[nsp] IPSec between cisco and D-Link DI-804V?

Wilson, Dan Dan.Wilson at transamerica.com
Mon Jan 20 16:25:19 EST 2003


Yeah. Microsoft KNOWS security!

-----Original Message-----
From: Marcus Keane [mailto:mkeane at microsoft.com]
Sent: Monday, January 20, 2003 4:10 PM
To: Mart Norman
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] IPSec between cisco and D-Link DI-804V?


Mart, I would say this is a bug as it seems to be in violation of the
RFC. Just for the hell of it, can you try using FQDN as your ID-type?
You can try this with the command "crypto isakmp identity hostname". It
will probably use the same values for protocol/port as it did before,
but it's worth a try to see what happens.
Marcus.
 
-----Original Message-----
From: Mart Norman [mailto:mart at estnet.ee] 
Sent: 21 January 2003 04:03
To: cisco-nsp at puck.nether.net

Hello,

Is anybody successfully running IPsec between Cisco and D-Link DI-804V?
I'm having a problem with this.


10.1.1.0/24 -- cisco -- internet -- di-804v -- 10.1.2.0/24
               1.1.1.1             2.2.2.2

If I replace either of them with a FreeBSD box running racoon for ISAKMP,
everything works fine.

Cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key plapla address 2.2.2.2
!
!
crypto ipsec transform-set mart esp-3des esp-md5-hmac
!
!
!
!
crypto map staticmart 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set mart
 set pfs group1
 match address 108

[..]

interface Serial2/0
 ip address 1.1.1.1 255.255.255.0
 crypto map staticmart

[..]
ip route 10.1.2.0 255.255.255.0 Serial2/0
[..]
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255


I tracked the problem down to the point where cisco sends ID Payload
which appears to be different than DI-804V expects and this causes
negotiations to fail.

Any hints on how to overcome it? Or do I just have to accept that Cisco's and
D-Link's implementations of IPsec are not compatible?

Cisco debug:

17:25:00: ISAKMP (0:1): SA is doing
pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
	next-payload : 8
	type         : 1
	addr         : 1.1.1.1
	protocol     : 17
	port         : 0
	length       : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port
500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5  New State =
IKE_P1_COMPLETE

17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State =
IKE_P1_COMPLETE

17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500
(R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous
packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE      ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE      ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit
phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit.
QM_IDLE

and DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or
17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64  OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1

If I connect the DI-804V to the FreeBSD box running racoon, I get

IPsec[50]:Initiating Main Mode
IKE[51]:[estnet] Initializing IKE Main Mode
IKE[52]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[53]:Packet retransmission, timeout in 10 seconds for #1
IPsec[54]:NO outbound SA found
IKE[55]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[56]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[57]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[58]:Packet retransmission, timeout in 10 seconds for #1
IPsec[59]:Find_outsa() not found
IPsec[60]:NO outbound SA found
IKE[61]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[62]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[63]:Packet retransmission, timeout in 10 seconds for #1
IPsec[64]:Find_outsa() not found
IPsec[65]:NO outbound SA found
IKE[66]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[67]:Decoded Peer's ID is ID_IPV4_ADDR:1.1.1.1 and 1.1.1.1 in st
IPsec[68]:Packet retransmission, timeout in 28700 seconds for #1
IPsec[69]:STATE_MAIN_I4: ISAKMP SA established
IPsec[70]:New State index:1, sno:2
IPsec[71]:New Message ID generated:47af3b4f
IPsec[72]:initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
IKE[73]:[estnet] TX >> QM_I1 : 1.1.1.1
IPsec[74]:Packet retransmission, timeout in 10 seconds for #2
IPsec[75]:Find_outsa() not found
IPsec[76]:NO outbound SA found
IPsec[77]:Find_outsa() not found
IPsec[78]:NO outbound SA found
IKE[79]:[estnet] RX << XCHG_INFO : 1.1.1.1
IKE[80]:[estnet] RX << QM_R1 : 1.1.1.1
IKE[81]:[ESP_3DES/AUTH_ALGORITHM_HMAC_MD5/In SPI:b95221b4,Out
SPI:909d9e7]
IPsec-keymat[82]:des3_cbc[len=24] 10 c6 a9 58 b3 a5 3e 24 35 a1 c7 53 82
a4 23 43 bc a7 ac 2a 9e c8 db 40
IPsec-keymat[83]:hmac-md5-96[len=16] cf f6 73 c8 f6 c1 6e 64 fa 47 c9 6a
70 4f 72 7b
IPsec-keymat[84]:des3_cbc[len=24] 62 ad e6 c7 cf 98 9a 10 e1 76 6c 42 3a
de 6a f3 d2 3c dd 3e 67 1a 33 28
IPsec-keymat[85]:hmac-md5-96[len=16] b3 1b d7 3a d5 c0 92 84 3 77 a2 c7
83 e 94 56
IKE[86]:[estnet] TX >> QM_I2 : 1.1.1.1
IKE[87]:[estnet] established with 1.1.1.1 successfully
IPsec[88]:Packet retransmission, timeout in 3500 seconds for #2
IPsec[89]:STATE_QUICK_I2: sent QI2, IPsec SA established
IPSec[90]:*48*DUMP SA: INBOUND:1/64  OUTBOUND:1/64
IPSec[91]:DUMP ST: 2/64
IPSec[92]:DUMP MEM_ALLOC: 25/75
IPsec[93]:DUMP_INSA:ESP0xb95221b4[STNO=2]@1.1.1.1+10.1.1.0/255.255.255.0
IPsec[94]:DUMP_OUTSA:ESP0x909d9e7[STNO=2]@1.1.1.1+10.1.1.0/255.255.255.0
IPsec[95]:conn_list->estnet(8,896,6,672)->NULL
IPSec[96]:*48*DUMP SA: INBOUND:1/64  OUTBOUND:1/64
IPSec[97]:DUMP ST: 2/64
IPSec[98]:DUMP MEM_ALLOC: 25/75
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
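The check the DI-804V applies comes from RFC 2407 section 4.6.2: in a Phase 1 ID payload the protocol/port fields must be 0/0 or UDP/500, and the Cisco debug above shows it sending 17/0. The following is an added example, not code from the thread or from either vendor: it decodes a constructed ID payload built to match the Cisco debug (next-payload 8, type ID_IPV4_ADDR, protocol 17, port 0, addr 1.1.1.1, total length 12) and reports whether a strict responder would accept it. Function names and the sample bytes are assumptions made here.

```python
"""Decode an ISAKMP Identification payload (RFC 2408 3.8 / RFC 2407 4.6.2)
and apply the Phase 1 protocol/port rule that the D-Link log enforces."""
import struct
from ipaddress import IPv4Address

ID_IPV4_ADDR = 1
ID_FQDN = 2
UDP = 17
ISAKMP_PORT = 500


def parse_id_payload(data: bytes) -> dict:
    # Generic payload header (RFC 2408 3.2): next payload, reserved, length
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"payload length {length} != {len(data)} bytes given")
    # IPsec DOI ID payload body (RFC 2407 4.6.2): type, protocol, port, data
    id_type, protocol, port = struct.unpack("!BBH", data[4:8])
    ident = data[8:]
    if id_type == ID_IPV4_ADDR:
        if len(ident) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(IPv4Address(ident))
    elif id_type == ID_FQDN:
        ident = ident.decode("ascii")
    return {"next_payload": next_payload, "type": id_type,
            "protocol": protocol, "port": port, "id": ident}


def phase1_id_ok(protocol: int, port: int) -> bool:
    # RFC 2407 4.6.2: during Phase 1 the port/protocol fields MUST be zero
    # or UDP/500. A responder enforcing this rejects the 17/0 seen above.
    return (protocol, port) in {(0, 0), (UDP, ISAKMP_PORT)}


# Constructed sample (assumption, not a capture) mirroring the Cisco debug:
# next-payload 8, type 1, protocol 17, port 0, addr 1.1.1.1, total 12 bytes.
CISCO_ID_PAYLOAD = bytes([8, 0, 0, 12, 1, 17, 0, 0, 1, 1, 1, 1])

if __name__ == "__main__":
    p = parse_id_payload(CISCO_ID_PAYLOAD)
    verdict = "accepted" if phase1_id_ok(p["protocol"], p["port"]) else "rejected"
    print(p, verdict)
```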
