[nsp] IPSec between cisco and D-Link DI-804V?
Marcus Keane
mkeane at microsoft.com
Tue Jan 21 09:09:44 EST 2003
Mart, I would say this is a bug as it seems to be in violation of the
RFC. Just for the hell of it, can you try using FQDN as your ID-type?
You can try this with the command "crypto isakmp identity hostname". It
will probably use the same values for protocol/port as it did before,
but it's worth a try to see what happens.
Marcus.
-----Original Message-----
From: Mart Norman [mailto:mart at estnet.ee]
Sent: 21 January 2003 04:03
To: cisco-nsp at puck.nether.net
Hello,
Is anybody successfully running IPsec between a Cisco and a D-Link DI-804V?
I'm having a problem with this.

10.1.1.0/24 -- cisco (1.1.1.1) -- internet -- di-804v (2.2.2.2) -- 10.1.2.0/24

If I replace either of them with a FreeBSD box running racoon for ISAKMP,
everything works fine.
Cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key plapla address 2.2.2.2
!
!
crypto ipsec transform-set mart esp-3des esp-md5-hmac
!
!
!
!
crypto map staticmart 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set mart
 set pfs group1
 match address 108
[..]
interface Serial2/0
 ip address 1.1.1.1 255.255.255.0
 crypto map staticmart
[..]
ip route 10.1.2.0 255.255.255.0 Serial2/0
[..]
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
I tracked the problem down to the point where the Cisco sends an ID payload
which appears to be different from what the DI-804V expects, and this causes
the negotiation to fail.

Any hints on how to overcome it? Or do I just have to accept that Cisco's and
D-Link's implementations of IPsec are not compatible?
Cisco debug:

17:25:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        addr         : 1.1.1.1
        protocol     : 17
        port         : 0
        length       : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE
and the DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
If I connect the DI-804V to the FreeBSD box running racoon, I get:

IPsec[50]:Initiating Main Mode
IKE[51]:[estnet] Initializing IKE Main Mode
IKE[52]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[53]:Packet retransmission, timeout in 10 seconds for #1
IPsec[54]:NO outbound SA found
IKE[55]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[56]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[57]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[58]:Packet retransmission, timeout in 10 seconds for #1
IPsec[59]:Find_outsa() not found
IPsec[60]:NO outbound SA found
IKE[61]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[62]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[63]:Packet retransmission, timeout in 10 seconds for #1
IPsec[64]:Find_outsa() not found
IPsec[65]:NO outbound SA found
IKE[66]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[67]:Decoded Peer's ID is ID_IPV4_ADDR:1.1.1.1 and 1.1.1.1 in st
IPsec[68]:Packet retransmission, timeout in 28700 seconds for #1
IPsec[69]:STATE_MAIN_I4: ISAKMP SA established
IPsec[70]:New State index:1, sno:2
IPsec[71]:New Message ID generated:47af3b4f
IPsec[72]:initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
IKE[73]:[estnet] TX >> QM_I1 : 1.1.1.1
IPsec[74]:Packet retransmission, timeout in 10 seconds for #2
IPsec[75]:Find_outsa() not found
IPsec[76]:NO outbound SA found
IPsec[77]:Find_outsa() not found
IPsec[78]:NO outbound SA found
IKE[79]:[estnet] RX << XCHG_INFO : 1.1.1.1
IKE[80]:[estnet] RX << QM_R1 : 1.1.1.1
IKE[81]:[ESP_3DES/AUTH_ALGORITHM_HMAC_MD5/In SPI:b95221b4,Out SPI:909d9e7]
IPsec-keymat[82]:des3_cbc[len=24] 10 c6 a9 58 b3 a5 3e 24 35 a1 c7 53 82 a4 23 43 bc a7 ac 2a 9e c8 db 40
IPsec-keymat[83]:hmac-md5-96[len=16] cf f6 73 c8 f6 c1 6e 64 fa 47 c9 6a 70 4f 72 7b
IPsec-keymat[84]:des3_cbc[len=24] 62 ad e6 c7 cf 98 9a 10 e1 76 6c 42 3a de 6a f3 d2 3c dd 3e 67 1a 33 28
IPsec-keymat[85]:hmac-md5-96[len=16] b3 1b d7 3a d5 c0 92 84 3 77 a2 c7 83 e 94 56
IKE[86]:[estnet] TX >> QM_I2 : 1.1.1.1
IKE[87]:[estnet] established with 1.1.1.1 successfully
IPsec[88]:Packet retransmission, timeout in 3500 seconds for #2
IPsec[89]:STATE_QUICK_I2: sent QI2, IPsec SA established
IPSec[90]:*48*DUMP SA: INBOUND:1/64 OUTBOUND:1/64
IPSec[91]:DUMP ST: 2/64
IPSec[92]:DUMP MEM_ALLOC: 25/75
IPsec[93]:DUMP_INSA:ESP0xb95221b4[STNO=2]@1.1.1.1+10.1.1.0/255.255.255.0
IPsec[94]:DUMP_OUTSA:ESP0x909d9e7[STNO=2]@1.1.1.1+10.1.1.0/255.255.255.0
IPsec[95]:conn_list->estnet(8,896,6,672)->NULL
IPSec[96]:*48*DUMP SA: INBOUND:1/64 OUTBOUND:1/64
IPSec[97]:DUMP ST: 2/64
IPSec[98]:DUMP MEM_ALLOC: 25/75
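To make the failing check concrete, here is an added example (not from the thread or either vendor): a small decoder for the IKEv1 Identification payload (RFC 2408 generic header plus the RFC 2407 §4.6.2 ID body) fed a constructed 12-byte payload carrying exactly the values in the Cisco debug (type 1, protocol 17, port 0, 1.1.1.1), plus the strict Phase 1 protocol/port rule the DI-804V log enforces. The second payload, with protocol/port 0/0, is also constructed, to show what the responder accepts.

```python
import struct
from ipaddress import IPv4Address

ID_IPV4_ADDR = 1  # ID type value from RFC 2407 s4.6.2.1

# Constructed ISAKMP Identification payload matching the Cisco debug above:
# next-payload 8 (Hash), reserved 0, length 12, ID type 1 (ID_IPV4_ADDR),
# protocol 17 (UDP), port 0, address 1.1.1.1.
CISCO_ID_PAYLOAD = bytes([8, 0, 0, 12, 1, 17, 0, 0, 1, 1, 1, 1])
# Constructed variant with protocol/port 0/0, which a strict responder accepts.
UNSPECIFIED_PROTO_ID_PAYLOAD = bytes([8, 0, 0, 12, 1, 0, 0, 0, 1, 1, 1, 1])


def parse_id_payload(buf):
    """Decode one IKEv1 Identification payload into its header and ID fields."""
    if len(buf) < 8:
        raise ValueError("payload shorter than the 8-byte ID header")
    # Generic payload header (next, reserved, length) + ID type, protocol, port.
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError(f"length field {length} does not match {len(buf)} bytes")
    data = buf[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR carries exactly 4 bytes of data")
        ident = str(IPv4Address(data))
    else:
        ident = data.hex()  # other ID types are left undecoded here
    return {"next_payload": next_payload, "length": length, "type": id_type,
            "protocol": proto, "port": port, "id": ident}


def phase1_id_ok(payload):
    """RFC 2407 s4.6.2: in Phase 1 the protocol/port pair must be 0/0 or
    UDP/500. The DI-804V rejects the Cisco's 17/0 under this rule."""
    return (payload["protocol"], payload["port"]) in ((0, 0), (17, 500))


if __name__ == "__main__":
    for name, raw in (("cisco", CISCO_ID_PAYLOAD),
                      ("proto-0/0", UNSPECIFIED_PROTO_ID_PAYLOAD)):
        p = parse_id_payload(raw)
        print(name, p, "phase1 ok" if phase1_id_ok(p) else "REJECT")
```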
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/