A late follow-up, just in case this helps anyone else while searching the 
archives of this list etc.: this turned out to be a PIX configuration 
issue...

Since we also have an Easy VPN on the same PIX (for Cisco's software VPN 
client), we had to add two extra attributes at the end of the line on which 
we defined the pre-shared key, as shown below:
 
isakmp key ******** address <openbsd-peer-ip> netmask 255.255.255.255 no-xauth no-config-mode
 
Cheers
Richard


On Wed, 11 May 2005 11:59 am, you wrote:
> NAT is not in use, the two peers are in direct contact
> with each other.
>
> OS version: Cisco PIX Firewall Version 6.3(4)120
> PIX model: Hardware: PIX-515E
>
> Regards
> Richard
>
> --- Petr Ruzicka <[EMAIL PROTECTED]> wrote:
> > two more questions
> > - pix version ?
> > - is nat in use ?
> >
> > Petr R.
> >
> > --- Richard Green <[EMAIL PROTECTED]> wrote:
> >
> > Hi
> >
> > Thanks for your replies. I have some additional information now -
> > the cisco config (below) - though it still looks quite sensibly configured
> > (to someone who doesn't know any cisco commands ;)), and the errors remain :(
> >
> > Regards, Richard
> >
> > --- Erik Carlseen <[EMAIL PROTECTED]> wrote:
> > > It would be helpful if you could provide sanitized configuration files
> > > from both the OpenBSD box and the PIX (just search & replace out
> > > anything confidential, but please be consistent).
> > >
> > > Also, I've found (at least for me) that a good command line for debug
> > > purposes is:
> > >
> > > isakmpd -f- -d -L -D0=79 -D1=70 -D2=90 -D3=80 -D4=99 -D5=99 -D6=99 -D7=99 -D8=99 -D9=99
> > >
> > > For Phase 2 debugging, pay extra attention to the 'SA' debug messages.
> > >
> > > Regards,
> > >
> > > Erik Carlseen
> >
> > and...
> >
> > --- Petr Ruzicka <[EMAIL PROTECTED]> wrote:
> > > Hi, could you get configuration of PIX. Not all of it required, just
> > > isakmp and crypto map stuff.
> > > Do they use xauth ?
> > >
> > > Petr R.
> > >
> > >> Cisco config (sanitized):
> >
> > access-list cryptomap_20 permit ip 10.3.3.8 255.255.255.248 192.168.157.0 255.255.255.0
> >
> > sysopt connection permit-ipsec
> >
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> >
> > crypto map some_map 20 ipsec-isakmp
> > crypto map some_map 20 match address cryptomap_20
> > crypto map some_map 20 set peer 10.1.1.17
> > crypto map some_map 20 set transform-set ESP-3DES-MD5
> > crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
> > crypto map some_map interface outside
> >
> > isakmp enable outside
> > isakmp key shared-secret address 10.1.1.17 netmask 255.255.255.255
> > isakmp identity address
> >
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
> >
> > >> /etc/isakmpd/isakmpd.conf config (sanitized)
> >
> > [Phase 1]
> > 10.0.0.81=        peer-machine-WCpix
> >
> > [Phase 2]
> > Connections=            VPN-SZ-WCSQL
> >
> > [peer-machine-WCpix]
> > Phase=                  1
> > Transport=              udp
> > Address=                10.0.0.81
> > Local-address=          10.1.1.17
> > Configuration=          Default-main-mode
> > Authentication=         shared-secret
> >
> > [VPN-SZ-WCSQL]
> > Phase=                  2
> > ISAKMP-peer=            peer-machine-WCpix
> > Configuration=          Default-quick-mode
> > Local-ID=               SZ-internal-network
> > Remote-ID=              WCSQL-subnet
> >
> > [SZ-internal-network]
> > ID-type=                IPV4_ADDR_SUBNET
> > Network=                192.168.157.0
> > Netmask=                255.255.255.0
> >
> > [WCSQL-subnet]
> > ID-type=                IPV4_ADDR_SUBNET
> > Network=                10.3.3.8
> > Netmask=                255.255.255.248
> >
> > [Default-main-mode]
> > DOI=                    IPSEC
> > EXCHANGE_TYPE=          ID_PROT
> > Transforms=             3DES-MD5
> >
> > [Default-quick-mode]
> > DOI=                    IPSEC
> > EXCHANGE_TYPE=          QUICK_MODE
> > Suites=                 QM-ESP-3DES-MD5-SUITE
> >
> > [3DES-MD5]
> > GROUP_DESCRIPTION=              MODP_1024
> >
> > [QM-ESP-3DES-MD5-PFS-SUITE]
> > GROUP_DESCRIPTION=              MODP_1024
> >
> > #
> >
> > >> And some parts of the debug log at your suggested debug level, at
> > >> points where errors seem to occur.
> > .
> > .
> > 104124.523585 Exch 90 dpd_check_vendor_payload: bad size 8 != 16
> > .
> > .
> > 104124.582274 SA   60 sa_create: sa 0x3c067d00 phase 2 added to exchange 0x3c067a00 (VPN-SZ-WCSQL)
> > 104124.582284 Mesg 90 message_alloc: allocated 0x3c06b700
> > 104124.582292 SA   80 sa_reference: SA 0x3c067900 now has 6 references
> > 104124.582301 Cryp 60 hash_get: requested algorithm 0
> > 104124.582399 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the QM-ESP-3DES-MD5-XF section
> > 104124.582433 Sdep 80 pf_key_v2_write: iov[0]:
> > 104124.582448 Sdep 80 02010002 0a000000 01000000f2100000
> > 104124.582456 Sdep 80 pf_key_v2_write: iov[1]:
> > 104124.582472 Sdep 80 03000500 00000000 10020000 ca949151 00000000 00000000
> > 104124.582480 Sdep 80 pf_key_v2_write: iov[2]:
> > 104124.582496 Sdep 80 03000600 00000000 10020000 cb304f11 00000000 00000000
> > 104124.582504 Sdep 80 pf_key_v2_write: iov[3]:
> > .
> > .
> > 104124.665321 Cryp 30 crypto_decrypt: after decryption:
> > 104124.665340 Cryp 30 0e000014 54f218d1 81b2fec4 56d1ad13 1006f2c6 0000000c 03000000 80140000
> > 104124.665351 Cryp 30 00000000 00000000
> > 104124.665365 Mesg 50 message_parse_payloads: offset 28 payload HASH
> > 104124.665375 Mesg 50 message_parse_payloads: offset 48 payload ATTRIBUTE
> > 104124.665388 Mesg 60 message_validate_payloads: payload HASH at 0x3c06b81c of message 0x3c06b600
> > 104124.665399 Mesg 60 message_validate_payloads: payload ATTRIBUTE at 0x3c06b830 of message 0x3c06b600
> > 104124.665409 Mesg 70 TYPE: 3
> > 104124.665417 Mesg 70 ID: 0
> > 104124.665428 Exch 90 exchange_validate: checking for required <Unknown -24112>
> > 104124.665438 Exch 90 exchange_validate: checking for required <Unknown 7170>
> > 104124.665447 Mesg 70 exchange_validate: msg 0x3c06b600 requires missing <Unknown 7170>
> > 104124.665455 Default exchange_run: exchange_validate failed
> > 104124.665455 Default exchange_run: exchange_validate failed
> > 104124.665469 Default dropped message from 202.148.145.81 port 500 due to notification type PAYLOAD_MALFORMED
> > 104124.665487 Timr 10 timer_add_event: event exchange_free_aux(0x3c067b00) added before sa_soft_expire(0x3c067900), expiration in 120s
> > 104124.665501 Exch 10 exchange_establish_p2: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
> > 104124.665512 Exch 10 exchange_establish_p2: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
> > 104124.665520 Exch 10 exchange_establish_p2: msgid 2db40593 sa_list
> > 104124.665530 Mesg 90 message_alloc: allocated 0x3c06b880
> > 104124.665539 SA   80 sa_reference: SA 0x3c067900 now has 7 references
> > 104124.665548 Cryp 60 hash_get: requested algorithm 0
> > 104124.665558 Cryp 60 hash_get: requested algorithm 0
> > 104124.665567 Cryp 60 hash_get: requested algorithm 0
> > 104124.665583 Exch 90 exchange_validate: checking for required INFO
> > 104124.665599 Cryp 60 hash_get: requested algorithm 0
> > 104124.665608 Cryp 80 ipsec_get_keystate: final phase 1 IV:
> > 104124.665617 Cryp 80 8ec210f6 c88a6be8
> > 104124.665625 Cryp 80 ipsec_get_keystate: message ID:
> > 104124.665634 Cryp 80 2db40593
> > 104124.665642 Cryp 50 crypto_init_iv: initialized IV:
> > 104124.665653 Cryp 50 5157e037 003668c9
> > 104124.665661 Cryp 80 ipsec_get_keystate: phase 2 IV:
> > 104124.665670 Cryp 80 5157e037 003668c9
> > 104124.665678 Cryp 10 crypto_encrypt: before encryption:
> > 104124.665696 Cryp 10 0b000014 173ebef1 862775e9 08c11690 b82a6a97 0000000c 00000001 01000010
> > 104124.665711 Cryp 30 crypto_encrypt: after encryption:
> > 104124.665728 Cryp 30 24378426 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
> > 104124.665736 Cryp 50 crypto_update_iv: updated IV:
> > 104124.665746 Cryp 50 06a80d8f 13d952ff
> > 104124.665754 Mesg 70 message_send: message 0x3c06b880
> > 104124.665765 Mesg 70 ICOOKIE: 0x1332ba6460f97397
> > 104124.665775 Mesg 70 RCOOKIE: 0x49fdaa74c14081e1
> > 104124.665783 Mesg 70 NEXT_PAYLOAD: HASH
> > 104124.665791 Mesg 70 VERSION: 16
> > 104124.665799 Mesg 70 EXCH_TYPE: INFO
> > 104124.665808 Mesg 70 FLAGS: [ ENC ]
> > 104124.665817 Mesg 70 MESSAGE_ID: 0x2db40593
> > 104124.665825 Mesg 70 LENGTH: 60
> > 104124.665843 Mesg 70 message_send: 1332ba64 60f97397 49fdaa74 c14081e1 08100501 2db40593 0000003c 24378426
> > 104124.665859 Mesg 70 message_send: 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
> > 104124.665868 Exch 40 exchange_run: exchange 0x3c067b00 finished step 0, advancing...
> > 104124.665877 Mesg 20 message_free: freeing 0x3c06b600
> > 104124.665885 Trpt 70 transport_release: freeing 0x3c06c540
> > 104124.665894 SA   80 sa_release: SA 0x3c067900 had 7 references
> > 104124.665928 Exch 10 exchange_finalize: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
> > 104124.665953 Exch 10 exchange_finalize: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
> > 104124.665963 Exch 10 exchange_finalize: msgid 2db40593 sa_list
> > 104124.665974 Timr 10 timer_remove_event: removing event exchange_free_aux(0x3c067b00)
> > 104124.665983 Exch 80 exchange_free_aux: freeing exchange 0x3c067b00
> > 104124.665993 Mesg 20 message_free: freeing 0x3c06b880
> > 104124.666003 SA   80 sa_release: SA 0x3c067900 had 6 references
> > 104125.577059 Trpt 70 transport_setup: added 0x3c06c640 to transport list
> > 104125.577072 Trpt 70 transport_setup: added 0x3c06c680 to transport list
> > 104125.577082 Trpt 50 virtual_clone: old 0x3c06c0c0 new 0x3c06c540 (main is 0x3c06c640)
> > 104125.577090 Trpt 70 transport_setup: virtual transport 0x3c06c540
> > 104125.577099 Mesg 90 message_alloc: allocated 0x3c06b500
> > 104125.577108 Mesg 70 message_recv: message 0x3c06b500
> > 104125.577122 Mesg 70 ICOOKIE: 0x79749cd36d3e79fd
> > 104125.577133 Mesg 70 RCOOKIE: 0x49fdaa7451d1d35a
> > 104125.577143 Mesg 70 NEXT_PAYLOAD: HASH
> > 104125.577152 Mesg 70 VERSION: 16
> > 104125.577160 Mesg 70 EXCH_TYPE: INFO
> > 104125.577168 Mesg 70 FLAGS: [ ENC ]
> > 104125.577178 Mesg 70 MESSAGE_ID: 0x637f2172
> > 104125.577186 Mesg 70 LENGTH: 84
> > 104125.577203 Mesg 70 message_recv: 79749cd3 6d3e79fd 49fdaa74 51d1d35a 08100501 637f2172 00000054 6f62c961
> > 104125.577220 Mesg 70 message_recv: fc674a97 f3c458d9 3bbf6a1d 6f49600a 083ffd4a e4b49605 22ab8a84 1ca344c1
> > 104125.577233 Mesg 70 message_recv: c5f26aed 7ae6a40c b2c76472 5442dd6b d5833588
> > 104125.577244 Default message_recv: invalid cookie(s) 79749cd36d3e79fd 49fdaa7451d1d35a
> > 104125.577256 Default dropped message from 202.148.145.81 port 500 due to notification type INVALID_COOKIE
> >
> > > Richard Green wrote:
> > > > Hi
> > > >
> > > > I've been struggling with this one for a while, and would appreciate some
> > > > advice from someone with more experience than I on creating a VPN tunnel
> > > > between an OpenBSD (mine) and Cisco PIX (not mine..). Previously I /did/
> > > > test this using OpenBSD to OpenBSD in a test environment without problems.
> > > >
> > > > Phase 1 seems to work (at least, if I use a deliberately incorrect shared
> > > > secret I don't get this far...)
> > > >
> > > > Seems to fail at phase 2 of creating a connection.
>

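As an added example (not part of this thread, and not Cisco's or OpenBSD's code), a small Python checker that compares the PIX crypto lines and the isakmpd.conf posted above for the mismatches a PIX-to-isakmpd tunnel usually fails on: the PIX `set peer` must equal isakmpd's `Local-address`, the PIX ACL must be the mirror image of isakmpd's `Local-ID`/`Remote-ID` networks, and, per the follow-up at the top, the `isakmp key` line needs `no-xauth no-config-mode` when Easy VPN shares the PIX. The `PIX` and `ISAKMPD` inputs are constructed from the sanitized snippets in the thread, and the regexes assume the PIX 6.3 command syntax shown there.

```python
import re
from configparser import ConfigParser
# Constructed sample input, copied from the sanitized PIX lines in the thread.
PIX = """\
access-list cryptomap_20 permit ip 10.3.3.8 255.255.255.248 192.168.157.0 255.255.255.0
crypto map some_map 20 set peer 10.1.1.17
isakmp key shared-secret address 10.1.1.17 netmask 255.255.255.255
"""
# The same lines with the two attributes the follow-up reports as the fix.
PIX_FIXED = PIX.replace("255.255.255.255\n", "255.255.255.255 no-xauth no-config-mode\n")
# Constructed sample input, reduced from the sanitized isakmpd.conf in the thread.
ISAKMPD = """\
[peer-machine-WCpix]
Local-address= 10.1.1.17
[VPN-SZ-WCSQL]
Phase= 2
ISAKMP-peer= peer-machine-WCpix
Local-ID= SZ-internal-network
Remote-ID= WCSQL-subnet
[SZ-internal-network]
Network= 192.168.157.0
Netmask= 255.255.255.0
[WCSQL-subnet]
Network= 10.3.3.8
Netmask= 255.255.255.248
"""
def check(pix, conf):
    # Returns a list of mismatches between the PIX side and isakmpd.conf (empty if consistent).
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd.conf keys are case-sensitive
    cp.read_string(conf)
    acl = re.search(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", pix, re.M)
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", pix, re.M)
    key = re.search(r"^isakmp key \S+ address (\S+)(.*)$", pix, re.M)
    problems = []
    for name in (s for s in cp.sections() if cp[s].get("Phase") == "2"):
        p1 = cp[cp[name]["ISAKMP-peer"]]
        local, remote = cp[cp[name]["Local-ID"]], cp[cp[name]["Remote-ID"]]
        if peer.group(1) != p1["Local-address"]:
            problems.append(f"{name}: PIX peer {peer.group(1)} != Local-address {p1['Local-address']}")
        # Proxy IDs must mirror: the PIX ACL source is our Remote-ID, its destination our Local-ID.
        if acl.group(1, 2) != (remote["Network"], remote["Netmask"]):
            problems.append(f"{name}: ACL source {acl.group(1)}/{acl.group(2)} != Remote-ID")
        if acl.group(3, 4) != (local["Network"], local["Netmask"]):
            problems.append(f"{name}: ACL destination {acl.group(3)}/{acl.group(4)} != Local-ID")
    # With Easy VPN on the same PIX, a site-to-site key line needs both attributes (the thread's fix).
    for attr in ("no-xauth", "no-config-mode"):
        if attr not in key.group(2).split():
            problems.append(f"isakmp key for {key.group(1)} lacks {attr}")
    return problems
```

Run against the thread's original config the checker reports only the two missing key attributes; with `PIX_FIXED` it reports nothing.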