Your security associations in the IKE proposals are not the same. Double check what is being proposed on both sides.

Gordon Ross wrote:
I'm trying to set up an IPSEC connection between OpenBSD3.9 & Cisco IOS
12.3 using pre-shared keys authentication the "old fashioned way". (One
step at a time)

However, I can't get the tunnel to come up.

Looking at the output from isakmpd -DA=90 (Full text below) I *suspect*
the culprit is about here:

222811.703944 Exch 90 exchange_validate: checking for required SA
222811.703992 Misc 30 ipsec_responder: phase 1 exchange 2 step 0
222811.704041 Cryp 60 hash_get: requested algorithm 1
222811.704094 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal
1 ok
222811.704160 SA   80 sa_add_transform: proto 0x7f166d00 no 1 proto 1
chosen 0x82746e00 sa 0x7c2f1e00 id 1
222811.704298 Negt 70 attribute_unacceptable: attr GROUP_DESCRIPTION
does not exist in 3DES-SHA-SHARED
222811.704348 Negt 20 ike_phase_1_validate_prop: failure
222811.704396 Negt 30 message_negotiate_sa: proposal 1 failed
222811.704441 Default message_negotiate_sa: no compatible proposal found
222811.704508 Default dropped message from 192.168.246.247 port 500 due
to notification type NO_PROPOSAL_CHOSEN

However, I don't know what to do to fix it. A google on some of these
messages doesn't appear to reveal anything relevant (apart from the
config is wrong !)

Can someone help me by telling me what I should do to try to correct
this, please ?

Thank you,

GTG

Below is the full output from ISAKMPD -DA=90, the isakmpd.conf, the
debug output from the Cisco, plus the relevant parts of the Cisco conf.

222752.784361 Misc 20 udp_make: transport 0x7f58dfc0 socket 7 ip
192.168.247.28 port 500
222752.784419 Trpt 70 transport_setup: added 0x7f58dfc0 to transport
list
222752.784493 Misc 80 monitor_loop: MONITOR_SETSOCKOPT [priv]
222752.784669 Misc 80 monitor_loop: MONITOR_SETSOCKOPT [priv]
222752.784839 Misc 80 monitor_loop: MONITOR_SETSOCKOPT [priv]
222752.785008 Misc 80 monitor_loop: MONITOR_SETSOCKOPT [priv]
222752.785180 Misc 80 monitor_loop: MONITOR_BIND [priv]
222752.785336 Misc 20 udp_encap_make: transport 0x7f166b80 socket 8 ip
192.168.247.28 port 4500
222752.785392 Trpt 70 transport_setup: added 0x7f166b80 to transport
list
222752.785439 Trpt 70 transport_setup: virtual transport 0x7f58df40
222752.785511 Trpt 90 virtual_bind_if: interface rl1 family v6 address
fe80:2::240:f4ff:feb8:db4c
222752.785598 Trpt 40 virtual_listen_lookup: no match
222752.785773 Trpt 90 virtual_bind_if: interface rl2 family <unknown>
address <invalid>
222752.785829 Trpt 90 virtual_bind_if: interface pflog0 family <unknown>
address <invalid>
222752.785880 Trpt 90 virtual_bind_if: interface pfsync0 family
<unknown> address <invalid>
222752.785930 Trpt 90 virtual_bind_if: interface enc0 family <unknown>
address <invalid>
222752.786014 Trpt 50 virtual_init: not binding ISAKMP port(s) to
ADDR_ANY
222752.786064 Cryp 60 hash_get: requested algorithm 0
222752.786142 Exch 50 nat_t_setup_hashes:
MD5("draft-ietf-ipsec-nat-t-ike-02
") (16 bytes)
222752.786186 Exch 50 nat_t_setup_hashes:
222752.786270 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
222752.786322 Exch 50 nat_t_setup_hashes:
MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
222752.786365 Exch 50 nat_t_setup_hashes:
222752.786446 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
222752.786497 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
222752.786538 Exch 50 nat_t_setup_hashes:
222752.786620 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
222752.786686 Misc 80 monitor_loop: MONITOR_UI_INIT [priv]
222752.787156 Misc 80 monitor_loop: MONITOR_INIT_DONE [priv]
222752.787265 Timr 10 timer_handle_expirations: event
connection_checker(0x7e9ece80)
222752.787353 Timr 10 timer_add_event: event
connection_checker(0x7e9ece80) added last, expiration in 60s
222752.787414 SA   90 sa_find: no SA matched query
222752.787460 Sdep 70 pf_key_v2_connection_check: SA for IPSec-remote
missing
222752.787557 SA   90 sa_find: no SA matched query
222752.787754 Trpt 70 transport_setup: added 0x7f166bc0 to transport
list
222752.787891 Trpt 70 transport_setup: added 0x7f166c00 to transport
list
222752.787942 Trpt 70 transport_setup: virtual transport 0x7f166c40
222752.788078 Timr 10 timer_add_event: event
exchange_free_aux(0x7c2f1b00) added last, expiration in 120s
222752.788148 Cryp 60 hash_get: requested algorithm 1
222752.788413 Exch 10 exchange_establish_p1: 0x7c2f1b00
ISAKMP-peer-cisco secret-main-mode policy initiator phase 1 doi 1
exchange 2 step 0
222752.788516 Exch 10 exchange_establish_p1: icookie 84df2e923942654e
rcookie 0000000000000000
222752.788563 Exch 10 exchange_establish_p1: msgid 00000000
222752.788644 Mesg 90 message_alloc: allocated 0x88c5e500
222752.788714 SA   80 sa_reference: SA 0x7c2f1c00 now has 1 references
222752.788760 SA   70 sa_enter: SA 0x7c2f1c00 added to SA list
222752.788808 SA   80 sa_reference: SA 0x7c2f1c00 now has 2 references
222752.788860 SA   60 sa_create: sa 0x7c2f1c00 phase 1 added to exchange
0x7c2f1b00 (ISAKMP-peer-cisco)
222752.788910 SA   80 sa_reference: SA 0x7c2f1c00 now has 3 references
222752.789093 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in
the 3DES-SHA-SHARED section
222752.789154 Misc 70 attribute_set_constant: no GROUP_TYPE in the
3DES-SHA-SHARED section
222752.789210 Default exchange_run: doi->initiator (0x88c5e500) failed
222752.789253 Mesg 20 message_free: freeing 0x88c5e500
222752.789324 Trpt 70 transport_release: freeing 0x7f166c40
222752.789378 Trpt 90 udp_remove: removed transport 0x7f166c00
222752.789434 Trpt 90 udp_remove: removed transport 0x7f166bc0
222752.789479 Trpt 90 virtual_remove: removed 0x7f166c40
222752.789527 SA   80 sa_release: SA 0x7c2f1c00 had 3 references
222752.789586 Exch 90 exchange_lookup_by_name: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
222811.700605 Trpt 70 transport_setup: added 0x7f166c00 to transport
list
222811.700707 Trpt 70 transport_setup: added 0x7f166c40 to transport
list
222811.700761 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166bc0 (main
is 0x7f166c00)
222811.700809 Trpt 70 transport_setup: virtual transport 0x7f166bc0
222811.700898 Mesg 90 message_alloc: allocated 0x88c5e500
222811.700961 Mesg 70 message_recv: message 0x88c5e500
222811.701029 Mesg 70 ICOOKIE: a5fec4648ae6532f
222811.701097 Mesg 70 RCOOKIE: 0000000000000000
222811.701142 Mesg 70 NEXT_PAYLOAD: SA
222811.701206 Mesg 70 VERSION: 16
222811.701250 Mesg 70 EXCH_TYPE: ID_PROT
222811.701335 Mesg 70 FLAGS: [ ]
222811.701388 Mesg 70 MESSAGE_ID: 00000000
222811.701435 Mesg 70 LENGTH: 84
222811.701567 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222811.701705 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222811.701807 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222811.701860 SA   90 sa_find: no SA matched query
222811.701920 Mesg 50 message_parse_payloads: offset 28 payload SA
222811.701989 Mesg 60 message_validate_payloads: payload SA at
0x88c5e59c of message 0x88c5e500
222811.702041 Mesg 70 DOI: 1
222811.702083 Mesg 70 SIT:
222811.702174 Exch 90 exchange_lookup_active: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
222811.702224 Exch 80 exchange_lookup_active: avoided early (pre-step 1)
exchange 0x7c2f1b00
222811.702379 Timr 10 timer_add_event: event
exchange_free_aux(0x7c2f1d00) added last, expiration in 120s
222811.702444 Cryp 60 hash_get: requested algorithm 1
222811.702561 Exch 10 exchange_setup_p1: 0x7c2f1d00 ISAKMP-peer-cisco
secret-main-mode policy responder phase 1 doi 1 exchange 2 step 0
222811.702619 Exch 10 exchange_setup_p1: icookie a5fec4648ae6532f
rcookie 91aa9faf579e02d9
222811.702665 Exch 10 exchange_setup_p1: msgid 00000000
222811.702721 SA   80 sa_reference: SA 0x7c2f1e00 now has 1 references
222811.702767 SA   70 sa_enter: SA 0x7c2f1e00 added to SA list
222811.702814 SA   80 sa_reference: SA 0x7c2f1e00 now has 2 references
222811.702865 SA   60 sa_create: sa 0x7c2f1e00 phase 1 added to exchange
0x7c2f1d00 (ISAKMP-peer-cisco)
222811.702916 SA   80 sa_reference: SA 0x7c2f1e00 now has 3 references
222811.702966 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
222811.703016 Mesg 50 message_parse_payloads: offset 48 payload
TRANSFORM
222811.703064 Mesg 50 Transform 1's attributes
222811.703113 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
222811.703159 Mesg 50 Attribute HASH_ALGORITHM value 2
222811.703206 Mesg 50 Attribute GROUP_DESCRIPTION value 2
222811.703283 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
222811.703331 Mesg 50 Attribute LIFE_TYPE value 1
222811.703379 Mesg 50 Attribute LIFE_DURATION value 86400
222811.703430 Mesg 60 message_validate_payloads: payload PROPOSAL at
0x88c5e5a8 of message 0x88c5e500
222811.703519 Mesg 70 NO: 1
222811.703561 Mesg 70 PROTO: ISAKMP
222811.703607 Mesg 70 SPI_SZ: 0
222811.703653 Mesg 70 NTRANSFORMS: 1
222811.703695 Mesg 70 SPI:
222811.703746 Mesg 60 message_validate_payloads: payload TRANSFORM at
0x88c5e5b0 of message 0x88c5e500
222811.703795 Mesg 70 NO: 1
222811.703841 Mesg 70 ID: 1
222811.703882 Mesg 70 SA_ATTRS:
222811.703944 Exch 90 exchange_validate: checking for required SA
222811.703992 Misc 30 ipsec_responder: phase 1 exchange 2 step 0
222811.704041 Cryp 60 hash_get: requested algorithm 1
222811.704094 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal
1 ok
222811.704160 SA   80 sa_add_transform: proto 0x7f166d00 no 1 proto 1
chosen 0x82746e00 sa 0x7c2f1e00 id 1
222811.704298 Negt 70 attribute_unacceptable: attr GROUP_DESCRIPTION
does not exist in 3DES-SHA-SHARED
222811.704348 Negt 20 ike_phase_1_validate_prop: failure
222811.704396 Negt 30 message_negotiate_sa: proposal 1 failed
222811.704441 Default message_negotiate_sa: no compatible proposal found
222811.704508 Default dropped message from 192.168.246.247 port 500 due
to notification type NO_PROPOSAL_CHOSEN
222811.704589 Timr 10 timer_add_event: event
exchange_free_aux(0x7c2f1f00) added last, expiration in 120s
222811.704636 Cryp 60 hash_get: requested algorithm 1
222811.704715 Exch 10 exchange_establish_p1: 0x7c2f1f00 <unnamed> <no
policy> policy initiator phase 1 doi 1 exchange 5 step 0
222811.704770 Exch 10 exchange_establish_p1: icookie 29e020b22dc5b89e
rcookie 0000000000000000
222811.704817 Exch 10 exchange_establish_p1: msgid 00000000
222811.704890 Mesg 90 message_alloc: allocated 0x88c5e700
222811.704949 Exch 90 exchange_validate: checking for required INFO
222811.704996 Mesg 70 message_send: message 0x88c5e700
222811.705087 Mesg 70 ICOOKIE: 29e020b22dc5b89e
222811.705162 Mesg 70 RCOOKIE: 0000000000000000
222811.705206 Mesg 70 NEXT_PAYLOAD: NOTIFY
222811.705257 Mesg 70 VERSION: 16
222811.705299 Mesg 70 EXCH_TYPE: INFO
222811.705343 Mesg 70 FLAGS: [ ]
222811.705396 Mesg 70 MESSAGE_ID: 00000000
222811.705443 Mesg 70 LENGTH: 40
222811.705572 Mesg 70 message_send: 29e020b2 2dc5b89e 00000000 00000000
0b100500 00000000 00000028 0000000c
222811.705640 Mesg 70 message_send: 00000001 0100000e
222811.705712 Exch 40 exchange_run: exchange 0x7c2f1f00 finished step 0,
advancing...
222811.705758 Mesg 20 message_free: freeing 0x88c5e500
222811.705824 SA   80 sa_release: SA 0x7c2f1e00 had 3 references
222811.706024 Exch 10 exchange_finalize: 0x7c2f1f00 <unnamed> <no
policy> policy initiator phase 1 doi 1 exchange 5 step 1
222811.706083 Exch 10 exchange_finalize: icookie 29e020b22dc5b89e
rcookie 0000000000000000
222811.706130 Exch 10 exchange_finalize: msgid 00000000
222811.706181 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x7c2f1f00)
222811.706235 Exch 80 exchange_free_aux: freeing exchange 0x7c2f1f00
222811.706312 Mesg 20 message_free: freeing 0x88c5e700
222821.705327 Trpt 70 transport_setup: added 0x7f166d80 to transport
list
222821.705421 Trpt 70 transport_setup: added 0x7f166dc0 to transport
list
222821.705475 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166d40 (main
is 0x7f166d80)
222821.705524 Trpt 70 transport_setup: virtual transport 0x7f166d40
222821.705604 Mesg 90 message_alloc: allocated 0x88c5e500
222821.705653 Mesg 70 message_recv: message 0x88c5e500
222821.705738 Mesg 70 ICOOKIE: a5fec4648ae6532f
222821.705807 Mesg 70 RCOOKIE: 0000000000000000
222821.705852 Mesg 70 NEXT_PAYLOAD: SA
222821.705913 Mesg 70 VERSION: 16
222821.705957 Mesg 70 EXCH_TYPE: ID_PROT
222821.706002 Mesg 70 FLAGS: [ ]
222821.706055 Mesg 70 MESSAGE_ID: 00000000
222821.706102 Mesg 70 LENGTH: 84
222821.706235 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222821.706374 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222821.706535 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222821.706586 Mesg 90 message_recv: dropping setup for existing SA
222821.706630 Mesg 20 message_free: freeing 0x88c5e500
222821.706700 Trpt 70 transport_release: freeing 0x7f166d40
222821.706753 Trpt 90 udp_remove: removed transport 0x7f166dc0
222821.706810 Trpt 90 udp_remove: removed transport 0x7f166d80
222821.706855 Trpt 90 virtual_remove: removed 0x7f166d40
222831.720187 Trpt 70 transport_setup: added 0x7f166d80 to transport
list
222831.720275 Trpt 70 transport_setup: added 0x7f166dc0 to transport
list
222831.720328 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166d40 (main
is 0x7f166d80)
222831.720377 Trpt 70 transport_setup: virtual transport 0x7f166d40
222831.720464 Mesg 90 message_alloc: allocated 0x88c5e500
222831.720512 Mesg 70 message_recv: message 0x88c5e500
222831.720579 Mesg 70 ICOOKIE: a5fec4648ae6532f
222831.720648 Mesg 70 RCOOKIE: 0000000000000000
222831.720694 Mesg 70 NEXT_PAYLOAD: SA
222831.720749 Mesg 70 VERSION: 16
222831.720793 Mesg 70 EXCH_TYPE: ID_PROT
222831.720838 Mesg 70 FLAGS: [ ]
222831.720892 Mesg 70 MESSAGE_ID: 00000000
222831.720939 Mesg 70 LENGTH: 84
222831.721073 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222831.721212 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222831.721316 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222831.721367 Mesg 90 message_recv: dropping setup for existing SA
222831.721412 Mesg 20 message_free: freeing 0x88c5e500
222831.721480 Trpt 70 transport_release: freeing 0x7f166d40
222831.721533 Trpt 90 udp_remove: removed transport 0x7f166dc0
222831.721592 Trpt 90 udp_remove: removed transport 0x7f166d80
222831.721638 Trpt 90 virtual_remove: removed 0x7f166d40
222841.714391 Trpt 70 transport_setup: added 0x7f166d80 to transport
list
222841.714467 Trpt 70 transport_setup: added 0x7f166dc0 to transport
list
222841.714581 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166d40 (main
is 0x7f166d80)
222841.714628 Trpt 70 transport_setup: virtual transport 0x7f166d40
222841.714712 Mesg 90 message_alloc: allocated 0x88c5e500
222841.714759 Mesg 70 message_recv: message 0x88c5e500
222841.714825 Mesg 70 ICOOKIE: a5fec4648ae6532f
222841.714895 Mesg 70 RCOOKIE: 0000000000000000
222841.714939 Mesg 70 NEXT_PAYLOAD: SA
222841.714993 Mesg 70 VERSION: 16
222841.715037 Mesg 70 EXCH_TYPE: ID_PROT
222841.715081 Mesg 70 FLAGS: [ ]
222841.715134 Mesg 70 MESSAGE_ID: 00000000
222841.715181 Mesg 70 LENGTH: 84
222841.715313 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222841.715450 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222841.715553 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222841.715601 Mesg 90 message_recv: dropping setup for existing SA
222841.715645 Mesg 20 message_free: freeing 0x88c5e500
222841.715730 Trpt 70 transport_release: freeing 0x7f166d40
222841.715781 Trpt 90 udp_remove: removed transport 0x7f166dc0
222841.715840 Trpt 90 udp_remove: removed transport 0x7f166d80
222841.715885 Trpt 90 virtual_remove: removed 0x7f166d40
222851.713118 Trpt 70 transport_setup: added 0x7f166d80 to transport
list
222851.713204 Trpt 70 transport_setup: added 0x7f166dc0 to transport
list
222851.713258 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166d40 (main
is 0x7f166d80)
222851.713307 Trpt 70 transport_setup: virtual transport 0x7f166d40
222851.713399 Mesg 90 message_alloc: allocated 0x88c5e500
222851.713447 Mesg 70 message_recv: message 0x88c5e500
222851.713513 Mesg 70 ICOOKIE: a5fec4648ae6532f
222851.713582 Mesg 70 RCOOKIE: 0000000000000000
222851.713628 Mesg 70 NEXT_PAYLOAD: SA
222851.713684 Mesg 70 VERSION: 16
222851.713729 Mesg 70 EXCH_TYPE: ID_PROT
222851.713774 Mesg 70 FLAGS: [ ]
222851.713828 Mesg 70 MESSAGE_ID: 00000000
222851.713876 Mesg 70 LENGTH: 84
222851.714009 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222851.714193 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222851.714296 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222851.714345 Mesg 90 message_recv: dropping setup for existing SA
222851.714390 Mesg 20 message_free: freeing 0x88c5e500
222851.714460 Trpt 70 transport_release: freeing 0x7f166d40
222851.714511 Trpt 90 udp_remove: removed transport 0x7f166dc0
222851.714568 Trpt 90 udp_remove: removed transport 0x7f166d80
222851.714614 Trpt 90 virtual_remove: removed 0x7f166d40
222852.795722 Timr 10 timer_handle_expirations: event
connection_checker(0x7e9ece80)
222852.795837 Timr 10 timer_add_event: event
connection_checker(0x7e9ece80) added before
exchange_free_aux(0x7c2f1d00), expiration in 60s
222852.795892 SA   90 sa_find: no SA matched query
222852.795937 Sdep 70 pf_key_v2_connection_check: SA for IPSec-remote
missing
222852.796021 Exch 90 exchange_lookup_by_name: IPSec-remote ==
ISAKMP-peer-cisco && 2 == 1?
222852.796075 Exch 90 exchange_lookup_by_name: IPSec-remote ==
ISAKMP-peer-cisco && 2 == 1?
222852.796131 SA   90 sa_find: no SA matched query
222852.796219 Exch 90 exchange_lookup_by_name: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
222852.796271 Exch 40 exchange_establish: ISAKMP-peer-cisco exchange
already exists as 0x7c2f1d00
222852.796324 Exch 90 exchange_lookup_by_name: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
222901.713746 Trpt 70 transport_setup: added 0x7f166d80 to transport
list
222901.713839 Trpt 70 transport_setup: added 0x7f166dc0 to transport
list
222901.713893 Trpt 50 virtual_clone: old 0x7f58df40 new 0x7f166d40 (main
is 0x7f166d80)
222901.713941 Trpt 70 transport_setup: virtual transport 0x7f166d40
222901.714026 Mesg 90 message_alloc: allocated 0x88c5e500
222901.714075 Mesg 70 message_recv: message 0x88c5e500
222901.714141 Mesg 70 ICOOKIE: a5fec4648ae6532f
222901.714207 Mesg 70 RCOOKIE: 0000000000000000
222901.714252 Mesg 70 NEXT_PAYLOAD: SA
222901.714361 Mesg 70 VERSION: 16
222901.714405 Mesg 70 EXCH_TYPE: ID_PROT
222901.714450 Mesg 70 FLAGS: [ ]
222901.714502 Mesg 70 MESSAGE_ID: 00000000
222901.714549 Mesg 70 LENGTH: 84
222901.714716 Mesg 70 message_recv: a5fec464 8ae6532f 00000000 00000000
01100200 00000000 00000054 00000038
222901.714854 Mesg 70 message_recv: 00000001 00000001 0000002c 01010001
00000024 01010000 80010005 80020002
222901.714956 Mesg 70 message_recv: 80040002 80030001 800b0001 000c0004
00015180
222901.715005 Mesg 90 message_recv: dropping setup for existing SA
222901.715048 Mesg 20 message_free: freeing 0x88c5e500
222901.715116 Trpt 70 transport_release: freeing 0x7f166d40
222901.715167 Trpt 90 udp_remove: removed transport 0x7f166dc0
222901.715226 Trpt 90 udp_remove: removed transport 0x7f166d80
222901.715271 Trpt 90 virtual_remove: removed 0x7f166d40
222952.795746 Timr 10 timer_handle_expirations: event
exchange_free_aux(0x7c2f1b00)
222952.795842 Exch 80 exchange_free_aux: freeing exchange 0x7c2f1b00
222952.795925 Exch 20 exchange_establish_finalize: finalizing exchange
0x7c2f1b00 with arg 0x89f1d4a0 (IPSec-remote) & fail = 1
222952.795987 SA   90 sa_find: no SA matched query
222952.796136 SA   80 sa_release: SA 0x7c2f1c00 had 2 references
222952.796184 SA   70 sa_remove: SA 0x7c2f1c00 removed from SA list
222952.796232 SA   80 sa_release: SA 0x7c2f1c00 had 1 references
222952.796277 SA   60 sa_release: freeing SA 0x7c2f1c00
222952.796380 Timr 10 timer_handle_expirations: event
connection_checker(0x7e9ece80)
222952.796483 Timr 10 timer_add_event: event
connection_checker(0x7e9ece80) added last, expiration in 60s
222952.796532 SA   90 sa_find: no SA matched query
222952.796577 Sdep 70 pf_key_v2_connection_check: SA for IPSec-remote
missing
222952.796644 Exch 90 exchange_lookup_by_name: IPSec-remote ==
ISAKMP-peer-cisco && 2 == 1?
222952.796703 SA   90 sa_find: no SA matched query
222952.796790 Exch 90 exchange_lookup_by_name: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
222952.796843 Exch 40 exchange_establish: ISAKMP-peer-cisco exchange
already exists as 0x7c2f1d00
222952.796951 Exch 90 exchange_lookup_by_name: ISAKMP-peer-cisco ==
ISAKMP-peer-cisco && 1 == 1?
223011.715735 Timr 10 timer_handle_expirations: event
exchange_free_aux(0x7c2f1d00)
223011.715817 Exch 80 exchange_free_aux: freeing exchange 0x7c2f1d00
223011.715894 Exch 20 exchange_establish_finalize: finalizing exchange
0x7c2f1d00 with arg 0x89f1d500 (IPSec-remote) & fail = 1
223011.715953 SA   90 sa_find: no SA matched query
223011.716067 Exch 20 exchange_establish_finalize: finalizing exchange
0x7c2f1d00 with arg 0x89f1d4a0 (IPSec-remote) & fail = 1
223011.716118 SA   90 sa_find: no SA matched query
223011.716205 SA   80 sa_release: SA 0x7c2f1e00 had 2 references
223011.716285 SA   70 sa_remove: SA 0x7c2f1e00 removed from SA list
223011.716333 SA   80 sa_release: SA 0x7c2f1e00 had 1 references
223011.716377 SA   60 sa_release: freeing SA 0x7c2f1e00
223011.716436 Trpt 70 transport_release: freeing 0x7f166bc0
223011.716486 Trpt 90 udp_remove: removed transport 0x7f166c40
223011.716533 Trpt 90 udp_remove: removed transport 0x7f166c00
223011.716579 Trpt 90 virtual_remove: removed 0x7f166bc0
223023.685900 Default isakmpd: shutting down...
223023.685996 SA   90 sa_find: no SA matched query
223023.686041 SA   90 sa_find: no SA matched query
223023.686082 Default isakmpd: exit


[General]
Listen-On=      192.168.247.28
Policy-File= /etc/isakmpd/isakmpd.policy
[Phase 1]
192.168.246.247=        ISAKMP-peer-cisco

[Phase 2]
Connections=    IPSec-remote

[ISAKMP-peer-cisco]
Phase=                  1
Transport=              udp
Address=                192.168.246.247
Local-address=          192.168.247.28
Configuration=          secret-main-mode
Authentication=         MYSECRETPHRASE

[IPsec-remote]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-cisco
Configuration=          Default-quick-mode
Local-ID=               Net-internal
Remote-ID=              Net-remote

[Net-internal]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.43.0
Netmask=                255.255.255.0

[Net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.26.0
Netmask=                255.255.255.0

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

[secret-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-SHARED

[3DES-SHA-SHARED]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED




*Oct  3 17:32:40.970: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.246.247, remote=
192.168.247.28,
    local_proxy= 192.168.26.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.43.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xECE82073(3974635635), conn_id= 0, keysize= 0, flags= 0x400B
*Oct  3 17:32:40.978: ISAKMP: received ke message (1/1)
*Oct  3 17:32:40.978: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Oct  3 17:32:40.978: ISAKMP: Created a peer struct for 192.168.247.28, peer port 500
*Oct  3 17:32:40.978: ISAKMP: New peer created peer = 0x821C37FC peer_handle = 0x8000000E
*Oct  3 17:32:40.978: ISAKMP: Locking peer struct 0x821C37FC, IKE refcount 1 for isakmp_initiator
*Oct  3 17:32:40.978: ISAKMP: local port 500, remote port 500
*Oct  3 17:32:40.978: ISAKMP: set new node 0 to QM_IDLE
*Oct  3 17:32:40.982: insert sa successfully sa = 81F99A28
*Oct  3 17:32:40.982: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode,
trying Main mode.
*Oct  3 17:32:40.982: ISAKMP:(0:0:N/A:0):Looking for a matching key for
192.168.247.28 in default
*Oct  3 17:32:40.982: ISAKMP:(0:0:N/A:0): : success
*Oct  3 17:32:40.982: ISAKMP:(0:0:N/A:0):found peer pre-shared key
matching 192.168.247.28
*Oct  3 17:32:40.982: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC,
IKE_SA_REQ_MM
*Oct  3 17:32:40.986: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New
State = IKE_I_MM1

*Oct  3 17:32:40.986: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Oct  3 17:32:40.986: ISAKMP:(0:0:N/A:0): sending packet to
192.168.247.28 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct  3 17:32:41.026: ISAKMP (0:0): received packet from 192.168.247.28
dport 500 sport 500 Global (N) NEW SA
*Oct  3 17:32:41.026: %CRYPTO-4-IKMP_NO_SA: IKE message from
192.168.247.28  has no SA and is not an initialization offer.....
*Oct  3 17:32:50.986: ISAKMP:(0:0:N/A:0): retransmitting phase 1
MM_NO_STATE...
*Oct  3 17:32:50.986: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Oct  3 17:32:50.986: ISAKMP:(0:0:N/A:0): retransmitting phase 1
MM_NO_STATE
*Oct  3 17:32:50.986: ISAKMP:(0:0:N/A:0): sending packet to
192.168.247.28 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct  3 17:33:00.998: ISAKMP:(0:0:N/A:0): retransmitting phase 1
MM_NO_STATE...
*Oct  3 17:33:00.998: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Oct  3 17:33:00.998: ISAKMP:(0:0:N/A:0): retransmitting phase 1
MM_NO_STATE
*Oct  3 17:33:00.998: ISAKMP:(0:0:N/A:0): sending packet to
192.168.247.28 my_port 500 peer_port 500 (I) MM_NO_STATE


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MYSECRETPHRASE address 192.168.247.28
no crypto isakmp ccm
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer 192.168.247.28
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100

interface Dialer1
 ip address negotiated
 encapsulation ppp
 crypto map TUNNEL
!
access-list 100 permit ip 192.168.26.0 0.0.0.255 192.168.43.0 0.0.0.255
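
Added example, not part of the original thread: one way to "double check what is being proposed on both sides" is to decode the peer's phase 1 transform from the `message_recv` hex in the log above and compare it with the local `[3DES-SHA-SHARED]` section. The function names are this example's own; it assumes the 4-byte IPsec DOI situation field and that `MODP_1024` is the isakmpd.conf token for group 2.

```python
import struct

# Peer's first Main Mode packet: the 84 bytes from the "message_recv:" hex
# lines in the isakmpd log on this page.
PEER_PACKET = bytes.fromhex("".join("""
a5fec464 8ae6532f 00000000 00000000 01100200 00000000 00000054 00000038
00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002
80040002 80030001 800b0001 000c0004 00015180
""".split()))

# Transform section from the isakmpd.conf posted on this page.
LOCAL_SECTION = """
[3DES-SHA-SHARED]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
"""

# IKEv1 phase 1 attribute classes (RFC 2409, Appendix A).
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM",
              3: "AUTHENTICATION_METHOD", 4: "GROUP_DESCRIPTION",
              11: "LIFE_TYPE", 12: "LIFE_DURATION"}

# Wire value -> isakmpd.conf token, limited to the values in this packet.
# Assumption: MODP_1024 is the isakmpd.conf name for Diffie-Hellman group 2.
VALUE_NAMES = {"ENCRYPTION_ALGORITHM": {5: "3DES_CBC"},
               "HASH_ALGORITHM": {2: "SHA"},
               "AUTHENTICATION_METHOD": {1: "PRE_SHARED"},
               "GROUP_DESCRIPTION": {2: "MODP_1024"}}

def parse_attributes(data):
    """Decode ISAKMP data attributes (TV short form and TLV long form)."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        typ, val = struct.unpack_from("!HH", data, off)
        off += 4
        if not typ & 0x8000:                  # AF bit clear: val is a length
            if off + val > len(data):
                raise ValueError("truncated attribute value")
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        attrs[ATTR_NAMES.get(typ & 0x7FFF, "ATTR_%d" % (typ & 0x7FFF))] = val
    return attrs

def first_transform_attrs(pkt):
    """Walk header -> SA -> proposal -> first transform; return its attributes."""
    if len(pkt) < 56 or struct.unpack_from("!I", pkt, 24)[0] != len(pkt):
        raise ValueError("short packet or bad ISAKMP length field")
    if pkt[16] != 1:
        raise ValueError("first payload is not SA")
    prop = 28 + 12            # header, then SA generic hdr + DOI + 4-byte situation
    xf = prop + 8 + pkt[prop + 6]             # skip proposal header and SPI
    if xf + 8 > len(pkt):
        raise ValueError("truncated transform")
    xf_len = struct.unpack_from("!H", pkt, xf + 2)[0]
    if xf_len < 8 or xf + xf_len > len(pkt):
        raise ValueError("bad transform length")
    return parse_attributes(pkt[xf + 8:xf + xf_len])

def parse_section(text):
    """Read the Tag= Value lines of one isakmpd.conf section into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def mismatches(proposed, local):
    """Return (attribute, peer value, local value) where the sides differ."""
    diffs = []
    for name, table in VALUE_NAMES.items():
        if name in proposed:
            theirs = table.get(proposed[name], str(proposed[name]))
            if theirs != local.get(name):     # None: tag absent locally
                diffs.append((name, theirs, local.get(name)))
    return diffs

if __name__ == "__main__":
    peer = first_transform_attrs(PEER_PACKET)
    for d in mismatches(peer, parse_section(LOCAL_SECTION)):
        print("%s: peer proposes %s, local section has %s" % d)
```

On the data from this thread the only difference reported is `GROUP_DESCRIPTION`, which lines up with the `attribute_unacceptable` log line and with `group 2` in the Cisco ISAKMP policy.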
