Hi all,
I have a problem with an IPsec tunnel between OpenBSD 3.8 and a Cisco PIX 506, IOS 6.3.1. The tunnel is stable, for example for 1 or 2 days; after this period the tunnel is down for 1 hour or more, and this time is random :-(. It comes back up automatically, without manual intervention.
I had the same configuration on OpenBSD 3.1 with the same PIX, without problems.
Can you help me with this problem, please?
Below are the relevant (I think) debug output and config.
Thank you,
Regards, Lukas
OpenBSD:
[General]
Retransmits = 3
Exchange-max-time = 30
Check-interval = 60
Default-phase-1-lifetime = 3600,60:86400
Default-phase-2-lifetime = 1200,60:86400
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-PFS-SUITE
[3DES-SHA]
ENCRYPTION_ALGORITHM = 3DES_CBC
ENCAPSULATION_MODE = TUNNEL
HASH_ALGORITHM = SHA
AUTHENTICATION_METHOD = PRE_SHARED
GROUP_DESCRIPTION = MODP_1024
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols = QM-ESP-3DES-SHA-PFS
PIX:
tunnel policy: esp-3des-sha
sa lifetime: 4608000K and 8 hours
enable PFS, DH group 2
ike: 3des-sha
DH group 2, lifetime 3600s
keep alive: 1200s
nat t: enable, keep alive: 20s
OpenBSD debug without active tunnel:
May 11 08:06:34 bart isakmpd[12443]: exchange_setup_p1: icookie ab5a28c03d618c97 rcookie 79d55bd4c0ec5334
May 11 08:06:34 bart isakmpd[12443]: exchange_setup_p1: msgid 00000000
May 11 08:06:34 bart isakmpd[12443]: message_parse_payloads: offset 40 payload PROPOSAL
May 11 08:06:34 bart isakmpd[12443]: message_parse_payloads: offset 48 payload TRANSFORM
May 11 08:06:34 bart isakmpd[12443]: Transform 1's attributes
May 11 08:06:34 bart isakmpd[12443]: Attribute ENCRYPTION_ALGORITHM value 5
May 11 08:06:34 bart isakmpd[12443]: Attribute HASH_ALGORITHM value 2
May 11 08:06:34 bart isakmpd[12443]: Attribute GROUP_DESCRIPTION value 2
May 11 08:06:34 bart isakmpd[12443]: Attribute AUTHENTICATION_METHOD value 1
May 11 08:06:34 bart isakmpd[12443]: Attribute LIFE_TYPE value 1
May 11 08:06:34 bart isakmpd[12443]: Attribute LIFE_DURATION value 3600
May 11 08:06:34 bart isakmpd[12443]: ipsec_responder: phase 1 exchange 2 step 0
May 11 08:06:34 bart isakmpd[12443]: message_negotiate_sa: transform 1 proto 1 proposal 1 ok
May 11 08:06:34 bart isakmpd[12443]: ike_phase_1_validate_prop: failure
May 11 08:06:34 bart isakmpd[12443]: message_negotiate_sa: proposal 1 failed
May 11 08:06:34 bart isakmpd[12443]: message_negotiate_sa: no compatible proposal found
May 11 08:06:34 bart isakmpd[12443]: dropped message from remote ip port 500 due to notification type NO_PROPOSAL_CHOSEN
tcpdump:
10:59:29.317686 remote ip.500 > my ip.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: ab5a28c047f60374->0000000000000000 msgid: 00000000 len: 120
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) (ttl 239, id 35366, len 148)
10:59:29.319114 my ip.500 > remote ip.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 62c104f0b13012b5->0000000000000000 msgid: 00000000 len: 40
        payload: NOTIFICATION len: 12
            notification: NO PROPOSAL CHOSEN (ttl 64, id 51632, len 68)
OpenBSD debug with active tunnel:
May 11 08:07:15 bart isakmpd[12443]: message_free: freeing 0x7e1bd200
May 11 08:07:16 bart isakmpd[12443]: virtual_clone: old 0x876caac0 new 0x7c79dc00 (main is 0x7c79de00)
May 11 08:07:16 bart isakmpd[12443]: message_free: freeing 0x7e1bd100
May 11 08:07:16 bart isakmpd[12443]: timer_remove_event: removing event message_send_expire(0x7e1bd100)
May 11 08:07:16 bart isakmpd[12443]: message_parse_payloads: offset 28 payload SA
May 11 08:07:16 bart isakmpd[12443]: message_parse_payloads: offset 40 payload PROPOSAL
May 11 08:07:16 bart isakmpd[12443]: message_parse_payloads: offset 48 payload TRANSFORM
May 11 08:07:16 bart isakmpd[12443]: Transform 1's attributes
May 11 08:07:16 bart isakmpd[12443]: Attribute ENCRYPTION_ALGORITHM value 5
May 11 08:07:16 bart isakmpd[12443]: Attribute HASH_ALGORITHM value 2
May 11 08:07:16 bart isakmpd[12443]: Attribute GROUP_DESCRIPTION value 2
May 11 08:07:16 bart isakmpd[12443]: Attribute AUTHENTICATION_METHOD value 1
May 11 08:07:16 bart isakmpd[12443]: Attribute LIFE_TYPE value 1
May 11 08:07:16 bart isakmpd[12443]: Attribute LIFE_DURATION value 3600
May 11 08:07:16 bart isakmpd[12443]: message_negotiate_sa: transform 1 proto 1 proposal 1 ok
May 11 08:07:16 bart isakmpd[12443]: ike_phase_1_validate_prop: success
May 11 08:07:16 bart isakmpd[12443]: message_negotiate_sa: proposal 1 succeeded
May 11 08:07:16 bart isakmpd[12443]: ipsec_decode_transform: transform 1 chosen
May 11 08:07:16 bart isakmpd[12443]: exchange_run: exchange 0x7e639d00 finished step 1, advancing...
May 11 08:07:16 bart isakmpd[12443]: exchange_run: exchange 0x7e639d00 finished step 2, advancing...
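One way to triage isakmpd debug output like the two excerpts above, added here as an example and not part of the original post or of isakmpd: it groups the "Attribute ... value N" lines into phase-1 proposals, decodes the numeric values with the RFC 2409 Appendix A names (the same decoding tcpdump shows above), and checks every rejected proposal against the [3DES-SHA] transform from the quoted isakmpd.conf, so a NO_PROPOSAL_CHOSEN that is not explained by an algorithm mismatch stands out. The log lines are a constructed sample modelled on the post's excerpts.

```python
import re
# Attribute value names from RFC 2409 Appendix A; the tcpdump in the post
# decodes the same numeric values to the same names.
IKE_ATTR_NAMES = {
    "ENCRYPTION_ALGORITHM": {1: "DES_CBC", 5: "3DES_CBC"},
    "HASH_ALGORITHM": {1: "MD5", 2: "SHA"},
    "GROUP_DESCRIPTION": {1: "MODP_768", 2: "MODP_1024"},
    "AUTHENTICATION_METHOD": {1: "PRE_SHARED", 3: "RSA_SIG"},
    "LIFE_TYPE": {1: "SECONDS", 2: "KILOBYTES"},
}
# The [3DES-SHA] main-mode transform from the isakmpd.conf in the post.
LOCAL_P1_POLICY = {"ENCRYPTION_ALGORITHM": "3DES_CBC", "HASH_ALGORITHM": "SHA",
                   "GROUP_DESCRIPTION": "MODP_1024", "AUTHENTICATION_METHOD": "PRE_SHARED"}
START_RE = re.compile(r"isakmpd\[\d+\]: Transform \d+'s attributes$")
ATTR_RE = re.compile(r"isakmpd\[\d+\]: Attribute (\w+) value (\d+)$")
RESULT_RE = re.compile(r"ike_phase_1_validate_prop: (success|failure)$")

def parse_phase1_proposals(log_text):
    """Group isakmpd debug lines into phase-1 proposals with decoded attributes."""
    proposals, cur = [], None
    for line in log_text.splitlines():
        if START_RE.search(line):
            cur = {"time": line[:15], "attrs": {}, "result": None}  # syslog timestamp
            proposals.append(cur)
        elif cur is not None and ATTR_RE.search(line):
            name, value = ATTR_RE.search(line).groups()
            cur["attrs"][name] = IKE_ATTR_NAMES.get(name, {}).get(int(value), int(value))
        elif cur is not None and RESULT_RE.search(line):
            cur["result"] = RESULT_RE.search(line).group(1)
            cur = None  # the validate_prop line closes this proposal
    return proposals

def explain(proposal, policy=LOCAL_P1_POLICY):
    """accepted / rejected by a visible attribute mismatch / rejected despite a match."""
    mismatch = {k: proposal["attrs"].get(k) for k, v in policy.items()
                if proposal["attrs"].get(k) != v}
    if proposal["result"] == "success":
        return "accepted"
    if mismatch:
        return f"rejected: mismatch {mismatch}"
    return "rejected although attributes match local policy"

# Constructed sample modelled on the two debug excerpts in the post.
SAMPLE_LOG = "\n".join(
    f"May 11 {ts} bart isakmpd[12443]: {msg}"
    for ts, result in (("08:06:34", "failure"), ("08:07:16", "success"))
    for msg in ("Transform 1's attributes", "Attribute ENCRYPTION_ALGORITHM value 5",
                "Attribute HASH_ALGORITHM value 2", "Attribute GROUP_DESCRIPTION value 2",
                "Attribute AUTHENTICATION_METHOD value 1", "Attribute LIFE_TYPE value 1",
                "Attribute LIFE_DURATION value 3600", "ike_phase_1_validate_prop: " + result))
```

Run over the post's own excerpts, both proposals decode to 3DES_CBC/SHA/MODP_1024/PRE_SHARED/3600 seconds, so the 08:06:34 failure is reported as "rejected although attributes match local policy", which points the investigation away from the transform set.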