[c-nsp] IPSec between Cisco and D-Link
Gamino, Rogelio (OCTO-Contractor)
rogelio.gamino at dc.gov
Fri Dec 12 15:56:55 EST 2008
Also, make sure the ACLs used to define interesting traffic are
correct.
Rogelio Gamino
rogelio.gamino at dc.gov
(o) 202-741-5853
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 12, 2008 2:33 PM
To: twisted mac
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSec between Cisco and D-Link
It looks like you have a phase 2 problem. Your IPSec transform-set
isn't matching up with what the D-Link is offering. Try changing the
transform-set to something more useful like this:
crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac
It would be better if you used AES256.
crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac
These are good fallback transform-sets if need be.
crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac
Don't forget to update your crypto maps with the name of the
transform-set you chose to use. Also, I would not recommend messing
with the lifetime values unless the remote end requires it.
Justin
twisted mac wrote:
> Seems fair enough :)
>
> logs from dlink
>
> 2008-12-11 17:30:21: IkeSnoop: Received IKE packet from 82.x.x.x:500
> Exchange type : Informational ISAKMP Version : 1.0 Flags : E (encryption)
> Cookies : 0x458f51017c4a446 -> 0xa582286a38ab6fb0 Message ID : 0x2f8ad085
> Packet length : 452 bytes # payloads : 2
> Payloads: HASH (Hash) Payload data length : 20 bytes
> N (Notification) Payload data length : 396 bytes Protocol ID : ESP
> Notification : No proposal chosen
>
>
> logs from cisco:
>
> xxx#debug crypto isakmp
> Crypto ISAKMP debugging is on
> xxx#
> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport 500 Global (R) QM_IDLE
> 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x remote 217.x.x.x)
> 2d23h: ISAKMP: set new node 326922217 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1691668640, message ID = 326922217
> 2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
> 2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM rejected"
> 2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1473959992: state = IKE_QM_READY
> 2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> 2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
> 2d23h: ISAKMP:(0:22:SW:1):purging node 124919870
>
> cisco config
>
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key 123456 address 217.x.x.x no-xauth
> crypto isakmp key 123456 address 85.x.x.x no-xauth
> crypto isakmp aggressive-mode disable
> !
> !
> crypto ipsec transform-set VPN esp-aes
> !
> crypto map xxx 10 ipsec-isakmp
> set peer 217.x.x.x
> set transform-set VPN
> match address 111
> crypto map eon 20 ipsec-isakmp
> set peer 85.x.x.x
> set transform-set VPN-EON
> match address 112
> !
> ----//----
>
> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
> Peer = 217.x.x.x
> Extended IP access list 111
> access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
> Current peer: 217.x.x.x
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> VPN,
> }
> Crypto Map "xxx" 20 ipsec-isakmp
> Peer = 85.x.x.x
> Extended IP access list 112
> access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0 0.0.7.255
> Current peer: 85.x.x.x
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> VPN,
> }
> Interfaces using crypto map xxx:
> FastEthernet0/1
>
> ---//---
>
> the dlink is a dfl-1600
>
> any ideas? hammer is not possible because the dlink box is on the
> other side of the ocean :)
>
> mac
> 2008/12/12 Mario Spinthiras <spinthiras.mario at gmail.com>
>
>> How about the actual problem so we can help there? Logs , errors?
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
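As an added diagnostic example (not code from the thread, from Cisco or from D-Link): a small Python script that parses the `debug crypto isakmp` proposal blocks quoted above and compares each ESP transform the peer offered against an IOS `crypto ipsec transform-set` line. The sample log is condensed from the output in the thread; the matching rule (cipher, key length and integrity algorithm must all be equal, lifetime and PFS ignored) is a simplified model assumed for this example, not Cisco's actual policy engine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, condensed from the `debug crypto isakmp` output quoted in
# the thread: one "Checking IPSec proposal" block per ESP transform the peer offered.
DEBUG_LOG = """\
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_AES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 2, ESP_AES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 3, ESP_3DES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 4, ESP_3DES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
"""


@dataclass
class Transform:
    cipher: str                       # "ESP_AES", "ESP_3DES", or "UNKNOWN"
    key_length: Optional[int] = None  # bits; None for ciphers with a fixed key size
    auth: Optional[str] = None        # "HMAC-MD5", "HMAC-SHA", or None (no integrity)


def parse_peer_transforms(log: str) -> list[Transform]:
    """Collect the ESP transforms the peer offered, one per 'transform N, X' block."""
    transforms: list[Transform] = []
    for line in log.splitlines():
        m = re.search(r"transform \d+, (\S+)$", line)
        if m:
            transforms.append(Transform(cipher=m.group(1)))
            continue
        if "unknown ESP transform!" in line:  # IOS could not name the cipher
            transforms.append(Transform(cipher="UNKNOWN"))
            continue
        if not transforms:
            continue
        m = re.search(r"key length is (\d+)", line)
        if m:
            transforms[-1].key_length = int(m.group(1))
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            transforms[-1].auth = m.group(1)
    return transforms


# IOS transform-set keywords mapped to the names the debug output uses
_CIPHER_KEYWORDS = {"esp-aes": ("ESP_AES", 128), "esp-3des": ("ESP_3DES", None)}
_AUTH_KEYWORDS = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}


def parse_transform_set(config_line: str) -> tuple[str, Transform]:
    """Turn 'crypto ipsec transform-set NAME esp-aes [bits] [esp-*-hmac]' into a Transform."""
    tokens = config_line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line: " + config_line)
    name, local, i = tokens[3], Transform(cipher="NONE"), 4
    while i < len(tokens):
        tok = tokens[i]
        if tok in _CIPHER_KEYWORDS:
            local.cipher, local.key_length = _CIPHER_KEYWORDS[tok]
            # esp-aes takes an optional key size; 128 is the default when omitted
            if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
                local.key_length = int(tokens[i])
        elif tok in _AUTH_KEYWORDS:
            local.auth = _AUTH_KEYWORDS[tok]
        else:
            raise ValueError("unsupported transform keyword: " + tok)
        i += 1
    return name, local


def matching_proposals(log: str, config_line: str) -> list[int]:
    """1-based indexes of peer transforms equal to the local transform-set."""
    _, local = parse_transform_set(config_line)
    return [i for i, t in enumerate(parse_peer_transforms(log), start=1) if t == local]


def diagnose(log: str, config_line: str) -> str:
    name, local = parse_transform_set(config_line)
    hits = matching_proposals(log, config_line)
    if hits:
        return f"transform-set {name} matches peer transform(s) {hits}"
    return (f"transform-set {name} ({local.cipher}/{local.key_length}/{local.auth}) "
            "matches none of the peer's proposals: expect PROPOSAL_NOT_CHOSEN")


if __name__ == "__main__":
    for line in (
        "crypto ipsec transform-set VPN esp-aes",
        "crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac",
        "crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac",
        "crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac",
    ):
        print(diagnose(DEBUG_LOG, line))
```

Run against the thread's own configuration (`transform-set VPN esp-aes`, encryption with no integrity algorithm) nothing matches, which is what the run of "IPSec policy invalidated proposal" lines and the PROPOSAL_NOT_CHOSEN notify show. `esp-aes 128 esp-md5-hmac` matches transform 1 and `esp-3des esp-sha-hmac` matches transform 4. Note that an AES-256 set matches nothing in this log, because the D-Link only offered 128-bit AES; moving to AES-256 therefore requires changing the D-Link's proposal as well.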