[c-nsp] Cisco 870 Series and Mac OS X 10.4 (Tiger) not playing well w/ L2TP + IPSEC [Long]
Jon Passki
jon.passki at hursk.com
Tue Aug 29 10:06:11 EDT 2006
Hello All,
I am having problems getting Apple's Mac OS X (10.4.7/Intel) Internet Connection VPN (L2TP/IPSEC) to work with a Cisco 870 series router w/ Advanced IP Services 12.4(9)T. The Mac seems to negotiate IKE and establish an SA correctly. The Mac/Remote System (RS) then starts the call out to the Cisco/NAS w/ an SCCRQ. The NAS sends out an SCCRP that, it seems, is not seen by the RS, although it's sent across the network. Thoughts?
If the below debugging is lacking ;-) please let me know what else I can provide that will offer clarity!
Cheers,
Jon
Relevant debugging:
NAS External IP: 5.5.5.5 / YY YY YY YY (Vlan555)
NAS Internal IP: 3.3.3.3 (Vlan333)
RS External IP: 8.8.8.8 / XX XX XX XX
RS Internal IP: 6.6.6.6
<nas debugging options>
NAS#sho deb
General OS:
AAA Authentication debugging is on
Generic IP:
ICMP packet debugging is on
IP peer address activity debugging is on
VPN:
L2X protocol events debugging is on
L2X data packets debugging is on
L2X protocol errors debugging is on
VPDN SSS events debugging is on
VPDN SSS errors debugging is on
VPDN call FSM debugging is on
VPDN message debugging is on
VPN author event debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VPDN packet errors debugging is on
VPDN packet details debugging is on
L2TP data sequencing debugging is on
VPN disconnect debugging is on
PPP:
PPP authentication debugging is on
PPP protocol errors debugging is on
PPP protocol negotiation debugging is on
PPP packet display debugging is on
VTEMPLATE:
Virtual Template events debugging is on
Virtual Template errors debugging is on
Virtual Template cloning debugging is on
Cryptographic Subsystem:
Crypto IPSEC Error debugging is on
Condition 1: interface Di0 (1 flags triggered)
Flags: Di0
</nas debugging options>
<nas debugging output date=not-set-correctly>
*Mar 4 16:28:08.450: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
*Mar 4 16:28:08.454: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
contiguous pak, size 88
45 00 00 58 F7 F3 00 00 2E 11 8B 01 XX XX XX XX
YY YY YY YY 52 17 06 A5 00 44 00 00 C8 02 00 3C
00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01
80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00
00 03 80 06 00 00 00 07 ...
*Mar 4 16:28:09.530: L2X: Punting to L2TP control message queue
*Mar 4 16:28:09.530: L2TP: I SCCRQ from tnl 57
*Mar 4 16:28:09.530: VPN AUTHOR [73]: Authorizing key
*Mar 4 16:28:09.530: VPN AUTHOR [73]: No more authorization item
*Mar 4 16:28:09.530: VPN AUTHOR [73]: Spoofed AAA reply sent for key
*Mar 4 16:28:09.530: Tnl 34432 L2TP: Tunnel Authorization started for host
*Mar 4 16:28:09.530: Tnl 34432 L2TP: New tunnel created for remote , address 8.8.8.8
*Mar 4 16:28:09.534: VPN AUTHOR [73]: Received an AAA failure
*Mar 4 16:28:09.534: VPN AUTHOR [73]: No authorization info found
*Mar 4 16:28:09.534: L2X: Tunnel author reply L2X info not found
*Mar 4 16:28:09.534: VPN AUTHOR [73]: Free request
*Mar 4 16:28:09.534: Tnl 34432 L2TP: O SCCRP
*Mar 4 16:28:09.534: Tnl 34432 L2TP: Control channel retransmit delay set to 1 seconds
*Mar 4 16:28:09.534: Tnl 34432 L2TP: Tunnel state change from idle to wait-ctl-reply
contiguous pak, size 88
45 00 00 58 F7 F4 00 00 2E 11 8B 00 XX XX XX XX
YY YY YY YY 52 17 06 A5 00 44 00 00 C8 02 00 3C
00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01
80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00
00 03 80 06 00 00 00 07 ...
*Mar 4 16:28:10.530: L2X: Punting to L2TP control message queue
*Mar 4 16:28:10.534: L2TP: I SCCRQ from tnl 57
*Mar 4 16:28:10.534: Tnl 34432 L2TP: Tunnel exists, must be a duplicate SCCRQ
*Mar 4 16:28:10.534: Tnl 34432 L2TP: O Resend SCCRP, flg TLS, ver 2, len 108, tnl 57, ns 0, nr 1
*Mar 4 16:28:10.534: Tnl 34432 L2TP: Control channel retransmit delay set to 2 seconds
[snipped]
</nas debugging output>
<nas sho vpdn (from another session)>
L2TP Tunnel and Session Information Total tunnels 1 sessions 0

LocID  RemID  Remote Name  State   Remote Address  Port   Sessions  L2TP Class/VPDN Group
32642  59                  wt-ctl  5.5.5.5         21047  0         l2tp-macosx
</nas sho vpdn (from another session)>
<a decoded SCCRQ packet ethereal=rules text2pcap=rules>
No.  Time      Source   Destination  Protocol  Info
1    0.000000  8.8.8.8  5.5.5.5      L2TP      Control Message - SCCRQ (tunnel id=0, session id=0)[Malformed Packet]
Frame 1 (87 bytes on wire, 87 bytes captured)
Arrival Time: Aug 28, 2006 17:47:03.000000000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 87 bytes
Capture Length: 87 bytes
Protocols in frame: eth:ip:udp:l2tp
Ethernet II, Src: 01:01:01:01:01:01 (01:01:01:01:01:01), Dst: 02:02:02:02:02:02 (02:02:02:02:02:02)
Destination: 02:02:02:02:02:02 (02:02:02:02:02:02)
Source: 01:01:01:01:01:01 (01:01:01:01:01:01)
Type: IP (0x0800)
Internet Protocol, Src: 8.8.8.8 (8.8.8.8), Dst: 5.5.5.5 (5.5.5.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 88
Identification: 0x2f42 (12098)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 45
Protocol: UDP (0x11)
Header checksum: 0x54b3 [correct]
Source: 8.8.8.8 (8.8.8.8)
Destination: 5.5.5.5 (5.5.5.5)
User Datagram Protocol, Src Port: 20289 (20289), Dst Port: l2f (1701)
Source port: 20289 (20289)
Destination port: l2f (1701)
Length: 68
Checksum: 0x0000 (none)
Layer 2 Tunneling Protocol
Packet Type: Control Message Tunnel Id=0 Session Id=0
1... .... .... .... = Type: Control Message (1)
.1.. .... .... .... = Length Bit: Length field is present
.... 1... .... .... = Sequence Bit: Ns and Nr fields are present
.... ..0. .... .... = Offset bit: Offset size field is not present
.... ...0 .... .... = Priority: No priority
.... .... .... 0010 = Version: 2
Length: 60
Tunnel ID: 0
Session ID: 0
Ns: 0
Nr: 0
Control Message AVP
Mandatory: True
Hidden: False
Length: 8
Vendor ID: Reserved (0)
Type: Control Message (0)
Control Message Type: (1) Start_Control_Request
Protocol Version AVP
Mandatory: True
Hidden: False
Length: 8
Vendor ID: Reserved (0)
Type: Protocol Version (2)
Version: 1
Revision: 0
Framing Capabilities AVP
Mandatory: True
Hidden: False
Length: 10
Vendor ID: Reserved (0)
Type: Framing Capabilities (3)
Async Framing Supported: True
Sync Framing Supported: True
Host Name AVP
Mandatory: True
Hidden: False
Length: 6
Vendor ID: Reserved (0)
Type: Host Name (7)
Host Name:
[Malformed Packet: L2TP]
</a decoded SCCRQ packet>
<rs debugging output>
Tue Aug 29 08:22:22 2006 : L2TP connecting to server '5.5.5.5' (5.5.5.5)...
Tue Aug 29 08:22:22 2006 : L2TP sent SCCRQ
Tue Aug 29 08:22:30 2006 : Hangup (SIGHUP) [...performed by me]
</rs debugging output>
<nas config, trimmed>
!...
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default group radius
!
aaa session-id common
!
resource policy
!
no ip cef
!...
no ip dhcp use vrf connected
ip dhcp excluded-address 3.3.3.3
!...
ip dhcp pool dhcp-internal-vlan-pool
network 3.3.3.0 255.255.255.0
default-router 3.3.3.3
!...
no ip domain lookup
ip domain name yourdomain.com
ip name-server 1.2.3.4
ip name-server 1.2.3.5
vpdn enable
vpdn logging
vpdn logging remote
no vpdn ip udp ignore checksum
!
vpdn-group l2tp-macosx
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 5
no l2tp tunnel authentication
!
!... [crypto pki cert stuff]
username vpn-account password 0 nomoresecrets
!...
!
crypto keyring roaming_macosx
pre-shared-key address 0.0.0.0 0.0.0.0 key nomoresecrets
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile roaming-macosx-clients
keyring roaming_macosx
match identity address 0.0.0.0
!
!
crypto ipsec transform-set roaming_macosx esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map dynmap-roaming-macosx 10
set nat demux
set transform-set roaming_macosx
set isakmp-profile roaming-macosx-clients
!
!
!
crypto map crypmap-roaming-macosx 100 ipsec-isakmp dynamic dynmap-roaming-macosx
!
!
!
!
interface Loopback666
ip address 172.66.6.1 255.255.255.255
!
!... [other interfaces not relevant]
!
interface Virtual-Template5
ip unnumbered Loopback666
peer default ip address dhcp-pool dhcp-internal-vlan-pool
ppp mtu adaptive
ppp authentication ms-chap chap
!
!
interface Vlan333
description Internal
ip address 3.3.3.3 255.255.255.0
!
!
interface Vlan555
description External
ip address 5.5.5.5 255.255.255.248
ip nat outside
ip virtual-reassembly
crypto map crypmap-roaming-macosx
!
!... [remaining stuff]
</nas config, trimmed>
<tcpdump as seen from RS>
sudo tcpdump -i en1 -n 'host 5.5.5.5'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:22.875921 IP 6.6.6.6.500 > 5.5.5.5.500: isakmp: phase 1 I ident
08:22:22.972590 IP 5.5.5.5.500 > 6.6.6.6.500: isakmp: phase 1 R ident
08:22:22.995907 IP 6.6.6.6.500 > 5.5.5.5.500: isakmp: phase 1 I ident
08:22:23.104056 IP 5.5.5.5.500 > 6.6.6.6.500: isakmp: phase 1 R ident
08:22:23.241217 IP 6.6.6.6.4500 > 5.5.5.5.4500: NONESP-encap: isakmp: phase 1 I ident[E]
08:22:23.335908 IP 5.5.5.5.4500 > 6.6.6.6.4500: NONESP-encap: isakmp: phase 1 R ident[E]
08:22:24.364679 IP 6.6.6.6.4500 > 5.5.5.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:22:24.464615 IP 5.5.5.5.4500 > 6.6.6.6.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
08:22:24.498335 IP 6.6.6.6.4500 > 5.5.5.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:22:25.447663 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x1), length 100
08:22:26.447858 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x2), length 100
08:22:27.448064 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x3), length 100
08:22:28.448299 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x4), length 100
08:22:29.448504 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x5), length 100
08:22:30.448689 IP 6.6.6.6.4500 > 5.5.5.5.4500: UDP-encap: ESP (spi=0x78a4f5c3,seq=0x6), length 100
08:22:30.581565 IP 6.6.6.6.4500 > 5.5.5.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
08:22:30.581724 IP 6.6.6.6.4500 > 5.5.5.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
08:22:30.679121 IP 5.5.5.5.4500 > 6.6.6.6.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
</tcpdump as seen from RS>
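As an added example that is not part of the original post, the following Python decodes the L2TP control message from the NAS "contiguous pak" dump above (bytes constructed from that dump with the IP and UDP headers stripped) and lists its AVPs, so the empty Host Name AVP and the truncation after it can be confirmed byte by byte. Header and AVP layout, AVP type numbers and the SCCRQ requirement for Host Name and Assigned Tunnel ID follow RFC 2661; the helper names are my own.

```python
# Added example (not from the original post): decode the L2TP control
# message from the NAS "contiguous pak" dump and list its AVPs.
import struct
# Constructed from the hex dump above, IP and UDP headers stripped; the
# dump ends in "..." so only 44 of the declared 60 L2TP bytes are present.
SCCRQ_BYTES = bytes.fromhex(
    "C802 003C 0000 0000 0000 0000"  # flags/ver, length, tunnel, session, Ns, Nr
    "8008 0000 0000 0001"            # Message Type AVP: 1 = SCCRQ
    "8008 0000 0002 0100"            # Protocol Version AVP: 1.0
    "800A 0000 0003 0000 0003"       # Framing Capabilities AVP: async + sync
    "8006 0000 0007"                 # Host Name AVP, 6 bytes: header only
)
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             7: "Host Name", 9: "Assigned Tunnel ID", 10: "Receive Window Size"}

def parse_l2tp_control(data):
    # Header layout per RFC 2661 section 3.1; AVP layout per section 4.1.
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0xC800 != 0xC800:              # T, L and S bits must all be set
        raise ValueError("not an L2TP control message with length and sequence")
    length, tid, sid, ns, nr = struct.unpack("!HHHHH", data[2:12])
    hdr = {"version": flags & 0xF, "length": length, "tunnel_id": tid,
           "session_id": sid, "ns": ns, "nr": nr,
           "missing_bytes": max(0, length - len(data))}
    avps, off, end = [], 12, min(length, len(data))
    while off + 6 <= end:
        bits, vendor, atype = struct.unpack("!HHH", data[off:off + 6])
        alen = bits & 0x03FF                  # low 10 bits carry the AVP length
        if alen < 6 or off + alen > end:      # AVP overruns the captured bytes
            break
        avps.append({"type": atype, "name": AVP_NAMES.get(atype, f"type {atype}"),
                     "mandatory": bool(bits & 0x8000), "hidden": bool(bits & 0x4000),
                     "vendor": vendor, "value": data[off + 6:off + alen]})
        off += alen
    return hdr, avps

def sccrq_findings(hdr, avps):
    by_type, notes = {a["type"]: a for a in avps}, []
    if by_type.get(0, {}).get("value") == b"\x00\x01":          # it is an SCCRQ
        host = by_type.get(7)
        if host is None:
            notes.append("Host Name AVP missing (mandatory in SCCRQ)")
        elif host["value"] == b"":
            notes.append("Host Name AVP present but empty")
        if 9 not in by_type:
            notes.append("Assigned Tunnel ID AVP not seen in captured bytes")
    if hdr["missing_bytes"]:
        notes.append(f"capture is {hdr['missing_bytes']} bytes short of declared length")
    return notes
```

Run against the dump it reports a version 2 control message of declared length 60 with four AVPs, a Host Name AVP whose value is empty, and 16 bytes (where Assigned Tunnel ID and Receive Window Size would normally sit) cut off by the "...".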