Steven Surdock wrote:
Greetings, I recently converted from isakmpd.conf to ipsec.conf and I
seem to be having a problem bringing up a second tunnel to a PIX. It
_appears_ that the OBSD side is trying to use the default hmac
(sha2_256) even though it is configured to use md5 for the second
tunnel. Oddly, the first tunnel comes up fine. Any insight or
trouble-shooting tips would be appreciated. BTW, is there any way to see
what flows have been "configured"? "ipsecctl -sf" seemed to only show a
flow when phase I was complete.
ipsecctl -sf
--------
flow esp in from 192.168.60.192/28 to 10.10.0.0/16 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type use
flow esp out from 10.10.0.0/16 to 192.168.60.192/28 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type require
++++++++
The local peer (OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT
2007) is configured like:
--------
ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
peer 192.168.40.8 \
local 192.168.13.4 \
main auth hmac-md5 enc aes group modp1024 \
psk "Hereismylovelykey"
++++++++
/var/log/messages:
--------
Apr 23 12:28:52 fw1 isakmpd[965]: transport_send_messages: giving up on
exchange IPsec-10.5.0.0/24-192.168.60.192/28, no response from peer
192.168.40.8:500
Apr 23 12:28:52 fw1 isakmpd[965]: message_recv: bad message length
Apr 23 12:28:52 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type <Unknown 0>
...more of the above
Apr 23 12:29:37 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type <Unknown 0>
Apr 23 12:30:25 fw1 isakmpd[965]: message_validate_notify: protocol not
supported
Apr 23 12:30:33 fw1 isakmpd[965]: message_recv: bad message length
++++++++
The remote is a PIX configured like:
--------
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.10.0.0
255.255.0.0
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.5.0.0
255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set RMT esp-aes esp-md5-hmac
crypto map RMT 10 ipsec-isakmp
crypto map RMT 10 match address 100
crypto map RMT 10 set peer 192.168.13.4
crypto map RMT 10 set transform-set RMT
crypto map RMT interface outside
isakmp enable outside
isakmp key ******** address 192.168.13.4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
++++++++
The PIX debug says:
--------
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3599058422
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 1200
ISAKMP: encaps is 1
ISAKMP: authentication algorithm... What? 5?
ISAKMP: group is 2
ISAKMP: key length is 128
IPSEC(validate_proposal): transform
proposal (prot 3, trans 12, hmac_alg 5) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0xd68545f6
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xd68545f6
++++++++
I too have the same problem.
I have a LAN-to-LAN tunnel with pfsync, carp and sasync, and it works flawlessly with
another OpenBSD system as the peer.
I tried to enable an OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)).
I defined "quick auth hmac-sha enc aes"; when I do that, phase 1 completes.
ipsec.conf
ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
local 10.200.3.7 peer 10.200.3.1 \
main auth hmac-sha1 enc aes \
quick auth hmac-sha enc aes \
srcid 10.200.3.7 psk "F00F00Bar"
snippet from PIX firewall:
crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 1 ipsec-isakmp
crypto map VPN_MAP 1 match address VPN_ACL
crypto map VPN_MAP 1 set peer 10.200.3.7
crypto map VPN_MAP 1 set transform-set IPSEC_SET
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 10.200.3.7 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
10.200.3.1 10.200.3.7 QM_IDLE 0 0
But phase 2 does not get established at all for some reason!
Does anybody need any more logs?
Thanks
Prabhu
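Added example, not code from either poster: a small Python checker that decodes the numeric codes in the PIX `validate_proposal` / `NOTIFY` debug lines using the IANA IPsec DOI registries (ESP transform ID, authentication-algorithm attribute, protocol ID, notify type) and compares the phase-2 ("quick") proposal in each ipsec.conf above with what the PIX transform-set accepts. The sample inputs are the configuration and debug lines quoted in the two messages. Two values it falls back on when a rule leaves them unstated are assumptions taken from the thread rather than from documentation: the phase-2 default auth of sha2_256 reported in the first message, and 128-bit keys for a bare `aes` (the PIX debug shows "key length is 128" for the first configuration).

```python
"""Decode a PIX phase-2 rejection and compare both sides' ESP proposals.

Added example for this thread, not code from either poster. Sample inputs
are copied from the messages above; DEFAULT_QUICK is an assumption taken
from the first message (sha2_256 default) and the PIX debug (128-bit aes).
"""
import re

# IANA IPsec DOI registries (RFC 2407, RFC 4868).
ESP_TRANSFORM = {2: "DES-CBC", 3: "3DES-CBC", 11: "NULL", 12: "AES-CBC"}
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256",
            6: "HMAC-SHA2-384", 7: "HMAC-SHA2-512"}
PROTO_ID = {1: "ISAKMP", 2: "AH", 3: "ESP"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION"}

# Vendor keywords normalised to one vocabulary: (cipher, key bits) and auth name.
PIX_ENC = {"esp-des": ("DES", 56), "esp-3des": ("3DES", 168), "esp-aes": ("AES", 128),
           "esp-aes-192": ("AES", 192), "esp-aes-256": ("AES", 256)}
PIX_AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA1"}
CONF_ENC = {"des": ("DES", 56), "3des": ("3DES", 168), "aes": ("AES", 128),
            "aes-128": ("AES", 128), "aes-192": ("AES", 192), "aes-256": ("AES", 256)}
CONF_AUTH = {"hmac-md5": "HMAC-MD5", "hmac-sha": "HMAC-SHA1", "hmac-sha1": "HMAC-SHA1",
             "hmac-sha2-256": "HMAC-SHA2-256", "hmac-sha2-384": "HMAC-SHA2-384",
             "hmac-sha2-512": "HMAC-SHA2-512"}
# Assumed phase-2 values when the rule has no "quick" clause (from the thread).
DEFAULT_QUICK = {"enc": ("AES", 128), "auth": "HMAC-SHA2-256"}


def conf_quick_proposal(ipsec_conf):
    """Return {"enc": (cipher, bits), "auth": name} for the quick clause."""
    text = re.sub(r"\\\s*\n", " ", ipsec_conf)  # join backslash-continued lines
    proposal = dict(DEFAULT_QUICK)
    m = re.search(r"\bquick((?:\s+(?:auth|enc|group)\s+\S+)+)", text)
    if m:
        for key, val in re.findall(r"(auth|enc|group)\s+(\S+)", m.group(1)):
            if key == "auth":
                proposal["auth"] = CONF_AUTH.get(val, val)
            elif key == "enc":
                proposal["enc"] = CONF_ENC.get(val, (val, None))
    return proposal


def pix_transform_sets(pix_config):
    """Return [((cipher, bits), auth), ...] for every PIX transform-set."""
    accepted = []
    for m in re.finditer(r"crypto ipsec transform-set \S+ (.+)", pix_config):
        enc, auth = None, None
        for kw in m.group(1).split():
            enc = PIX_ENC.get(kw, enc)
            auth = PIX_AUTH.get(kw, auth)
        accepted.append((enc, auth))
    return accepted


def decode_pix_reject(debug):
    """Translate the numeric codes in a PIX validate_proposal rejection."""
    m = re.search(r"\(prot (\d+), trans (\d+), hmac_alg (\d+)\) not supported", debug)
    if not m:
        return None
    prot, trans, auth = (int(x) for x in m.groups())
    n = re.search(r"sending NOTIFY message (\d+)", debug)
    return {"protocol": PROTO_ID.get(prot, f"unknown({prot})"),
            "transform": ESP_TRANSFORM.get(trans, f"unknown({trans})"),
            "auth": AUTH_ALG.get(auth, f"unknown({auth})"),
            "notify": NOTIFY.get(int(n.group(1)), f"unknown({n.group(1)})") if n else None}


def diagnose(ipsec_conf, pix_config, pix_debug=""):
    """List the phase-2 parameters on which the two sides cannot agree."""
    offered = conf_quick_proposal(ipsec_conf)
    accepted = pix_transform_sets(pix_config)
    findings = []
    if not any(enc == offered["enc"] for enc, _ in accepted):
        findings.append(f"enc: local offers {offered['enc']}, PIX accepts {[e for e, _ in accepted]}")
    if not any(auth == offered["auth"] for _, auth in accepted):
        findings.append(f"auth: local offers {offered['auth']}, PIX accepts {[a for _, a in accepted]}")
    reject = decode_pix_reject(pix_debug)
    if reject and reject["auth"] != offered["auth"]:
        findings.append(f"debug shows {reject['auth']} on the wire, expected {offered['auth']}")
    return {"offered": offered, "accepted": accepted, "reject": reject, "findings": findings}


# Sample inputs copied from the two messages above.
STEVEN_CONF = r"""ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
peer 192.168.40.8 \
local 192.168.13.4 \
main auth hmac-md5 enc aes group modp1024 \
psk "Hereismylovelykey"
"""
STEVEN_PIX = "crypto ipsec transform-set RMT esp-aes esp-md5-hmac\n"
STEVEN_DEBUG = ("IPSEC(validate_proposal): transform\n"
                "proposal (prot 3, trans 12, hmac_alg 5) not supported\n"
                "ISAKMP (0): sending NOTIFY message 14 protocol 0\n")
PRABHU_CONF = r"""ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
local 10.200.3.7 peer 10.200.3.1 \
main auth hmac-sha1 enc aes \
quick auth hmac-sha enc aes \
srcid 10.200.3.7 psk "F00F00Bar"
"""
PRABHU_PIX = "crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac\n"

if __name__ == "__main__":
    for name, args in (("first", (STEVEN_CONF, STEVEN_PIX, STEVEN_DEBUG)),
                       ("second", (PRABHU_CONF, PRABHU_PIX))):
        result = diagnose(*args)
        print(name, result["reject"], result["findings"] or "no mismatch found")
```

The checker only knows the keyword tables above, so treat its output as candidate mismatches to confirm against `isakmpd -d -DA=50` or the PIX debug rather than as a verdict; the `reject` decoding is the part that needs no assumptions, since it maps the wire-level numbers the PIX prints straight to the registry names.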