[c-nsp] IPSec between Cisco and D-Link

twisted mac twist3dmac at gmail.com
Fri Dec 12 07:55:07 EST 2008


Seems fair enough :)

Logs from the D-Link:

   2008-12-11 17:30:21: IkeSnoop: Received IKE packet from 82.x.x.x:500
   Exchange type : Informational
   ISAKMP Version : 1.0
   Flags : E (encryption)
   Cookies : 0x458f51017c4a446 -> 0xa582286a38ab6fb0
   Message ID : 0x2f8ad085
   Packet length : 452 bytes
   # payloads : 2
   Payloads:
     HASH (Hash) Payload data length : 20 bytes
     N (Notification) Payload data length : 396 bytes
       Protocol ID : ESP
       Notification : No proposal chosen


Logs from the Cisco:

xxx#debug crypto isakmp
Crypto ISAKMP debugging is on
xxx#
2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport
500 Global (R) QM_IDLE
2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID = -1473959992
2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_AES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 2, ESP_AES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 3, ESP_3DES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 4, ESP_3DES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      SA life type in seconds
2d23h: ISAKMP:      SA life duration (basic) of 3600
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x
remote 217.x.x.x)
2d23h: ISAKMP: set new node 326922217 to QM_IDLE
2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1691668640, message ID = 326922217
2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port
500 (R) QM_IDLE
2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM
rejected"
2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node -1473959992: state = IKE_QM_READY
2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
2d23h: ISAKMP:(0:22:SW:1):purging node 124919870

Cisco config:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456 address 217.x.x.x no-xauth
crypto isakmp key 123456 address 85.x.x.x no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN esp-aes
!
crypto map xxx 10 ipsec-isakmp
 set peer 217.x.x.x
 set transform-set VPN
 match address 111
crypto map eon 20 ipsec-isakmp
 set peer 85.x.x.x
 set transform-set VPN-EON
 match address 112
!
----//----

xxx#sh crypto map tag xxx
Crypto Map "xxx" 10 ipsec-isakmp
        Peer = 217.x.x.x
        Extended IP access list 111
            access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0
0.0.0.255
        Current peer: 217.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                VPN,
        }
Crypto Map "xxx" 20 ipsec-isakmp
        Peer = 85.x.x.x
        Extended IP access list 112
            access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0
0.0.7.255
        Current peer: 85.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                VPN,
        }
        Interfaces using crypto map xxx:
                FastEthernet0/1

---//---

The D-Link is a DFL-1600.

Any ideas? A hammer is not possible because the D-Link box is on the other side
of the ocean :)

mac
2008/12/12 Mario Spinthiras <spinthiras.mario at gmail.com>

> How about the actual problem so we can help there? Logs, errors?
>
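One way to cross-check the peer's Quick Mode proposals against the local transform set, as an added example that is not from this thread or from either vendor: parse the per-transform blocks of the `debug crypto isakmp` output above and compare cipher, key length and ESP authenticator with what `crypto ipsec transform-set` configures. It assumes IOS accepts a proposal only when all three match one transform set exactly, and it embeds a constructed excerpt of the debug output.

```python
import re

# Constructed excerpt of the `debug crypto isakmp` output quoted in the thread
# (two of the peer's Quick Mode transforms); field wording as IOS prints it.
SAMPLE_DEBUG = """\
2d23h: ISAKMP: transform 1, ESP_AES
2d23h: ISAKMP:      key length is 128
2d23h: ISAKMP:      authenticator is HMAC-MD5
2d23h: ISAKMP:      encaps is 1 (Tunnel)
2d23h: ISAKMP: transform 3, ESP_3DES
2d23h: ISAKMP:      authenticator is HMAC-SHA
2d23h: ISAKMP:      encaps is 1 (Tunnel)
"""

# IOS transform-set keywords -> the names the debug output uses.
CIPHERS = {"esp-aes": ("ESP_AES", 128), "esp-3des": ("ESP_3DES", None)}
AUTHS = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}

def parse_transforms(debug_text):
    """Collect the peer's proposed ESP transforms from debug lines."""
    transforms = []
    for line in debug_text.splitlines():
        m = re.search(r"transform (\d+), (\S+)", line)
        if m:
            transforms.append({"id": int(m.group(1)), "cipher": m.group(2),
                               "keylen": None, "auth": None})
            continue
        if not transforms:
            continue
        m = re.search(r"key length is (\d+)", line)
        if m:
            transforms[-1]["keylen"] = int(m.group(1))
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            transforms[-1]["auth"] = m.group(1)
    return transforms

def parse_transform_set(config_line):
    """Turn `crypto ipsec transform-set NAME kw [kw ...]` into (cipher, keylen, auth)."""
    words = config_line.split()[4:]  # skip: crypto ipsec transform-set NAME
    cipher = keylen = auth = None
    for i, w in enumerate(words):
        if w in CIPHERS:
            cipher, keylen = CIPHERS[w]
            if w == "esp-aes" and i + 1 < len(words) and words[i + 1].isdigit():
                keylen = int(words[i + 1])  # e.g. `esp-aes 256`
        elif w in AUTHS:
            auth = AUTHS[w]
    return {"cipher": cipher, "keylen": keylen, "auth": auth}

def matching_transforms(proposals, local):
    """IDs of peer transforms equal to the local set in cipher, key length and
    authenticator (assumption: IOS needs an exact match, else PROPOSAL_NOT_CHOSEN)."""
    key = (local["cipher"], local["keylen"], local["auth"])
    return [t["id"] for t in proposals
            if (t["cipher"], t["keylen"], t["auth"]) == key]
```

With the thread's `transform-set VPN esp-aes` (no ESP authenticator) the match list is empty, since every proposed transform carries an HMAC authenticator.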
