Hello,

I've set up an OpenBSD box as a VPN gateway. The tunnel I have to establish is
with a Cisco ASA 5505, which is not under my administration.

Here is the ipsec.conf:

ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
 peer a.b.102.219 \
 local c.d.3.254 \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des group none \
 psk password

If I try to ping a host on the Cisco side from the OpenBSD side, the tunnel doesn't
come up. If I look with tcpdump on the external interface or in the tcpdump
logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping a host
on the OpenBSD side from the Cisco side, the tunnel comes up. In the isakmpd
logging I see these log lines:

20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->0000000000000000 msgid: 00000000 len: 188
        payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
                payload: TRANSFORM len: 40
                    transform: 1 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute KEY_LENGTH = 256
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
                payload: TRANSFORM len: 36
                    transform: 2 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 2 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 304
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: VENDOR len: 20 (supports Cisco Unity)
        payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
        payload: VENDOR len: 20
        payload: VENDOR len: 20
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:57:40.440675 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 84
        payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 37.188.102.219
        payload: HASH len: 24
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
20:57:40.440740 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 64
        payload: ID len: 12 type: IPV4_ADDR = 87.79.3.254
        payload: HASH len: 24 [ttl 0] (id 1, len 92)
20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 196
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x44230db2
                payload: TRANSFORM len: 36
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 00465000
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT (c5fe8a243e380ce2->ad0c72b886cfb802) [ttl 0] (id 1, len 224)
20:57:40.466133 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 168
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0d09b388
                payload: TRANSFORM len: 36
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 00465000
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0 [ttl 0] (id 1, len 196)
20:57:40.492960 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 76
        payload: HASH len: 24 [ttl 0] (id 1, len 104)


On the Cisco side port 500/udp is open.


Does anybody know why my side doesn't try to set the tunnel up?


Thanks,

Regards,
Erwin
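Added example, not part of Erwin's post: a small Python parser over a constructed excerpt of the isakmpd tcpdump lines above. It pulls out the Phase 1 attributes the Cisco offered and the Phase 2 subnet selectors, then checks that the selector pair the Cisco initiated is one of the flows the single ipsec.conf "from { ... } to { ... }" line expands to. The function names and the CONF_FROM/CONF_TO lists are my own, copied from the config in the post.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the isakmpd tcpdump lines from the post (Cisco-initiated exchange).
SAMPLE_LOG = """\
20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
                        attribute ENCAPSULATION_MODE = TUNNEL
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0
"""
# Networks from the ipsec.conf "from { ... } to { ... }" line in the post.
CONF_FROM = ["172.30.77.0/24", "10.70.0.0/24", "10.83.0.0/24", "10.77.4.0/24"]
CONF_TO = ["172.16.70.0/24", "172.16.71.0/24", "172.16.72.0/24"]

HDR = re.compile(r"^\S+ (\S+) > (\S+): .*isakmp v1\.0 exchange (\w+)")
ID_RE = re.compile(r"payload: ID .*type: IPV4_ADDR_SUBNET = (\S+)/(\S+)")
ATTR_RE = re.compile(r"attribute (\w+) = (\S+)")

def parse_isakmp_log(text):
    """Group the lines into messages, collecting SA attributes and subnet ID payloads."""
    msgs = []
    for line in text.splitlines():
        if h := HDR.match(line):
            msgs.append({"src": h.group(1), "dst": h.group(2),
                         "exchange": h.group(3), "attrs": {}, "ids": []})
        elif msgs and (i := ID_RE.search(line)):  # normalise net/mask to CIDR
            msgs[-1]["ids"].append(str(ip_network(f"{i.group(1)}/{i.group(2)}")))
        elif msgs and (a := ATTR_RE.search(line)):
            msgs[-1]["attrs"].setdefault(a.group(1), []).append(a.group(2))
    return msgs

def configured_flows(from_nets, to_nets):
    """Every (local, remote) pair the single ipsec.conf 'from ... to ...' line expands to."""
    return {(f, t) for f in from_nets for t in to_nets}

def negotiated_selector(msgs):
    """(initiator subnet, responder subnet) from the first QUICK_MODE message with two IDs."""
    for m in msgs:
        if m["exchange"] == "QUICK_MODE" and len(m["ids"]) == 2:
            return tuple(m["ids"])
    return None

def selector_matches_config(sel, flows):
    """True if the Phase 2 pair is a configured flow in either direction (peer may initiate)."""
    a, b = sel
    return (a, b) in flows or (b, a) in flows
```

On the excerpt this confirms the Cisco-initiated selector 172.16.71.0/24 <-> 10.70.0.0/24 is one of the twelve configured flows, and that the peer offered AES_CBC before the 3DES_CBC the config asks for.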
