Hi all,

I have been trying to set up a VPN connection between OpenBSD and a Cisco
router with no success for more than 2 weeks, and I really need some advice
on how to resolve this. Basically, I cannot understand what is going wrong
during the negotiation :-S
Any information would be really helpful for me.

The scenario:
==========================================================
OpenBSD 4.7 machine (amd64), fresh install, acting as gateway
Public IP: A.A.A.A
Private IP: 172.22.1.1/16

Cisco Router (IPSec Server)
Public IP: B.B.B.B
Private LAN: 10.20.10.0/24 (IPsec tunnel configured only to access the
10.20.10.38 machine)

Diagram:
==========================================================
          Location A                                              Location B
172.22/16 [OpenBSD] A.A.A.A ------(Internet)------- B.B.B.B [Cisco] -- 10.20.10.38 (machine)

Constraints:
==========================================================
1 - The OpenBSD machine should present itself as 10.0.22.221 in the Site B
LAN.
2 - It's not possible to modify the Cisco configuration. It's proven to be
fully functional with other Cisco peers (at least that's what they have told
me).

Cisco Configuration:
==========================================================
! Name for the remote (OpenBSD) public address and the object-group used in
! the crypto ACL (the object-group's members are not included in the post)
name A.A.A.A siteApublicIP
object-group network siteA
! Crypto ACL: source side object-group siteA, destination host 10.0.22.221
access-list outside_cryptomap_23 extended permit ip object-group siteA host 10.0.22.221
! Phase 2 transform set: ESP with 3DES encryption and HMAC-MD5 authentication
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Crypto map entry 22: interesting traffic, PFS (no group given, so the
! default group 2), peer address and transform set
crypto map outside_map 22 match address outside_cryptomap_23
crypto map outside_map 22 set pfs
crypto map outside_map 22 set peer siteApublicIP
crypto map outside_map 22 set transform-set ESP-3DES-MD5
! Phase 1: LAN-to-LAN tunnel group keyed by the peer address, pre-shared key
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
 pre-shared-key theKey

OpenBSD Config:
==========================================================
/etc/ipsec.conf:
==========================================================
# Initiating (active) IKEv1 ESP tunnel to B.B.B.B. The address in front of
# the parentheses, 10.0.22.221, is the local ID offered to the peer; the real
# local network 172.22.0.0/16 in parentheses is what pf translates to it.
# Phase 1: main mode, 3DES with HMAC-MD5, pre-shared key.
# Phase 2: quick mode, ESP 3DES with HMAC-MD5, PFS with group 2 (modp1024).
ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.0/24 \
    peer B.B.B.B \
    main auth hmac-md5 enc 3des \
    quick auth hmac-md5 enc 3des group modp1024 \
    psk theKey


/etc/pf.conf:
==========================================================
# $ext_if and $int_if are macros for the external and LAN interfaces (their
# definitions were not included in the post)
set skip on lo
# LAN traffic bound for the remote site, translated to 10.0.22.221, outbound
# on the external interface
match out log on $ext_if from 172.22/16 to 10.20.10.0/24 nat-to 10.0.22.221
# All other LAN traffic, translated to the public address, outbound on the
# internal interface
match out log on $int_if from 172.22/16 to !172.22/16 nat-to A.A.A.A
# Allow everything
pass


isakmpd output (via tcpdump):
==========================================================
0.0.0.0.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->0000000000000000 msgid: 00000000 len: 180
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
        payload: TRANSFORM len: 32
            transform: 0 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                attribute HASH_ALGORITHM = MD5
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 3600
 payload: VENDOR len: 20 (supports OpenBSD-4.0)
 payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
 payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 124
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
        payload: TRANSFORM len: 32
            transform: 0 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                attribute HASH_ALGORITHM = MD5
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 3600
 payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 24 [ttl 0] (id 1, len 152)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 220
 payload: KEY_EXCH len: 132
 payload: NONCE len: 20
 payload: NAT-D-DRAFT len: 20
 payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 248)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 296
 payload: KEY_EXCH len: 132
 payload: NONCE len: 24
 payload: VENDOR len: 20 (supports Cisco Unity)
 payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
 payload: VENDOR len: 20
 payload: VENDOR len: 20
 payload: NAT-D-DRAFT len: 20
 payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 324)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 88
 payload: ID len: 12 type: IPV4_ADDR = A.A.A.A
 payload: HASH len: 20
 payload: NOTIFICATION len: 28
    notification: INITIAL CONTACT (8f5627d25c664fa7->a8427e4dfc02591c) [ttl 0] (id 1, len 116)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 84
 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = B.B.B.B
 payload: HASH len: 20
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 276
 payload: HASH len: 20
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x6aa9a434
        payload: TRANSFORM len: 28
            transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 1200
                attribute ENCAPSULATION_MODE = TUNNEL
                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                attribute GROUP_DESCRIPTION = 2
 payload: NONCE len: 20
 payload: KEY_EXCH len: 132
 payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
 payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 304)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 284
 payload: HASH len: 20
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf11d3e40
        payload: TRANSFORM len: 28
            transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 1200
                attribute ENCAPSULATION_MODE = TUNNEL
                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                attribute GROUP_DESCRIPTION = 2
 payload: NONCE len: 24
 payload: KEY_EXCH len: 132
 payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
 payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 312)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 48
 payload: HASH len: 20 [ttl 0] (id 1, len 76)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: c1f366e9 len: 84
 payload: HASH len: 20
 payload: NOTIFICATION len: 32
    notification: STATUS_DPD_R_U_THERE seq 368398431 [ttl 0] (id 1, len 112)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: f2b291c5 len: 80
 payload: HASH len: 20
 payload: NOTIFICATION len: 32
    notification: STATUS_DPD_R_U_THERE_ACK seq 368398431 [ttl 0] (id 1, len 108)
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d5775508 len: 84
 payload: HASH len: 20
 payload: NOTIFICATION len: 32
    notification: STATUS_DPD_R_U_THERE seq 368398432 [ttl 0] (id 1, len 112)
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 1d14596e len: 80
 payload: HASH len: 20
 payload: NOTIFICATION len: 32
    notification: STATUS_DPD_R_U_THERE_ACK seq 368398432 [ttl 0] (id 1, len 108)

Thank you in advance for your time and patience,

Fer

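What the trace above actually shows is a negotiation that completes: main mode runs through all six messages (SA, key exchange plus nonce, then the ID/HASH pair in each direction), quick mode runs through all three, and everything after that is DPD R_U_THERE/ACK keepalives over the established phase 1 SA. So the thing to look at is what happens to the data traffic once the SAs are up, starting with where the 172.22/16 to 10.0.22.221 translation is applied. On OpenBSD, pf sees outbound IPsec traffic on the enc(4) interface before it is encapsulated; by the time it leaves $ext_if it is ESP from A.A.A.A to B.B.B.B, which a rule written as "from 172.22/16 to 10.20.10.0/24" cannot match, while the Cisco's crypto ACL only permits the inner host 10.0.22.221. With the (srcnat) form of ipsec.conf the flow covers the network in parentheses and the peer is offered the address in front of it (which is what the quick mode ID payloads in the trace carry), and the actual rewrite is left to pf. The pair of files below is an added example, not the poster's configuration: it keeps the posted addresses and placeholders, moves the tunnel nat-to onto enc0, translates ordinary Internet traffic on the external interface, and assumes the interface macro values shown (the originals were not included in the post) and a remote selector of the single host 10.20.10.38, which is what the trace negotiates (the posted ipsec.conf says 10.20.10.0/24).

```pf
# /etc/pf.conf -- added example, not the poster's file
ext_if = "em0"    # assumption: interface holding A.A.A.A
int_if = "em1"    # assumption: interface holding 172.22.1.1/16

set skip on lo

# Tunnel traffic: pf sees the inner packet on enc0 before ESP encapsulation,
# so this is where the LAN source is rewritten to the one address the Cisco
# crypto ACL allows (host 10.0.22.221).
match out log on enc0 from 172.22.0.0/16 to 10.20.10.38 nat-to 10.0.22.221

# Everything else from the LAN is translated to the public address on the
# external interface. Tunnel traffic never matches this rule: on $ext_if it
# is already ESP with source A.A.A.A.
match out log on $ext_if from 172.22.0.0/16 to any nat-to A.A.A.A

# Default deny inbound from the Internet; allow outbound (translated LAN
# traffic, IKE and ESP), and inbound only IKE (UDP 500, 4500 for NAT-T)
# and ESP from the peer gateway.
block in on $ext_if
pass out on $ext_if
pass in on $ext_if proto udp from B.B.B.B to A.A.A.A port { 500, 4500 }
pass in on $ext_if proto esp from B.B.B.B to A.A.A.A

# LAN traffic, and the cleartext side of the tunnel on enc0 (both the packets
# about to be encrypted and the ones just decrypted pass through here).
pass on $int_if
pass on enc0

# /etc/ipsec.conf -- added example, same phase 1/2 parameters as the post.
# 10.0.22.221 is the local ID offered to the peer, 172.22.0.0/16 in
# parentheses is the real LAN that pf translates to it on enc0; the remote
# selector is the single host the trace negotiates.
ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.38 \
    peer B.B.B.B \
    main auth hmac-md5 enc 3des \
    quick auth hmac-md5 enc 3des group modp1024 \
    psk theKey
```

Both files can be syntax-checked without loading them (`pfctl -nf /etc/pf.conf`, `ipsecctl -nf /etc/ipsec.conf`). Once loaded, `ipsecctl -sa` lists the flow for 172.22.0.0/16 to 10.20.10.38 together with the ESP SAs, `pfctl -s state` shows the 172.22.x.x to 10.0.22.221 translations being created, and `tcpdump -ni enc0` shows the inner packets in both directions; if the peer's DPD keepalives keep answering but `tcpdump -ni enc0` shows outbound packets with no replies, the remaining question is on the Cisco side (the contents of object-group siteA, which the post does not include).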