On Wednesday, June 18, 2014 08:49 CEST, Remi Locherer <[email protected]>
wrote:
> On Tue, Jun 17, 2014 at 05:34:27PM +0200, Sebastian Reitenbach wrote:
> > Hi,
> >
> > I've been trying the whole day to establish an IPsec tunnel between an
> > OpenBSD 5.5 (amd64) box and a Cisco 2901, but don't seem to
> > get it to work. I think I have something wrong with the
> > crypto transforms for phase two, since I get this NO_PROPOSAL_CHOSEN
> > in the logs, which I think is in phase two.
> >
> >
> > Network looks similar to this one:
> >
> >
> > Host behind OBSD (192.168.13.12/24)
> > |
> > |
> > OBSD (XXX.191.219.14)
> > |
> > |
> > Internet
> > |
> > |
> > NAT FW (XXX.217.33.11)
> > |
> > |
> > Internal Network
> > |
> > |
> > Cisco 2901 (192.168.14.126)
> > |
> > |
> > Host behind Cisco (192.168.13.19/24)
> >
> >
> >
> > Yes, they both have the same network behind each VPN endpoint.
> > Something more or less the same as what we have up and running between
> > two Cisco 2901s.
>
> How is this supposed to work with the same subnet on each site?
> Do you add special routes on the hosts behind the VPN gateways?
Yes, the hosts have host routes to the other side set via the VPN hosts.
>
> The -L option from isakmpd helped me often to see what's happening.
Thanks for pointing me to the -L option.
I started afresh, on the OpenBSD side:
rem_gw="XXX.217.33.11"
my_gw="XXX.191.219.14"
ike active esp tunnel from { 192.168.13.12 } to { 192.168.13.19 } \
local $my_gw peer $rem_gw \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group none \
psk "MYSECRETKEY"
and in /etc/isakmpd/isakmpd.conf I've defined lifetimes:
[General]
Listen-on=XXX.191.219.14
Default-phase-1-lifetime= 28800,60:86400
Default-phase-2-lifetime= 1200,60:86400
On the cisco side it looks like:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key MYSECRETKEY address XXX.191.219.14
crypto isakmp nat keepalive 500
!
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association lifetime seconds 1200
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600
!
!
crypto map TO_BB 1 ipsec-isakmp
set peer XXX.191.219.14
set security-association lifetime kilobytes disable
set transform-set ESP-3DES-MD5
match address 101
Looking at the captured packets from isakmpd with
tcpdump -vvv -r /var/run/isakmpd.pcap -n
I think phase 1 looks all fine; in phase 2, TRANSFORM ID,
LIFE_TYPE, LIFE_DURATION, AUTHENTICATION_ALGORITHM, and
the payloads with the IPV4_ADDR match between both.
The only difference I see, but I'm unsure if this is OK or not, is that
the OpenBSD box sends ENCAPSULATION_MODE = TUNNEL, and the
Cisco box sends ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL.
I'm not sure if that is expected, since the Cisco is behind a NAT
gateway.
In the debug output from isakmpd (more below), I see this for the
packets that came from the Cisco:
102303.210480 Mesg 70 DOI: IPSEC
102303.210491 Mesg 70 PROTO: <Unknown 3>
102303.210501 Mesg 70 SPI_SZ: 4
102303.210510 Mesg 70 MSG_TYPE: STATUS_DOI_MIN
Is the "Unknown 3" referring to isakmpd/ipsec_num.cst
UDP_ENCAP_TUNNEL which is 3?
While looking into it, I figured that the Cisco was about 15 minutes
behind in time, but setting the clock correctly didn't help anything.
So, is the different ENCAPSULATION_MODE now a problem?
Sebastian
10:22:32.494155 XXX.191.219.14.500 > XXX.217.33.11.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: c46e426b216a4511->0000000000000000 msgid: 00000000 len: 180
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
10:22:32.659144 XXX.217.33.11.500 > XXX.191.219.14.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 00000000 len: 100
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 128)
10:22:32.667327 XXX.191.219.14.500 > XXX.217.33.11.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 00000000 len: 220
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 248)
10:22:32.859679 XXX.217.33.11.500 > XXX.191.219.14.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 00000000 len: 296
payload: KEY_EXCH len: 132
payload: NONCE len: 24
payload: VENDOR len: 20 (supports Cisco Unity)
payload: VENDOR len: 20 (supports DPD v1.0)
payload: VENDOR len: 20
payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 324)
10:22:32.868367 XXX.191.219.14.4500 > XXX.217.33.11.4500: [bad udp cksum e355!]
udpencap: isakmp v1.0 exchange ID_PROT
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 00000000 len: 88
payload: ID len: 12 type: IPV4_ADDR = XXX.191.219.14
payload: HASH len: 20
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (c46e426b216a4511->39e3aaa2bb11f2cb)
[ttl 0] (id 1, len 120)
10:22:33.035190 XXX.217.33.11.4500 > XXX.191.219.14.4500: [bad udp cksum 1261!]
udpencap: isakmp v1.0 exchange ID_PROT
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 00000000 len: 68
payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 192.168.14.126
payload: HASH len: 20 [ttl 0] (id 1, len 100)
10:22:33.040867 XXX.191.219.14.4500 > XXX.217.33.11.4500: [bad udp cksum d86c!]
udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 890a9a2a len: 140
payload: HASH len: 20
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0x8cfc4474
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = TUNNEL
^^^^^^^^^^^^^^^^^^
The OpenBSD side announces TUNNEL as ENCAPSULATION_MODE
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 20
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.12
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.19 [ttl 0] (id 1, len 172)
10:22:33.209872 XXX.217.33.11.4500 > XXX.191.219.14.4500: [bad udp cksum 88b1!]
udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 890a9a2a len: 180
payload: HASH len: 20
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xf7473285
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
^^^^^^^^^^^^^^^^^^^^^^^^^^
The Cisco announced UDP_ENCAP_TUNNEL as ENCAPSULATION_MODE
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.12
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.19
payload: NOTIFICATION len: 28
notification: RESPONDER LIFETIME SPI: 0xf7473285
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = ffffffff [ttl 0] (id 1, len 212)
10:22:43.205818 XXX.217.33.11.4500 > XXX.191.219.14.4500: [bad udp cksum 88b1!]
udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 890a9a2a len: 180
payload: HASH len: 20
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xf7473285
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.12
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.19
payload: NOTIFICATION len: 28
notification: RESPONDER LIFETIME SPI: 0xf7473285
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = ffffffff [ttl 0] (id 1, len 212)
10:22:53.205711 XXX.217.33.11.4500 > XXX.191.219.14.4500: [bad udp cksum 88b1!]
udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 890a9a2a len: 180
payload: HASH len: 20
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xf7473285
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.12
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.19
payload: NOTIFICATION len: 28
notification: RESPONDER LIFETIME SPI: 0xf7473285
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = ffffffff [ttl 0] (id 1, len 212)
10:23:03.205650 XXX.217.33.11.4500 > XXX.191.219.14.4500: [bad udp cksum 88b1!]
udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: 890a9a2a len: 180
payload: HASH len: 20
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xf7473285
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.12
payload: ID len: 12 type: IPV4_ADDR = 192.168.13.19
payload: NOTIFICATION len: 28
notification: RESPONDER LIFETIME SPI: 0xf7473285
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = ffffffff [ttl 0] (id 1, len 212)
10:23:03.776938 XXX.191.219.14.4500 > XXX.217.33.11.4500: [bad udp cksum 405!]
udpencap: isakmp v1.0 exchange INFO
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: c32634db len: 64
payload: HASH len: 20
payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
SPI: 0x8cfc4474 [ttl 0] (id 1, len 96)
10:23:03.778204 XXX.191.219.14.4500 > XXX.217.33.11.4500: [bad udp cksum 301!]
udpencap: isakmp v1.0 exchange INFO
cookie: c46e426b216a4511->39e3aaa2bb11f2cb msgid: fef3756d len: 76
payload: HASH len: 20
payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: c46e426b216a4511->39e3aaa2bb11f2cb [ttl 0] (id 1, len 108)
102303.201782 Mesg 70 message_recv: message 0x208accf00
102303.201916 Mesg 70 ICOOKIE: c46e426b216a4511
102303.202062 Mesg 70 RCOOKIE: 39e3aaa2bb11f2cb
102303.202197 Mesg 70 NEXT_PAYLOAD: HASH
102303.202322 Mesg 70 VERSION: 16
102303.202439 Mesg 70 EXCH_TYPE: QUICK_MODE
102303.202561 Mesg 70 FLAGS: [ ENC ]
102303.202681 Mesg 70 MESSAGE_ID: 890a9a2a
102303.202801 Mesg 70 LENGTH: 180
102303.204666 Cryp 70 crypto_decrypt: after decryption:
102303.204831 Cryp 70 01000014 8ce76597 f55126ba 7742ef9f b5ddd2d9 0a000030
00000001 00000001
102303.205031 Cryp 70 00000024 01030401 f7473285 00000018 01030000 80040003
80010001 800204b0
102303.205225 Cryp 70 80050001 05000018 dc86f32e 6a64fce6 323efadd 2a99be8e
d6aa3ab3 0500000c
102303.205370 Cryp 70 01000000 c0a80d0c 0b00000c 01000000 c0a80d13 0000001c
00000001 03046000
102303.205531 Cryp 70 f7473285 80010002 00020004 ffffffff 00000000 00000000
102303.205672 Mesg 50 message_parse_payloads: offset 28 payload HASH
102303.205794 Mesg 50 message_parse_payloads: offset 48 payload SA
102303.205916 Mesg 50 message_parse_payloads: offset 96 payload NONCE
102303.206046 Mesg 50 message_parse_payloads: offset 120 payload ID
102303.206222 Mesg 50 message_parse_payloads: offset 132 payload ID
102303.206332 Mesg 50 message_parse_payloads: offset 144 payload NOTIFY
102303.206478 Mesg 60 message_validate_payloads: payload SA at 0x208acca30 of
message 0x208accf00
102303.206609 Mesg 70 DOI: 1
102303.206728 Mesg 70 SIT:
102303.206847 Mesg 50 message_parse_payloads: offset 60 payload PROPOSAL
102303.206966 Mesg 50 message_parse_payloads: offset 72 payload TRANSFORM
102303.207115 Mesg 50 Transform 1's attributes
102303.207246 Mesg 50 Attribute ENCAPSULATION_MODE value 3
102303.207365 Mesg 50 Attribute SA_LIFE_TYPE value 1
102303.207493 Mesg 50 Attribute SA_LIFE_DURATION value 1200
102303.207698 Mesg 50 Attribute AUTHENTICATION_ALGORITHM value 1
102303.207828 Mesg 60 message_validate_payloads: payload PROPOSAL at
0x208acca3c of message 0x208accf00
102303.207957 Mesg 70 NO: 1
102303.208105 Mesg 70 PROTO: IPSEC_ESP
102303.208239 Mesg 70 SPI_SZ: 4
102303.208361 Mesg 70 NTRANSFORMS: 1
102303.208476 Mesg 70 SPI:
102303.208591 Mesg 60 message_validate_payloads: payload TRANSFORM at
0x208acca48 of message 0x208accf00
102303.208717 Mesg 70 NO: 1
102303.208834 Mesg 70 ID: 3
102303.208949 Mesg 70 SA_ATTRS:
102303.209095 Mesg 60 message_validate_payloads: payload ID at 0x208acca78 of
message 0x208accf00
102303.209229 Mesg 70 TYPE: 1
102303.209313 Mesg 70 DOI_DATA: 000000
102303.209385 Mesg 70 DATA:
102303.209456 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 1
102303.209556 Mesg 40 ipsec_validate_id_information: IPv4:
102303.209633 Mesg 40 c0a80d0c
102303.209702 Mesg 60 message_validate_payloads: payload ID at 0x208acca84 of
message 0x208accf00
102303.209778 Mesg 70 TYPE: 1
102303.209848 Mesg 70 DOI_DATA: 000000
102303.209916 Mesg 70 DATA:
102303.209983 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 1
102303.210081 Mesg 40 ipsec_validate_id_information: IPv4:
102303.210188 Mesg 40 c0a80d13
102303.210263 Mesg 60 message_validate_payloads: payload HASH at 0x208acca1c of
message 0x208accf00
102303.210338 Mesg 70 DATA:
102303.210408 Mesg 60 message_validate_payloads: payload NONCE at 0x208acca60
of message 0x208accf00
102303.210458 Mesg 70 DATA:
102303.210470 Mesg 60 message_validate_payloads: payload NOTIFY at 0x208acca90
of message 0x208accf00
102303.210480 Mesg 70 DOI: IPSEC
102303.210491 Mesg 70 PROTO: <Unknown 3>
102303.210501 Mesg 70 SPI_SZ: 4
102303.210510 Mesg 70 MSG_TYPE: STATUS_DOI_MIN
102303.210519 Mesg 70 SPI:
102303.210534 Cryp 60 hash_get: requested algorithm 0
102303.210543 Cryp 60 hash_get: requested algorithm 0
102303.210568 Mesg 20 message_free: freeing 0x208accf00
102303.210581 Trpt 70 transport_release: freeing 0x208acf000
Sebastian
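As an added example (not part of the thread), the decrypted quick-mode body quoted above can be walked with the RFC 2408 generic-payload and data-attribute layouts and the RFC 2407 IPsec DOI numbers: the TRANSFORM's ENCAPSULATION_MODE attribute decodes to 3 = UDP_ENCAP_TUNNEL, whereas the 3 in the NOTIFY payload is its protocol-ID field (IPSEC_ESP) and its message type 0x6000 = 24576 is RESPONDER_LIFETIME. The dictionaries and function names below are mine; BODY_HEX is copied from the "after decryption" dump.

```python
import struct
from ipaddress import IPv4Address
ATTR = {1: "LIFE_TYPE", 2: "LIFE_DURATION", 4: "ENCAPSULATION_MODE", 5: "AUTHENTICATION_ALGORITHM"}
VALUES = {"LIFE_TYPE": {1: "SECONDS", 2: "KILOBYTES"}, "AUTHENTICATION_ALGORITHM": {1: "HMAC_MD5", 2: "HMAC_SHA"},
          "ENCAPSULATION_MODE": {1: "TUNNEL", 2: "TRANSPORT", 3: "UDP_ENCAP_TUNNEL", 4: "UDP_ENCAP_TRANSPORT"}}
PROTO = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP"}  # RFC 2407 protocol IDs, used in PROPOSAL and NOTIFY
# Constructed from the "after decryption" dump in the post; the header's NEXT_PAYLOAD was HASH (8)
BODY_HEX = ("01000014 8ce76597 f55126ba 7742ef9f b5ddd2d9 0a000030 00000001 00000001 "
            "00000024 01030401 f7473285 00000018 01030000 80040003 80010001 800204b0 "
            "80050001 05000018 dc86f32e 6a64fce6 323efadd 2a99be8e d6aa3ab3 0500000c "
            "01000000 c0a80d0c 0b00000c 01000000 c0a80d13 0000001c 00000001 03046000 "
            "f7473285 80010002 00020004 ffffffff 00000000 00000000")
def parse_attributes(data):
    # RFC 2408 data attribute: AF bit (0x8000) set -> 2-byte value, clear -> 2-byte length then value
    out, off = [], 0
    while off + 4 <= len(data):
        typ, val = struct.unpack_from("!HH", data, off)
        if typ & 0x8000:
            off += 4
        else:  # variable-length form, e.g. the ffffffff kilobyte lifetime in the RESPONDER_LIFETIME notify
            val, off = int.from_bytes(data[off + 4:off + 4 + val], "big"), off + 4 + val
        name = ATTR.get(typ & 0x7fff, f"attr_{typ & 0x7fff}")
        out.append((name, VALUES.get(name, {}).get(val, val)))
    return out

def parse_payloads(body, ptype):
    # Walk a chain of generic payloads (next type, reserved, length); ptype is the first payload's type
    out, off = [], 0
    while ptype and off + 4 <= len(body):
        nxt, _, length = struct.unpack_from("!BBH", body, off)
        data = body[off + 4:off + length]
        if ptype == 1:     # SA: DOI, situation, then a chain of PROPOSAL payloads
            out.append(("SA", parse_payloads(data[8:], 2)))
        elif ptype == 2:   # PROPOSAL: number, protocol ID, SPI size, #transforms, SPI, TRANSFORM chain
            _, proto, spisz, _ = data[:4]
            out.append(("PROPOSAL", {"proto": PROTO.get(proto, proto), "spi": data[4:4 + spisz].hex(),
                                     "transforms": parse_payloads(data[4 + spisz:], 3)}))
        elif ptype == 3:   # TRANSFORM: number, transform ID (3 = ESP_3DES), reserved, attributes
            out.append(("TRANSFORM", {"id": data[1], "attrs": parse_attributes(data[4:])}))
        elif ptype == 5:   # ID: type, protocol, port, address
            out.append(("ID", str(IPv4Address(data[4:8]))))
        elif ptype == 11:  # NOTIFY: DOI, protocol ID, SPI size, message type, SPI, attributes
            proto, spisz, mtype = struct.unpack_from("!BBH", data, 4)
            out.append(("NOTIFY", {"proto": PROTO.get(proto, proto), "type": mtype,
                                   "attrs": parse_attributes(data[8 + spisz:])}))
        else:              # HASH, NONCE: opaque data
            out.append(({8: "HASH", 10: "NONCE"}.get(ptype, ptype), data.hex()))
        off, ptype = off + length, nxt
    return out
```

Running the same function over the OpenBSD side's own proposal gives a field-by-field comparison of what each peer offered, which is the quickest way to spot a mismatch in an attribute such as ENCAPSULATION_MODE.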