000c
150928.399456 Mesg 70 message_send: 00000000 0100001e
150928.399670 Exch 40 exchange_run: exchange 0x105e00 finished step 0,
advancing...
150928.399867 Mesg 20 message_free: freeing 0x105b00
150928.400278 Exch 10 exchange_finalize: 0x105e00 <unnamed> <no policy>
policy initiator phase 1 doi 0 exchange 5 step 1
150928.400794 Exch 10 exchange_finalize: icookie 66386cbac6e861e6 rcookie
0000000000000000
150928.401006 Exch 10 exchange_finalize: msgid 00000000
150928.401208 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x105e00)
150928.401409 Exch 80 exchange_free_aux: freeing exchange 0x105e00
150928.401861 Mesg 20 message_free: freeing 0x124200
150928.402079 Trpt 70 transport_release: freeing 0x107400
150928.773712 Timr 10 timer_handle_expirations: event
message_send_expire(0x124000)
150928.773962 Mesg 70 message_send: message 0x124000
150928.774187 Mesg 70 ICOOKIE: 0x118869c95ece21dd
150928.774409 Mesg 70 RCOOKIE: 0x3117adc2df439412
150928.774612 Mesg 70 NEXT_PAYLOAD: HASH
150928.775192 Mesg 70 VERSION: 16
150928.775404 Mesg 70 EXCH_TYPE: QUICK_MODE
150928.775608 Mesg 70 FLAGS: [ ENC ]
150928.775818 Mesg 70 MESSAGE_ID: 0x81e50fc4
150928.776022 Mesg 70 LENGTH: 252
150928.776307 Mesg 70 message_send: 118869c9 5ece21dd 3117adc2 df439412
08102001 81e50fc4 000000fc c7a440b4
150928.776969 Mesg 70 message_send: 6d869a41 2f565b1c 665d7a87 41d25cbf
3c856b8f 649a4413 b20b6e25 24879b74
150928.777275 Mesg 70 message_send: a38ff9f1 a837c682 a8314435 ec8a65da
4386d93b 33f34fab 3eae25a0 2b0eed79
150928.777563 Mesg 70 message_send: 286faff3 f81de945 4508b432 dd18197b
f0fe87d1 2f426ebd 6a08ce06 5dc86e8c
150928.778229 Mesg 70 message_send: 20aac8f1 e423e7ea 26faed38 32d02c6a
ded43adb 067dae3d 480b6efb 3d1a6524
150928.778534 Mesg 70 message_send: 5d3fadfa 5f823cae 50858e9d f86c5345
a61c79b3 f1f3a9f5 475753b2 a3bb7ba6
150928.778823 Mesg 70 message_send: a1fdde8e f2dd8535 94a6f835 ddcdf99f
5d456f93 cb430d71 f24e7c3c cf2f37a2
150928.779480 Mesg 70 message_send: 199bc275 74b1faf1 7fbc5774 027b2207
d9b4f0f9 853555ba 62c64bcb
150928.779879 Misc 60 conf_get_str: [General]:retransmits->3
150928.780127 Default transport_send_messages: giving up on message
0x124000
150928.780328 Mesg 20 message_free: freeing 0x124000
150928.780910 SA 80 sa_release: SA 0x105d00 had 3 references
I was kinda concerned about the "Default dropped message"
that it spit out.
I was lucky enough to contact someone on the remote end
that can view the Cisco's debugging output. Here is what
the 7140 thought about the exchange:
May 15 19:56:20: ISAKMP (0): received packet from 200.200.200.200 (N) NEW SA
May 15 19:56:20: ISAKMP (0:375): processing SA payload. message ID = 0
May 15 19:56:20: ISAKMP (0:375): Checking ISAKMP transform 0 against priority 1 policy
May 15 19:56:20: ISAKMP: encryption DES-CBC
May 15 19:56:20: ISAKMP: hash MD5
May 15 19:56:20: ISAKMP: auth pre-share
May 15 19:56:20: ISAKMP: default group 1
May 15 19:56:20: ISAKMP: life type in seconds
May 15 19:56:20: ISAKMP: life duration (basic) of 3600
May 15 19:56:20: ISAKMP (0:375): atts are not acceptable. Next payload is 0
May 15 19:56:20: ISAKMP (0:375): Checking ISAKMP transform 0 against priority 2 policy
May 15 19:56:20: ISAKMP: encryption DES-CBC
May 15 19:56:20: ISAKMP: hash MD5
May 15 19:56:20: ISAKMP: auth pre-share
May 15 19:56:20: ISAKMP: default group 1
May 15 19:56:20: ISAKMP: life type in seconds
May 15 19:56:20: ISAKMP: life duration (basic) of 3600
May 15 19:56:20: ISAKMP (0:375): atts are acceptable. Next payload is 0
May 15 19:56:20: ISAKMP (0:375): SA is doing pre-shared key authentication
May 15 19:56:20: ISAKMP (375): SA is doing pre-shared key authentication
using id type ID_IPV4_ADDR
May 15 19:56:20: ISAKMP (375): sending packet to 200.200.200.200 (R)
MM_SA_SETUP
May 15 19:56:20: ISAKMP (375): received packet from 200.200.200.200 (R)
MM_SA_SETUP
May 15 19:56:20: ISAKMP (0:375): processing KE payload. message ID = 0
May 15 19:56:20: ISAKMP (0:375): processing NONCE payload. message ID = 0
May 15 19:56:20: ISAKMP (0:375): SKEYID state generated
May 15 19:56:20: ISAKMP (375): sending packet to 200.200.200.200 (R)
MM_KEY_EXCH
May 15 19:56:20: ISAKMP (375): received packet from 200.200.200.200 (R)
MM_KEY_EXCH
May 15 19:56:20: ISAKMP (0:375): processing ID payload. message ID = 0
May 15 19:56:20: ISAKMP (0:375): processing HASH payload. message ID = 0
May 15 19:56:20: ISAKMP (375): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
May 15 19:56:20: ISAKMP (0:375): SA has been authenticated with
200.200.200.200
May 15 19:56:20: ISAKMP (375): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
May 15 19:56:20: ISAKMP (375): Total payload length: 12
May 15 19:56:20: ISAKMP (375): sending packet to 200.200.200.200 (R)
QM_IDLE
May 15 19:56:21: ISAKMP (375): received packet from 200.200.200.200 (R)
QM_IDLE
May 15 19:56:21: ISAKMP (0:375): processing SA payload. message ID =
-2070276903
May 15 19:56:21: ISAKMP (0:375): Checking IPSec proposal 1
May 15 19:56:21: ISAKMP: transform 1, ESP_DES
May 15 19:56:21: ISAKMP: attributes in transform:
May 15 19:56:21: ISAKMP: SA life type in seconds
May 15 19:56:21: ISAKMP: SA life duration (basic) of 1200
May 15 19:56:21: ISAKMP: encaps is 1
May 15 19:56:21: ISAKMP: authenticator is HMAC-MD5
May 15 19:56:21: ISAKMP: group is 1
May 15 19:56:21: ISAKMP (0:375): atts are acceptable.
May 15 19:56:21: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 100.100.100.100, src= 200.200.200.200,
dest_proxy= 10.10.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 200.200.200.200/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
May 15 19:56:21: IPSEC(validate_transform_proposal): proxy identities not supported
May 15 19:56:21: ISAKMP: IPSec policy invalidated proposal
May 15 19:56:21: ISAKMP (0:375): SA not acceptable!
May 15 19:56:21: ISAKMP (375): sending packet to 200.200.200.200 (R)
QM_IDLE
May 15 19:56:21: ISAKMP (0:375): purging node 631780459
May 15 15:56:21: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
failed with peer at 200.200.200.200
May 15 19:56:21: ISAKMP (0:375): deleting node -2070276903 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
May 15 19:56:28: ISAKMP (375): received packet from 200.200.200.200 (R)
QM_IDLE
May 15 19:56:28: ISAKMP (0:375): phase 2 packet is a duplicate of a
previous packet.
May 15 19:56:28: ISAKMP (0:375): retransmitting due to retransmit phase 2
May 15 19:56:28: ISAKMP (0:375): time remaining never
May 15 19:56:28: ISAKMP (0:375): current time 00:00:00
May 15 19:56:28: ISAKMP (0:375): retransmitting phase 2 -2070276903 ...
May 15 19:56:28: ISAKMP (0:375): retransmitting phase 2 -2070276903 ...
May 15 19:56:28: ISAKMP (0:375): incrementing error counter on sa:
retransmit phase 2
May 15 19:56:28: ISAKMP (0:375): incrementing error counter on sa:
retransmit phase 2
May 15 19:56:28: ISAKMP (375): sending packet to 200.200.200.200 (R)
QM_IDLE
May 15 19:56:28: ISAKMP (0): received packet from 200.200.200.200 (N) NEW SA
May 15 15:56:28: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.200.200.200
has no SA and is not an initialization offer
May 15 19:56:37: ISAKMP (375): received packet from 200.200.200.200 (R)
QM_IDLE
May 15 19:56:37: ISAKMP (0:375): phase 2 packet is a duplicate of a
previous packet.
May 15 19:56:37: ISAKMP (0:375): retransmitting due to retransmit phase 2
May 15 19:56:37: ISAKMP (0:375): time remaining 584942417y18w
May 15 19:56:37: ISAKMP (0:375): current time 00:00:00
May 15 19:56:37: ISAKMP (0:375): retransmitting phase 2 -2070276903 ...
May 15 19:56:37: ISAKMP (0:375): retransmitting phase 2 -2070276903 ...
May 15 19:56:37: ISAKMP (0:375): incrementing error counter on sa:
retransmit phase 2
May 15 19:56:37: ISAKMP (0:375): incrementing error counter on sa:
retransmit phase 2
OK, so I'm definitely not doing something right. Here is
my isakmpd.policy file:
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:<removed>"
Conditions: app_domain == "IPSec Policy" &&
esp_present == "yes" -> "true";
And my isakmpd.conf file:
# Only listen on external interface
[General]
# isakmpd.conf tags are written "Tag= value"; with ':' these two lines are not
# parsed and the built-in defaults stay in effect (the debug above shows
# [General]:retransmits->3 rather than 5)
Retransmits= 5
Exchange-max-time= 120
Listen-on= 200.200.200.200
[Phase 1]
100.100.100.100= Covisint
[Phase 2]
Connections= EAI-Covisint
[Covisint]
Phase= 1
Transport= udp
Local-address= 200.200.200.200
Address= 100.100.100.100
Configuration= Default-main-mode
Authentication= <removed>
[EAI-Covisint]
Phase= 2
ISAKMP-peer= Covisint
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.1.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR
Address= 200.200.200.200
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-MD5
ENCRYPTION_ALGORITHM= DES
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-PFS-SUITE
Their end can do DES encryption, MD5 hash, and
IKE for encryption scheme (these are Cisco's terms).
If anyone has insight, I would very much appreciate
any help you can give me. Likewise, if you need
more information, I can provide the entire debug
file from the OpenBSD machine.
(sorry about the length of this email BTW)
Thanks much!
Benny
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
-Bert Hubert
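The fixed ISAKMP header (RFC 2408) is what isakmpd is summarising in each ICOOKIE/RCOOKIE/NEXT_PAYLOAD/LENGTH block above, and "bad message length" is the check that the LENGTH field in that header matches the number of bytes actually received. The following decoder is an added example, not code from the post or from isakmpd; it takes the three raw dumps quoted in the mail (the dropped ID_PROT message, the INFO notification isakmpd sent back, and the QUICK_MODE message that was retransmitted and abandoned), decodes the header the same way, compares declared and observed lengths, and, for the unencrypted INFO message, decodes the notification payload. The name tables are the RFC 2408 assignments; the dump strings are transcribed from the post.

```python
"""Decode ISAKMP (RFC 2408) fixed headers from isakmpd 'message_recv'/'message_send'
hex dumps and reproduce isakmpd's declared-length vs. received-length check."""
import struct

# RFC 2408 assignments (subset sufficient for the dumps in the mail).
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
                6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE",
                11: "NOTIFY", 12: "DELETE", 13: "VENDOR_ID"}
EXCH_TYPE = {0: "NONE", 1: "BASE", 2: "ID_PROT", 3: "AUTH_ONLY", 4: "AGGRESSIVE",
             5: "INFO", 32: "QUICK_MODE"}
FLAG_BITS = {0x01: "ENC", 0x02: "COMMIT", 0x04: "AUTH_ONLY"}
NOTIFY_TYPE = {14: "NO_PROPOSAL_CHOSEN", 16: "PAYLOAD_MALFORMED",
               18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED",
               30: "UNEQUAL_PAYLOAD_LENGTHS"}
HDR_LEN = 28   # ISAKMP fixed header size in bytes

# Raw dumps transcribed from the post (hex words, as isakmpd printed them).
RECV_ID_PROT = """
463d38e4 99bc97d2 3117adc2 1f83a851 05100201 00000000 00000044 b6532602
9d4422c1 56d5d9fb 2dc5bf86 720a936d 7f2b57a6 8be15f18 ce3365f7 b116ed1a
b6a01a00 6e5bcbdb 88bdf65c 49a49810 c83238a1 16e93225 32abf9b1 0763cdb7
c74bf709 47d0c14c c59a9ecc aaa2
"""
SEND_INFO = """
66386cba c6e861e6 00000000 00000000 0b100500 00000000 00000028 0000000c
00000000 0100001e
"""
SEND_QUICK_MODE = """
118869c9 5ece21dd 3117adc2 df439412 08102001 81e50fc4 000000fc c7a440b4
6d869a41 2f565b1c 665d7a87 41d25cbf 3c856b8f 649a4413 b20b6e25 24879b74
a38ff9f1 a837c682 a8314435 ec8a65da 4386d93b 33f34fab 3eae25a0 2b0eed79
286faff3 f81de945 4508b432 dd18197b f0fe87d1 2f426ebd 6a08ce06 5dc86e8c
20aac8f1 e423e7ea 26faed38 32d02c6a ded43adb 067dae3d 480b6efb 3d1a6524
5d3fadfa 5f823cae 50858e9d f86c5345 a61c79b3 f1f3a9f5 475753b2 a3bb7ba6
a1fdde8e f2dd8535 94a6f835 ddcdf99f 5d456f93 cb430d71 f24e7c3c cf2f37a2
199bc275 74b1faf1 7fbc5774 027b2207 d9b4f0f9 853555ba 62c64bcb
"""


def dump_to_bytes(dump):
    """Join isakmpd's whitespace-separated hex words into the raw datagram."""
    return bytes.fromhex("".join(dump.split()))


def parse_header(raw):
    """Decode the 28-byte fixed header; names follow isakmpd's own log labels."""
    if len(raw) < HDR_LEN:
        raise ValueError("short datagram: %d bytes" % len(raw))
    icookie, rcookie, np, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", raw[:HDR_LEN])
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(np, "UNKNOWN(%d)" % np),
        "version": (ver >> 4, ver & 0x0f),          # 0x10 -> major 1, minor 0
        "exch_type": EXCH_TYPE.get(exch, "UNKNOWN(%d)" % exch),
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "message_id": msgid,
        "length": length,                            # what the header declares
        "received": len(raw),                        # what actually arrived
    }


def length_ok(raw):
    """isakmpd's 'bad message length' condition: declared length must equal bytes received."""
    return parse_header(raw)["length"] == len(raw)


def parse_notify(raw):
    """Decode a Notification payload directly after the header (unencrypted INFO only)."""
    hdr = parse_header(raw)
    if "ENC" in hdr["flags"] or hdr["next_payload"] != "NOTIFY":
        return None
    np, _rsvd, plen = struct.unpack("!BBH", raw[HDR_LEN:HDR_LEN + 4])
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", raw[HDR_LEN + 4:HDR_LEN + 12])
    return {"payload_len": plen, "doi": doi, "protocol_id": proto,
            "spi_size": spi_size,
            "notify_type": NOTIFY_TYPE.get(ntype, "UNKNOWN(%d)" % ntype)}


if __name__ == "__main__":
    for label, dump in (("recv ID_PROT", RECV_ID_PROT), ("send INFO", SEND_INFO),
                        ("send QUICK_MODE", SEND_QUICK_MODE)):
        raw = dump_to_bytes(dump)
        hdr = parse_header(raw)
        print(label, hdr, "length_ok=%s" % length_ok(raw), parse_notify(raw))
```

Run as-is it shows that the ID_PROT message declared 68 bytes but 110 arrived, which is exactly why isakmpd dropped it with UNEQUAL_PAYLOAD_LENGTHS, and that the INFO reply carries notify type 30 (UNEQUAL_PAYLOAD_LENGTHS) for protocol ID 1 (ISAKMP). The QUICK_MODE message is internally consistent (252 declared, 252 sent), so the Phase 2 failure has to be found on the far side, as the Cisco's "proxy identities not supported" line indicates, not in the framing.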