I am resubmitting this as it seems never to have made it onto the list; with two of us getting similar problems, I wonder if we are not both making the same mistake.

===================
I was about to submit what to me appears to be the same problem, to a
Cisco 7206VXR (NPE400) processor
IOS: c7200-ik9o3s-mz.123-14.T5.bin

I have tried this with a patched 3.7 running on sparc and a patched 3.8 running on x86. Our situation is probably a bit different: we have an upstream firewall that NATs us, though I do have other tunnels to the outside to Cisco routers and PIXes, as well as Checkpoints, where this works.

We are using a preshared key, Default-main-mode, Default-quick-mode.

Below are debugs from the OBSD side as well as the cisco side.

BSD debugs

A dump of the IKE packets
-------------------------
14:24:08.999079 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 9cc912b31febedfd->0000000000000000 msgid: 00000000 len: 192
        payload: SA len: 84 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 72 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 340, len 220)
14:24:09.223182 cisco_ip_addr .500 > 10.120.10.50.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 00000000 len: 80
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600 (ttl 230, id 39262, len 108)
14:24:09.235444 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 (ttl 64, id 25889, len 208)
14:24:09.517509 cisco_ip_addr .500 > 10.120.10.50.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 00000000 len: 256
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports DPD v1.0)
        payload: VENDOR len: 20
        payload: VENDOR len: 12 (ttl 230, id 39277, len 284)
14:24:09.532283 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 00000000 len: 92 (ttl 64, id 6347, len 120)
14:24:09.710404 cisco_ip_addr .500 > 10.120.10.50.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: 1d7c9d661fb5a6df->5e4848afbdade7dd msgid: 5d43141f len: 84 (ttl 230, id 39289, len 112)
14:24:09.711190 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: aa9d7727ae647a98->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE (ttl 64, id 31587, len 84)
14:24:09.717286 cisco_ip_addr .500 > 10.120.10.50.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 00000000 len: 68 (ttl 230, id 39290, len 96)
14:24:09.721168 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 90e41482 len: 148 (ttl 64, id 20018, len 176)
14:24:09.942654 cisco_ip_addr .500 > 10.120.10.50.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 24183737 len: 116 (ttl 230, id 39302, len 144)
14:24:16.734239 10.120.10.50.500 > cisco_ip_addr .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 9cc912b31febedfd->5e4848af7d198113 msgid: 90e41482 len: 148 (ttl 64, id 30555, len 176)

================================================================================
Here are debugs from the Cisco side
==================
Apr 6 17:37:56 UTC: ISAKMP:(0:0:N/A:0): sending packet to bsd_nat_addr my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 17:37:57 UTC: ISAKMP (0:0): received packet from bsd_nat_addr dport 500 sport 500 Global (I) MM_NO_STATE
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Found ADDRESS key in keyring USG818
Apr  6 17:37:57 UTC: ISAKMP:(0:0:N/A:0): local preshared key found
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 11 policy
Apr  6 17:37:57 UTC: ISAKMP:      encryption 3DES-CBC
Apr  6 17:37:57 UTC: ISAKMP:      hash SHA
Apr  6 17:37:57 UTC: ISAKMP:      default group 2
Apr  6 17:37:57 UTC: ISAKMP:      auth pre-share
Apr  6 17:37:57 UTC: ISAKMP:      life type in seconds
Apr  6 17:37:57 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 12 policy
Apr  6 17:37:57 UTC: ISAKMP:      encryption 3DES-CBC
Apr  6 17:37:57 UTC: ISAKMP:      hash SHA
Apr  6 17:37:57 UTC: ISAKMP:      default group 2
Apr  6 17:37:57 UTC: ISAKMP:      auth pre-share
Apr  6 17:37:57 UTC: ISAKMP:      life type in seconds
Apr  6 17:37:57 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 13 policy
Apr  6 17:37:57 UTC: ISAKMP:      encryption 3DES-CBC
Apr  6 17:37:57 UTC: ISAKMP:      hash SHA
Apr  6 17:37:57 UTC: ISAKMP:      default group 2
Apr  6 17:37:57 UTC: ISAKMP:      auth pre-share
Apr  6 17:37:57 UTC: ISAKMP:      life type in seconds
Apr  6 17:37:57 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 21 policy
Apr  6 17:37:57 UTC: ISAKMP:      encryption 3DES-CBC
Apr  6 17:37:57 UTC: ISAKMP:      hash SHA
Apr  6 17:37:57 UTC: ISAKMP:      default group 2
Apr  6 17:37:57 UTC: ISAKMP:      auth pre-share
Apr  6 17:37:57 UTC: ISAKMP:      life type in seconds
Apr  6 17:37:57 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 22 policy
Apr  6 17:37:57 UTC: ISAKMP:      encryption 3DES-CBC
Apr  6 17:37:57 UTC: ISAKMP:      hash SHA
Apr  6 17:37:57 UTC: ISAKMP:      default group 2
Apr  6 17:37:57 UTC: ISAKMP:      auth pre-share
Apr  6 17:37:57 UTC: ISAKMP:      life type in seconds
Apr  6 17:37:57 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID is NAT-T v2
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID is NAT-T v3
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing vendor id payload
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing vendor id payload
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): vendor ID is DPD
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): sending packet to bsd_nat_addr my_port 500 peer_port 500 (I) MM_SA_SETUP
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Apr 6 17:37:57 UTC: ISAKMP (0:134219726): received packet from bsd_nat_addr dport 500 sport 500 Global (I) MM_SA_SETUP
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing KE payload. message ID = 0
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing NONCE payload. message ID = 0
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Found ADDRESS key in keyring USG818
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):SKEYID state generated
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Send initial contact
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): ID payload
        next-payload : 8
        type         : 1
        address      : cisco_addr
        protocol     : 17
        port         : 500
        length       : 12
Apr  6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Total payload length: 12
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): sending packet to bsd_nat_addr my_port 500 peer_port 500 (I) MM_KEY_EXCH
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Apr 6 17:37:57 UTC: ISAKMP (0:134219726): received packet from bsd_nat_addr dport 500 sport 500 Global (I) MM_KEY_EXCH
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1): processing ID payload. message ID = 0
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): ID payload
        next-payload : 8
        type         : 1
        address      : 10.120.10.50
        protocol     : 0
        port         : 0
        length       : 12
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Expected USG818 profile doesn't match, aborting exchange
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): FSM action returned error: 2
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):peer does not do paranoid keepalives.
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 64.166.144.87)
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6

Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):peer does not do paranoid keepalives.
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): FSM action returned error: 2
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM5
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 64.166.144.87)
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):deleting node -1488433700 error FALSE reason "IKE deleted"
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Apr 6 17:38:00 UTC: ISAKMP:(0:1989:SW:1):deleting node -1456026188 error FALSE reason "Informational (in) state 1"
====================================
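An added Python example (written for this page, not the poster's code nor anything from OpenBSD or Cisco) that automates the two readings a practitioner makes of the IOS debug above: which ISAKMP policy priority accepted the offered transform and what the earlier priorities rejected it for, and whether the ID_IPV4_ADDR the peer asserts in its ID payload matches the address its packet actually arrived from. The second check is my inference from the "profile doesn't match" abort that follows the 10.120.10.50 ID behind a NAT; the sample log is a constructed trim of the post's own output, with "bsd_nat_addr" kept as the poster's placeholder.

```python
import re

# Constructed sample, trimmed from the IOS "debug crypto isakmp" output quoted
# above; "bsd_nat_addr" is the poster's placeholder for the NAT's public address.
SAMPLE_DEBUG = """\
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 11 policy
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 21 policy
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 22 policy
Apr 6 17:37:57 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): ID payload
        address      : cisco_addr
Apr 6 17:37:57 UTC: ISAKMP (0:134219726): received packet from bsd_nat_addr dport 500 sport 500 Global (I) MM_KEY_EXCH
Apr  6 17:37:57 UTC: ISAKMP (0:134219726): ID payload
        address      : 10.120.10.50
Apr 6 17:37:57 UTC: ISAKMP:(0:1998:SW:1):Expected USG818 profile doesn't match, aborting exchange
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
REJECT_RE = re.compile(r"(\w[\w\- ]*) offered does not match policy")
RECV_RE = re.compile(r"received packet from (\S+) dport")
ID_ADDR_RE = re.compile(r"^\s+address\s+:\s+(\S+)", re.M)


def policy_outcomes(debug):
    """Return (priority, outcome) per 'Checking ISAKMP transform' block:
    'accepted', or the attribute the router says did not match."""
    outcomes, prio, reason = [], None, None
    for line in debug.splitlines():
        if m := CHECK_RE.search(line):
            prio, reason = int(m.group(1)), None
        elif m := REJECT_RE.search(line):
            reason = m.group(1)
        elif "atts are acceptable" in line:
            outcomes.append((prio, "accepted"))
        elif "atts are not acceptable" in line:
            outcomes.append((prio, reason or "rejected"))
    return outcomes


def identity_vs_source(debug):
    """Source address of the last received packet vs. the ID_IPV4_ADDR in the
    ID payload after it; behind NAT these differ, and an address-keyed
    keyring/profile then rejects the asserted identity."""
    recv = list(RECV_RE.finditer(debug))
    ids = ID_ADDR_RE.findall(debug, recv[-1].end()) if recv else []
    if not ids:
        return None
    return {"packet_source": recv[-1].group(1), "asserted_id": ids[0],
            "aborted": "aborting exchange" in debug}
```

Run it over a full `debug crypto isakmp` capture and a `packet_source` that differs from `asserted_id` points at the NAT, not at the proposal attributes, as the thing to reconcile on both ends.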
