 DMZ Net      OpenBSD                       The Other      Cisco       DMZ Host
 (Ours)        Box         Internet         Firewall        PIX        (Theirs)
 X.X.X.X  -   A.A.A.A  ----------------   B.B.B.B   -   N.N.N.N   -   Y.Y.Y.Y
Some notes:
1) I've tried this on 3.6 (CD), 3.6 (current CVS as of 2005-05-04), and 3.7 (CD).
2) If you're wondering about "ENCAPSULATION_MODE" being set to 61443, that's the value for a NAT-T Tunnel over UDP port 4500 (it seems to be represented in the isakmpd source, and I reference the value in the isakmpd.conf file).
3) As far as I can tell, the "Dubious ID Transformation accepted" is caused by Cisco's insistence on sending 17/0 for the protocol/port when using nat-t. The RFCs are vague on this point - the only valid value for UDP seems to be 17/500, but when using nat-t that would obviously be incorrect (you're using port 4500). Side note - this behavior breaks FreeS/WAN / OpenS/WAN. It's been implied by entries I've seen on various mailing lists that OpenBSD handles this OK. My reading (well, scanning) of the source gives me the impression that this is handled properly.
Thanks in advance for any sage advice,
Erik Carlseen
Following this are the (sanitized):
1) isakmpd.conf file,
2) most of the relevant portions of the Cisco config,
3) debug output from isakmpd with the following debug settings: 0=60 2=60 6=99 7=60 8=6 9=60,
4) debug output from the PIX (taken at a different time, but with the same results, so cookie #s, etc may not match),
5) a tcpdump of the packets, and
6) finally a dmesg output in case anyone cares.
--------------------------------------------------------------------
[General]
Listen-on= A.A.A.A
Policy-file= /etc/isakmpd/isakmpd.policy
Retransmits= 3
Exchange-max-time= 120
Check-interval= 600
DPD-check-interval= 0

[Phase 1]
B.B.B.B= ISAKMP-OtherCompany

[Phase 2]
Connections= IPSec-OtherCompany

[ISAKMP-OtherCompany]
Phase= 1
Transport= udp
Local-address= A.A.A.A
Address= B.B.B.B
Remote-ID= OtherCompany-phase-1-remote-id
#Port= isakmp
Port= 500
Configuration= OtherCompany-phase-1-configuration
Authentication= <shhh... our very secret key>
#Flags=

[OtherCompany-phase-1-remote-id]
ID-type= IPV4_ADDR
Address= N.N.N.N

[OtherCompany-phase-1-configuration]
PROTOCOL_ID= IPSEC_ESP
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= OtherCompany-phase-1-transform

[OtherCompany-phase-1-transform]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= OtherCompany-phase-1-lifetime

[OtherCompany-phase-1-lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400

[IPSec-OtherCompany]
Phase= 2
ISAKMP-peer= ISAKMP-OtherCompany
Configuration= OtherCompany-quick-mode
Local-ID= Net-CMI
Remote-ID= Net-OtherCompany

[Net-CMI]
ID-type= IPV4_ADDR_SUBNET
Network= X.X.X.X
Netmask= 255.255.255.0

[Net-OtherCompany-nat]
ID-type= IPV4_ADDR
Address= N.N.N.N

[Net-OtherCompany]
ID-type= IPV4_ADDR
Address= Y.Y.Y.Y
#Network= Y.Y.Y.Y
#Netmask= 255.255.255.255

[OtherCompany-phase-2-lifetime-size]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 8192

[OtherCompany-phase-2-lifetime-time]
LIFE_TYPE= SECONDS
LIFE_DURATION= 1200

[OtherCompany-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE

#
# ISAKMPD Defaults for Quick mode and Main Mode
#

# Quick mode protection suites
##############################

# 3DES
[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5

[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS

# Quick mode protocols

# 3DES
[QM-ESP-3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF

[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
# Quick mode transforms
# 3DES
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= OtherCompany-phase-2-lifetime-size,OtherCompany-phase-2-lifetime-time
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
GROUP_DESCRIPTION= MODP_1536
Life= OtherCompany-phase-2-lifetime-size,OtherCompany-phase-2-lifetime-time
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= UDP_ENCAP_TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= OtherCompany-phase-2-lifetime-size,OtherCompany-phase-2-lifetime-time
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1536
Life= OtherCompany-phase-2-lifetime-size,OtherCompany-phase-2-lifetime-time
-----------------------------------------------------------------------------
isakmp key ******** address A.A.A.A netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
crypto ipsec transform-set tsOurTS esp-3des esp-md5-hmac
crypto map cmOurCM 1 ipsec-isakmp
crypto map cmOurCM 1 match address alOurAL
crypto map cmOurCM 1 set peer A.A.A.A
crypto map cmOurCM 1 set transform-set tsOurTS
crypto map cmOurCM interface dsl
-------------------------------------------------------------------------------
024508.336767 Default log_debug_cmd: log level changed from 0 to 60 for class 0 [priv]
024508.349223 Misc 10 monitor_init: privileges dropped for child process
024508.892827 Misc 60 connection_record_passive: passive connection "IPSec-OtherCompany" added
024508.930507 Misc 20 udp_make: transport 0x3c1edd80 socket 8 ip A.A.A.A port 500
024508.932067 Misc 20 udp_encap_make: transport 0x3c1eddc0 socket 9 ip A.A.A.A port 4500
024508.937799 Default log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
024509.076967 Misc 20 ipsec_decode_transform: transform 1 chosen
024509.513977 Default ipsec_validate_id_information: dubious ID information accepted
024509.516915 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
025147.146040 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
025509.089944 Misc 20 ipsec_decode_transform: transform 1 chosen
025509.520594 Default ipsec_validate_id_information: dubious ID information accepted
025509.523240 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
030147.116969 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
030509.110698 Misc 20 ipsec_decode_transform: transform 1 chosen
030509.523830 Default ipsec_validate_id_information: dubious ID information accepted
030509.527118 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
031147.063466 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
031509.125889 Misc 20 ipsec_decode_transform: transform 1 chosen
031509.553528 Default ipsec_validate_id_information: dubious ID information accepted
031509.555470 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
--------------------------------------------------------------------------
crypto_isakmp_process_block:src:A.A.A.A, dest:N.N.N.N spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 5
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:A.A.A.A, dest:N.N.N.N spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: fe bc 9 b9 95 31 40 fb 23 a3 29 e5 46 f4 c d8
my nat hash : 4d 4d 7b 2e a f7 9b 64 d5 c9 ed 5b 76 f6 d9 be
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:A.A.A.A, dest:N.N.N.N spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
ISAKMP: Locking UDP_ENC struct 0x4a421dc from crypto_ikmp_udp_enc_ike_init, count 2
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:A.A.A.A/4500 Ref cnt incremented to:2 Total VPN Peers:2
crypto_isakmp_process_block:src:A.A.A.A, dest:N.N.N.N spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1577812842
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 1200
ISAKMP: encaps is 61443
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1577812842
ISAKMP (0): processing ID payload. message ID = 1577812842
ISAKMP (0): ID_IPV4_ADDR_SUBNET src X.X.X.X/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1577812842
ISAKMP (0): ID_IPV4_ADDR dst Y.Y.Y.Yh prot 0 port 0
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5e0b836a
-----------------------------------------------------------------------------------------------
02:45:08.943349 A.A.A.A.isakmp > B.B.B.B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->0000000000000000 msgid: 00000000 len: 164
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1536
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00015180
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
02:45:09.076582 B.B.B.B.isakmp > A.A.A.A.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: 00000000 len: 124
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1536
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00015180
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) [ttl 0] (id 1, len 152)
02:45:09.197115 A.A.A.A.isakmp > B.B.B.B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: 00000000 len: 284
payload: KEY_EXCH len: 196
payload: NONCE len: 20
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 312)
02:45:09.336579 B.B.B.B.isakmp > A.A.A.A.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: 00000000 len: 360
payload: KEY_EXCH len: 196
payload: NONCE len: 24
payload: VENDOR len: 12
payload: VENDOR len: 20 (supports DPD v1.0)
payload: VENDOR len: 20
payload: VENDOR len: 20
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 388)
02:45:09.472383 A.A.A.A.ipsec-nat-t > B.B.B.B.ipsec-nat-t: [bad udp cksum b933!] udpencap: isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: 00000000 len: 88
payload: ID len: 12 type: IPV4_ADDR = 68.6.181.44
payload: HASH len: 20
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (b25fbb855e296add->ab6c618dac0c98a7) [ttl 0] (id 1, len 120)
02:45:09.513938 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 1261!] udpencap: isakmp v1.0 exchange ID_PROT
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: 00000000 len: 68
payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = N.N.N.N
payload: HASH len: 20 [ttl 0] (id 1, len 100)
02:45:09.515360 A.A.A.A.ipsec-nat-t > B.B.B.B.ipsec-nat-t: [bad udp cksum f0b9!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 152
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x6193abe5
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 20
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 184)
02:45:09.516607 B.B.B.B.ipsec-nat-t > A.A.A.A.isakmp: [bad udp cksum 2a0!] isakmp v0.12 exchange 152 (unknown) encrypted commit
cookie: 00000000b25fbb85->5e296addab6c618d msgid: 08100500 len: 449164148 [ttl 0] (id 1, len 116)
02:45:09.578155 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
02:45:24.555982 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
02:45:39.554613 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
02:45:54.553140 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
02:46:09.551346 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
02:46:24.550318 B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [bad udp cksum 6f8d!] udpencap: isakmp v1.0 exchange QUICK_MODE
cookie: b25fbb855e296add->ab6c618dac0c98a7 msgid: ccaf61af len: 164
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfae019ce
payload: TRANSFORM len: 32
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = 61443 (unknown)
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 8192
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = A.A.A.A/255.255.255.0
payload: ID len: 12 type: IPV4_ADDR = B.B.B.B [ttl 0] (id 1, len 196)
---------------------------------------------------------------------------
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 535 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 268001280 (261720K)
avail mem = 237776896 (232204K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(42) BIOS, date 03/14/00, BIOS32 rev. 0 @ 0xf0690
apm0 at bios0: Power Management spec V1.2 (BIOS mgmt disabled)
apm0: APM power management enable: unrecognized device ID (9)
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xf02
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0e60/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 ("VIA VT82C586 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000! 0xcc000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT82C691 PCI" rev 0xc4
ppb0 at pci0 dev 1 function 0 "VIA VT82C598 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVidia/SGS-Thomson Velocity128" rev 0x10
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 4 function 0 "VIA VT82C596A ISA" rev 0x23
pciide0 at pci0 dev 4 function 1 "VIA VT82C571 IDE" rev 0x10: ATA66, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TDK, CDRW4800B, S7S5> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd0 at pciide0 channel 1 drive 0: <ST380021A>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 4 function 2 "VIA VT83C572 USB" rev 0x11: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"VIA VT82C596 Power Mgmt" rev 0x30 at pci0 dev 4 function 3 not configured
fxp0 at pci0 dev 11 function 0 "Intel 82557" rev 0x08, i82559: irq 10, address 00:90:27:cc:e7:0a
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci0 dev 12 function 0 "Intel 82557" rev 0x05, i82558: irq 11, address 00:90:27:12:aa:30
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask e365 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
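Notes 2) and 3) of the post turn on two raw IKE values that show up in the traces: the ENCAPSULATION_MODE attribute tcpdump prints as "61443 (unknown)" and the 17/0 protocol/port pair in the PIX's ID payload that triggers isakmpd's "dubious ID information accepted" message. The Python below is an added example, not code from the post or from isakmpd: it decodes an ISAKMP ID payload and names the encapsulation-mode values from RFC 2407, RFC 3947 and the draft-ietf-ipsec-nat-t-ike drafts. The function names are my own, the sample payload bytes are constructed to match the tcpdump line (len 12, proto 17, port 0, IPV4_ADDR) with a documentation address standing in for N.N.N.N.

```python
"""Decode the ID payload proto/port pair and the ENCAPSULATION_MODE value
discussed in the post.  Added example; not isakmpd code."""
import struct

# ENCAPSULATION_MODE values: RFC 2407 defines 1/2, RFC 3947 adds 3/4, and
# the draft-ietf-ipsec-nat-t-ike-02/03 drafts used the private-range values
# 61443/61444, which is what the PIX and isakmpd negotiate in the trace.
ENCAP_MODES = {
    1: "TUNNEL",
    2: "TRANSPORT",
    3: "UDP_ENCAP_TUNNEL (RFC 3947)",
    4: "UDP_ENCAP_TRANSPORT (RFC 3947)",
    61443: "UDP_ENCAP_TUNNEL (NAT-T draft-02/03 private value)",
    61444: "UDP_ENCAP_TRANSPORT (NAT-T draft-02/03 private value)",
}

ID_TYPES = {1: "IPV4_ADDR", 4: "IPV4_ADDR_SUBNET"}


def encap_mode_name(value):
    """Name an ENCAPSULATION_MODE attribute value (tcpdump says 'unknown' for 61443)."""
    return ENCAP_MODES.get(value, "unknown (%d)" % value)


def parse_id_payload(data):
    """Parse an ISAKMP Identification payload: 4-byte generic header
    (next payload, reserved, length), then ID type, protocol id, port and
    the identification data (RFC 2408 3.8 / RFC 2407 4.6.2)."""
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("ID payload length %d != %d bytes" % (length, len(data)))
    id_type, proto, port = struct.unpack("!BBH", data[4:8])
    body = data[8:]
    if id_type == 1 and len(body) == 4:
        ident = "%d.%d.%d.%d" % tuple(body)
    elif id_type == 4 and len(body) == 8:
        ident = "%d.%d.%d.%d/%d.%d.%d.%d" % tuple(body)
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return {"next": next_payload, "type": ID_TYPES[id_type],
            "proto": proto, "port": port, "id": ident}


def classify_proto_port(proto, port):
    """Explain the proto/port pair the way the post's note 3) does."""
    if proto == 0 and port == 0:
        return "wildcard (applies to all protocols/ports)"
    if proto == 17 and port in (500, 4500):
        return "UDP/%d: IKE port, unambiguous" % port
    if proto == 17 and port == 0:
        return "dubious: UDP with port 0 (what the PIX sends with NAT-T)"
    return "unexpected %d/%d" % (proto, port)


# Constructed sample: the PIX's phase-1 ID payload as tcpdump shows it
# (len 12, proto 17, port 0, IPV4_ADDR), next payload 8 (HASH) as in the
# PIX debug, and 192.0.2.1 standing in for N.N.N.N.
PIX_ID_PAYLOAD = bytes([8, 0, 0, 12, 1, 17, 0, 0, 192, 0, 2, 1])


def describe_pix_id():
    p = parse_id_payload(PIX_ID_PAYLOAD)
    return "%s %s -> %s" % (p["type"], p["id"],
                            classify_proto_port(p["proto"], p["port"]))


if __name__ == "__main__":
    print(describe_pix_id())
    print("ENCAPSULATION_MODE 61443 =", encap_mode_name(61443))
```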