RE: [Users] what is causing protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

From: Joop Marijne (joop_at_marijne.nl)
Date: Tue Jan 14 2003 - 15:06:24 CET


Here are the show crypto logs; I've also included the Cisco debug info.

hoofddorp#sh crypto ipsec transform-set
Transform set 3DES-MD5: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },

hoofddorp#sh crypto ipsec sa

interface: Ethernet0
    Crypto map tag: test, local addr. 10.0.0.101

   local ident (addr/mask/prot/port): (192.168.253.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
   current_peer: 10.0.0.100:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.101, remote crypto endpt.: 10.0.0.100
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

hoofddorp#sh crypto isakmp policy
Protection suite of priority 1
        encryption algorithm: Three key triple DES
        hash algorithm: Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 28800 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit

00:11:10: ISAKMP (0:3): beginning Main Mode exchange
00:11:10: ISAKMP (0:3): sending packet to 10.0.0.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:11:10: ISAKMP (0:3): received packet from 10.0.0.100 dport 500 sport 500 (I) MM_NO_STATE
00:11:10: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:11:10: ISAKMP (0:3): Old State = IKE_I_MM1 New State = IKE_I_MM2

00:11:10: ISAKMP (0:3): processing SA payload. message ID = 0
00:11:10: ISAKMP (0:3): found peer pre-shared key matching 10.0.0.100
00:11:10: ISAKMP (0:3) local preshared key found
00:11:10: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
00:11:10: ISAKMP: encryption 3DES-CBC
00:11:10: ISAKMP: hash MD5
00:11:10: ISAKMP: default group 2
00:11:10: ISAKMP: auth pre-share
00:11:10: ISAKMP: life type in seconds
00:11:10: ISAKMP: life duration (basic) of 28800.
00:11:10: ISAKMP (0:3): atts are acceptable. Next payload is 0
00:11:11: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:11:11: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM2

00:11:11: ISAKMP (0:3): sending packet to 10.0.0.100 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:11:11: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:11:11: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM3

00:11:11: ISAKMP (0:3): received packet from 10.0.0.100 dport 500 sport 500 (I) MM_SA_SETUP
00:11:11: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:11:11: ISAKMP (0:3): Old State = IKE_I_MM3 New State = IKE_I_MM4

00:11:11: ISAKMP (0:3): processing KE payload. message ID = 0
00:11:11: ISAKMP (0:3): processing NONCE payload. message ID = 0
00:11:11: ISAKMP (0:3): found peer pre-shared key matching 10.0.0.100
00:11:11: ISAKMP (0:3): SKEYID state generated
00:11:11: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:11:11: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM4

00:11:12: ISAKMP (0:3): Send initial contact
00:11:12: ISAKMP (0:3): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:11:12: ISAKMP (3): ID payload
        next-payload : 8
        type : 1
        addr : 10.0.0.101
        protocol : 17
        port : 0
        length : 8
00:11:12: ISAKMP (3): Total payload length: 12
00:11:12: ISAKMP (0:3): sending packet to 10.0.0.100 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:11:12: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:11:12: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM5

-----Original Message-----
From: Ken Bantoft [mailto:ken_at_freeswan.ca]
Sent: Tuesday, 14 January 2003 14:28
To: Joop Marijne
CC: users_at_lists.freeswan.org
Subject: Re: [Users] what is causing protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 14 Jan 2003, Joop Marijne wrote:

> I am trying to connect a cisco 828 router to a freeswan box. the key
> exchange works, but phase II is failing, here is the syslog dump
>
> Jan 14 09:54:51 penguin-systems pluto[25237]: "hoofddorp" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> Jan 14 09:54:51 penguin-systems pluto[25237]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
>

Okay, so the Cisco is trying to do a tunnel for *only* UDP traffic
(protocol 17), a la RFC 2407. FreeS/WAN (at least stock FreeS/WAN)
doesn't support this, so it balks and says invalid ID.

The corresponding Cisco ACL seems to be 102:

> access-list 102 permit ip 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255

Which looks correct - tunnel 192.168.254.0/24 <-> 192.168.254.0/24 and
matches the FreeS/WAN config nicely.

So it *should* be working, from what I can see. Can you include part of
the show crypto logs? For some reason, the Cisco seems to be
doing an odd phase 1 proposal.

> conn hoofddorp
> type=tunnel
> left=10.0.0.100
> leftsubnet=192.168.254.0/24
> right=10.0.0.101
> rightsubnet=192.168.253.0/24
> auto=add
> authby=secret
> keylife=24h
>
> Cisco Config
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key TEST address 10.0.0.100
> !
> !
> crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
>
> !
> crypto map test 1 ipsec-isakmp
> set peer 10.0.0.100
> set transform-set 3DES-MD5
> set pfs group2
> match address 102
> !
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.0.0.100
> no ip http server
> !
> !
> access-list 23 permit 10.10.10.0 0.0.0.255
> access-list 102 permit ip 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255

- --
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
The good thing about standards is that there are so many
to choose from. -- Andrew S. Tanenbaum

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPiQQYliWUusaxGxpAQFsVgQAhHpPyl3LZCWLdX5NjLY0QwOUR7+w68kq
ojrm0ibLaudMBGuQTNGBm3gM2Oc0mcmZbLLAwpbz5jjM8cypQyfx6GDmmlmlz9iy
h1IxiHAMdwMhy07/1jfIiFWMHjLuP4/2gjCeK2/kZwP70P9ScNytYPsriiY+S71A
qeEXX8uZb40=
=rY/U
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
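The rejection Ken quotes comes from pluto checking the Protocol ID and Port fields of the Phase 1 Identification payload. The small decoder below is an added example, not code from the thread or from FreeS/WAN: it lays the payload out per RFC 2408 section 3.8 and RFC 2407 section 4.6.2 (generic header, then ID type, protocol, port, ID data), rebuilds the 12-byte payload the Cisco debug output describes (next-payload 8, type 1, addr 10.0.0.101, protocol 17, port 0) from those printed fields, and applies the same 0/0-or-17/500 rule that pluto's log message states. The function names and the constructed byte string are mine; the acceptance rule is taken only from the wording of the pluto log line above.

```python
"""Decode an IKEv1/ISAKMP Identification payload and apply the Phase 1
protocol/port rule that FreeS/WAN's pluto enforces.

Payload layout (RFC 2408 section 3.8, with the IPsec DOI fields of
RFC 2407 section 4.6.2), all fields big-endian:

    Next Payload (1) | RESERVED (1)    | Payload Length (2)
    ID Type (1)      | Protocol ID (1) | Port (2)
    Identification Data (variable; 4 bytes for ID_IPV4_ADDR)
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_FMT = "!BBHBBH"                    # generic header + DOI ID fields
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes

ID_IPV4_ADDR = 1          # RFC 2407 section 4.6.2.1 ID type values
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

# (protocol, port) pairs pluto accepts in a Phase 1 ID payload, i.e. "any"
# or UDP/500 (ISAKMP itself), as stated in the log line quoted in the thread.
PHASE1_ALLOWED = {(0, 0), (17, 500)}


@dataclass
class IdPayload:
    next_payload: int
    length: int
    id_type: int
    protocol: int
    port: int
    data: bytes


def build_id_payload(next_payload: int, id_type: int, protocol: int,
                     port: int, data: bytes) -> bytes:
    """Encode an ID payload; Payload Length covers header plus ID data."""
    return struct.pack(HEADER_FMT, next_payload, 0, HEADER_LEN + len(data),
                       id_type, protocol, port) + data


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode one ID payload from the start of buf, validating the length
    field against the bytes actually present before slicing the ID data."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated ID payload header")
    next_payload, _reserved, length, id_type, protocol, port = struct.unpack(
        HEADER_FMT, buf[:HEADER_LEN])
    if length < HEADER_LEN or length > len(buf):
        raise ValueError(f"bad Payload Length {length} for {len(buf)} bytes")
    return IdPayload(next_payload, length, id_type, protocol, port,
                     buf[HEADER_LEN:length])


def id_data_as_text(p: IdPayload) -> str:
    """Render the ID data for the ID types relevant here."""
    if p.id_type == ID_IPV4_ADDR and len(p.data) == 4:
        return str(ipaddress.IPv4Address(p.data))
    if p.id_type in (ID_FQDN, ID_USER_FQDN):
        return p.data.decode("ascii", errors="replace")
    return p.data.hex()


def phase1_id_check(p: IdPayload) -> Optional[str]:
    """Return None if pluto would accept the payload, otherwise the rejection
    message it logs (wording taken from the pluto line in the thread)."""
    if (p.protocol, p.port) in PHASE1_ALLOWED:
        return None
    return ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {p.protocol}/{p.port}")


# Constructed from the Cisco debug output: next-payload 8 (HASH), type 1
# (ID_IPV4_ADDR), addr 10.0.0.101, protocol 17, port 0 -> 12 bytes total,
# matching "Total payload length: 12".
CISCO_ID_BYTES = build_id_payload(8, ID_IPV4_ADDR, 17, 0,
                                  ipaddress.IPv4Address("10.0.0.101").packed)

if __name__ == "__main__":
    p = parse_id_payload(CISCO_ID_BYTES)
    print(f"{len(CISCO_ID_BYTES)} bytes, ID {id_data_as_text(p)}, "
          f"proto/port {p.protocol}/{p.port}")
    print(phase1_id_check(p) or "accepted")
```

Running it reproduces the exact message from the syslog dump, and swapping the port to 500 (or protocol/port to 0/0) makes the same payload pass, which is the whole interoperability gap: the Cisco is putting a UDP-only selector into a Phase 1 identity where stock FreeS/WAN only accepts "any" or UDP/500.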



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET