Re: [Users] what is causing protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Tue Jan 14 2003 - 14:28:00 CET


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 14 Jan 2003, Joop Marijne wrote:

> I am trying to connect a cisco 828 router to a freeswan box. the key
> exchange works,
> but phase II is failing, here is the syslog dump
>
> Jan 14 09:54:51 penguin-systems pluto[25237]: "hoofddorp" #1: protocol/port
> in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> Jan 14 09:54:51 penguin-systems pluto[25237]: | state transition function
> for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
>

Okay, so the Cisco is trying to do a tunnel for *only* UDP traffic
(protocol 17), a la RFC 2407. FreeS/WAN (at least stock FreeS/WAN)
doesn't support this, so it balks and says invalid ID.

The corresponding Cisco ACL seems to be 102:

> access-list 102 permit ip 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255

Which looks correct - tunnel 192.168.254.0/24 <-> 192.168.254.0/24 and
matches the FreeS/WAN config nicely.

So it *should* be working, from what I can see. Can you include part of
the show crypto logs? For some reason, the Cisco seems to be
doing an odd phase 1 proposal.

> conn hoofddorp
> type=tunnel
> left=10.0.0.100
> leftsubnet=192.168.254.0/24
> right=10.0.0.101
> rightsubnet=192.168.253.0/24
> auto=add
> authby=secret
> keylife=24h
>
> Cisco Config
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key TEST address 10.0.0.100
> !
> !
> crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
>
> !
> crypto map test 1 ipsec-isakmp
> set peer 10.0.0.100
> set transform-set 3DES-MD5
> set pfs group2
> match address 102
> !
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.0.0.100
> no ip http server
> !
> !
> access-list 23 permit 10.10.10.0 0.0.0.255
> access-list 102 permit ip 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255

- --
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
The good thing about standards is that there are so many
to choose from. -- Andrew S. Tanenbaum

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPiQQYliWUusaxGxpAQFsVgQAhHpPyl3LZCWLdX5NjLY0QwOUR7+w68kq
ojrm0ibLaudMBGuQTNGBm3gM2Oc0mcmZbLLAwpbz5jjM8cypQyfx6GDmmlmlz9iy
h1IxiHAMdwMhy07/1jfIiFWMHjLuP4/2gjCeK2/kZwP70P9ScNytYPsriiY+S71A
qeEXX8uZb40=
=rY/U
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
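The check behind the pluto error quoted in this thread, as an added example that is not part of the original messages or of FreeS/WAN's own code: the parser below decodes an ISAKMP Identification payload (the generic payload header from RFC 2408 followed by the IPsec DOI body from RFC 2407: ID type, protocol ID, port, identification data) and then applies the Phase 1 rule the log line states, that protocol/port must be 0/0 or 17/500. The `build_id_payload` helper and the sample payloads exist only to construct test input; the 10.0.0.101 address is taken from the quoted config, the 17/0 and 17/500 values from the log line.

```python
import struct
from ipaddress import IPv4Address

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1); only the two used here
ID_IPV4_ADDR = 1
ID_FQDN = 2

# Phase 1 acceptance rule, as pluto reports it in the quoted log line
PHASE1_ALLOWED = {(0, 0), (17, 500)}


def build_id_payload(id_type, protocol, port, data, next_payload=0):
    """Construct an Identification payload (helper for test input only).

    Layout: Next Payload (1) | RESERVED (1) | Payload Length (2) |
            ID Type (1) | Protocol ID (1) | Port (2) | Identification Data
    """
    body = struct.pack("!BBH", id_type, protocol, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode one Identification payload; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte header")
    next_payload, reserved, length = struct.unpack("!BBH", raw[:4])
    if length < 8 or length > len(raw):
        raise ValueError(f"bad payload length {length} for {len(raw)} bytes")
    id_type, protocol, port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:length]

    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        ident = str(IPv4Address(data))
    elif id_type == ID_FQDN:
        ident = data.decode("ascii")
    else:
        ident = data.hex()  # other ID types: keep the raw bytes for inspection

    return {
        "next_payload": next_payload,
        "id_type": id_type,
        "protocol": protocol,
        "port": port,
        "id": ident,
    }


def check_phase1_id(parsed):
    """Return None if the ID payload is acceptable in Phase 1, else the
    diagnostic string in the same wording pluto logs (INVALID_ID_INFORMATION)."""
    proto, port = parsed["protocol"], parsed["port"]
    if (proto, port) in PHASE1_ALLOWED:
        return None
    return (f"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {proto}/{port}")


# Constructed sample payloads: the failing 17/0 case from the log and two accepted ones
PEER_ADDR = bytes([10, 0, 0, 101])
SAMPLE_BAD = build_id_payload(ID_IPV4_ADDR, 17, 0, PEER_ADDR)
SAMPLE_OK_UDP500 = build_id_payload(ID_IPV4_ADDR, 17, 500, PEER_ADDR)
SAMPLE_OK_ZERO = build_id_payload(ID_FQDN, 0, 0, b"penguin-systems")


if __name__ == "__main__":
    for label, raw in (("cisco-style 17/0", SAMPLE_BAD),
                       ("17/500", SAMPLE_OK_UDP500),
                       ("0/0 FQDN", SAMPLE_OK_ZERO)):
        parsed = parse_id_payload(raw)
        verdict = check_phase1_id(parsed) or "accepted"
        print(f"{label:18} id={parsed['id']:16} -> {verdict}")
```

Running it reproduces the exact complaint from the syslog for the 17/0 payload and accepts the other two, which is the quickest way to confirm from a packet capture of the Phase 1 exchange whether the remote peer's ID payload, rather than the subnet ACL, is what pluto is rejecting.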



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET