
IPSEC woes



Thanks, everyone, for the links to info on setting up IPSEC.

I've been working on this today, and I'm wondering if the problem
I'm having is due to my network setup....

Windows XP <--> Cisco <-- net --> Cisco <--> Firewall --> LAN
10.0.0.203      w/NAT             no nat     OpenBSD/NAT  192.168.10.0

I'm wondering if the NAT on the Cisco is throwing the wrench in
the works.

I've changed the IPs in the traces to 333.333.333.333 and
999.999.999.999.  The 3s address is the public interface on the
1st Cisco (with NAT (Cisco PAT)).  The 9s address is the 
real world IP of the public interface on the OpenBSD Firewall/VPN.

Using isakmpd -d -l and then tcpdump, this is the exchange I see:

19:56:12.986094 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->0000000000000000 msgid: 00000000 len: 216
	payload: SA len: 164 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
	    payload: PROPOSAL len: 152 proposal: 1 proto: ISAKMP spisz: 0 xforms: 4
	        payload: TRANSFORM len: 36
	            transform: 1 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
	                attribute HASH_ALGORITHM = SHA
	                attribute GROUP_DESCRIPTION = MODP_1024
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 000070ffffff80
	        payload: TRANSFORM len: 36
	            transform: 2 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
	                attribute HASH_ALGORITHM = MD5
	                attribute GROUP_DESCRIPTION = MODP_1024
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 000070ffffff80
	        payload: TRANSFORM len: 36
	            transform: 3 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = DES_CBC
	                attribute HASH_ALGORITHM = SHA
	                attribute GROUP_DESCRIPTION = MODP_768
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 000070ffffff80
	        payload: TRANSFORM len: 36
	            transform: 4 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = DES_CBC
	                attribute HASH_ALGORITHM = MD5
	                attribute GROUP_DESCRIPTION = MODP_768
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 000070ffffff80
	payload: VENDOR len: 24 [ttl 0] (id 1)

19:56:12.986402 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 84
	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
	    payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
	        payload: TRANSFORM len: 36
	            transform: 1 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
	                attribute HASH_ALGORITHM = SHA
	                attribute GROUP_DESCRIPTION = MODP_1024
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 000070ffffff80 [ttl 0] (id 1)

19:56:13.114227 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 184
	payload: KEY_EXCH len: 132
	payload: NONCE len: 24 [ttl 0] (id 1)

19:56:13.142888 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 184
	payload: KEY_EXCH len: 132
	payload: NONCE len: 24 [ttl 0] (id 1)

19:56:13.208829 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 68
	payload: ID len: 12 type: IPV4_ADDR = 10.0.0.203
	payload: HASH len: 24 [ttl 0] (id 1)

19:56:13.208937 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 92
	payload: ID len: 12 type: IPV4_ADDR = 999.999.999.999
	payload: HASH len: 24
	payload: NOTIFICATION len: 28
	    notification: INITIAL CONTACT (f1295fb4455b4383->5de6bed8520439c5) [ttl 0] (id 1)

19:56:13.247254 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 1116
	payload: HASH len: 24
	payload: SA len: 1012 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
	    payload: PROPOSAL len: 92 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 2 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	        payload: TRANSFORM len: 40
	            transform: 2 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 2 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 48 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 36
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	    payload: PROPOSAL len: 52 proposal: 3 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: SHA
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	    payload: PROPOSAL len: 48 proposal: 3 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 36
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	    payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 40
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: SHA
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	    payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 40
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	    payload: PROPOSAL len: 92 proposal: 6 proto: IPSEC_ESP spisz: 4 xforms: 2 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	        payload: TRANSFORM len: 40
	            transform: 2 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 7 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 48 proposal: 7 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 36
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	    payload: PROPOSAL len: 52 proposal: 8 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: SHA
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	    payload: PROPOSAL len: 48 proposal: 8 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 36
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	    payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	    payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xf18599a6
	        payload: TRANSFORM len: 40
	            transform: 1 ID: SHA
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	    payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0765800d
	        payload: TRANSFORM len: 40
	            transform: 1 ID: DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	payload: NONCE len: 24
	payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
	payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 999.999.999.999 [ttl 0] (id 1)

19:56:13.247798 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 164
	payload: HASH len: 24
	payload: SA len: 64 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
	    payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5e5f1869
	        payload: TRANSFORM len: 40
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 00000e10
	                attribute LIFE_TYPE = KILOBYTES
	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
	                attribute ENCAPSULATION_MODE = TRANSPORT
	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
	payload: NONCE len: 24
	payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
	payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 999.999.999.999 [ttl 0] (id 1)

19:56:13.276832 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 52
	payload: HASH len: 24 [ttl 0] (id 1)

19:56:48.305065 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange INFO
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 106ab99c len: 68
	payload: HASH len: 24
	payload: DELETE len: 16 [ttl 0] (id 1)

19:56:48.311231 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange INFO
	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 9c143a0f len: 84
	payload: HASH len: 24
	payload: DELETE len: 28 [ttl 0] (id 1)


The Windows XP box never indicates it connects and finally errors
out saying it was expecting a response from the server.  At that
point it sends the INFO packets with the DELETE requests.

No errors get logged by isakmpd.... 

Here is the policy file (/etc/isakmpd/isakmpd.policy):

KeyNote-version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "passphrase:bigsecret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";


Here is the isakmpd.conf file:

[General]
Listen-on=              216.206.161.162
Exchange-max-time=      120
Retransmits=            5

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          Windows-main-mode
Authentication=         bigsecret

[IPsec-clients]
Phase=                  2
Configuration=          Windows-quick-mode
Local-ID=               Net-office
Remote-ID=              Host-remote

[Net-office]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.10.0
Netmask=                255.255.255.0

[Host-remote]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[Windows-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Windows-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

The last thing that happens before the failure is that
my XP host sends a QUICK_MODE payload HASH... then after
a period of time my XP host throws a dialog box saying
it expected a response, and sends two INFO packets with
payloads HASH and DELETE.

This will be for remote users, many of whom are behind
NATing firewalls (probably many Linksys cable routers).

I hope I haven't come this far to find out it won't work
in this situation.....

If it should work, maybe someone more experienced with isakmpd
will see something I didn't in the traces.

Thanks in advance,

  -- Curt
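An added diagnostic, not part of Curt's post and not isakmpd code: a small parser over the tcpdump isakmp output above that checks whether the address the initiator puts in its ID payload matches the address its packets actually arrive from (the tell-tale of a NAT in the path), whether the quick-mode proposal asks for transport mode, and whether the phase 2 selector is UDP/1701 (the Windows L2TP/IPsec client). The regexes assume the OpenBSD tcpdump decoder format shown in the post, and the sample trace is a constructed, abridged copy of the post's own trace.

```python
import re

# Constructed, abridged excerpt of the tcpdump output quoted above, keeping the post's
# placeholder addresses (333... is the NAT router's public side, 999... the gateway).
SAMPLE_TRACE = """\
19:56:13.208829 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
\tpayload: ID len: 12 type: IPV4_ADDR = 10.0.0.203
19:56:13.247254 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
\t                attribute ENCAPSULATION_MODE = TRANSPORT
\tpayload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
\tpayload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 999.999.999.999
"""

# Patterns tailored to the OpenBSD tcpdump isakmp decoder output shown in the post.
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+)\.500 > (\S+)\.500:")
IDP = re.compile(r"payload: ID len: \d+ (?:proto: (\d+) port: (\d+) )?type: IPV4_ADDR = (\S+)")
ENCAP = re.compile(r"ENCAPSULATION_MODE = (\S+)")

def analyze(trace):
    # Collect the facts from the trace that decide whether a NAT is breaking the tunnel.
    f = dict(initiator=None, claimed_id=None, nat_in_path=False, transport_mode=False, l2tp=False)
    src, skip_ids = None, True
    for line in trace.splitlines():
        m = HDR.match(line)
        if m:
            src = m.group(1)
            f["initiator"] = f["initiator"] or src  # the first packet comes from the initiator
            skip_ids = src != f["initiator"]         # only the initiator's own ID is of interest
            continue
        m = IDP.search(line)
        if m and not skip_ids:
            # The first ID payload of an initiator packet is its own identity (IDii / IDci). A
            # private address that differs from the packet's source means a NAT rewrote the header.
            skip_ids = True
            proto, port, addr = m.groups()
            f["claimed_id"] = addr
            f["nat_in_path"] = f["nat_in_path"] or addr != src
            f["l2tp"] = f["l2tp"] or (proto == "17" and port == "1701")
        elif (m := ENCAP.search(line)) and m.group(1) == "TRANSPORT":
            f["transport_mode"] = True
    return f

def diagnose(f):
    # Map the findings to what an operator should check next.
    notes = []
    if f["nat_in_path"]:
        notes.append("nat-in-path: initiator identifies itself as %s but its packets arrive from %s" % (f["claimed_id"], f["initiator"]))
    if f["nat_in_path"] and f["transport_mode"]:
        notes.append("esp-through-pat: transport-mode ESP carries no port numbers for a port-translating NAT to rewrite, "
                     "so phase 2 can complete while the ESP packets after it go nowhere; NAT-T (UDP-encapsulated ESP) is needed on both peers")
    if f["l2tp"]:
        notes.append("l2tp-ipsec: the quick-mode ID selects UDP/1701, i.e. the Windows L2TP/IPsec client in transport mode, not a plain ESP tunnel to the LAN")
    return notes
```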


