Re: problem with IPSec between OpenBSD 5.5 and Cisco 2901

Remi Locherer Tue, 17 Jun 2014 23:53:31 -0700

On Tue, Jun 17, 2014 at 05:34:27PM +0200, Sebastian Reitenbach wrote:
> Hi,
> 
> I'm trying to establish an IPSec tunnel between an OpenBSD 5.5 (amd64)
> box and a Cisco 2901, the whole day, but doesn't seem to
> get it to work. I think I have something wrong with the 
> crypto transforms for phase two, since this NO_PROPOSAL_CHOSEN
> I get in the logs, which I think is in phase two.
> 
> 
> Network looks similar to this one:
> 
> 
> Host behind OBSD (192.168.13.12/24)
>  |
>  |
> OBSD (XXX.191.219.14)  
>  |
>  |
> Internet
>  |
>  |
> NAT FW (XXX.217.33.11)
>  |
>  |
> Internal Network
>  |
>  |
> Cisco 2901 (192.168.14.126)
>  |
>  |
> Host behind Cisco (192.168.13.19/24)
> 
> 
> 
> Yes, they have both the same network behind each VPN Endpoints.
> Something, more or less the same we have up and running between 
> two Cisco 2901.


How is this supposed to work with the same subnet on each site?
Do you add special routes on the hosts behind the VPN gateways?

The -L option from isakmpd helped me often to see what's happening.

> 
> 
> OpenBSD configuration:
> 
> 
> rem_gw="XXX.217.33.11"
> bb_gw="XXX.191.219.14"
> 
> ike active esp from { 192.168.13.12 } to { 192.168.13.19 } \
>         local $bb_gw peer $rem_gw \
>         main auth hmac-sha1 enc aes-128 group modp1024 \
>         quick auth hmac-md5 enc 3des group none \
>         psk "SuperTopSecret"
> 
> 
> 
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key SuperTopSecret address XXX.191.219.14  no-xauth
> crypto isakmp keepalive 30 5
> 
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> 
> crypto map TO_BB 1 ipsec-isakmp 
>  set peer XXX.191.219.14
>  set transform-set ESP-3DES-MD5 
>  match address 101
> 
> 
> interface GigabitEthernet0/1
>  description outside-interface
>  ip address 192.168.14.126 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map TO_BB
> 
> 
> access-list 101 permit ip host 192.168.13.12 host 192.168.13.19
> 
> 
> I think from the logs, see below, Phase one gets established, but then
> it runs into trouble with Phase 2, at least how I would interpret the logs:
> 
> On the Cisco, status looks like:
> 
> 
> # show crypto isakmp sa 
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 192.168.14.126  XXX.191.219.14  QM_IDLE           1442 ACTIVE
> 
> IPv6 Crypto ISAKMP SA
> 
> #show crypto ipsec sa     
> 
> interface: GigabitEthernet0/1
>     Crypto map tag: TO_BBN, local addr 192.168.14.126
> 
>    protected vrf: (none)
>    local  ident (addr/mask/prot/port): (192.168.13.12/255.255.255.255/0/0)
>    remote ident (addr/mask/prot/port): (192.168.13.19/255.255.255.255/0/0)
>    current_peer XXX.191.219.14 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
> 
>      local crypto endpt.: 192.168.14.126, remote crypto endpt.: XXX.191.219.14
>      path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
>      current outbound spi: 0x0(0)
>      PFS (Y/N): N, DH group: none
> 
>      inbound esp sas:
> 
>      inbound ah sas:
> 
>      inbound pcp sas:
> 
>      outbound esp sas:
> 
>      outbound ah sas:
> 
>      outbound pcp sas:
> 
> On the OpenBSD box it looks like:
> ipsecctl -s all                                                               
>                                                                               
>                                                  
> FLOWS:
> No flows
> 
> SAD:
> No entries
> 
> 
> isakmpd with isakmpd -d -D A=75 -K,
> after loading the configuration, trying to connect to the remote
> endpoint:
> 
> 171646.650413 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
> 171646.650515 Misc 30 connection_reinit: reinitializing connection list
> 171646.650592 Timr 10 timer_add_event: event connection_checker(0x20f87dac0) 
> added last, expiration in 0s
> 171646.650722 Misc 60 connection_record_passive: passive connection 
> "from-192.168.13.12-to-192.168.13.19" added
> 171646.650811 Timr 10 timer_handle_expirations: event 
> connection_checker(0x20f87dac0)
> 171646.650884 Timr 10 timer_add_event: event connection_checker(0x20f87dac0) 
> added last, expiration in 60s
> 171646.650943 Sdep 70 pf_key_v2_connection_check: SA for 
> from-192.168.13.12-to-192.168.13.19 missing
> 171646.651021 Trpt 70 transport_setup: added 0x2018f7680 to transport list
> 171646.651092 Trpt 70 transport_setup: added 0x2018f7280 to transport list
> 171646.651150 Trpt 70 transport_setup: virtual transport 0x2018f7b00
> 171646.651227 Timr 10 timer_add_event: event exchange_free_aux(0x2018f6e00) 
> added last, expiration in 120s
> 171646.651288 Cryp 60 hash_get: requested algorithm 1
> 171646.651356 Exch 10 exchange_establish_p1: 0x2018f6e00 
> peer-XXX.217.33.11-local-XXX.191.219.14 
> phase1-peer-XXX.217.33.11-local-XXX.191.219.14 policy initiator phase 1 doi 1 
> exchange 2 step 0
> 171646.651429 Exch 10 exchange_establish_p1: icookie 7128cf36d74c89f1 rcookie 
> 0000000000000000
> 171646.651492 Exch 10 exchange_establish_p1: msgid 00000000 
> 171646.651554 SA   70 sa_enter: SA 0x2018f6800 added to SA list
> 171646.651606 SA   60 sa_create: sa 0x2018f6800 phase 1 added to exchange 
> 0x2018f6e00 (peer-XXX.217.33.11-local-XXX.191.219.14)
> 171646.651704 Misc 70 attribute_set_constant: no PRF in the 
> phase1-transform-peer-XXX.217.33.11-local-XXX.191.219.14-PRE_SHARED-SHA-AES128-MODP_1024
>  section
> 171646.651773 Cryp 60 hash_get: requested algorithm 1
> 171646.651839 Mesg 70 message_send: message 0x2018f4400
> 171646.651901 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171646.651960 Mesg 70 RCOOKIE: 0000000000000000
> 171646.652011 Mesg 70 NEXT_PAYLOAD: SA
> 171646.652068 Mesg 70 VERSION: 16
> 171646.652120 Mesg 70 EXCH_TYPE: ID_PROT
> 171646.652183 Mesg 70 FLAGS: [ ]
> 171646.652240 Mesg 70 MESSAGE_ID: 00000000
> 171646.652294 Mesg 70 LENGTH: 184
> 171646.652370 Mesg 70 message_send: 7128cf36 d74c89f1 00000000 00000000 
> 01100200 00000000 000000b8 0d000038
> 171646.652449 Mesg 70 message_send: 00000001 00000001 0000002c 01010001 
> 00000024 00010000 80010007 80020002
> 171646.652519 Mesg 70 message_send: 80030001 80040002 800b0001 800c7080 
> 800e0080 0d000014 b8f26eaa 4cbf1b9a
> 171646.652595 Mesg 70 message_send: 150a3f12 dd64d183 0d000014 90cb8091 
> 3ebb696e 086381b5 ec427b1f 0d000014
> 171646.652681 Mesg 70 message_send: 7d9419a6 5310ca6f 2c179d92 15529d56 
> 0d000014 4a131c81 07035845 5c5728f2
> 171646.652754 Mesg 70 message_send: 0e95452f 00000014 afcad713 68a1f1c9 
> 6b8696fc 77570100 
> 171646.652827 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 0, 
> advancing...
> 171646.652926 Trpt 30 transport_send_messages: message 0x2018f4400 scheduled 
> for retransmission 1 in 7 secs
> 171646.652991 Timr 10 timer_add_event: event message_send_expire(0x2018f4400) 
> added before connection_checker(0x20f87dac0), expiration in 7s
> 
> 171646.812229 Trpt 70 transport_setup: added 0x2018f7700 to transport list
> 171646.812354 Trpt 70 transport_setup: added 0x2018f7b80 to transport list
> 171646.812423 Trpt 50 virtual_clone: old 0x2018f7e80 new 0x2018f7600 (main is 
> 0x2018f7700)
> 171646.812483 Trpt 70 transport_setup: virtual transport 0x2018f7600
> 171646.812559 Mesg 70 message_recv: message 0x2018f4d00
> 171646.812623 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171646.812688 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171646.812746 Mesg 70 NEXT_PAYLOAD: SA
> 171646.812800 Mesg 70 VERSION: 16
> 171646.812853 Mesg 70 EXCH_TYPE: ID_PROT
> 171646.812904 Mesg 70 FLAGS: [ ]
> 171646.812957 Mesg 70 MESSAGE_ID: 00000000
> 171646.813007 Mesg 70 LENGTH: 104
> 171646.813070 Mesg 70 message_recv: 7128cf36 d74c89f1 07fbb815 905b1538 
> 01100200 00000000 00000068 0d000038
> 171646.813134 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001 
> 00000024 01010000 80010007 800e0080
> 171646.813194 Mesg 70 message_recv: 80020002 80040002 80030001 800b0001 
> 800c7080 00000014 4a131c81 07035845
> 171646.813251 Mesg 70 message_recv: 5c5728f2 0e95452f 
> 171646.813309 SA   70 sa_remove: SA 0x2018f6800 removed from SA list
> 171646.813382 SA   70 sa_enter: SA 0x2018f6800 added to SA list
> 171646.813437 Mesg 20 message_free: freeing 0x2018f4400
> 171646.813489 Timr 10 timer_remove_event: removing event 
> message_send_expire(0x2018f4400)
> 171646.813548 Trpt 70 transport_release: freeing 0x2018f7b00
> 171646.813604 Mesg 50 message_parse_payloads: offset 28 payload SA
> 171646.813660 Mesg 50 message_parse_payloads: offset 84 payload VENDOR
> 171646.813716 Mesg 60 message_validate_payloads: payload SA at 0x2018f791c of 
> message 0x2018f4d00
> 171646.813910 Mesg 70 DOI: 1
> 171646.813972 Mesg 70 SIT: 
> 171646.814030 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
> 171646.814091 Mesg 50 message_parse_payloads: offset 48 payload TRANSFORM
> 171646.814146 Mesg 50 Transform 1's attributes
> 171646.814203 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 7
> 171646.814258 Mesg 50 Attribute KEY_LENGTH value 128
> 171646.814308 Mesg 50 Attribute HASH_ALGORITHM value 2
> 171646.814411 Mesg 50 Attribute GROUP_DESCRIPTION value 2
> 171646.814476 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
> 171646.814532 Mesg 50 Attribute LIFE_TYPE value 1
> 171646.814586 Mesg 50 Attribute LIFE_DURATION value 28800
> 171646.814641 Mesg 60 message_validate_payloads: payload PROPOSAL at 
> 0x2018f7928 of message 0x2018f4d00
> 171646.814700 Mesg 70 NO: 1
> 171646.814752 Mesg 70 PROTO: ISAKMP
> 171646.814808 Mesg 70 SPI_SZ: 0
> 171646.814862 Mesg 70 NTRANSFORMS: 1
> 171646.814916 Mesg 70 SPI: 
> 171646.814969 Mesg 60 message_validate_payloads: payload TRANSFORM at 
> 0x2018f7930 of message 0x2018f4d00
> 171646.815028 Mesg 70 NO: 1
> 171646.815079 Mesg 70 ID: 1
> 171646.815132 Mesg 70 SA_ATTRS: 
> 171646.815186 Mesg 60 message_validate_payloads: payload VENDOR at 
> 0x2018f7954 of message 0x2018f4d00
> 171646.815241 Mesg 70 ID: 
> 171646.815295 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
> 171646.815396 Cryp 60 hash_get: requested algorithm 1
> 171646.815459 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> 171646.815590 Negt 20 ike_phase_1_validate_prop: success
> 171646.815657 Negt 30 message_negotiate_sa: proposal 1 succeeded
> 171646.815717 Misc 20 ipsec_decode_transform: transform 1 chosen
> 171646.815936 Cryp 60 hash_get: requested algorithm 1
> 171646.816032 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 1, 
> advancing...
> 171646.817406 Cryp 60 hash_get: requested algorithm 1
> 171646.817473 Cryp 60 hash_get: requested algorithm 1
> 171646.817529 Mesg 70 message_send: message 0x2018f4400
> 171646.817584 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171646.817638 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171646.817688 Mesg 70 NEXT_PAYLOAD: KEY_EXCH
> 171646.817742 Mesg 70 VERSION: 16
> 171646.817793 Mesg 70 EXCH_TYPE: ID_PROT
> 171646.817849 Mesg 70 FLAGS: [ ]
> 171646.817901 Mesg 70 MESSAGE_ID: 00000000
> 171646.817952 Mesg 70 LENGTH: 228
> 171646.818009 Mesg 70 message_send: 7128cf36 d74c89f1 07fbb815 905b1538 
> 04100200 00000000 000000e4 0a000084
> 171646.818068 Mesg 70 message_send: d5f5af00 77d9eda0 2f21a2ef bbeed95b 
> c561557d 1eaa171a 99cc256d df1e757b
> 171646.818149 Mesg 70 message_send: 4a82dbff 211ede92 5735151c cefc9249 
> 29a5b280 1e428533 09b5335e f49c9825
> 171646.818220 Mesg 70 message_send: 00587e14 0c0dce89 e8f3c0f8 0767aaef 
> 62c5b9cd cb21674b 8f950264 7a36af34
> 171646.818294 Mesg 70 message_send: f2b257f1 2397d473 49d18198 bed45a0e 
> c132b529 599d01f1 494a3138 43ecce46
> 171646.818407 Mesg 70 message_send: 14000014 f9cde51a 99ca1f15 b5fab297 
> 8b9df6f9 14000018 e6157a6a 6d5ebb67
> 171646.818482 Mesg 70 message_send: 874c3d8b 436d8813 9b654686 00000018 
> e5d98cd1 adba5d7a cbd8632b ef30233a
> 171646.818560 Mesg 70 message_send: 54c3c385 
> 171646.818617 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 2, 
> advancing...
> 171646.818709 Trpt 30 transport_send_messages: message 0x2018f4400 scheduled 
> for retransmission 1 in 7 secs
> 171646.818762 Timr 10 timer_add_event: event message_send_expire(0x2018f4400) 
> added before connection_checker(0x20f87dac0), expiration in 7s
> 171647.004706 Trpt 70 transport_setup: added 0x20e51fa80 to transport list
> 171647.004817 Trpt 70 transport_setup: added 0x20e51fe80 to transport list
> 171647.004875 Trpt 50 virtual_clone: old 0x2018f7e80 new 0x2018f7b00 (main is 
> 0x20e51fa80)
> 171647.004933 Trpt 70 transport_setup: virtual transport 0x2018f7b00
> 171647.004992 Mesg 70 message_recv: message 0x2018f4f00
> 171647.005049 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171647.005104 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171647.005151 Mesg 70 NEXT_PAYLOAD: KEY_EXCH
> 171647.005198 Mesg 70 VERSION: 16
> 171647.005254 Mesg 70 EXCH_TYPE: ID_PROT
> 171647.005304 Mesg 70 FLAGS: [ ]
> 171647.005364 Mesg 70 MESSAGE_ID: 00000000
> 171647.005457 Mesg 70 LENGTH: 304
> 171647.005522 Mesg 70 message_recv: 7128cf36 d74c89f1 07fbb815 905b1538 
> 04100200 00000000 00000130 0a000084
> 171647.005590 Mesg 70 message_recv: f9a3db0b 57711a99 f7b2802f 49161a63 
> 8623674c 01bd85b9 b2de5920 8b6ad201
> 171647.005667 Mesg 70 message_recv: 30dd0a40 9647c944 5d30259a c777c968 
> 1e1ea968 7c8c30c9 72089f99 a541d205
> 171647.005752 Mesg 70 message_recv: 5e141152 0c818af1 723005dd 8ad0dad1 
> b0248866 5e001270 5c5882d2 702e266a
> 171647.005830 Mesg 70 message_recv: 89031b8c e51186a6 fbf97e4e 05f6ed58 
> b71f240c 342c407d 72fd54b6 bd172b74
> 171647.005904 Mesg 70 message_recv: 0d000018 8f4c5561 8488b976 2090a1de 
> 2a5fdaf5 6ca1dcf0 0d000014 12f5f28c
> 171647.005976 Mesg 70 message_recv: 457168a9 702d9fe2 74cc0100 0d000014 
> afcad713 68a1f1c9 6b8696fc 77570100
> 171647.006116 Mesg 70 message_recv: 0d000014 f23c1f08 905a1538 84816589 
> 320a0a99 1400000c 09002689 dfd6b712
> 171647.006205 Mesg 70 message_recv: 14000018 e5d98cd1 adba5d7a cbd8632b 
> ef30233a 54c3c385 00000018 0b3ebfe7
> 171647.006272 Mesg 70 message_recv: 99960384 0d99b682 811409dc 377fe1bb 
> 171647.006332 Mesg 20 message_free: freeing 0x2018f4400
> 171647.006443 Timr 10 timer_remove_event: removing event 
> message_send_expire(0x2018f4400)
> 171647.006499 Mesg 50 message_parse_payloads: offset 28 payload KEY_EXCH
> 171647.006547 Mesg 50 message_parse_payloads: offset 160 payload NONCE
> 171647.006598 Mesg 50 message_parse_payloads: offset 184 payload VENDOR
> 171647.006658 Mesg 50 message_parse_payloads: offset 204 payload VENDOR
> 171647.006711 Mesg 50 message_parse_payloads: offset 224 payload VENDOR
> 171647.006764 Mesg 50 message_parse_payloads: offset 244 payload VENDOR
> 171647.006815 Mesg 50 message_parse_payloads: offset 256 payload NAT_D
> 171647.006869 Mesg 50 message_parse_payloads: offset 280 payload NAT_D
> 171647.006935 Mesg 60 message_validate_payloads: payload KEY_EXCH at 
> 0x2018f6a1c of message 0x2018f4f00
> 171647.006993 Mesg 70 DATA: 
> 171647.007046 Mesg 60 message_validate_payloads: payload NONCE at 0x2018f6aa0 
> of message 0x2018f4f00
> 171647.007102 Mesg 70 DATA: 
> 171647.007152 Mesg 60 message_validate_payloads: payload VENDOR at 
> 0x2018f6ab8 of message 0x2018f4f00
> 171647.007206 Mesg 70 ID: 
> 171647.007261 Mesg 60 message_validate_payloads: payload VENDOR at 
> 0x2018f6acc of message 0x2018f4f00
> 171647.007319 Mesg 70 ID: 
> 171647.007394 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
> 171647.007453 Mesg 60 message_validate_payloads: payload VENDOR at 
> 0x2018f6ae0 of message 0x2018f4f00
> 171647.007501 Mesg 70 ID: 
> 171647.007545 Mesg 60 message_validate_payloads: payload VENDOR at 
> 0x2018f6af4 of message 0x2018f4f00
> 171647.007591 Mesg 70 ID: 
> 171647.007642 Mesg 60 message_validate_payloads: payload NAT_D at 0x2018f6b00 
> of message 0x2018f4f00
> 171647.007696 Mesg 70 DATA: 
> 171647.007745 Mesg 60 message_validate_payloads: payload NAT_D at 0x2018f6b18 
> of message 0x2018f4f00
> 171647.007797 Mesg 70 DATA: 
> 171647.007851 Cryp 60 hash_get: requested algorithm 1
> 171647.007906 Cryp 60 hash_get: requested algorithm 1
> 171647.007958 Exch 10 nat_t_exchange_check_nat_d: NAT detected
> 171647.008995 Cryp 60 hash_get: requested algorithm 1
> 171647.009060 Cryp 60 hash_get: requested algorithm 1
> 171647.009125 Cryp 40 crypto_init: key:
> 171647.009188 Cryp 40 e769334f 46e6706e e7fb92e0 908b769a 
> 171647.009255 Cryp 50 crypto_init_iv: initialized IV:
> 171647.009312 Cryp 50 d3965831 044d33f1 138f90d5 08f272a9 
> 171647.009388 Mesg 20 message_free: freeing 0x2018f4d00
> 171647.009447 Trpt 70 transport_release: freeing 0x2018f7600
> 171647.009497 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 3, 
> advancing...
> 171647.009578 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
> 171647.009637 Negt 40 ccbfdb0e 
> 171647.009702 Cryp 60 hash_get: requested algorithm 1
> 171647.009763 Cryp 70 crypto_encrypt: before encryption:
> 171647.009829 Cryp 70 0800000c 01000000 ccbfdb0e 0b000018 29bfb911 51a68658 
> cd6d8daa 153abda1
> 171647.009904 Cryp 70 9c1c4ecc 0000001c 00000001 01106002 7128cf36 d74c89f1 
> 07fbb815 905b1538
> 171647.009972 Cryp 70 crypto_encrypt: after encryption:
> 171647.010035 Cryp 70 915ce7cb d297afed 8b3205f2 5ecd158b 9ec08ffc 8fb815e5 
> ddacb820 e67dd33a
> 171647.010109 Cryp 70 97fb99ed 8aa2a401 058ccc7b 5b663667 4a06d978 f183e058 
> 8c69aca4 6a7d17dc
> 171647.010169 Cryp 50 crypto_update_iv: updated IV:
> 171647.010227 Cryp 50 4a06d978 f183e058 8c69aca4 6a7d17dc 
> 171647.010286 Mesg 70 message_send: message 0x2018f4300
> 171647.010344 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171647.010418 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171647.010472 Mesg 70 NEXT_PAYLOAD: ID
> 171647.010526 Mesg 70 VERSION: 16
> 171647.010577 Mesg 70 EXCH_TYPE: ID_PROT
> 171647.010624 Mesg 70 FLAGS: [ ENC ]
> 171647.010671 Mesg 70 MESSAGE_ID: 00000000
> 171647.010724 Mesg 70 LENGTH: 92
> 171647.010788 Mesg 70 message_send: 7128cf36 d74c89f1 07fbb815 905b1538 
> 05100201 00000000 0000005c 915ce7cb
> 171647.010856 Mesg 70 message_send: d297afed 8b3205f2 5ecd158b 9ec08ffc 
> 8fb815e5 ddacb820 e67dd33a 97fb99ed
> 171647.010919 Mesg 70 message_send: 8aa2a401 058ccc7b 5b663667 4a06d978 
> f183e058 8c69aca4 6a7d17dc 
> 171647.010973 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 4, 
> advancing...
> 171647.011029 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for 
> this exchange
> 171647.011118 Trpt 30 transport_send_messages: message 0x2018f4300 scheduled 
> for retransmission 1 in 7 secs
> 171647.011178 Timr 10 timer_add_event: event message_send_expire(0x2018f4300) 
> added before connection_checker(0x20f87dac0), expiration in 7s
> 171647.169869 Trpt 70 transport_setup: added 0x2018f7b80 to transport list
> 171647.169982 Trpt 70 transport_setup: added 0x2018f7100 to transport list
> 171647.170042 Trpt 50 virtual_clone: old 0x2018f7e80 new 0x2018f7a80 (main is 
> 0x2018f7b80)
> 171647.170111 Trpt 70 transport_setup: virtual transport 0x2018f7a80
> 171647.170219 Mesg 70 message_recv: message 0x2018f4900
> 171647.170285 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171647.170342 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171647.170411 Mesg 70 NEXT_PAYLOAD: ID
> 171647.170463 Mesg 70 VERSION: 16
> 171647.170520 Mesg 70 EXCH_TYPE: ID_PROT
> 171647.170574 Mesg 70 FLAGS: [ ENC ]
> 171647.170627 Mesg 70 MESSAGE_ID: 00000000
> 171647.170679 Mesg 70 LENGTH: 76
> 171647.170743 Mesg 70 message_recv: 7128cf36 d74c89f1 07fbb815 905b1538 
> 05100201 00000000 0000004c 2aafdc49
> 171647.170811 Mesg 70 message_recv: 7dc6a262 d5891e2a a326d422 07750f1f 
> aeee7aa6 70f7947f 07f4bcf2 a81a4903
> 171647.170885 Mesg 70 message_recv: df0f5534 55df752e 6ae3c3f0 
> 171647.170945 Mesg 20 message_free: freeing 0x2018f4300
> 171647.170998 Timr 10 timer_remove_event: removing event 
> message_send_expire(0x2018f4300)
> 171647.171071 Cryp 70 crypto_decrypt: before decryption:
> 171647.171142 Cryp 70 2aafdc49 7dc6a262 d5891e2a a326d422 07750f1f aeee7aa6 
> 70f7947f 07f4bcf2
> 171647.171202 Cryp 70 a81a4903 df0f5534 55df752e 6ae3c3f0 
> 171647.171255 Cryp 70 crypto_decrypt: after decryption:
> 171647.171318 Cryp 70 0800000c 01110000 c0a80e7e 00000018 d56f0de1 65779c63 
> 04d4ff29 8b863817
> 171647.171400 Cryp 70 b2639dc9 00000000 00000000 00000000 
> 171647.171463 Mesg 50 message_parse_payloads: offset 28 payload ID
> 171647.171519 Mesg 50 message_parse_payloads: offset 40 payload HASH
> 171647.171568 Mesg 60 message_validate_payloads: payload ID at 0x2018f729c of 
> message 0x2018f4900
> 171647.171621 Mesg 70 TYPE: 1
> 171647.171683 Mesg 70 DOI_DATA: 110000
> 171647.171739 Mesg 70 DATA: 
> 171647.171804 Mesg 40 ipsec_validate_id_information: proto 17 port 0 type 1
> 171647.171871 Mesg 40 ipsec_validate_id_information: IPv4:
> 171647.171940 Mesg 40 c0a80e7e 
> 171647.172000 Default ipsec_validate_id_information: dubious ID information 
> accepted
> 171647.172058 Mesg 60 message_validate_payloads: payload HASH at 0x2018f72a8 
> of message 0x2018f4900
> 171647.172113 Mesg 70 DATA: 
> 171647.172188 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
> 171647.172245 Negt 40 c0a80e7e 
> 171647.172298 Cryp 60 hash_get: requested algorithm 1
> 171647.172375 Mesg 20 message_free: freeing 0x2018f4f00
> 171647.172442 Trpt 70 transport_release: freeing 0x2018f7b00
> 171647.172499 Cryp 50 crypto_update_iv: updated IV:
> 171647.172566 Cryp 50 a81a4903 df0f5534 55df752e 6ae3c3f0 
> 171647.172620 Exch 10 exchange_finalize: 0x2018f6e00 
> peer-XXX.217.33.11-local-XXX.191.219.14 
> phase1-peer-XXX.217.33.11-local-XXX.191.219.14 policy initiator phase 1 doi 1 
> exchange 2 step 5
> 171647.172692 Exch 10 exchange_finalize: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171647.172738 Exch 10 exchange_finalize: msgid 00000000 
> 171647.172814 Exch 10 exchange_finalize: phase 1 done: initiator id 
> XXX.191.219.14, responder id 192.168.14.126, src: XXX.191.219.14 dst: 
> XXX.217.33.11
> 171647.172890 Timr 10 timer_add_event: event sa_soft_expire(0x2018f6800) 
> added last, expiration in 26467s
> 171647.172964 Timr 10 timer_add_event: event sa_hard_expire(0x2018f6800) 
> added last, expiration in 28800s
> 171647.173033 Exch 20 exchange_establish_finalize: finalizing exchange 
> 0x2018f6e00 with arg 0x2065e92c0 (from-192.168.13.12-to-192.168.13.19) & fail 
> = 0
> 171647.173177 Timr 10 timer_add_event: event exchange_free_aux(0x2018f6a00) 
> added before sa_soft_expire(0x2018f6800), expiration in 120s
> 171647.173255 Exch 10 exchange_establish_p2: 0x2018f6a00 
> from-192.168.13.12-to-192.168.13.19 
> phase2-from-192.168.13.12-to-192.168.13.19 policy initiator phase 2 doi 1 
> exchange 32 step 0
> 171647.173317 Exch 10 exchange_establish_p2: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171647.173385 Exch 10 exchange_establish_p2: msgid fb44b61c sa_list 
> 171647.173448 SA   70 sa_enter: SA 0x2018f6c00 added to SA list
> 171647.173502 SA   60 sa_create: sa 0x2018f6c00 phase 2 added to exchange 
> 0x2018f6a00 (from-192.168.13.12-to-192.168.13.19)
> 171647.173566 Cryp 60 hash_get: requested algorithm 1
> 171647.173654 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the 
> phase2-transform-from-192.168.13.12-to-192.168.13.19-3DES-MD5-NONE-TUNNEL 
> section
> 171647.173748 Sdep 50 pf_key_v2_get_spi: spi:
> 171647.173811 Sdep 50 ec3a5382 
> 171647.173951 Cryp 60 hash_get: requested algorithm 1
> 171647.174009 Cryp 60 hash_get: requested algorithm 1
> 171647.174079 Cryp 60 hash_get: requested algorithm 1
> 171647.174126 Cryp 50 crypto_init_iv: initialized IV:
> 171647.174182 Cryp 50 917d9792 3a37d1b7 a6c62950 1bc6a3b6 
> 171647.174242 Cryp 70 crypto_encrypt: before encryption:
> 171647.174305 Cryp 70 01000018 7b73dd19 936a127e 74b9851b 8543a098 70a24790 
> 0a000030 00000001
> 171647.174389 Cryp 70 00000001 00000024 01030401 ec3a5382 00000018 01030000 
> 80010001 800204b0
> 171647.174467 Cryp 70 80040001 80050001 05000014 8039669f 38226adc 6baa7dc0 
> 9ccc0c85 0500000c
> 171647.174545 Cryp 70 01000000 c0a80d0c 0000000c 01000000 c0a80d13 00000000 
> 00000000 00000000
> 171647.174606 Cryp 70 crypto_encrypt: after encryption:
> 171647.174670 Cryp 70 20fd001b 43503cc7 4b7a6fef 8f204177 1f56dfbf fb1d185f 
> a3135510 c1e26257
> 171647.174746 Cryp 70 df3d514e e3f4060e 4136110d 8892085a 98fc7ae8 477c115d 
> 0138ea60 03ebdbb8
> 171647.174835 Cryp 70 9d01ea5c 220a5ed4 a5ae56d2 6756f1a0 c682619f 6ce7797d 
> 13cbba30 35ab544e
> 171647.174908 Cryp 70 ce6ec27e af886757 a89f407b ddcb2430 0b499a5e 97394622 
> 7e8bc53f 5e3d38af
> 171647.174971 Cryp 50 crypto_update_iv: updated IV:
> 171647.175028 Cryp 50 0b499a5e 97394622 7e8bc53f 5e3d38af 
> 171647.175080 Mesg 70 message_send: message 0x2018f4f00
> 171647.175138 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171647.175193 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171647.175239 Mesg 70 NEXT_PAYLOAD: HASH
> 171647.175285 Mesg 70 VERSION: 16
> 171647.175338 Mesg 70 EXCH_TYPE: QUICK_MODE
> 171647.175408 Mesg 70 FLAGS: [ ENC ]
> 171647.175479 Mesg 70 MESSAGE_ID: fb44b61c
> 171647.175538 Mesg 70 LENGTH: 156
> 171647.175604 Mesg 70 message_send: 7128cf36 d74c89f1 07fbb815 905b1538 
> 08102001 fb44b61c 0000009c 20fd001b
> 171647.175679 Mesg 70 message_send: 43503cc7 4b7a6fef 8f204177 1f56dfbf 
> fb1d185f a3135510 c1e26257 df3d514e
> 171647.175748 Mesg 70 message_send: e3f4060e 4136110d 8892085a 98fc7ae8 
> 477c115d 0138ea60 03ebdbb8 9d01ea5c
> 171647.175813 Mesg 70 message_send: 220a5ed4 a5ae56d2 6756f1a0 c682619f 
> 6ce7797d 13cbba30 35ab544e ce6ec27e
> 171647.175878 Mesg 70 message_send: af886757 a89f407b ddcb2430 0b499a5e 
> 97394622 7e8bc53f 5e3d38af 
> 171647.175932 Exch 40 exchange_run: exchange 0x2018f6a00 finished step 0, 
> advancing...
> 171647.175992 Timr 10 timer_remove_event: removing event 
> exchange_free_aux(0x2018f6e00)
> 171647.176048 Mesg 20 message_free: freeing 0x2018f4900
> 171647.176113 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for 
> this exchange
> 171647.176190 Trpt 30 transport_send_messages: message 0x2018f4f00 scheduled 
> for retransmission 1 in 7 secs
> 171647.176250 Timr 10 timer_add_event: event message_send_expire(0x2018f4f00) 
> added before connection_checker(0x20f87dac0), expiration in 7s
> 171647.334727 Trpt 70 transport_setup: added 0x2018f7280 to transport list
> 171647.334876 Trpt 70 transport_setup: added 0x2018f7f80 to transport list
> 171647.334951 Trpt 50 virtual_clone: old 0x2018f7e80 new 0x2018f7980 (main is 
> 0x2018f7280)
> 171647.335020 Trpt 70 transport_setup: virtual transport 0x2018f7980
> 171647.335088 Mesg 70 message_recv: message 0x2018f4600
> 171647.335146 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171647.335203 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171647.335255 Mesg 70 NEXT_PAYLOAD: HASH
> 171647.335309 Mesg 70 VERSION: 16
> 171647.335418 Mesg 70 EXCH_TYPE: INFO
> 171647.335516 Mesg 70 FLAGS: [ ENC ]
> 171647.335573 Mesg 70 MESSAGE_ID: bdcc247d
> 171647.335629 Mesg 70 LENGTH: 92
> 171647.335698 Mesg 70 message_recv: 7128cf36 d74c89f1 07fbb815 905b1538 
> 08100501 bdcc247d 0000005c 327b881c
> 171647.335783 Mesg 70 message_recv: 651d9303 59393f93 73d3321b 608544a5 
> d5e0d83c 474f659c 5f5e0a45 ebb62d0e
> 171647.335874 Mesg 70 message_recv: 272899c1 2707e5c5 76d57308 572f27ac 
> 2c42c224 76c43ee8 8c01c271 
> 171647.335980 Cryp 60 hash_get: requested algorithm 1
> 171647.336053 Cryp 50 crypto_init_iv: initialized IV:
> 171647.336111 Cryp 50 ff27c21d d25837cb fa771ead 8efd3b40 
> 171647.336165 Cryp 70 crypto_decrypt: before decryption:
> 171647.336221 Cryp 70 327b881c 651d9303 59393f93 73d3321b 608544a5 d5e0d83c 
> 474f659c 5f5e0a45
> 171647.336300 Cryp 70 ebb62d0e 272899c1 2707e5c5 76d57308 572f27ac 2c42c224 
> 76c43ee8 8c01c271
> 171647.336370 Cryp 70 crypto_decrypt: after decryption:
> 171647.336495 Cryp 70 0b000018 17300e35 0885490c 548b1a9f 480fd5a7 d62ad011 
> 0000001c 00000001
> 171647.336573 Cryp 70 0304000e ec3a5382 0a000030 00000001 00000001 00000000 
> 00000000 00000000
> 171647.336629 Mesg 50 message_parse_payloads: offset 28 payload HASH
> 171647.336699 Mesg 50 message_parse_payloads: offset 52 payload NOTIFY
> 171647.336757 Mesg 60 message_validate_payloads: payload HASH at 0x2018f7b1c 
> of message 0x2018f4600
> 171647.336811 Mesg 70 DATA: 
> 171647.336878 Cryp 60 hash_get: requested algorithm 1
> 171647.336929 Cryp 60 hash_get: requested algorithm 1
> 171647.336984 Mesg 60 message_validate_payloads: payload NOTIFY at 
> 0x2018f7b34 of message 0x2018f4600
> 171647.337041 Mesg 70 DOI: IPSEC
> 171647.337096 Mesg 70 PROTO: <Unknown 3>
> 171647.337151 Mesg 70 SPI_SZ: 4
> 171647.337204 Mesg 70 MSG_TYPE: NO_PROPOSAL_CHOSEN
> 171647.337263 Mesg 70 SPI: 
> 171647.337330 Timr 10 timer_add_event: event exchange_free_aux(0x2018f6e00) 
> added before sa_soft_expire(0x2018f6800), expiration in 120s
> 171647.337439 Exch 10 exchange_setup_p2: 0x2018f6e00 <unnamed> <no policy> 
> policy responder phase 2 doi 1 exchange 5 step 0
> 171647.337511 Exch 10 exchange_setup_p2: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171647.337565 Exch 10 exchange_setup_p2: msgid bdcc247d sa_list 
> 171647.337633 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
> 171647.337691 Exch 10 ipsec_responder: got NOTIFY of type NO_PROPOSAL_CHOSEN
> 171647.337749 Cryp 50 crypto_update_iv: updated IV:
> 171647.337806 Cryp 50 572f27ac 2c42c224 76c43ee8 8c01c271 
> 171647.337858 Exch 10 exchange_finalize: 0x2018f6e00 <unnamed> <no policy> 
> policy responder phase 2 doi 1 exchange 5 step 0
> 171647.337909 Exch 10 exchange_finalize: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171647.337975 Exch 10 exchange_finalize: msgid bdcc247d sa_list 
> 171647.338028 Timr 10 timer_remove_event: removing event 
> exchange_free_aux(0x2018f6e00)
> 171647.338080 Mesg 20 message_free: freeing 0x2018f4600
> 171647.338133 Trpt 70 transport_release: freeing 0x2018f7980
> ^C171651.582796 Default isakmpd: shutting down...
> 171651.582841 Timr 10 timer_add_event: event exchange_free_aux(0x2018f6000) 
> added before sa_soft_expire(0x2018f6800), expiration in 120s
> 171651.582849 Exch 10 exchange_establish_p2: 0x2018f6000 <unnamed> <no 
> policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 171651.582854 Exch 10 exchange_establish_p2: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171651.582858 Exch 10 exchange_establish_p2: msgid b8380e7e sa_list 
> 171651.582869 Cryp 60 hash_get: requested algorithm 1
> 171651.582876 Cryp 60 hash_get: requested algorithm 1
> 171651.582880 Cryp 60 hash_get: requested algorithm 1
> 171651.582893 Cryp 60 hash_get: requested algorithm 1
> 171651.582897 Cryp 50 crypto_init_iv: initialized IV:
> 171651.582907 Cryp 50 e9fbb460 920582d5 3f1693ee 50bbbbe3 
> 171651.582911 Cryp 70 crypto_encrypt: before encryption:
> 171651.582967 Cryp 70 0c000018 4ce73102 c612da96 46b9306e 4f57b7df 1c635b3f 
> 00000010 00000001
> 171651.582980 Cryp 70 03040001 ec3a5382 00000000 00000000 
> 171651.582989 Cryp 70 crypto_encrypt: after encryption:
> 171651.583009 Cryp 70 8ef50474 a4b1c3b2 668c24a9 353d8711 07b71c18 6c449106 
> 73b0894c 6e3ef257
> 171651.583019 Cryp 70 a7a92d29 8c825cda c08c5197 a83a0e8c 
> 171651.583023 Cryp 50 crypto_update_iv: updated IV:
> 171651.583032 Cryp 50 a7a92d29 8c825cda c08c5197 a83a0e8c 
> 171651.583036 Mesg 70 message_send: message 0x2018f4a00
> 171651.583043 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171651.583050 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171651.583054 Mesg 70 NEXT_PAYLOAD: HASH
> 171651.583059 Mesg 70 VERSION: 16
> 171651.583063 Mesg 70 EXCH_TYPE: INFO
> 171651.583068 Mesg 70 FLAGS: [ ENC ]
> 171651.583073 Mesg 70 MESSAGE_ID: b8380e7e
> 171651.583188 Mesg 70 LENGTH: 76
> 171651.583206 Mesg 70 message_send: 7128cf36 d74c89f1 07fbb815 905b1538 
> 08100501 b8380e7e 0000004c 8ef50474
> 171651.583222 Mesg 70 message_send: a4b1c3b2 668c24a9 353d8711 07b71c18 
> 6c449106 73b0894c 6e3ef257 a7a92d29
> 171651.583230 Mesg 70 message_send: 8c825cda c08c5197 a83a0e8c 
> 171651.583235 Exch 40 exchange_run: exchange 0x2018f6000 finished step 0, 
> advancing...
> 171651.583239 SA   70 sa_remove: SA 0x2018f6c00 removed from SA list
> 171651.583252 Timr 10 timer_add_event: event exchange_free_aux(0x2018f6e00) 
> added before sa_soft_expire(0x2018f6800), expiration in 120s
> 171651.583257 Exch 10 exchange_establish_p2: 0x2018f6e00 <unnamed> <no 
> policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 171651.583261 Exch 10 exchange_establish_p2: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171651.583392 Exch 10 exchange_establish_p2: msgid 4f9a4b11 sa_list 
> 171651.583403 Cryp 60 hash_get: requested algorithm 1
> 171651.583409 Cryp 60 hash_get: requested algorithm 1
> 171651.583412 Cryp 60 hash_get: requested algorithm 1
> 171651.583439 Cryp 60 hash_get: requested algorithm 1
> 171651.583445 Cryp 50 crypto_init_iv: initialized IV:
> 171651.583454 Cryp 50 ce6e5ac7 bbc15e75 d410b0be d9f2ff7c 
> 171651.583458 Cryp 70 crypto_encrypt: before encryption:
> 171651.583473 Cryp 70 0c000018 3f346523 9135caa5 f8bed113 035a459f 33a32a82 
> 0000001c 00000001
> 171651.583489 Cryp 70 01100001 7128cf36 d74c89f1 07fbb815 905b1538 00000000 
> 00000000 00000000
> 171651.583494 Cryp 70 crypto_encrypt: after encryption:
> 171651.583509 Cryp 70 1b0b093a d0667ccb 0682a33b fc64119d 8d4b1eb9 26f119e4 
> a7b52a08 92260275
> 171651.583524 Cryp 70 df3babdf 93b9edad bce4fa5b 3ed0d763 77a42158 8731f121 
> 6f47894d f2f51dc1
> 171651.583618 Cryp 50 crypto_update_iv: updated IV:
> 171651.583630 Cryp 50 77a42158 8731f121 6f47894d f2f51dc1 
> 171651.583634 Mesg 70 message_send: message 0x2018f4b00
> 171651.583641 Mesg 70 ICOOKIE: 7128cf36d74c89f1
> 171651.583648 Mesg 70 RCOOKIE: 07fbb815905b1538
> 171651.583653 Mesg 70 NEXT_PAYLOAD: HASH
> 171651.583660 Mesg 70 VERSION: 16
> 171651.583664 Mesg 70 EXCH_TYPE: INFO
> 171651.583668 Mesg 70 FLAGS: [ ENC ]
> 171651.583673 Mesg 70 MESSAGE_ID: 4f9a4b11
> 171651.583678 Mesg 70 LENGTH: 92
> 171651.583693 Mesg 70 message_send: 7128cf36 d74c89f1 07fbb815 905b1538 
> 08100501 4f9a4b11 0000005c 1b0b093a
> 171651.583711 Mesg 70 message_send: d0667ccb 0682a33b fc64119d 8d4b1eb9 
> 26f119e4 a7b52a08 92260275 df3babdf
> 171651.583731 Mesg 70 message_send: 93b9edad bce4fa5b 3ed0d763 77a42158 
> 8731f121 6f47894d f2f51dc1 
> 171651.583736 Exch 40 exchange_run: exchange 0x2018f6e00 finished step 0, 
> advancing...
> 171651.583845 Timr 10 timer_remove_event: removing event 
> sa_hard_expire(0x2018f6800)
> 171651.583851 Timr 10 timer_remove_event: removing event 
> sa_soft_expire(0x2018f6800)
> 171651.583855 SA   70 sa_remove: SA 0x2018f6800 removed from SA list
> 171651.583889 Exch 10 exchange_finalize: 0x2018f6000 <unnamed> <no policy> 
> policy initiator phase 2 doi 1 exchange 5 step 1
> 171651.583896 Exch 10 exchange_finalize: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171651.583900 Exch 10 exchange_finalize: msgid b8380e7e sa_list 
> 171651.583905 Timr 10 timer_remove_event: removing event 
> exchange_free_aux(0x2018f6000)
> 171651.583910 Mesg 20 message_free: freeing 0x2018f4a00
> 171651.583929 Exch 10 exchange_finalize: 0x2018f6e00 <unnamed> <no policy> 
> policy initiator phase 2 doi 1 exchange 5 step 1
> 171651.583935 Exch 10 exchange_finalize: icookie 7128cf36d74c89f1 rcookie 
> 07fbb815905b1538
> 171651.584032 Exch 10 exchange_finalize: msgid 4f9a4b11 sa_list 
> 171651.584039 Timr 10 timer_remove_event: removing event 
> exchange_free_aux(0x2018f6e00)
> 171651.584045 Mesg 20 message_free: freeing 0x2018f4b00
> 171651.584051 Default isakmpd: exit
> 
> I'm open for any ideas, or any kinds of hints appreciated.
> 
> cheers,
> Sebastian

Re: problem with IPSec between OpenBSD 5.5 and Cisco 2901

Reply via email to