From: Joop Marijne (jmarijne_at_penguin-systems.nl)
Date: Thu Jan 09 2003 - 22:38:28 CET
Hi all,
I am trying to connect a Cisco 828 SDSL router to a Linux FreeS/WAN box. I am
not very experienced with Cisco IOS, but there are some examples on the net.
Below are the FreeS/WAN config, Cisco config and the debug info. I am using
Cisco IOS 12.2 with the 3DES option pack, and FreeS/WAN 1.98b with kernel 2.4.19.
The problem is that when I start the connection, FreeS/WAN logs:
"hoofddorp" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
The Cisco reports a successful exchange of the preshared keys, but then it
fails with the same problem. I am not sure which side is sending this packet.
Hope somebody can shed some light on this.
Config of the FreeS/WAN box:
conn hoofddorp
        # Left security gateway, subnet behind it, next hop toward right.
        left=64.65.66.146
        leftsubnet=10.124.207.0/24
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        right=41.42.43.49
        rightsubnet=10.110.1.0/24
        rightnexthop=
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=start
        authby=secret
And the Cisco:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "hoofddorp"
!
enable secret 0 pwd
!
ip subnet-zero
no ip domain lookup
!
!
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY 64.65.66.146
!
!
crypto ipsec transform-set linux esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer 64.65.66.146
 set transform-set linux
 set pfs group2
 match address 102
!
!
!
!
interface Ethernet0
 ip address 10.110.1.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no peer default ip address
 ppp authentication pap callin
 ppp pap sent-username webxpar12 password 0 pwd
 crypto map TEST
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
!
!
access-list 101 permit ip 10.110.1.0 0.0.0.255 any
access-list 102 permit ip 10.124.207.0 0.0.0.255 10.110.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
 stopbits 1
line vty 0 4
 password 0 pwd
 login
!
scheduler max-task-time 5000
end
FreeS/WAN syslog:
Jan 9 21:49:51 linux-01 ipsec_setup: ...FreeS/WAN IPsec started
Jan 9 21:49:51 linux-01 pluto[15172]: Starting Pluto (FreeS/WAN Version 1.98b)
Jan 9 21:49:51 linux-01 pluto[15172]: added connection description "hoofddorp"
Jan 9 21:49:51 linux-01 pluto[15172]: listening for IKE messages
Jan 9 21:49:51 linux-01 pluto[15172]: adding interface ipsec0/eth1 64.65.66.146
Jan 9 21:49:51 linux-01 pluto[15172]: loading secrets from "/etc/ipsec.secrets"
Jan 9 21:49:51 linux-01 pluto[15172]: "hoofddorp" #1: initiating Main Mode
Jan 9 21:49:52 linux-01 pluto[15172]: "hoofddorp" #1: ignoring Vendor ID payload
Jan 9 21:49:52 linux-01 last message repeated 3 times
Jan 9 21:49:52 linux-01 pluto[15172]: "hoofddorp" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
ISAKMP debug output:
9.bbeyond.nl 479: 00:08:36: ISAKMP (0:6): Checking ISAKMP transform 2 against priority 1 policy
Jan 9 21:47:25 remote-cisco 480: 00:08:36: ISAKMP: life type in seconds
Jan 9 21:47:25 remote-cisco 481: 00:08:36: ISAKMP: life duration (basic) of 3600
Jan 9 21:47:25 remote-cisco 482: 00:08:36: ISAKMP: encryption 3DES-CBC
Jan 9 21:47:25 remote-cisco 483: 00:08:36: ISAKMP: hash SHA
Jan 9 21:47:25 remote-cisco 484: 00:08:36: ISAKMP: auth pre-share
Jan 9 21:47:25 remote-cisco 485: 00:08:36: ISAKMP: default group 2
Jan 9 21:47:25 remote-cisco 486: 00:08:36: ISAKMP (0:6): atts are acceptable. Next payload is 3
Jan 9 21:47:25 remote-cisco 487: 00:08:36: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 9 21:47:25 remote-cisco 488: 00:08:36: ISAKMP (0:6): Old State = IKE_R_MM1 New State = IKE_R_MM1
Jan 9 21:47:25 remote-cisco 489:
Jan 9 21:47:25 remote-cisco 490: 00:08:36: ISAKMP (0:6): sending packet to 64.65.66.146 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jan 9 21:47:25 remote-cisco 491: 00:08:36: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 9 21:47:25 remote-cisco 492: 00:08:36: ISAKMP (0:6): Old State = IKE_R_MM1 New State = IKE_R_MM2
Jan 9 21:47:25 remote-cisco 493:
Jan 9 21:47:25 remote-cisco 494: 00:08:36: ISAKMP (0:6): received packet from 64.65.66.146 dport 500 sport 500 (R) MM_SA_SETUP
Jan 9 21:47:25 remote-cisco 495: 00:08:36: ISAKMP (0:6): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 9 21:47:25 remote-cisco 496: 00:08:36: ISAKMP (0:6): Old State = IKE_R_MM2 New State = IKE_R_MM3
Jan 9 21:47:25 remote-cisco 497:
Jan 9 21:47:25 remote-cisco 498: 00:08:36: ISAKMP (0:6): processing KE payload. message ID = 0
Jan 9 21:47:25 remote-cisco 499: 00:08:37: ISAKMP (0:6): processing NONCE payload. message ID = 0
Jan 9 21:47:25 remote-cisco 500: 00:08:37: ISAKMP (0:6): found peer pre-shared key matching 64.65.66.146
Jan 9 21:47:26 remote-cisco 501: 00:08:37: ISAKMP (0:6): SKEYID state generated
Jan 9 21:47:26 remote-cisco 502: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 9 21:47:26 remote-cisco 503: 00:08:37: ISAKMP (0:6): Old State = IKE_R_MM3 New State = IKE_R_MM3
Jan 9 21:47:26 remote-cisco 504:
Jan 9 21:47:26 remote-cisco 505: 00:08:37: ISAKMP (0:6): sending packet to 64.65.66.146 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 9 21:47:26 remote-cisco 506: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 9 21:47:26 remote-cisco 507: 00:08:37: ISAKMP (0:6): Old State = IKE_R_MM3 New State = IKE_R_MM4
Jan 9 21:47:26 remote-cisco 508:
Jan 9 21:47:26 remote-cisco 509: 00:08:37: ISAKMP (0:6): received packet from 64.65.66.146 dport 500 sport 500 (R) MM_KEY_EXCH
Jan 9 21:47:26 remote-cisco 510: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 9 21:47:26 remote-cisco 511: 00:08:37: ISAKMP (0:6): Old State = IKE_R_MM4 New State = IKE_R_MM5
Jan 9 21:47:26 remote-cisco 512:
Jan 9 21:47:26 remote-cisco 513: 00:08:37: ISAKMP (0:6): processing ID payload. message ID = 0
Jan 9 21:47:26 remote-cisco 514: 00:08:37: ISAKMP (0:6): processing HASH payload. message ID = 0
Jan 9 21:47:26 remote-cisco 515: 00:08:37: ISAKMP (0:6): SA has been authenticated with 64.65.66.146
Jan 9 21:47:26 remote-cisco 516: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 9 21:47:26 remote-cisco 517: 00:08:37: ISAKMP (0:6): Old State = IKE_R_MM5 New State = IKE_R_MM5
Jan 9 21:47:26 remote-cisco 518:
Jan 9 21:47:26 remote-cisco 519: 00:08:37: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 9 21:47:26 remote-cisco 520: 00:08:37: ISAKMP (6): ID payload
Jan 9 21:47:26 remote-cisco 521: ^Inext-payload : 8
Jan 9 21:47:26 remote-cisco 522: ^Itype : 1
Jan 9 21:47:26 remote-cisco 523: ^Iaddr : 41.42.43.49
Jan 9 21:47:26 remote-cisco 524: ^Iprotocol : 17
!!!! This must be the problem !!!
Jan 9 21:47:26 remote-cisco 525: ^Iport : 0
Jan 9 21:47:26 remote-cisco 526: ^Ilength : 8
Jan 9 21:47:26 remote-cisco 527: 00:08:37: ISAKMP (6): Total payload length: 12
Jan 9 21:47:27 remote-cisco 528: 00:08:37: ISAKMP (0:6): sending packet to 64.65.66.146 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 9 21:47:27 remote-cisco 529: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 9 21:47:27 remote-cisco 530: 00:08:37: ISAKMP (0:6): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jan 9 21:47:27 remote-cisco 531:
Jan 9 21:47:27 remote-cisco 532: 00:08:37: ISAKMP (0:6): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 9 21:47:27 remote-cisco 533: 00:08:37: ISAKMP (0:6): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 9 21:47:27 remote-cisco 534:
More debugging:
hoofddorp#show crypto ipsec sa

interface: Dialer0
    Crypto map tag: TEST, local addr. 41.42.43.49

   local  ident (addr/mask/prot/port): (10.124.207.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.110.1.0/255.255.255.0/0/0)
   current_peer: 64.65.66.146:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 41.42.43.49, remote crypto endpt.: 64.65.66.146
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
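The ISAKMP debug above prints the Phase 1 Identification payload the router sends (next-payload 8, type 1, addr 41.42.43.49, protocol 17, port 0, total length 12), and the Pluto message quotes the rule that rejects it. The following is an added example, not code from the post, from FreeS/WAN or from IOS: it encodes and decodes an ISAKMP ID payload using the layout from RFC 2408 section 3.8 and the IPsec DOI (RFC 2407 section 4.6.2), where the generic payload header is followed by a one-byte ID type, a one-byte protocol ID, a two-byte port and the identification data, and then applies the same accept rule (0/0 or 17/500) that the log line states. The constructed sample reproduces the router's payload byte for byte so the decoder's output can be compared with the debug, and a second sample shows what a payload that passes the rule looks like.

```python
"""Decode an ISAKMP Identification payload and apply the Phase 1 protocol/port
rule quoted in the Pluto log line (added example, not FreeS/WAN or IOS code).

Layout assumed from RFC 2408 s3.8 and RFC 2407 s4.6.2:
  next payload (1) | reserved (1) | payload length (2) | ID type (1) |
  protocol ID (1)  | port (2)     | identification data (4 for ID_IPV4_ADDR)
"""
import ipaddress
import struct

ID_IPV4_ADDR = 1          # IPsec DOI identification type: single IPv4 address
PROTO_UDP = 17            # IP protocol number for UDP
IKE_PORT = 500            # UDP port IKE/ISAKMP runs on
HEADER_FMT = "!BBHBBH"    # next payload, reserved, length, ID type, protocol, port
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes


def build_id_payload(next_payload, addr, protocol, port):
    """Encode an ID payload of type ID_IPV4_ADDR carrying addr with protocol/port."""
    ident = ipaddress.IPv4Address(addr).packed
    length = HEADER_LEN + len(ident)
    return struct.pack(HEADER_FMT, next_payload, 0, length, ID_IPV4_ADDR,
                       protocol, port) + ident


def parse_id_payload(data):
    """Decode an ID payload into a dict; raises ValueError if it is malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("ID payload shorter than its fixed header")
    next_payload, _reserved, length, id_type, protocol, port = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")
    ident = data[HEADER_LEN:length]
    if id_type == ID_IPV4_ADDR:
        if len(ident) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(ipaddress.IPv4Address(ident))
    return {"next_payload": next_payload, "type": id_type, "protocol": protocol,
            "port": port, "ident": ident, "length": length}


def phase1_id_accepted(protocol, port):
    """The rule from the Pluto message: protocol/port must be 0/0 or 17/500."""
    return (protocol, port) in ((0, 0), (PROTO_UDP, IKE_PORT))


def check_phase1_id(data):
    """Parse a Phase 1 ID payload and report whether the rule accepts it."""
    p = parse_id_payload(data)
    if phase1_id_accepted(p["protocol"], p["port"]):
        return True, None
    return False, ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
                   f"but are {p['protocol']}/{p['port']}")


# Constructed sample reproducing the payload shown in the router's debug
# (next-payload 8, type 1, addr 41.42.43.49, protocol 17, port 0, length 12).
ROUTER_ID_PAYLOAD = build_id_payload(8, "41.42.43.49", PROTO_UDP, 0)
# Constructed sample of the same identity with the port set to 500, which passes.
FIXED_ID_PAYLOAD = build_id_payload(8, "41.42.43.49", PROTO_UDP, IKE_PORT)

if __name__ == "__main__":
    for label, payload in (("router", ROUTER_ID_PAYLOAD), ("fixed", FIXED_ID_PAYLOAD)):
        ok, reason = check_phase1_id(payload)
        print(label, payload.hex(), parse_id_payload(payload), "OK" if ok else reason)
```

Running the block decodes the router's payload to protocol 17, port 0, exactly the pair the Pluto line rejects, which answers the question of which side sent it: the router's own debug is printing the ID payload it sends. Separately, once Phase 1 negotiates, note that access-list 102 on the router names 10.124.207.0/24 as the source and 10.110.1.0/24 as the destination, and the show crypto ipsec sa output accordingly reports 10.124.207.0 as the local ident; in the FreeS/WAN conn, 10.110.1.0/24 is the subnet behind the router (right), so the two sides' selectors should be compared before expecting Phase 2 to come up.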
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Sat Jan 11 2003 - 05:21:13 CET