Steven Surdock wrote:
Prabhu Gurumurthy wrote:
Steven Surdock wrote:
Prabhu Gurumurthy wrote:
Steven Surdock wrote:
...
Yes, thanks, but that was a typo. Sorry for the confusion; the tunnel still
does not come up.
What does your ACL "VPN_ACL" look like? How about the output from a
"debug crypto isakmp" from the PIX?
-Steve S.
Ah... finally figured it out!
Mismatch on encryption:
On PIX side I had:
crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
On OpenBSD side I had:
ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
local 10.200.3.7 peer 10.200.3.1 \
main auth hmac-sha1 enc aes \
quick auth hmac-sha1 enc aes \
srcid 10.200.3.7 psk "!PS3c1nf0"
When I enabled debug crypto ipsec and debug crypto isakmp:
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.200.3.7/53766 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2634506259
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 1200
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP: key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
The IPsec SA failed to form because of a mismatch in the AES-CBC key length:
the PIX expected AES-256, OpenBSD offered AES-128!
*Does anybody know how to fix that in OpenBSD ipsec.conf?*
When I changed my crypto transform-set to:
crypto ipsec transform-set IPSEC_SET esp-aes esp-sha-hmac
the IPsec SA gets established:
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xb2b675d9
ISAKMP (0): retransmitting phase 2 (2/1)... mess_id 0xb2b675d9
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:59402 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3959032696, spi size = 4
ISAKMP (0): deleting other-spi 3182850060 message ID = 2998302169
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2852066664, spi size = 16
ISAKMP (0): deleting SA: src 10.200.3.7, dst 10.200.3.1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.200.3.7/53766 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.200.3.7
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.200.3.7
ISADB: reaper checking SA 0xa2fb9c, conn_id = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.200.3.7/52106 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.200.3.7/52106 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3941283929
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 1200
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP: key length is 128
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 10.200.3.1, src= 10.200.3.7,
dest_proxy= 192.168.137.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.30.75.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x24
ISAKMP (0): processing NONCE payload. message ID = 3941283929
ISAKMP (0): processing KE payload. message ID = 3941283929
ISAKMP (0): processing ID payload. message ID = 3941283929
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 172.30.75.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3941283929
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.137.0/255.255.255.0 prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x36dc0826(920389670) for SA
from 10.200.3.7 to 10.200.3.1 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 10.200.3.7 to 10.200.3.1 (proxy
172.30.75.0 to 192.168.137.0)
has spi 920389670 and conn_id 1 and flags 25
lifetime of 1200 seconds
outbound SA from 10.200.3.1 to 10.200.3.7 (proxy
192.168.137.0 to 172.30.75.0)
has spi 2450334014 and conn_id 2 and flags 25
lifetime of 1200 seconds
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 10.200.3.1, src= 10.200.3.7,
dest_proxy= 192.168.137.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.30.75.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 1200s and 0kb,
spi= 0x36dc0826(920389670), conn_id= 1, keysize= 128, flags= 0x25
IPSEC(initialize_sas): ,
(key eng. msg.) src= 10.200.3.1, dest= 10.200.3.7,
src_proxy= 192.168.137.0/255.255.255.0/0/0 (type=4),
dest_proxy= 172.30.75.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 1200s and 0kb,
spi= 0x920d213e(2450334014), conn_id= 2, keysize= 128, flags= 0x25
VPN Peer: IPSEC: Peer ip:10.200.3.7/52106 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:10.200.3.7/52106 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
But the problem is: after loading ipsec.conf with ipsecctl -vv -f
/etc/ipsec.conf, the tunnel did not get established. I killed the isakmp
daemon and restarted it with
kill -TERM `cat /var/run/isakmpd.pid`
isakmpd -K
ipsecctl -vv -f /etc/ipsec.conf
and the tunnel is up and running.
What am I doing wrong when trying to establish a new VPN tunnel?
Is there a documented procedure that describes how to do it, or is it as simple
as doing ipsecctl -f /etc/ipsec.conf && kill -HUP `cat /var/run/isakmpd.pid`?
Thanks for your responses!
Does anybody need any more logs?
Before I forget, here are the dmesg from the OpenBSD system and the PIX 501
running config:
Please do not worry about the duplicate IPv6 addresses in dmesg; I am working
on IPv6 too.
From PIX:
pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name silverspringnet.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP_ALLOW
icmp-object echo-reply
icmp-object echo
icmp-object unreachable
object-group network LOCAL_SUBNET
network-object 192.168.137.0 255.255.255.0
object-group network REMOTE_SUBNET
network-object 172.30.75.0 255.255.255.0
access-list INTRANET_IN permit ip any any
access-list INTERNET_IN permit icmp any any object-group ICMP_ALLOW
access-list VPN_ACL permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.200.3.1 255.255.252.0
ip address inside 192.168.137.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_ACL
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INTERNET_IN in interface outside
access-group INTRANET_IN in interface inside
route outside 0.0.0.0 0.0.0.0 10.200.2.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set IPSEC_SET esp-aes esp-sha-hmac
crypto map VPN_MAP 1 ipsec-isakmp
crypto map VPN_MAP 1 match address VPN_ACL
crypto map VPN_MAP 1 set peer 10.200.3.7
crypto map VPN_MAP 1 set transform-set IPSEC_SET
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 10.200.3.7 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3105e47344162ca405ed597e41b9a1e6
: end
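As an added example (not code from the thread or from either vendor), a small Python parser for the quick-mode part of the PIX "debug crypto isakmp" output quoted above: it pulls the offered ESP transform and key length out of each IPsec proposal, copes with the fused "128IPSEC(...)" lines the PIX prints, and explains a rejection against the key length the configured transform-set implies. The sample log lines are constructed excerpts of the output in the thread; the PIX 6.3 keyword-to-key-length mapping (esp-aes = 128, esp-aes-192, esp-aes-256) is assumed.

```python
import re
# Constructed excerpts of the PIX "debug crypto isakmp" quick-mode output from the thread
# (the fused "128IPSEC(...)" text is kept exactly as the PIX prints it).
REJECTED_LOG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: key length is 128IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
"""
ACCEPTED_LOG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: key length is 128
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
"""

# AES key length implied by each PIX 6.3 transform-set cipher keyword (assumed mapping).
PIX_AES_KEYLEN = {"esp-aes": 128, "esp-aes-192": 192, "esp-aes-256": 256}

def expected_keylen(transform_set_line):
    """Key length the PIX will insist on for a 'crypto ipsec transform-set' line (None if not AES)."""
    return next((PIX_AES_KEYLEN[t] for t in transform_set_line.split() if t in PIX_AES_KEYLEN), None)

def parse_proposals(log):
    """Return one dict per IPsec proposal the peer offered, as the PIX debug output describes it."""
    proposals, cur = [], None
    for line in log.splitlines():
        if m := re.search(r"Checking IPSec proposal (\d+)", line):
            cur = {"proposal": int(m.group(1)), "accepted": None}
            proposals.append(cur)
        elif cur is None:                      # phase 1 chatter before any proposal
            continue
        elif m := re.search(r"transform \d+, (\S+)", line):
            cur["transform"] = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):   # matches even when fused with IPSEC(...)
            cur["keylen"] = int(m.group(1))
        elif "atts not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return proposals

def diagnose(log, transform_set_line):
    """Explain a rejected AES proposal by comparing the offered key length with the transform-set."""
    want = expected_keylen(transform_set_line)
    for p in parse_proposals(log):
        if p["accepted"] is False and p.get("transform") == "ESP_AES" and p.get("keylen") != want:
            return f"proposal {p['proposal']}: peer offered AES-{p['keylen']}, PIX requires AES-{want}"
    return None
```

Run diagnose() on the first debug capture with the original esp-aes-256 transform-set line and it names the AES-128 versus AES-256 mismatch directly; on the second capture it returns None because the proposal was accepted.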