cisco to netscreen ipsec

brewerts
Level 1

Hi, I'm having trouble getting a Cisco 2621 to talk to a NetScreen 10 via IPsec. Can anyone state if this pair combination will work?

The relevant bits of my config are:

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key not-our-real-password address x.x.x.x
!
!
crypto ipsec transform-set netscreen ah-sha-hmac esp-des
!
crypto map netscreen 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set netscreen
 set pfs group2
 match address 115

interface FastEthernet0/0
 description conn to web
 ip address z.z.z.z
 ip access-group external_in in #this list allows udp 500, ahp and esp
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 keepalive 2
 speed 100
 full-duplex
 service-policy input http_attacks
 crypto map netscreen #crypto map applied to this interface

#don't NAT my private network to their private network, NAT everything else
ip access-list extended nat_list
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.99.0 0.0.0.255 any

#encrypt this traffic
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

613: Feb 13 14:16:28.171: ISAKMP (0:1): processing ID payload. message ID = 0
614: Feb 13 14:16:28.171: ISAKMP (0:1): processing HASH payload. message ID = 0
615: Feb 13 14:16:28.171: CryptoEngine0: generate hmac context for conn id 1
616: Feb 13 14:16:28.171: ISAKMP (0:1): SA has been authenticated with x.x.x.x
617: Feb 13 14:16:28.175: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1407123716
618: Feb 13 14:16:28.175: CryptoEngine0: generate alg parameter
619: Feb 13 14:16:28.395: CRYPTO_ENGINE: Dh phase 1 status: 0
620: Feb 13 14:16:28.395: CRYPTO_ENGINE: Dh phase 1 status: 0
621: Feb 13 14:16:28.399: CryptoEngine0: generate hmac context for conn id 1
622: Feb 13 14:16:28.399: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
623: Feb 13 14:16:28.403: CryptoEngine0: clear dh number for conn id 1
624: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
625: Feb 13 14:16:38.403: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
626: Feb 13 14:16:38.403: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
627: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
628: Feb 13 14:16:38.403: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
631: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
632: Feb 13 14:16:48.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
633: Feb 13 14:16:48.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
634: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
635: Feb 13 14:16:48.404: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
636: Feb 13 14:16:57.384: IPSEC(key_engine): request timer fired: count = 1,
637: (identity) local= z.z.z.z, remote= x.x.x.x,
638: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
639: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
640: Feb 13 14:16:57.384: IPSEC(sa_request): ,
641: (key eng. msg.) OUTBOUND local= z.z.z.z, remote= x.x.x.x,
642: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
643: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
644: protocol= AH, transform= ah-sha-hmac ,
645: lifedur= 3600s and 4608000kb,
646: spi= 0xCE51142F(3461420079), conn_id= 0, keysize= 0, flags= 0x400D
647: Feb 13 14:16:57.384: IPSEC(sa_request):
648: ,
649: (key eng. msg.) OUTBOUND local= z.z.z.z, remote= x.x.x.x,
650: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
651: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
652: protocol= ESP, transform= esp-des ,
653: lifedur= 3600s and 4608000kb,
654: spi= 0xAB72C88(179776648), conn_id= 0, keysize= 0, flags= 0x400D
655: Feb 13 14:16:57.388: ISAKMP: received ke message (1/2)
656: Feb 13 14:16:57.388: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )
657: Feb 13 14:16:57.388: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 92910466
658: Feb 13 14:16:57.392: CryptoEngine0: generate alg parameter
659: Feb 13 14:16:57.608: CRYPTO_ENGINE: Dh phase 1 status: 0
660: Feb 13 14:16:57.608: CRYPTO_ENGINE: Dh phase 1 status: 0
661: Feb 13 14:16:57.612: CryptoEngine0: generate hmac context for conn id 1
662: Feb 13 14:16:57.616: ISAKMP (0:1): sending packet to 160.79.125.66 (I) QM_IDLE
663: Feb 13 14:16:58.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
664: Feb 13 14:16:58.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
665: Feb 13 14:16:58.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
666: Feb 13 14:16:58.404: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
667: Feb 13 14:16:58.404: ISAKMP (0:1): sending packet to 160.79.125.66 (I) QM_IDLE
668: Feb 13 14:17:07.616: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 92910466 ...
669: Feb 13 14:17:07.616: ISAKMP (0:1): peer does not do paranoid keepalives.
670:
671: Feb 13 14:17:07.616: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer x.x.x.x) input queue 0
672: Feb 13 14:17:07.616: CryptoEngine0: generate hmac context for conn id 1
673: Feb 13 14:17:07.620: ISAKMP (0:1): sending packet to x.x.x.x (I) MM_NO_STATE
674: Feb 13 14:17:07.620: ISAKMP (0:1): purging node 2085085611
675: Feb 13 14:17:07.620: ISAKMP (0:1): deleting node 1407123716 error TRUE reason "death by retransmission P2"
676: Feb 13 14:17:07.620: ISAKMP (0:1): deleting node 92910466 error TRUE reason "death by retransmission P2"
677: Feb 13 14:17:27.385: IPSEC(key_engine): request timer fired: count = 2,
678: (identity) local= z.z.z.z, remote= x.x.x.x,
679: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
680: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
681: Feb 13 14:17:27.385: ISAKMP: received ke message (3/1)
682: Feb 13 14:17:27.385: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src z.z.z.z dst x.x.x.x for SPI 0x0
684: Feb 13 14:17:57.622: ISAKMP (0:1): purging node 1407123716
685: Feb 13 14:17:57.622: CryptoEngine0: clear dh number for conn id 2
686: Feb 13 14:17:57.622: ISAKMP (0:1): purging node 92910466
687: Feb 13 14:17:57.622: CryptoEngine0: clear dh number for conn id 3
688: Feb 13 14:18:07.622: ISAKMP (0:1): purging SA., sa=826DA278, delme=826DA278
689: Feb 13 14:18:07.622: CryptoEngine0: delete connection 1

From this output, it looks like phase 1 (Main Mode??) is completing fine but phase 2 (Quick Mode??) is failing?

Any ideas ?

thanks

_scott
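Reading a debug like this by hand is error-prone, so here is an added example (my own, not from the thread or from Cisco) in Python that pulls the phase 1 / phase 2 milestones and the phase 2 proposal (proxy IDs and transforms) out of IOS debug crypto isakmp / debug crypto ipsec output. The sample lines are a constructed excerpt modelled on the post, and the dictionary key names are my own.

```python
import re

# Constructed excerpt modelled on the debug lines in the post, not a real capture.
SAMPLE_DEBUG = """\
616: Feb 13 14:16:28.171: ISAKMP (0:1): SA has been authenticated with x.x.x.x
617: Feb 13 14:16:28.175: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1407123716
624: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
631: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
642: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
643: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
644: protocol= AH, transform= ah-sha-hmac ,
652: protocol= ESP, transform= esp-des ,
671: Feb 13 14:17:07.616: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE
"""

# local_proxy= net/mask/protocol/port   and   protocol= AH|ESP, transform= name
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"protocol= (AH|ESP), transform= (\S+)")


def triage(debug_text):
    """Return how far IKE got and what the router proposed for phase 2."""
    s = {"phase1_authenticated": False, "phase2_retransmits": 0,
         "phase2_dead": False, "local_proxy": None, "remote_proxy": None,
         "transforms": []}
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            s["phase1_authenticated"] = True    # Main Mode finished
        elif "retransmitting phase 2" in line:
            s["phase2_retransmits"] += 1        # no QM2 came back from the peer
        elif "deleting SA" in line and "death by retransmission P2" in line:
            s["phase2_dead"] = True             # IOS gave up on phase 2
        m = PROXY_RE.search(line)
        if m:  # these proxy IDs are what the peer's phase 2 policy must mirror
            side, net, mask, proto, port = m.groups()
            s[side + "_proxy"] = (net, mask, int(proto), int(port))
        m = TRANSFORM_RE.search(line)
        if m:
            s["transforms"].append(m.group(2))
    return s


def verdict(s):
    """One-line diagnosis, checked in the order the phases happen."""
    if not s["phase1_authenticated"]:
        return "phase 1 (Main Mode) never completed: check ISAKMP policy and pre-shared key"
    if s["phase2_dead"] or s["phase2_retransmits"]:
        return ("phase 2 (Quick Mode) got no answer: compare the proxy IDs and "
                "transforms above with the peer's phase 2 settings")
    return "no IKE failure in this excerpt"
```

Run `verdict(triage(text))` on a pasted debug; the proxy IDs and transform names it extracts are the values to hold up against the peer's phase 2 configuration.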

4 Replies

gfullage
Cisco Employee

This should work. Can you initiate the tunnel from behind the NetScreen and capture those debugs on the router? We'll get more information that way about what's going wrong.

mart.norman
Level 1

Looks like a similar problem to IPsec between Cisco and a D-Link DI-804V.

I got:

17:25:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
    next-payload : 8
    type : 1
    addr : 1.1.1.1
    protocol : 17
    port : 0
    length : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE

and DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1

I am having the same problem with a Netgear FVS318 connecting to a VPN router (IOS).

Does anyone have an example config (PIX or IOS) to resolve this issue?

Hi,

I have the same problem configuring a FVS318 to a PIX. Does anyone have a sample for this?

Sebastian