Hi, thanks for your replies. I have some additional information now - the Cisco config (below) - though it still looks quite sensibly configured (to someone who doesn't know any Cisco commands ;)), and the errors remain :(
Regards,
Richard

--- Erik Carlseen <[EMAIL PROTECTED]> wrote:
> It would be helpful if you could provide sanitized configuration files
> from both the OpenBSD box and the PIX (just search & replace out
> anything confidential, but please be consistent).
>
> Also, I've found (at least for me) that a good command line for debug
> purposes is:
>
> isakmpd -f- -d -L -D0=79 -D1=70 -D2=90 -D3=80 -D4=99 -D5=99 -D6=99 \
>   -D7=99 -D8=99 -D9=99
>
> For Phase 2 debugging, pay extra attention to the 'SA' debug messages.
>
> Regards,
>
> Erik Carlseen

and...

--- Petr Ruzicka <[EMAIL PROTECTED]> wrote:
> Hi, could you get the configuration of the PIX? Not all of it is required,
> just the isakmp and crypto map stuff.
> Do they use xauth?
>
> Petr R.

>> Cisco config (sanitized):

access-list cryptomap_20 permit ip 10.3.3.8 255.255.255.248 192.168.157.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map some_map 20 ipsec-isakmp
crypto map some_map 20 match address cryptomap_20
crypto map some_map 20 set peer 10.1.1.17
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map some_map interface outside
isakmp enable outside
isakmp key shared-secret address 10.1.1.17 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

>> /etc/isakmpd/isakmpd.conf config (sanitized)

[Phase 1]
10.0.0.81=              peer-machine-WCpix

[Phase 2]
Connections=            VPN-SZ-WCSQL

[peer-machine-WCpix]
Phase=                  1
Transport=              udp
Address=                10.0.0.81
Local-address=          10.1.1.17
Configuration=          Default-main-mode
Authentication=         shared-secret

[VPN-SZ-WCSQL]
Phase=                  2
ISAKMP-peer=            peer-machine-WCpix
Configuration=          Default-quick-mode
Local-ID=               SZ-internal-network
Remote-ID=              WCSQL-subnet

[SZ-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.157.0
Netmask=                255.255.255.0

[WCSQL-subnet]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.3.3.8
Netmask=                255.255.255.248

[Default-main-mode]
DIO=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE

[3DES-MD5]
GROUP_DESCRIPTION=      MODP_1024

[QM-ESP-3DES-MD5-PFS-SUITE]
GROUP_DESCRIPTION=      MODP_1024
#

>> And some parts of the debug log at your suggested debug level, at points where errors seem to occur.

. .
104124.523585 Exch 90 dpd_check_vendor_payload: bad size 8 != 16
. .
104124.582274 SA 60 sa_create: sa 0x3c067d00 phase 2 added to exchange 0x3c067a00 (VPN-SZ-WCSQL)
104124.582284 Mesg 90 message_alloc: allocated 0x3c06b700
104124.582292 SA 80 sa_reference: SA 0x3c067900 now has 6 references
104124.582301 Cryp 60 hash_get: requested algorithm 0
104124.582399 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the QM-ESP-3DES-MD5-XF section
104124.582433 Sdep 80 pf_key_v2_write: iov[0]:
104124.582448 Sdep 80 02010002 0a000000 01000000f2100000
104124.582456 Sdep 80 pf_key_v2_write: iov[1]:
104124.582472 Sdep 80 03000500 00000000 10020000 ca949151 00000000 00000000
104124.582480 Sdep 80 pf_key_v2_write: iov[2]:
104124.582496 Sdep 80 03000600 00000000 10020000 cb304f11 00000000 00000000
104124.582504 Sdep 80 pf_key_v2_write: iov[3]:
. .
104124.665321 Cryp 30 crypto_decrypt: after decryption:
104124.665340 Cryp 30 0e000014 54f218d1 81b2fec4 56d1ad13 1006f2c6 0000000c 03000000 80140000
104124.665351 Cryp 30 00000000 00000000
104124.665365 Mesg 50 message_parse_payloads: offset 28 payload HASH
104124.665375 Mesg 50 message_parse_payloads: offset 48 payload ATTRIBUTE
104124.665388 Mesg 60 message_validate_payloads: payload HASH at 0x3c06b81c of message 0x3c06b600
104124.665399 Mesg 60 message_validate_payloads: payload ATTRIBUTE at 0x3c06b830 of message 0x3c06b600
104124.665409 Mesg 70 TYPE: 3
104124.665417 Mesg 70 ID: 0
104124.665428 Exch 90 exchange_validate: checking for required <Unknown -24112>
104124.665438 Exch 90 exchange_validate: checking for required <Unknown 7170>
104124.665447 Mesg 70 exchange_validate: msg 0x3c06b600 requires missing <Unknown 7170>
104124.665455 Default exchange_run: exchange_validate failed
104124.665455 Default exchange_run: exchange_validate failed
104124.665469 Default dropped message from 202.148.145.81 port 500 due to notification type PAYLOAD_MALFORMED
104124.665487 Timr 10 timer_add_event: event exchange_free_aux(0x3c067b00) added before sa_soft_expire(0x3c067900), expiration in 120s
104124.665501 Exch 10 exchange_establish_p2: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
104124.665512 Exch 10 exchange_establish_p2: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
104124.665520 Exch 10 exchange_establish_p2: msgid 2db40593 sa_list
104124.665530 Mesg 90 message_alloc: allocated 0x3c06b880
104124.665539 SA 80 sa_reference: SA 0x3c067900 now has 7 references
104124.665548 Cryp 60 hash_get: requested algorithm 0
104124.665558 Cryp 60 hash_get: requested algorithm 0
104124.665567 Cryp 60 hash_get: requested algorithm 0
104124.665583 Exch 90 exchange_validate: checking for required INFO
104124.665599 Cryp 60 hash_get: requested algorithm 0
104124.665608 Cryp 80 ipsec_get_keystate: final phase 1 IV:
104124.665617 Cryp 80 8ec210f6 c88a6be8
104124.665625 Cryp 80 ipsec_get_keystate: message ID:
104124.665634 Cryp 80 2db40593
104124.665642 Cryp 50 crypto_init_iv: initialized IV:
104124.665653 Cryp 50 5157e037 003668c9
104124.665661 Cryp 80 ipsec_get_keystate: phase 2 IV:
104124.665670 Cryp 80 5157e037 003668c9
104124.665678 Cryp 10 crypto_encrypt: before encryption:
104124.665696 Cryp 10 0b000014 173ebef1 862775e9 08c11690 b82a6a97 0000000c 00000001 01000010
104124.665711 Cryp 30 crypto_encrypt: after encryption:
104124.665728 Cryp 30 24378426 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
104124.665736 Cryp 50 crypto_update_iv: updated IV:
104124.665746 Cryp 50 06a80d8f 13d952ff
104124.665754 Mesg 70 message_send: message 0x3c06b880
104124.665765 Mesg 70 ICOOKIE: 0x1332ba6460f97397
104124.665775 Mesg 70 RCOOKIE: 0x49fdaa74c14081e1
104124.665783 Mesg 70 NEXT_PAYLOAD: HASH
104124.665791 Mesg 70 VERSION: 16
104124.665799 Mesg 70 EXCH_TYPE: INFO
104124.665808 Mesg 70 FLAGS: [ ENC ]
104124.665817 Mesg 70 MESSAGE_ID: 0x2db40593
104124.665825 Mesg 70 LENGTH: 60
104124.665843 Mesg 70 message_send: 1332ba64 60f97397 49fdaa74 c14081e1 08100501 2db40593 0000003c 24378426
104124.665859 Mesg 70 message_send: 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
104124.665868 Exch 40 exchange_run: exchange 0x3c067b00 finished step 0, advancing...
104124.665877 Mesg 20 message_free: freeing 0x3c06b600
104124.665885 Trpt 70 transport_release: freeing 0x3c06c540
104124.665894 SA 80 sa_release: SA 0x3c067900 had 7 references
104124.665928 Exch 10 exchange_finalize: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
104124.665953 Exch 10 exchange_finalize: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
104124.665963 Exch 10 exchange_finalize: msgid 2db40593 sa_list
104124.665974 Timr 10 timer_remove_event: removing event exchange_free_aux(0x3c067b00)
104124.665983 Exch 80 exchange_free_aux: freeing exchange 0x3c067b00
104124.665993 Mesg 20 message_free: freeing 0x3c06b880
104124.666003 SA 80 sa_release: SA 0x3c067900 had 6 references
104125.577059 Trpt 70 transport_setup: added 0x3c06c640 to transport list
104125.577072 Trpt 70 transport_setup: added 0x3c06c680 to transport list
104125.577082 Trpt 50 virtual_clone: old 0x3c06c0c0 new 0x3c06c540 (main is 0x3c06c640)
104125.577090 Trpt 70 transport_setup: virtual transport 0x3c06c540
104125.577099 Mesg 90 message_alloc: allocated 0x3c06b500
104125.577108 Mesg 70 message_recv: message 0x3c06b500
104125.577122 Mesg 70 ICOOKIE: 0x79749cd36d3e79fd
104125.577133 Mesg 70 RCOOKIE: 0x49fdaa7451d1d35a
104125.577143 Mesg 70 NEXT_PAYLOAD: HASH
104125.577152 Mesg 70 VERSION: 16
104125.577160 Mesg 70 EXCH_TYPE: INFO
104125.577168 Mesg 70 FLAGS: [ ENC ]
104125.577178 Mesg 70 MESSAGE_ID: 0x637f2172
104125.577186 Mesg 70 LENGTH: 84
104125.577203 Mesg 70 message_recv: 79749cd3 6d3e79fd 49fdaa74 51d1d35a 08100501 637f2172 00000054 6f62c961
104125.577220 Mesg 70 message_recv: fc674a97 f3c458d9 3bbf6a1d 6f49600a 083ffd4a e4b49605 22ab8a84 1ca344c1
104125.577233 Mesg 70 message_recv: c5f26aed 7ae6a40c b2c76472 5442dd6b d5833588
104125.577244 Default message_recv: invalid cookie(s) 79749cd36d3e79fd 49fdaa7451d1d35a
104125.577256 Default dropped message from 202.148.145.81 port 500 due to notification type INVALID_COOKIE

> Richard Green wrote:
> > Hi
> >
> > I've been struggling with this one for a while, and would appreciate some
> > advice from someone with more experience than I on creating a VPN tunnel
> > between an OpenBSD (mine) and Cisco PIX (not mine..). Previously I /did/
> > test this using OpenBSD to OpenBSD in a test environment without problems.
> >
> > Phase 1 seems to work (at least, if I use a deliberately incorrect shared
> > secret I don't get this far...)
> >
> > Seems to fail at phase 2 of creating a connection.
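The isakmpd.conf posted in this thread is INI-style, and tags such as Configuration, ISAKMP-peer, Transforms and Suites name other sections, so a misspelled tag or a name that resolves nowhere is easy to miss by eye. The cross-reference check below is an added example, not code from the thread or from isakmpd; it runs over a constructed sample modelled on the posted config, including its DIO tag where isakmpd expects DOI. The list of built-in suite sections and the set of tags legal in an exchange-configuration section are assumptions taken from the isakmpd.conf(5) conventions, not from the page.

```python
# Added example (not code from the thread): cross-reference check for an isakmpd.conf.
# The file is INI-style ([Section], Tag= Value) and several tags name other sections.
REF_TAGS = {"Connections", "Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID",
            "Transforms", "Suites", "Protocols"}          # values that name other sections
EXCHANGE_TAGS = {"DOI", "EXCHANGE_TYPE", "Transforms", "Suites"}  # legal in exchange configs
# Assumption: isakmpd predefines standard suite sections; only those needed here are listed.
BUILTIN_SECTIONS = {"QM-ESP-3DES-MD5-SUITE", "QM-ESP-3DES-MD5-PFS-SUITE"}

def parse_conf(text):
    sections, cur = {}, None                 # {section: {tag: value}}; '#' starts a comment
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            tag, val = (s.strip() for s in line.split("=", 1))
            sections[cur][tag] = val
    return sections

def check_conf(text):
    sections = parse_conf(text)
    known = set(sections) | BUILTIN_SECTIONS
    problems = []
    for name, tags in sections.items():
        # In [Phase 1] every tag is a peer address and its value names a peer section.
        refs = list(tags.values()) if name == "Phase 1" else \
            [r.strip() for t, v in tags.items() if t in REF_TAGS for r in v.split(",")]
        problems += [f"[{name}] references missing section [{r}]" for r in refs if r not in known]
        if "EXCHANGE_TYPE" in tags:          # exchange-configuration section
            problems += [f"[{name}] unknown tag '{t}'" for t in tags.keys() - EXCHANGE_TAGS]
    return sorted(problems)

# Constructed sample modelled on the thread's config: DIO typo, [3DES-MD5] section left out.
SAMPLE = """[Phase 1]
10.0.0.81=          peer-machine-WCpix
[peer-machine-WCpix]
Configuration=      Default-main-mode
[VPN-SZ-WCSQL]
ISAKMP-peer=        peer-machine-WCpix
Configuration=      Default-quick-mode
[Default-main-mode]
DIO=                IPSEC
EXCHANGE_TYPE=      ID_PROT
Transforms=         3DES-MD5
[Default-quick-mode]
DOI=                IPSEC
EXCHANGE_TYPE=      QUICK_MODE
Suites=             QM-ESP-3DES-MD5-SUITE
"""
```

Running check_conf(SAMPLE) reports the unknown DIO tag and the unresolved 3DES-MD5 reference, while the Suites reference resolves against the assumed built-in list; the same check over a real /etc/isakmpd/isakmpd.conf only needs the file read in.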