[c-nsp] Problem with cisco VPN, help please

Mohamed Sadok MOUHA ms_mouha at yahoo.fr
Fri Aug 12 04:25:53 EDT 2005


thank you for your help. Yes my VPN gateway is NATed. The guy on the
other side tells me that he receives my packet, responds and then he
receives nothing (time out). It seems that I'm not receiving his
response? I have activated the debug packet from the distant gateway, it
gives:

IPSEC(key_engine_sa_req): setting timer running retry <1>


crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
gen_cookie:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
init_set_oakley_atts:
begin phase one
sa->state 0x0
ISAKMP (0): beginning Main Mode exchange
throw: mess_id 0x0
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMER
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (0)...
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMER--------- PACKET ---------

-- IP --
xxx.xxx.xxx.xxx  ==>     192.168.99.250

        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0xac
        id = 0x0        flags = 0x40    frag off=0x0
        ttl = 0x33      proto=0x11      chksum = 0x8fd5

        -- UDP --
                source port = 0x1f4     dest port = 0x1f4
                len = 0x98      checksum = 0x937c
        -- DATA --
                00000010:                                     e5 9c 6b d9  |              ..k.
                00000020: 4c c6 71 b5 16 04 71 79 cd c8 74 b5 01 10 02 00  |  L.q...qy..t.....
                00000030: 00 00 00 00 00 00 00 90 0d 00 00 38 00 00 00 01  |  ...........8....
                00000040: 00 00 00 01 00 00 00 2c 01 01 00 01 00 00 00 24  |  .......,.......$
                00000050: 01 01 00 00 80 01 00 05 80 02 00 01 80 04 00 02  |  ................
                00000060: 80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80  |  ..............Q.
                00000070: 0d 00 00 14 ba eb 23 90 37 e1 77 87 d7 30 ee d9  |  ......#.7.w

IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.99.250, remote= 213.150.189.50,
    local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.22.130.223/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>


crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (1)...
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMER
QM_TIMER
ISAKMP (0): deleting SA: src 192.168.99.250, dst xxx.xxx.xxx.xxx
REAPER_TIMER
ISADB: reaper checking SA 0xa96264, conn_id = 0  DELETE IT!

crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0

ipsec_db_delete_sa_list_entry:
ipsec_db_free_ipsec_sa_list:



Any help please?

Thanx


On Thursday, 11 August 2005 at 07:09 -0700, Joel M Snyder wrote:
> >I have a problem with my cisco PIX 501. I'm trying to establish a site-to-site
> >VPN connection but still blocked in phase 1. any help please ?
> 
> Well, the config and debug you've given us is not the one that's needed, but I
> can hazard a guess.   (we need the one from the other end, the responder)
> 
> First, according to the debug, you're sending out msg 1 of the MM IKE and
> getting basically no response.  So that means that the guy at the other end
> doesn't like you.  For IKE's anti-DoS reasons, you're not going to get an "I
> don't like you" response, which is why you're seeing nothing.  The useful debug
> would be the one at the other end which says why he doesn't like you.
> 
> Second, I can hazard a guess.  The part of the config that you're exposing
> shows that your external address is an 192.168 address.  Since you're not
> giving us the REMOTE address, I am guessing that this means that they have a
> normal routable address, which leads me to surmise that you're being NATed. 
> 
> There are two reasons why this is probably not working.  The most likely is
> that you are appearing on the other side as some other address besides
> 192.168.xxx.xxx, and thus the guy is saying "I have no policy for him," and
> dropping your proposal.  
> 
> The second possible reason is that you cannot use IKE with pre-shared secrets
> unless you use aggressive mode.  It's a long and convoluted argument, but
> basically the guy at the other end doesn't know what your PSS is because he
> can't tell it because he has to look it up based on your ID payload---which he
> doesn't know, because that's one of the things he has to know in order to
> discover your ID payload.  The IKE solution is to base the PSS on your IP
> address, which is visible, except in your case, because you're being NATed. 
> (Yes, this gets fixed in IKEv2).  With aggressive mode, which has its
> own serious security problems, you expose your ID payload in the first message
> so he at least knows how to verify that you know the correct PSS.  (This can
> also be solved by using wildcard PSS, but if you use the same password for
> everyone, you really might as well just use clear-text because you're getting
> about the same level of security). 
> 
> So, you MIGHT be able to get this to work (this is
> VPN-implementation-dependent, and you haven't said what the guy on the other
> end is running) if you have a static NAT and if you are sure that the guy at
> the other end is putting in the correct IP address for you.  
> 
> In any case, the only way to debug this is to get the guy at the other end to
> provide the vital & missing information about why he doesn't like you, and then
> you'll know and can fix it.
> 
> jms
> 
> 
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
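As an added example (not from the thread or from Cisco), the ISAKMP message in the packet dump above decoded with a small Python parser: it reads the header, walks the payload chain and decodes the phase 1 transform attributes, which is how you confirm from a capture that an exchange is Main Mode with pre-shared key authentication, the combination Joel's reply discusses. The byte string is reassembled from the dump exactly as printed (the debug captured only 100 of the 144 bytes, so the last payload is cut off and the parser has to cope with that); attribute names and values follow RFC 2409 appendix A, and the field names in the returned dict are my own.

```python
import struct
# ISAKMP message from the "-- DATA --" dump above, reassembled from offset 0x1c
# (after the IP and UDP headers). The debug printed only 100 of 144 bytes, so
# the parser must tolerate a truncated trailing payload.
ISAKMP_BYTES = bytes.fromhex(
    "e59c6bd9 4cc671b5 16047179 cdc874b5 01100200 00000000 00000090"
    "0d000038 00000001 00000001 0000002c 01010001 00000024 01010000"
    "80010005 80020001 80040002 80030001 800b0001 000c0004 00015180"
    "0d000014 baeb2390 37e17787 d730eed9")
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}
PAYLOAD = {1: "SA", 13: "Vendor ID"}
# IKEv1 phase 1 attribute classes and a few well-known values (RFC 2409, appendix A)
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration"}
ATTR_VALUES = {1: {5: "3DES-CBC"}, 2: {1: "MD5", 2: "SHA1"}, 4: {2: "MODP-1024"},
               3: {1: "pre-shared key", 3: "RSA signature"}, 11: {1: "seconds"}}
def parse_attributes(data, off, end):
    """Decode data attributes in data[off:end]: TV when the high bit is set, else TLV."""
    attrs = {}
    while off + 4 <= end:
        t, v = struct.unpack("!HH", data[off:off + 4])
        if t & 0x8000:                       # TV: the 2-byte value follows the type
            t, val, off = t & 0x7FFF, v, off + 4
        else:                                # TLV: v is the length of the value
            val, off = int.from_bytes(data[off + 4:off + 4 + v], "big"), off + 4 + v
        attrs[ATTR_NAMES.get(t, f"attr {t}")] = ATTR_VALUES.get(t, {}).get(val, val)
    return attrs

def parse_isakmp(data):
    """Return the ISAKMP header, the payload chain and the first phase-1 transform."""
    ic, rc, nxt, _ver, exch, _fl, _mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    msg = {"initiator_cookie": ic.hex(), "responder_cookie": rc.hex(),
           "exchange": EXCHANGE.get(exch, f"type {exch}"),
           "responder_replied": rc != bytes(8),  # only message 1 has a zero responder cookie
           "length": length, "truncated": len(data) < length, "payloads": [], "transform": {}}
    off = 28
    while nxt and off + 4 <= len(data):
        pnext, _, plen = struct.unpack("!BBH", data[off:off + 4])
        msg["payloads"].append(PAYLOAD.get(nxt, f"type {nxt}"))
        if off + plen > len(data):
            break                            # payload cut off by the debug output
        if nxt == 1:                         # SA: DOI, situation, proposal, transform
            prop = off + 12
            tr = prop + 8 + data[prop + 6]   # skip proposal header and SPI (spi_size at +6)
            tr_len = struct.unpack("!H", data[tr + 2:tr + 4])[0]
            msg["transform"] = parse_attributes(data, tr + 8, tr + tr_len)
        off, nxt = off + plen, pnext
    return msg

DECODED = parse_isakmp(ISAKMP_BYTES)  # decoded view of the packet from the debug above
```

Print `DECODED` to see the result; the non-zero responder cookie shows this packet is the peer's reply rather than the initiator's first message, and the transform carries auth_method = pre-shared key with 3DES/MD5/group 2 and an 86400 s lifetime.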
