Date:      Wed, 21 Nov 2001 11:30:03 +1000
From:      Nick Slager <ns@BlueSkyFrog.COM>
To:        freebsd-security@freebsd.org
Subject:   KAME IPsec <--> cisco
Message-ID:  <20011121113003.A2610@BlueSkyFrog.COM>

A similar message to this was posted to -security last week. I've
still not made any progress on why my setup isn't working, so this is
another attempt :)

Trying to set up an IPsec VPN between a 4.4-REL box and a Cisco
router. Running racoon 20010126a for key exchange.

My config looks like this:

 203.1.1.2 --- 203.1.1.1 --- Internet --- 203.2.2.1 --- 203.2.2.2

  203.1.1.2:	Host needing to talk to 203.2.2.2
  203.1.1.1:	FreeBSD VPN host running IPsec and racoon
  203.2.2.1:	Cisco 3640 router
  203.2.2.2:	Host with services for 203.1.1.2

Note that 203.1.1.2 and 203.2.2.2 are individual hosts, not networks.
Using IPsec in tunnel mode.

As noted last week, phase 1 negotiation is not completing. However
I can't see what the problem is; all looks like it is set up
correctly to me.

All the configuration details are below. Any help appreciated.



Nick


The configuration on 203.1.1.1 (FreeBSD host) is like this:

/etc/ipsec.conf:

flush;
spdflush;
spdadd 203.1.1.2/32 203.2.2.2/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.1/require;
spdadd 203.2.2.2/32 203.1.1.2/32 any -P in ipsec esp/tunnel/203.2.2.1-203.1.1.1/require;


ifconfig gif0:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 203.1.1.1 --> 203.2.2.1
        inet 203.1.1.2 --> 203.2.2.2 netmask 0xffffff00 


racoon.conf:

remote 203.2.2.1
{
        exchange_mode aggressive,main,base;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address 203.1.1.1;
        peers_identifier address 203.2.2.1;

        nonce_size 16;
        lifetime time 24 hour;  # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1;
        }
}

sainfo address 203.1.1.2 any address 203.2.2.0/32 any
{
        pfs_group 1;
        lifetime time 24 hour;
        encryption_algorithm des, 3des, blowfish ;
        authentication_algorithm hmac_md5, hmac_sha1 ;
        compression_algorithm deflate ;
}


The Cisco's config is like this (203.2.2.1):

crypto isakmp key **password** address 203.1.1.1

crypto map nolan 16 ipsec-isakmp
 set peer 203.1.1.1
 set transform-set vodafone
 set pfs group1
 match address 186

crypto ipsec transform-set vodafone esp-des esp-md5-hmac

access-list 186 permit ip 203.2.2.0 0.0.0.255 host 203.1.1.2


When I try to contact 203.2.2.2 from 203.1.1.2, racoon logs the
following:

2001-11-20 10:39:46: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2001-11-20 10:39:46: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 203.1.1.2/32[0] 203.2.2.0/24[0] proto=any dir=out.
2001-11-20 10:39:46: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfbff89c: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in
2001-11-20 10:39:46: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a3a08: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in
2001-11-20 10:39:46: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in.
2001-11-20 10:39:46: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 203.1.1.2/32[0] 203.2.2.0/24[0] proto=any dir=out
2001-11-20 10:39:46: DEBUG: proposal.c:822:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=DES encklen=0 authtype=2)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=BLOWFISH encklen=128 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=BLOWFISH encklen=128 authtype=2)
2001-11-20 10:39:46: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 203.2.2.1.
2001-11-20 10:39:46: INFO: isakmp.c:1726:isakmp_post_acquire(): IPsec-SA request for 203.2.2.1 queued due to no phase1 found.
2001-11-20 10:39:46: DEBUG: isakmp.c:811:isakmp_ph1begin_i(): ===
2001-11-20 10:39:46: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 203.1.1.1[500]<=>203.2.2.1[500]
2001-11-20 10:39:46: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Aggressive mode.
2001-11-20 10:39:46: DEBUG: isakmp.c:2038:isakmp_newcookie(): new cookie:
91ee566224a1929d 
2001-11-20 10:39:46: DEBUG: ipsec_doi.c:3181:ipsecdoi_setid1(): use ID type of IPv4_address
2001-11-20 10:39:46: DEBUG: oakley.c:250:oakley_dh_generate(): compute DH's private.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump(): 
5d5c8244 477c42fa 6e02f17b a808eb1a f6b85730 e22a2860 5f95b418 a1bd0dea
5e6a6c83 a44691b1 f140471a f5af3801 f7f133bb c4b064f1 008bd5c0 ab21ca63
d92f69b7 fb103832 d4cb79b0 6cd5aba0 75203e19 4893bc03 52567e98 5b1ad577
2001-11-20 10:39:46: DEBUG: oakley.c:252:oakley_dh_generate(): compute DH's public.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump(): 
a72df3e6 5047891c 13bd82d3 b85cb341 b6f0ce0c 028aacba b1b34248 44cc0b38
dda955d1 d8084d69 01971b07 9e87bab8 c0e72953 e18c22a8 d880e5de eb1eb23b
e291890f 02ffd197 5c753de3 2bca8a85 d4924a54 bfb09edc 39bc8c00 a69c2a52
2001-11-20 10:39:46: DEBUG: isakmp_agg.c:157:agg_i1send(): authmethod is pre-shared key
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 52, next type 4
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 10
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 16, next type 5
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 8, next type 0
2001-11-20 10:39:46: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-20 10:39:46: DEBUG: sockmisc.c:424:sendfromto(): sockname 203.1.1.1[500]
2001-11-20 10:39:46: DEBUG: sockmisc.c:426:sendfromto(): send packet from 203.1.1.1[500]
2001-11-20 10:39:46: DEBUG: sockmisc.c:428:sendfromto(): send packet to 203.2.2.1[500]
2001-11-20 10:39:46: DEBUG: isakmp.c:1462:isakmp_send(): 1 times of 216 bytes message will be sent.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump(): 
91ee5662 24a1929d 00000000 00000000 01100400 00000000 000000d8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040001 0a000064 a72df3e6 5047891c
13bd82d3 b85cb341 b6f0ce0c 028aacba b1b34248 44cc0b38 dda955d1 d8084d69
01971b07 9e87bab8 c0e72953 e18c22a8 d880e5de eb1eb23b e291890f 02ffd197
5c753de3 2bca8a85 d4924a54 bfb09edc 39bc8c00 a69c2a52 05000014 ac7ae33c
250a0483 75ed4d2c f8256442 0000000c 01110000 cbb9df13
2001-11-20 10:39:46: DEBUG: isakmp.c:233:isakmp_handler(): ===
2001-11-20 10:39:46: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.2.2.1[500]
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump(): 
91ee5662 24a1929d 19e865f5 b4290dd3 0b100500 00000000 00000060 00000044
00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
624c0f4c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
2001-11-20 10:39:46: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-20 10:39:46: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-20 10:39:46: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-20 10:39:46: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-20 10:39:46: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-20 10:39:46: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-20 10:39:46: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-20 10:39:46: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-20 10:39:46: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
2001-11-20 10:40:18: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.2.2.1->203.1.1.1 
2001-11-20 10:40:18: INFO: isakmp.c:1823:isakmp_chkph1there(): delete phase 2 handler.
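The two hex dumps in the log above are the whole Phase 1 exchange: the 216-byte aggressive-mode message racoon sent and the 96-byte reply. The following decoder, an added example that is neither part of the original post nor racoon code, parses both dumps according to RFC 2408/2409 (ISAKMP/IKE) and RFC 2407 (IPsec DOI). The hex is copied verbatim from the log; the name tables cover only the code points needed for these two packets. Three things the decode makes visible that the log lines do not: the reply is an Informational exchange whose only payload is a NO-PROPOSAL-CHOSEN notify for protocol ISAKMP with SPI size 0 (RFC 2408 section 3.14 allows 0 to 16 here, so the "invalid spi_size" complaint is racoon's, not the Cisco's), meaning the peer rejected the single Phase 1 transform offered (DES-CBC, MD5, pre-shared key, MODP-768, 86400 s); the Cisco excerpt quoted in the post contains no "crypto isakmp policy" lines, so that is the first thing to compare against that transform; and the ID payload carries an address that is not the sanitised 203.1.1.1 used in the prose, so the dumps were evidently posted unsanitised. DES, MD5 and a 768-bit group are also far below what any current deployment should offer.

```python
"""Decoder for the two ISAKMP (IKEv1) packets in the racoon log above.

Added example: not part of the original post and not racoon code. The hex
dumps are copied from the log; field layouts and code points follow
RFC 2408 (ISAKMP), RFC 2409 (IKE) and RFC 2407 (IPsec DOI).
"""
import ipaddress
import struct

PAYLOAD = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
           10: "Nonce", 11: "Notify"}
EXCHANGE = {2: "Main", 4: "Aggressive", 5: "Informational"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN"}
# IKE SA attribute classes; only the code points relevant to this post
ATTR = {1: ("Encryption", {1: "DES-CBC", 5: "3DES-CBC"}),
        2: ("Hash", {1: "MD5", 2: "SHA1"}),
        3: ("Authentication", {1: "pre-shared key", 3: "RSA signature"}),
        4: ("DH group", {1: "MODP-768", 2: "MODP-1024"}),
        11: ("Life type", {1: "seconds"}),
        12: ("Life duration", {})}

# Copied from the racoon log: the aggressive-mode message racoon sent ...
SENT = bytes.fromhex("""
91ee5662 24a1929d 00000000 00000000 01100400 00000000 000000d8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040001 0a000064 a72df3e6 5047891c
13bd82d3 b85cb341 b6f0ce0c 028aacba b1b34248 44cc0b38 dda955d1 d8084d69
01971b07 9e87bab8 c0e72953 e18c22a8 d880e5de eb1eb23b e291890f 02ffd197
5c753de3 2bca8a85 d4924a54 bfb09edc 39bc8c00 a69c2a52 05000014 ac7ae33c
250a0483 75ed4d2c f8256442 0000000c 01110000 cbb9df13""")
# ... and the informational message the Cisco answered with.
RECV = bytes.fromhex("""
91ee5662 24a1929d 19e865f5 b4290dd3 0b100500 00000000 00000060 00000044
00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
624c0f4c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000""")


def payloads(data, first):
    """Walk a chain of generic payload headers (next, reserved, length)."""
    off, ptype = 0, first
    while ptype and off < len(data):
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield ptype, data[off + 4:off + plen]
        off, ptype = off + plen, nxt


def attributes(data):
    """SA data attributes: TV form (high bit set) or TLV form."""
    out, off = {}, 0
    while off < len(data):
        cls, val = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if not cls & 0x8000:                       # TLV: val is a length
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        name, codes = ATTR.get(cls & 0x7fff, ("attr%d" % (cls & 0x7fff), {}))
        out[name] = codes.get(val, val)
    return out


def parse_sa(body):
    doi, situation = struct.unpack("!II", body[:8])
    props = []
    for _, p in payloads(body[8:], 2):             # proposals
        num, proto, spi_size, _ntrans = p[:4]
        trans = [{"id": t[1], "attrs": attributes(t[4:])}
                 for _, t in payloads(p[4 + spi_size:], 3)]
        props.append({"num": num, "proto": proto, "transforms": trans})
    return {"doi": doi, "situation": situation, "proposals": props}


def parse_id(body):
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    ident = str(ipaddress.IPv4Address(body[4:])) if id_type == 1 else body[4:].hex()
    return {"type": id_type, "protocol": proto, "port": port, "id": ident}


def parse_notify(body):
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    return {"doi": doi, "proto": proto, "spi_size": spi_size, "type": ntype,
            "name": NOTIFY.get(ntype, "type %d" % ntype),
            "data": body[8 + spi_size:].hex()}


def decode(pkt):
    """Return (ISAKMP header dict, [(payload name, parsed body), ...])."""
    ic, rc, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes" % (length, len(pkt)))
    hdr = {"icookie": ic.hex(), "rcookie": rc.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xf),
           "exchange": EXCHANGE.get(xchg, xchg), "flags": flags,
           "msgid": msgid, "length": length}
    parsers = {1: parse_sa, 5: parse_id, 11: parse_notify}
    out = []
    for ptype, body in payloads(pkt[28:], nxt):
        parse = parsers.get(ptype, lambda b: {"bytes": len(b)})
        out.append((PAYLOAD.get(ptype, "payload %d" % ptype), parse(body)))
    return hdr, out


def phase1_proposal(pkt):
    """The IKE SA transforms an initiator offers in its first message."""
    _, pl = decode(pkt)
    return [t["attrs"] for p in dict(pl)["SA"]["proposals"] for t in p["transforms"]]


if __name__ == "__main__":
    for label, pkt in (("racoon -> Cisco", SENT), ("Cisco -> racoon", RECV)):
        hdr, pl = decode(pkt)
        print(label, hdr)
        for name, body in pl:
            print("   ", name, body)
```

Run it against any other racoon "plogdump" of an ISAKMP message to see what was offered and what came back; for the dumps above, the sent packet decodes to SA, KE, Nonce and ID payloads with exactly one Phase 1 transform, and the reply to a single Notify of type 14.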


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011121113003.A2610>