[c-nsp] IPSec between Cisco and D-Link

Gamino, Rogelio (OCTO-Contractor) rogelio.gamino at dc.gov
Fri Dec 12 15:56:55 EST 2008


Also, make sure the acl's used to define interesting traffic are
correct.



Rogelio Gamino
rogelio.gamino at dc.gov
(o) 202-741-5853


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 12, 2008 2:33 PM
To: twisted mac
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSec between Cisco and D-Link

It looks like you have a phase 2 problem.  Your IPSec transform-set 
isn't matching up with what the D-Link is offering.  Try changing the 
transform-set to something more useful like this:

crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac

It would be better if you used AES256.

crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac

These are good fallback transform-sets if need be.

crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac


Don't forget to update your crypto maps with the name of the 
transform-set you chose to use.  Also, I would not recommend messing 
with the lifetime values unless the remote end requires it.

Justin



twisted mac wrote:
> Seems fair enough :)
> 
> logs from dlink
> 
>    2008-12-11 17:30:21: IkeSnoop: Received IKE packet from
> 82.x.x.x:500 Exchange
> type : Informational ISAKMP Version : 1.0 Flags : E (encryption)
Cookies :
> 0x458f51017c4a446 -> 0xa582286a38ab6fb0 Message ID : 0x2f8ad085 Packet
> length : 452 bytes # payloads : 2 Payloads: HASH (Hash) Payload data
length
> : 20 bytes N (Notification) Payload data length : 396 bytes Protocol
ID :
> ESP Notification : No proposal chosen
> 
> 
> logs from cisco:
> 
> xxx#debug crypto isakmp
> Crypto ISAKMP debugging is on
> xxx#
> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500
sport
> 500 Global (R) QM_IDLE
> 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID =
-1473959992
> 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID =
-1473959992
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-MD5
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:      key length is 128
> 2d23h: ISAKMP:      authenticator is HMAC-SHA
> 2d23h: ISAKMP:      SA life type in seconds
> 2d23h: ISAKMP:      SA life duration (basic) of 3600
> 2d23h: ISAKMP:      encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local
82.x.x.x
> remote 217.x.x.x)
> 2d23h: ISAKMP: set new node 326922217 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol
3
>         spi 1691668640, message ID = 326922217
> 2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500
peer_port
> 500 (R) QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
> 2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason
"QM
> rejected"
> 2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER,
IKE_QM_EXCH:
> for node -1473959992: state = IKE_QM_READY
> 2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input =
IKE_MESG_FROM_PEER,
> IKE_QM_EXCH
> 2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY  New State =
IKE_QM_READY
> 2d23h: ISAKMP:(0:22:SW:1):purging node 124919870
> 
> cisco config
> 
> crypto isakmp policy 1
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key 123456 address 217.x.x.x no-xauth
> crypto isakmp key 123456 address 85.x.x.x no-xauth
> crypto isakmp aggressive-mode disable
> !
> !
> crypto ipsec transform-set VPN esp-aes
> !
> crypto map xxx 10 ipsec-isakmp
>  set peer 217.x.x.x
>  set transform-set VPN
>  match address 111
> crypto map eon 20 ipsec-isakmp
>  set peer 85.x.x.x
>  set transform-set VPN-EON
>  match address 112
> !
> ----//----
> 
> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
>         Peer = 217.x.x.x
>         Extended IP access list 111
>             access-list 111 permit ip 192.168.200.0 0.0.0.255
192.168.0.0
> 0.0.0.255
>         Current peer: 217.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
> Crypto Map "xxx" 20 ipsec-isakmp
>         Peer = 85.x.x.x
>         Extended IP access list 112
>             access-list 112 permit ip 192.168.200.0 0.0.0.255
192.168.96.0
> 0.0.7.255
>         Current peer: 85.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
>         Interfaces using crypto map xxx:
>                 FastEthernet0/1
> 
> ---//---
> 
> the dlink is a dfl-1600
> 
> any ideas? hammer is not possible because the dlink box is on the
other side
> of the ocean :)
> 
> mac
> 2008/12/12 Mario Spinthiras <spinthiras.mario at gmail.com>
> 
>> How about the actual problem so we can help there? Logs , errors?
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


More information about the cisco-nsp mailing list