Discussion:
[Ipsec-tools-devel] Problems racoon and cisco vpn
Pier
2010-02-09 13:45:20 UTC
Hi.
I'm trying to make an IPsec connection between our Linux firewall (Debian Lenny) and a Cisco ASA.
We already have some VPNs running without problems, but this one is driving me crazy.
We (me and the other sysadmin on the Cisco side) paired our configs and somehow got the VPN running, but after a while I get this error:

1.1.1.1 our end
2.2.2.2 cisco end

Feb 9 13:23:39 srv-fw racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=2288584209(0x88690611)
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=214152031(0xcc3b35f)
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=1552653271(0x5c8b9bd7)
Feb 9 13:53:46 srv-fw racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
Feb 9 13:53:47 srv-fw racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49

If I don't force a reload of the config, the VPN stays down.
After I forced a reload I get this:

Feb 9 14:13:42 srv-fw racoon: INFO: Flushing all SAs for peer 2.2.2.2
Feb 9 14:13:42 srv-fw racoon: INFO: accept a request to establish IKE-SA: 2.2.2.2
Feb 9 14:13:42 srv-fw racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 14:13:42 srv-fw racoon: INFO: begin Identity Protection mode.
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Feb 9 14:13:42 srv-fw racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 9 14:13:42 srv-fw racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 2.2.2.2[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 1.1.1.1[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: Adding remote and local NAT-D payloads.
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 1.1.1.1[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: NAT-D payload #0 verified
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 2.2.2.2[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: NAT-D payload #1 verified
Feb 9 14:13:42 srv-fw racoon: INFO: NAT not detected
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: DPD
Feb 9 14:13:42 srv-fw racoon: WARNING: port 500 expected, but 0
Feb 9 14:13:42 srv-fw racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:54e8737b21796817:9987cc564ef98386

And it stays so until some traffic is generated at the other end.
After a ping, I see phase 2 up:

Feb 9 14:36:53 srv-fw racoon: INFO: respond new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 14:36:53 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=257800228(0xf5db824)
Feb 9 14:36:53 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=580823101(0x229ea83d)

I tried everything but without success.
Help me please :-)

Pier
Milan P. Stanic
2010-02-16 22:57:41 UTC
Post by Pier
I'm trying to make an IPsec connection between our Linux firewall (Debian Lenny) and a Cisco ASA.
We already have some VPNs running without problems, but this one is driving me crazy.
1.1.1.1 our end
2.2.2.2 cisco end
Feb 9 13:23:39 srv-fw racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=2288584209(0x88690611)
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=214152031(0xcc3b35f)
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=1552653271(0x5c8b9bd7)
Feb 9 13:53:46 srv-fw racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
Feb 9 13:53:47 srv-fw racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
If I don't force a reload of the config, the VPN stays down.
Feb 9 14:13:42 srv-fw racoon: INFO: Flushing all SAs for peer 2.2.2.2
Feb 9 14:13:42 srv-fw racoon: INFO: accept a request to establish IKE-SA: 2.2.2.2
Feb 9 14:13:42 srv-fw racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 14:13:42 srv-fw racoon: INFO: begin Identity Protection mode.
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Feb 9 14:13:42 srv-fw racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 9 14:13:42 srv-fw racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 2.2.2.2[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 1.1.1.1[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: Adding remote and local NAT-D payloads.
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 1.1.1.1[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: NAT-D payload #0 verified
Feb 9 14:13:42 srv-fw racoon: INFO: Hashing 2.2.2.2[500] with algo #2
Feb 9 14:13:42 srv-fw racoon: INFO: NAT-D payload #1 verified
Feb 9 14:13:42 srv-fw racoon: INFO: NAT not detected
Feb 9 14:13:42 srv-fw racoon: INFO: received Vendor ID: DPD
Feb 9 14:13:42 srv-fw racoon: WARNING: port 500 expected, but 0
Feb 9 14:13:42 srv-fw racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:54e8737b21796817:9987cc564ef98386
And it stays so until some traffic is generated at the other end.
Feb 9 14:36:53 srv-fw racoon: INFO: respond new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Feb 9 14:36:53 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=257800228(0xf5db824)
Feb 9 14:36:53 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=580823101(0x229ea83d)
I tried everything but without success.
Help me please :-)
Please post your racoon config and SPD config first. I cannot promise
to find a solution to your problem, but I (and maybe someone more competent
than me) will try.

Also, try to increase the verbosity level to debug.
--
Kind regards, Milan
--------------------------------------------------
Arvanta, IT Security http://www.arvanta.net
Please do not send me e-mail containing HTML code.
Pier
2010-02-17 09:59:28 UTC
Here is my racoon.conf:

remote 2.2.2.2
{
        exchange_mode main;
        verify_cert on;
        my_identifier address 1.1.1.1;
        lifetime time 86400 seconds ;
#       nat_traversal on;
        dpd_delay 10;
#       proposal_check claim ;
        proposal_check obey ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }

}


And here the spd config:

spdadd 192.168.1.0/24 10.13.137.32/27 any -P out ipsec esp/tunnel /1.1.1.1-2.2.2.2/require;
spdadd 192.168.1.0/24 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.13.137.32/27 192.168.1.0/24 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 10.13.137.32/27 1.1.1.1/32 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;


The other side is doing some troubleshooting as well.
The racoon config is a bit of a mess because I tried everything.
This is just the last one I tried.
Thanks

Pier
Silvian Cretu
2010-02-17 11:58:10 UTC
What happens if you replace "require" with "unique" in the SPD config?
Post by Pier
remote 2.2.2.2
{
exchange_mode main;
verify_cert on;
my_identifier address 1.1.1.1;
lifetime time 86400 seconds ;
# nat_traversal on;
dpd_delay 10;
# proposal_check claim ;
proposal_check obey ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
spdadd 192.168.1.0/24 10.13.137.32/27 any -P out ipsec esp/tunnel /1.1.1.1-2.2.2.2/require;
spdadd 192.168.1.0/24 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.13.137.32/27 192.168.1.0/24 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 10.13.137.32/27 1.1.1.1/32 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
The other side is doing some troubleshooting as well.
The racoon config is a bit of a mess because I tried everything.
This is just the last one I tried.
Thanks
Pier
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Ipsec-tools-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
--
Silvian Cretu
http://www.silviancretu.ro/
Milan P. Stanic
2010-02-17 13:41:38 UTC
Post by Pier
remote 2.2.2.2
{
        exchange_mode main;
        verify_cert on;
        my_identifier address 1.1.1.1;
        lifetime time 86400 seconds ;
#       nat_traversal on;
        dpd_delay 10;
#       proposal_check claim ;
        proposal_check obey ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
Do you have a sainfo section in racoon.conf?
Post by Pier
spdadd 192.168.1.0/24 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 192.168.1.0/24 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 1.1.1.1/32 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.13.137.32/27 192.168.1.0/24 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 10.13.137.32/27 1.1.1.1/32 any -P in ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
The other side is doing some troubleshooting as well.
The racoon config is a bit of a mess because I tried everything.
This is just the last one I tried.
If you expect help from the mailing list you should post the exact config with
the relevant debug log.
--
Kind regards, Milan
--------------------------------------------------
Arvanta, IT Security http://www.arvanta.net
Please do not send me e-mail containing HTML code.
Pier
2010-02-17 12:45:52 UTC
Post by Silvian Cretu
What happens if you replace "require" with "unique" in the SPD config?
It seems to work.
Or at least the VPN is now up and running.
I still have to see if it stays up or falls down after a while.
Anyway, what does unique do differently from require? I read the man page but I didn't understand "it allows the policy to match the unique out-bound SA".
Since I have other VPNs with other Cisco devices, why was this one not working?
Is it safe to substitute all require with unique?
Thanks

Pier
Pier
2010-02-17 13:34:41 UTC
I got the VPN disconnected again.
Here is the log:

2010-02-17 14:15:33: DEBUG: ===
2010-02-17 14:15:33: DEBUG: 84 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: receive Information.
2010-02-17 14:15:33: DEBUG: compute IV for phase2
2010-02-17 14:15:33: DEBUG: phase1 last IV:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: hash(sha1)
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: phase2 IV computed:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: begin decryption.
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: IV was saved for next processing:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: with key:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: decrypted payload by IV:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: decrypted payload, but not trimed.
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: padding len=1
2010-02-17 14:15:33: DEBUG: skip to trim padding.
2010-02-17 14:15:33: DEBUG: decrypted.
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: IV freed
2010-02-17 14:15:33: DEBUG: HASH with:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: hmac(hmac_sha1)
2010-02-17 14:15:33: DEBUG: HASH computed:
2010-02-17 14:15:33: DEBUG:
2010-02-17 14:15:33: DEBUG: hash validated.
2010-02-17 14:15:33: DEBUG: begin.
2010-02-17 14:15:33: DEBUG: seen nptype=8(hash)
2010-02-17 14:15:33: DEBUG: seen nptype=12(delete)
2010-02-17 14:15:33: DEBUG: succeed.
2010-02-17 14:15:33: DEBUG: delete payload for protocol ISAKMP
2010-02-17 14:15:33: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:0f59a95a8c8bfde6:673dbc6922ad16be
2010-02-17 14:15:33: DEBUG: purged SAs.
2010-02-17 14:15:34: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:0f59a95a8c8bfde6:673dbc6922ad16be
2010-02-17 14:15:34: DEBUG: IV freed

Why is it then not reactivated automatically?

Pier
Silvian Cretu
2010-02-17 14:11:38 UTC
I use "unique" instead of "require" when the other encrypted domain is not a
continuous network.

Are you sure the lifetime values for both phase 1 and phase 2 are the same
at both ends?
Post by Pier
I got the VPN disconnected again.
2010-02-17 14:15:33: DEBUG: ===
2010-02-17 14:15:33: DEBUG: 84 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2010-02-17 14:15:33: DEBUG: receive Information.
2010-02-17 14:15:33: DEBUG: compute IV for phase2
2010-02-17 14:15:33: DEBUG: hash(sha1)
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: begin decryption.
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: encryption(3des)
2010-02-17 14:15:33: DEBUG: decrypted payload, but not trimed.
2010-02-17 14:15:33: DEBUG: padding len=1
2010-02-17 14:15:33: DEBUG: skip to trim padding.
2010-02-17 14:15:33: DEBUG: decrypted.
2010-02-17 14:15:33: DEBUG: IV freed
2010-02-17 14:15:33: DEBUG: hmac(hmac_sha1)
2010-02-17 14:15:33: DEBUG: hash validated.
2010-02-17 14:15:33: DEBUG: begin.
2010-02-17 14:15:33: DEBUG: seen nptype=8(hash)
2010-02-17 14:15:33: DEBUG: seen nptype=12(delete)
2010-02-17 14:15:33: DEBUG: succeed.
2010-02-17 14:15:33: DEBUG: delete payload for protocol ISAKMP
2010-02-17 14:15:33: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500]
spi:0f59a95a8c8bfde6:673dbc6922ad16be
2010-02-17 14:15:33: DEBUG: purged SAs.
2010-02-17 14:15:34: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500]
spi:0f59a95a8c8bfde6:673dbc6922ad16be
2010-02-17 14:15:34: DEBUG: IV freed
Why is it then not reactivated automatically?
Pier
--
Silvian Cretu
http://www.silviancretu.ro/
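Silvian's suggestion to switch the SPD level from "require" to "unique", and Pier's question of whether it is safe to do so for every policy, both come down to what the posted spdadd lines actually say. The following is an added example, not code from this thread or from ipsec-tools: a small checker that parses spdadd statements (tolerating the line wrapping and the stray whitespace in the posted SPD), verifies that every policy has a reverse-direction twin with the tunnel endpoints swapped, lists the levels in use, and re-emits the same policies with level unique, giving each selector pair its own reqid in the unique:<reqid> form from setkey(8). The reqid numbering (starting at 1000) and the sample SPD are the example's own constructions.

```python
"""Consistency checks for a setkey SPD (spdadd lines) describing an IPsec tunnel.

Added example; not code from this thread or from ipsec-tools.  It parses
spdadd statements, checks that every policy has a reverse-direction twin
with the tunnel endpoints swapped, reports the levels in use, and can
re-emit the policies with level 'unique', giving each selector pair its
own reqid (the unique:<reqid> form of setkey(8)) so each pair gets its own SA.
"""
import re
from dataclasses import dataclass

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<policy>[^;]+);")


@dataclass(frozen=True)
class Policy:
    src: str        # selector source (address/prefix)
    dst: str        # selector destination
    upper: str      # upper-layer protocol selector, e.g. "any"
    direction: str  # "in" or "out"
    proto: str      # esp or ah
    mode: str       # tunnel or transport
    tsrc: str       # tunnel source endpoint
    tdst: str       # tunnel destination endpoint
    level: str      # require, unique, use or default


def parse_spd(text):
    """Parse spdadd statements.  Statements wrapped over several lines are fine;
    whitespace inside the policy string (as in the SPD posted in this thread)
    is treated as a '/' separator so the line can still be checked.  That is
    this parser's choice, not a statement about how setkey parses it."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        pol = re.sub(r"\s*/\s*", "/", m.group("policy").strip())
        pol = re.sub(r"\s+", "/", pol)
        parts = pol.split("/")
        if len(parts) != 4 or "-" not in parts[2]:
            raise ValueError(f"cannot parse policy string: {m.group('policy')!r}")
        proto, mode, endpoints, level = parts
        tsrc, tdst = endpoints.split("-", 1)
        policies.append(Policy(m.group("src"), m.group("dst"), m.group("upper"),
                               m.group("dir"), proto, mode, tsrc, tdst, level))
    return policies


def unmirrored(policies):
    """Policies whose reverse-direction twin is missing or has the wrong tunnel
    endpoints.  Without an 'in' policy the kernel does not insist that traffic
    for that selector arrive inside the tunnel."""
    by_key = {(p.direction, p.src, p.dst, p.upper): p for p in policies}
    bad = []
    for p in policies:
        twin_dir = "in" if p.direction == "out" else "out"
        twin = by_key.get((twin_dir, p.dst, p.src, p.upper))
        if twin is None or (twin.tsrc, twin.tdst) != (p.tdst, p.tsrc):
            bad.append(p)
    return bad


def levels(policies):
    return sorted({p.level for p in policies})


def with_level(policies, level, reqid_base=1000):
    """Re-emit the policies with another level.  For 'unique' each selector
    pair (its in and out policies) shares one reqid; reqid_base is arbitrary."""
    reqids = {}
    out = []
    for p in policies:
        lvl = level
        if level == "unique":
            key = (frozenset((p.src, p.dst)), p.upper)
            if key not in reqids:
                reqids[key] = reqid_base + len(reqids)
            lvl = f"unique:{reqids[key]}"
        out.append(f"spdadd {p.src} {p.dst} {p.upper} -P {p.direction} "
                   f"ipsec {p.proto}/{p.mode}/{p.tsrc}-{p.tdst}/{lvl};")
    return out


# Constructed sample: the first selector pair from the posted SPD (with its
# original wrapping and spacing), plus an outbound policy whose inbound twin
# is missing.
SAMPLE_SPD = """
spdadd 192.168.1.0/24 10.13.137.32/27 any
-P out ipsec esp/tunnel /1.1.1.1-2.2.2.2/require;
spdadd 10.13.137.32/27 192.168.1.0/24 any -P in
ipsec esp/tunnel 2.2.2.2-1.1.1.1/require;
spdadd 192.168.1.0/24 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
"""

if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print("levels in use:", levels(pols))
    for p in unmirrored(pols):
        print(f"no mirror policy for {p.direction} {p.src} -> {p.dst}")
    print("\n".join(with_level(pols, "unique")))
```

Run against the full SPD posted earlier in the thread, parse_spd followed by unmirrored is a quick way to confirm that each of the eight policies has its partner before changing anything else; with_level then produces the "unique" variant Silvian proposes, with one reqid per selector pair, so the output can be compared line by line with the original.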
Pier
2010-02-17 14:37:48 UTC
Post by Silvian Cretu
I use "unique" instead of "require" when the other encrypted domain is not a
continuous network.
Ah, that's why.
So in the end, when you use multiple encryption domains you use unique.
Post by Silvian Cretu
Are you sure the lifetime values for both phase 1 and phase 2 are the same at both ends?
Yes... I don't know right now, but last time they were synchronized.
But is it normal that when it disconnects, it's not available until I force a VPN connect again?
Shouldn't traffic make the VPN available?
Thanks

Pier
Pier
2010-02-17 15:44:14 UTC
I post here the sainfos (Milan, I don't get your emails from the ipsec ML).

sainfo address 192.168.1.0/24 any address 10.13.137.32/27 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

sainfo address 192.168.1.0/24 any address 10.13.144.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

sainfo address 192.168.1.0/24 any address 10.13.145.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

sainfo address 1.1.1.1/32 any address 10.13.137.32/27 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

sainfo address 1.1.1.1/32 any address 10.13.144.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 1.1.1.1/32 any address 10.13.145.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}


sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

sainfo address 192.168.1.0/24 any address 2.2.2.2/32 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
Neslihan Guler
2010-02-18 21:53:25 UTC
Hi Pier,
In your configuration it seems that DPD (dead peer detection) is active. Maybe
it is not active on the other end. Since you cannot get a reply to your
DPD packets, the SAs are deleted. Check your DPD activity on both ends.
Just an idea.

Neslihan
Post by Pier
I post here the sainfos (Milan, i don't get your emails from ipsec ML).
sainfo address 192.168.1.0/24 any address 10.13.137.32/27 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 192.168.1.0/24 any address 10.13.144.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 192.168.1.0/24 any address 10.13.145.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 1.1.1.1/32 any address 10.13.137.32/27 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 1.1.1.1/32 any address 10.13.144.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 1.1.1.1/32 any address 10.13.145.0/24 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
sainfo address 192.168.1.0/24 any address 2.2.2.2/32 any
{
pfs_group 2;
lifetime time 86400 seconds ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
Pier
2010-02-19 11:46:53 UTC
I removed DPD but got disconnected again.
This is the log after a while:

2010-02-19 11:37:23: DEBUG: ===
2010-02-19 11:37:23: DEBUG: 68 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2010-02-19 11:37:23: DEBUG:
88fb292b e5991226 655e5792 16abafa6 08100501 ed9b5e1b 00000044 ad912041
9777ee36 c662f51b 9c0d6315 d0452dc3 6a59aeb7 c27ba36f 9bc0fbc2 7044000f
9405e441
2010-02-19 11:37:23: DEBUG: receive Information.
2010-02-19 11:37:23: DEBUG: compute IV for phase2
2010-02-19 11:37:23: DEBUG: phase1 last IV:
2010-02-19 11:37:23: DEBUG:
b210da97 0d4c2c1f ed9b5e1b
2010-02-19 11:37:23: DEBUG: hash(sha1)
2010-02-19 11:37:23: DEBUG: encryption(3des)
2010-02-19 11:37:23: DEBUG: phase2 IV computed:
2010-02-19 11:37:23: DEBUG:
6381bb1e 38ec8206
2010-02-19 11:37:23: DEBUG: begin decryption.
2010-02-19 11:37:23: DEBUG: encryption(3des)
2010-02-19 11:37:23: DEBUG: IV was saved for next processing:
2010-02-19 11:37:23: DEBUG:
7044000f 9405e441
2010-02-19 11:37:23: DEBUG: encryption(3des)
2010-02-19 11:37:23: DEBUG: with key:
2010-02-19 11:37:23: DEBUG:
bf8da677 447a5b07 833411a7 f64d7251 b656808a 20b69bda
2010-02-19 11:37:23: DEBUG: decrypted payload by IV:
2010-02-19 11:37:23: DEBUG:
6381bb1e 38ec8206
2010-02-19 11:37:23: DEBUG: decrypted payload, but not trimed.
2010-02-19 11:37:23: DEBUG:
0b000018 727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c 00000010 00000001
0304000b bde6ee64
2010-02-19 11:37:23: DEBUG: padding len=101
2010-02-19 11:37:23: DEBUG: skip to trim padding.
2010-02-19 11:37:23: DEBUG: decrypted.
2010-02-19 11:37:23: DEBUG:
88fb292b e5991226 655e5792 16abafa6 08100501 ed9b5e1b 00000044 0b000018
727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c 00000010 00000001 0304000b
bde6ee64
2010-02-19 11:37:23: DEBUG: IV freed
2010-02-19 11:37:23: DEBUG: HASH with:
2010-02-19 11:37:23: DEBUG:
ed9b5e1b 00000010 00000001 0304000b bde6ee64
2010-02-19 11:37:23: DEBUG: hmac(hmac_sha1)
2010-02-19 11:37:23: DEBUG: HASH computed:
2010-02-19 11:37:23: DEBUG:
727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c
2010-02-19 11:37:23: DEBUG: hash validated.
2010-02-19 11:37:23: DEBUG: begin.
2010-02-19 11:37:23: DEBUG: seen nptype=8(hash)
2010-02-19 11:37:23: DEBUG: seen nptype=11(notify)
2010-02-19 11:37:23: DEBUG: succeed.
2010-02-19 11:37:23: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.
2010-02-19 11:37:23: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=3 spi=bde6ee64(size=4).
2010-02-19 11:37:23: DEBUG: ===


I don't see any other error messages.

Pier
Subject: Re: [Ipsec-tools-devel] Problems racoon and cisco vpn
Date: Thursday 18 February 2010, 22:53
Hi Pier,
In your configuration it seems that DPD (dead peer
detection) is active. Maybe it is not active on the other
end. Since you cannot get a reply to your DPD packets, the
SAs are deleted. Check your DPD activity on both ends.
Just an idea.
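Two symptoms run through this thread: in the first post the ISAKMP-SA expires and is deleted with no re-establishment until racoon is reloaded, and in the post above the peer answers with an INVALID-SPI notification, after which racoon tears phase 1 down. Both are visible in the log alone. The following is an added example, not code from this thread or from ipsec-tools: a scanner that reads racoon messages in either the syslog form ("Feb 9 13:53:46 srv-fw racoon: INFO: ...") or the debug-log form ("2010-02-19 11:37:23: ERROR: ..."), tracks the phase 1 and phase 2 SA lifecycle per peer, and reports peers whose ISAKMP-SA is gone and has not come back, and peers that sent INVALID-SPI. The local IKE address is passed in by the caller; the sample logs are constructed from lines quoted in this thread plus one constructed recovery line.

```python
"""Flag IPsec tunnels that went down and stayed down, from racoon logs.

Added example; not code from this thread or from ipsec-tools.  It reads
racoon messages in either the syslog form
("Feb 9 13:53:46 srv-fw racoon: INFO: ...") or the debug-log form
("2010-02-19 11:37:23: ERROR: ...") and tracks the phase 1 (ISAKMP) and
phase 2 (IPsec) SA lifecycle per peer.
"""
import re
from collections import defaultdict

MSG_RE = re.compile(r"\b(?P<level>INFO|WARNING|ERROR|DEBUG): (?P<msg>.*)$")
PHASE1_RE = re.compile(
    r"ISAKMP-SA (?P<ev>established|expired|deleted) "
    r"(?P<a>[\d.]+)\[\d+\]-(?P<b>[\d.]+)\[\d+\]")
PHASE2_RE = re.compile(
    r"IPsec-SA (?P<ev>established|expired): \S+ "
    r"(?P<a>[\d.]+)\[\d+\]->(?P<b>[\d.]+)\[\d+\] spi=(?P<spi>\d+)")
RECV_RE = re.compile(r"message received from (?P<peer>[\d.]+)\[\d+\]")
INVALID_SPI_RE = re.compile(r"notification message \d+:INVALID-SPI.*?spi=(?P<spi>[0-9a-f]+)")


def analyse(lines, local):
    """Return {peer: [finding, ...]} for peers whose tunnel needs attention.

    local is this host's IKE address; the other address in a line is the peer.
    """
    phase1_up = {}                  # peer -> True if the last ISAKMP event was 'established'
    phase2_live = defaultdict(set)  # peer -> SPIs of IPsec-SAs established and not yet expired
    findings = defaultdict(list)
    current_peer = None             # set by 'message received from' in debug logs

    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")

        r = RECV_RE.search(msg)
        if r:
            current_peer = r.group("peer")
            continue

        p1 = PHASE1_RE.search(msg)
        if p1:
            peer = p1.group("b") if p1.group("a") == local else p1.group("a")
            phase1_up[peer] = p1.group("ev") == "established"
            continue

        p2 = PHASE2_RE.search(msg)
        if p2:
            peer = p2.group("b") if p2.group("a") == local else p2.group("a")
            if p2.group("ev") == "established":
                phase2_live[peer].add(p2.group("spi"))
            else:
                phase2_live[peer].discard(p2.group("spi"))
            continue

        inv = INVALID_SPI_RE.search(msg)
        if inv and current_peer:
            # The peer received ESP with an SPI it does not know: SA state on
            # the two ends has diverged (racoon itself tears phase 1 down here).
            findings[current_peer].append(
                f"peer sent INVALID-SPI for spi 0x{inv.group('spi')}: SA state diverged")

    for peer, up in phase1_up.items():
        if not up:
            findings[peer].append(
                f"ISAKMP-SA down and not re-established; {len(phase2_live[peer])} "
                "IPsec-SA(s) still recorded, rekeying will fail until phase 1 is back")
    return dict(findings)


# Constructed sample: syslog and debug lines quoted in this thread, in order.
BROKEN_LOG = """\
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=214152031(0xcc3b35f)
Feb 9 13:23:39 srv-fw racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=1552653271(0x5c8b9bd7)
Feb 9 13:53:46 srv-fw racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
Feb 9 13:53:47 srv-fw racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
2010-02-19 11:37:23: DEBUG: 68 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2010-02-19 11:37:23: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.
2010-02-19 11:37:23: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=3 spi=bde6ee64(size=4).
"""

# Constructed sample of a healthy rekey: the ISAKMP-SA expires but comes back.
RECOVERED_LOG = """\
Feb 9 13:53:46 srv-fw racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
Feb 9 13:53:47 srv-fw racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:3a918da835e191a6:fd47bdaa16e08d49
Feb 9 14:13:42 srv-fw racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:54e8737b21796817:9987cc564ef98386
"""

if __name__ == "__main__":
    for peer, notes in analyse(BROKEN_LOG.splitlines(), "1.1.1.1").items():
        for note in notes:
            print(f"{peer}: {note}")
```

Fed the whole racoon log for a day, analyse() gives a per-peer list of tunnels that silently stayed down, which is the condition Pier is otherwise only discovering when traffic stops; a peer that merely rekeyed, as in RECOVERED_LOG, produces no finding. The phase 2 count in the finding is there because ESP SAs outlive the ISAKMP-SA that negotiated them, so the tunnel can look up while it is already unable to rekey.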
Pier
2010-02-19 13:56:52 UTC
Another hint. After a while (the VPN tunnel was down) I saw these logs:

2010-02-19 14:45:06: DEBUG: ===
2010-02-19 14:45:06: DEBUG: 308 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2010-02-19 14:45:06: DEBUG:
1cf0ada1 7637b641 53c3b883 2cc3e14c 08102001 10cd17fa 00000134 a6c8c081
16a4b931 a3b451a9 5d17d9e7 bfbb0e1c 79be1a01 da7f18a0 5e1b42a5 1a7880d3
61bdaf77 b5e81f8a d57f1b55 47b8951b a52b34eb e0cf3d17 4aa2812e 24585021
c4e6471f 99c178aa 5a844b34 7b7b4439 1b9fc362 4f0e5bf1 4c72fd88 ab543445
fc3e8219 9ce89159 bfe8e7fd 247d3221 33a76029 1d5eb699 afe6c8dc 37730902
56157c44 60cc7c8f a0502b50 886dd87e 100ed5ae 64d73cf6 109428a4 6ed6c1ed
2b8b6db4 feb8a6a4 c4fb6b92 0a13dd57 386d797c 3c3806c3 80e7b97f 4a1b0bf2
bf5b3bf1 2bf29920 c575fa97 5aafa38a 65991d6d c42b5fe6 c7b9aab4 d4f059af
69e72ae2 512d6e04 ef34f873 ac4d7b10 03d856f8 34201e39 54542b2c e83ea255
7f8c63e6 be193b3d b4687911 b563d7d2 447f4146
2010-02-19 14:45:06: DEBUG: compute IV for phase2
2010-02-19 14:45:06: DEBUG: phase1 last IV:
2010-02-19 14:45:06: DEBUG:
041a57fb 5021c153 10cd17fa
2010-02-19 14:45:06: DEBUG: hash(sha1)
2010-02-19 14:45:06: DEBUG: encryption(3des)
2010-02-19 14:45:06: DEBUG: phase2 IV computed:
2010-02-19 14:45:06: DEBUG:
50db7a89 c7fc1539
2010-02-19 14:45:06: DEBUG: ===
2010-02-19 14:45:06: INFO: respond new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2010-02-19 14:45:06: DEBUG: begin decryption.
2010-02-19 14:45:06: DEBUG: encryption(3des)
2010-02-19 14:45:06: DEBUG: IV was saved for next processing:
2010-02-19 14:45:06: DEBUG:
b563d7d2 447f4146
2010-02-19 14:45:06: DEBUG: encryption(3des)
2010-02-19 14:45:06: DEBUG: with key:
2010-02-19 14:45:06: DEBUG:
97a6e308 4c993c37 0f02cf83 0e66fc9f 1ef4139c d89be473
2010-02-19 14:45:06: DEBUG: decrypted payload by IV:
2010-02-19 14:45:06: DEBUG:
50db7a89 c7fc1539
2010-02-19 14:45:06: DEBUG: decrypted payload, but not trimed.
2010-02-19 14:45:06: DEBUG:
01000018 1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628 0a000044 00000001
00000001 00000038 01030401 274b7f8c 0000002c 01030000 80010001 00020004
00015180 80010002 00020004 7fffffff 80040001 80050002 80030002 04000018
aa279277 b6940eb6 ad12ca04 b2efe078 3dc5df18 05000084 4cfdf8cd e5b89a65
da9436aa 068ef524 77054bb0 35a45733 65f5ffdf 81990a0e 8132a258 f532a37b
8b061a06 8df7353d 8cb8fb55 e54edae4 9a7156aa 1c1988c1 837f2266 52a10ded
3c568a59 fdfbbed4 9a301513 ec7313e2 94aeb7b7 8c3423b3 c2100427 f9b90bbd
7c77571f 290b39a5 5a978c1b eac64ad4 2f08d8ef a1df9f7f 05000010 04000000
0a0d8920 ffffffe0 00000010 04000000 c0a80100 ffffff00
2010-02-19 14:45:06: DEBUG: padding len=1
2010-02-19 14:45:06: DEBUG: skip to trim padding.
2010-02-19 14:45:06: DEBUG: decrypted.
2010-02-19 14:45:06: DEBUG:
1cf0ada1 7637b641 53c3b883 2cc3e14c 08102001 10cd17fa 00000134 01000018
1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628 0a000044 00000001 00000001
00000038 01030401 274b7f8c 0000002c 01030000 80010001 00020004 00015180
80010002 00020004 7fffffff 80040001 80050002 80030002 04000018 aa279277
b6940eb6 ad12ca04 b2efe078 3dc5df18 05000084 4cfdf8cd e5b89a65 da9436aa
068ef524 77054bb0 35a45733 65f5ffdf 81990a0e 8132a258 f532a37b 8b061a06
8df7353d 8cb8fb55 e54edae4 9a7156aa 1c1988c1 837f2266 52a10ded 3c568a59
fdfbbed4 9a301513 ec7313e2 94aeb7b7 8c3423b3 c2100427 f9b90bbd 7c77571f
290b39a5 5a978c1b eac64ad4 2f08d8ef a1df9f7f 05000010 04000000 0a0d8920
ffffffe0 00000010 04000000 c0a80100 ffffff00
2010-02-19 14:45:06: DEBUG: begin.
2010-02-19 14:45:06: DEBUG: seen nptype=8(hash)
2010-02-19 14:45:06: DEBUG: seen nptype=1(sa)
2010-02-19 14:45:06: DEBUG: seen nptype=10(nonce)
2010-02-19 14:45:06: DEBUG: seen nptype=4(ke)
2010-02-19 14:45:06: DEBUG: seen nptype=5(id)
2010-02-19 14:45:06: DEBUG: seen nptype=5(id)
2010-02-19 14:45:06: DEBUG: succeed.
2010-02-19 14:45:06: DEBUG: received IDci2:2010-02-19 14:45:06: DEBUG:
04000000 0a0d8920 ffffffe0
2010-02-19 14:45:06: DEBUG: received IDcr2:2010-02-19 14:45:06: DEBUG:
04000000 c0a80100 ffffff00
2010-02-19 14:45:06: DEBUG: HASH(1) validate:2010-02-19 14:45:06: DEBUG:
1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628
2010-02-19 14:45:06: DEBUG: HASH with:
2010-02-19 14:45:06: DEBUG:
10cd17fa 0a000044 00000001 00000001 00000038 01030401 274b7f8c 0000002c
01030000 80010001 00020004 00015180 80010002 00020004 7fffffff 80040001
80050002 80030002 04000018 aa279277 b6940eb6 ad12ca04 b2efe078 3dc5df18
05000084 4cfdf8cd e5b89a65 da9436aa 068ef524 77054bb0 35a45733 65f5ffdf
81990a0e 8132a258 f532a37b 8b061a06 8df7353d 8cb8fb55 e54edae4 9a7156aa
1c1988c1 837f2266 52a10ded 3c568a59 fdfbbed4 9a301513 ec7313e2 94aeb7b7
8c3423b3 c2100427 f9b90bbd 7c77571f 290b39a5 5a978c1b eac64ad4 2f08d8ef
a1df9f7f 05000010 04000000 0a0d8920 ffffffe0 00000010 04000000 c0a80100
ffffff00
2010-02-19 14:45:06: DEBUG: hmac(hmac_sha1)
2010-02-19 14:45:06: DEBUG: HASH computed:
2010-02-19 14:45:06: DEBUG:
1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628
2010-02-19 14:45:06: DEBUG: configuration found for 2.2.2.2.
2010-02-19 14:45:06: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='10.13.137.32/27', peer='2.2.2.2', id=0
2010-02-19 14:45:06: DEBUG: getsainfo pass #1
[...]
And after this, the tunnel is up and running.
I still don't understand if it's a problem on my side or not.

Pier
