Also, make sure the ACLs used to define interesting traffic are correct.

Rogelio Gamino
[email protected]
(o) 202-741-5853

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Justin Shore
Sent: Friday, December 12, 2008 2:33 PM
To: twisted mac
Cc: [email protected]
Subject: Re: [c-nsp] IPSec between Cisco and D-Link

It looks like you have a phase 2 problem.  Your IPSec transform-set isn't
matching up with what the D-Link is offering.  Try changing the
transform-set to something more useful like this:

crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac

It would be better if you used AES256.

crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac

These are good fallback transform-sets if need be.

crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac

Don't forget to update your crypto maps with the name of the transform-set
you chose to use.  Also, I would not recommend messing with the lifetime
values unless the remote end requires it.

Justin

twisted mac wrote:
> Seems fair enough :)
>
> logs from dlink
>
> 2008-12-11 17:30:21: IkeSnoop: Received IKE packet from 82.x.x.x:500
> Exchange type : Informational
> ISAKMP Version : 1.0
> Flags : E (encryption)
> Cookies : 0x458f51017c4a446 -> 0xa582286a38ab6fb0
> Message ID : 0x2f8ad085
> Packet length : 452 bytes
> # payloads : 2
> Payloads:
>   HASH (Hash)
>     Payload data length : 20 bytes
>   N (Notification)
>     Payload data length : 396 bytes
>     Protocol ID : ESP
>     Notification : No proposal chosen
>
>
> logs from cisco:
>
> xxx#debug crypto isakmp
> Crypto ISAKMP debugging is on
> xxx#
> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport 500 Global (R) QM_IDLE
> 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x remote 217.x.x.x)
> 2d23h: ISAKMP: set new node 326922217 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>         spi 1691668640, message ID = 326922217
> 2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
> 2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM rejected"
> 2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -1473959992: state = IKE_QM_READY
> 2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> 2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
> 2d23h: ISAKMP:(0:22:SW:1):purging node 124919870
>
> cisco config
>
> crypto isakmp policy 1
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key 123456 address 217.x.x.x no-xauth
> crypto isakmp key 123456 address 85.x.x.x no-xauth
> crypto isakmp aggressive-mode disable
> !
> !
> crypto ipsec transform-set VPN esp-aes
> !
> crypto map xxx 10 ipsec-isakmp
>  set peer 217.x.x.x
>  set transform-set VPN
>  match address 111
> crypto map eon 20 ipsec-isakmp
>  set peer 85.x.x.x
>  set transform-set VPN-EON
>  match address 112
> !
> ----//----
>
> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
>         Peer = 217.x.x.x
>         Extended IP access list 111
>             access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
>         Current peer: 217.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
> Crypto Map "xxx" 20 ipsec-isakmp
>         Peer = 85.x.x.x
>         Extended IP access list 112
>             access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0 0.0.7.255
>         Current peer: 85.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
>         Interfaces using crypto map xxx:
>                 FastEthernet0/1
>
> ---//---
>
> the dlink is a dfl-1600
>
> any ideas? hammer is not possible because the dlink box is on the other side
> of the ocean :)
>
> mac
>
> 2008/12/12 Mario Spinthiras <[email protected]>
>
>> How about the actual problem so we can help there? Logs, errors?
>>
> _______________________________________________
> cisco-nsp mailing list  [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
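The debug output above is tedious to read by hand, and the mismatch it records (the router's single transform-set `VPN esp-aes`, i.e. AES-128 with no ESP authenticator, against a peer that only ever offers cipher-plus-HMAC transforms) is the whole diagnosis. The following script is an added example, not code from the thread or from Cisco: it parses `debug crypto isakmp` lines into the transforms the peer offered and checks them against a `crypto ipsec transform-set` line the way a phase 2 comparison would. The sample log is a constructed subset of the lines quoted above; the keyword-to-transform table covers only `esp-aes`, `esp-3des`, `esp-des`, `esp-null`, `esp-md5-hmac` and `esp-sha-hmac`, and the assumption that bare `esp-aes` means a 128-bit key follows IOS behaviour. Lifetime and encapsulation mode are parsed but not compared, since lifetimes are negotiated down rather than required to match.

```python
"""Summarise IKEv1 phase 2 (quick mode) proposals from 'debug crypto isakmp'
output and test them against a Cisco transform-set line.

Added example for the thread above; the log lines below are a constructed
subset of the ones quoted in the thread, with the 2d23h uptime prefix kept."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: transforms 1-4 as the D-Link offered them, plus one of
# the transforms whose cipher the IOS image did not recognise.
SAMPLE_DEBUG = """
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
""".strip().splitlines()


@dataclass
class Transform:
    cipher: str                        # "ESP_AES", "ESP_3DES", ... or "UNKNOWN"
    key_length: Optional[int] = None   # only present for variable-length ciphers
    auth: Optional[str] = None         # "HMAC-MD5", "HMAC-SHA" or None (no ESP auth)
    lifetime: Optional[int] = None     # seconds, informational only
    tunnel: Optional[bool] = None      # encaps 1 = tunnel mode


TRANSFORM_RE = re.compile(r"ISAKMP: transform (\d+), (\S+)")
ATTR_RES = {
    "key_length": re.compile(r"key length is (\d+)"),
    "auth": re.compile(r"authenticator is (\S+)"),
    "lifetime": re.compile(r"SA life duration \(basic\) of (\d+)"),
    "tunnel": re.compile(r"encaps is (\d)"),
}


def parse_offered_transforms(lines: List[str]) -> List[Transform]:
    """Walk the debug lines and build one Transform per offered ESP transform."""
    offered: List[Transform] = []
    current: Optional[Transform] = None
    for raw in lines:
        line = raw.lstrip("> ").strip()          # drop mail quoting
        m = TRANSFORM_RE.search(line)
        if m:
            current = Transform(cipher=m.group(2))
            offered.append(current)
            continue
        if "unknown ESP transform!" in line:     # cipher IOS cannot name
            current = Transform(cipher="UNKNOWN")
            offered.append(current)
            continue
        if current is None:
            continue
        for attr, rx in ATTR_RES.items():
            m = rx.search(line)
            if not m:
                continue
            if attr == "auth":
                current.auth = m.group(1)
            elif attr == "tunnel":
                current.tunnel = m.group(1) == "1"
            else:
                setattr(current, attr, int(m.group(1)))
            break
    return offered


# IOS keyword -> (debug cipher name, default key length).  Assumption: bare
# esp-aes is AES-128; esp-aes 192/256 are given explicitly in the config.
CIPHER_KEYWORDS = {
    "esp-aes": ("ESP_AES", 128), "esp-3des": ("ESP_3DES", None),
    "esp-des": ("ESP_DES", None), "esp-null": ("ESP_NULL", None),
}
AUTH_KEYWORDS = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}


def parse_transform_set(config_line: str) -> Tuple[str, Transform]:
    """Parse 'crypto ipsec transform-set NAME <cipher> [bits] [<auth>]'."""
    tokens = config_line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line")
    name, rest = tokens[3], tokens[4:]
    local = Transform(cipher="NONE")
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in CIPHER_KEYWORDS:
            local.cipher, local.key_length = CIPHER_KEYWORDS[tok]
            if i + 1 < len(rest) and rest[i + 1].isdigit():   # explicit bits
                local.key_length = int(rest[i + 1])
                i += 1
        elif tok in AUTH_KEYWORDS:
            local.auth = AUTH_KEYWORDS[tok]
        else:
            raise ValueError(f"unsupported transform keyword {tok!r}")
        i += 1
    return name, local


def matching_transforms(local: Transform, offered: List[Transform]) -> List[int]:
    """1-based indexes of offered transforms that match the local set exactly."""
    return [n for n, t in enumerate(offered, 1)
            if (t.cipher, t.key_length, t.auth) == (local.cipher, local.key_length, local.auth)]


if __name__ == "__main__":
    offered = parse_offered_transforms(SAMPLE_DEBUG)
    for line in ("crypto ipsec transform-set VPN esp-aes",
                 "crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac",
                 "crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac"):
        name, local = parse_transform_set(line)
        print(f"{name:15} matches offered transform(s): {matching_transforms(local, offered) or 'none'}")
```

Run against the sample, the original `VPN` set matches nothing, which is exactly the ten `IPSec policy invalidated proposal` lines followed by `PROPOSAL_NOT_CHOSEN` in the thread; the `encraes128md5` set suggested by Justin matches transform 1 and `encr3dessha` matches transform 4. An "UNKNOWN" cipher can never match, so transforms the image does not recognise are reported but ignored.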
