Old 6th March 2012
sparky
Join Date: Mar 2012
Posts: 73
IPSEC VPN to Cisco ISR - ISAKMP Phase-2 invalid ID

Hi,

This is my first post here, and it actually seems quite a nice place for a mainly *BSD-based forum.


I have been working for the last couple of days trying to learn OpenBSD and create a router/gateway/firewall/VPN system..... from scratch, knowledge-wise at least, in order to build the ultimate Cisco router killer - as they're soooo underpowered (honest opinion, as I am a Cisco fan + qualified engineer).


Ok so after 3 days I got everything working <brag>


But to be serious now, I am having issues interfacing with my Cisco router using IPSEC over GRE.


Basically what I have done is first attempt OpenBSD<->OpenBSD using IPSEC, which worked fine.... routing OSPF over the gre0 interface - very nice, linear and easy.


However, with Cisco I am getting this error:

Code:
020025.953079 Default isakmpd: phase 1 done (as responder): initiator id 192.168.0.1, responder id 192.168.0.2, src: 192.168.0.2 dst: 192.168.0.1
020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0
020025.963708 Default dropped message from 192.168.0.1 port 500 due to notification type INVALID_ID_INFORMATION
020116.068136 Default transport_send_messages: giving up on exchange from-192.168.0.2-to-192.168.0.1, no response from peer 192.168.0.1:500

I ran a "debug crypto isakmp" on the Cisco box, a portion of which gives this information:


Code:
018494: Mar  6 02:02:59.515: ISAKMP:(0):purging SA., sa=8311A39C, delme=8311A39C
018495: Mar  6 02:02:59.515: ISAKMP:(0): SA request profile is (NULL)
018496: Mar  6 02:02:59.515: ISAKMP: Created a peer struct for 192.168.0.2, peer port 500
018497: Mar  6 02:02:59.515: ISAKMP: New peer created peer = 0x82864880 peer_handle = 0x80000574
018498: Mar  6 02:02:59.515: ISAKMP: Locking peer struct 0x82864880, refcount 1 for isakmp_initiator
018499: Mar  6 02:02:59.515: ISAKMP: local port 500, remote port 500
018500: Mar  6 02:02:59.515: ISAKMP: set new node 0 to QM_IDLE      
018501: Mar  6 02:02:59.515: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8236AA08
018502: Mar  6 02:02:59.515: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
018503: Mar  6 02:02:59.515: ISAKMP:(0):found peer pre-shared key matching 192.168.0.2
018504: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
018505: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-07 ID
018506: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-03 ID
018507: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-02 ID
018508: Mar  6 02:02:59.515: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Cisco857W(config)#
018509: Mar  6 02:02:59.515: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

018510: Mar  6 02:02:59.519: ISAKMP:(0): beginning Main Mode exchange
018511: Mar  6 02:02:59.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018512: Mar  6 02:02:59.519: ISAKMP:(0):Sending an IKE IPv4 Packet.
018513: Mar  6 02:02:59.839: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
Cisco857W(config)#
018514: Mar  6 02:03:08.851: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
018515: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
018516: Mar  6 02:03:09.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
018517: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
018518: Mar  6 02:03:09.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018519: Mar  6 02:03:09.519: ISAKMP:(0):Sending an IKE IPv4 Packet.

Nothing useful is really shown in the above Cisco debug.


From the more useful OpenBSD logs and debug information, and even the initial stages of the Cisco debug routine, it seems that ISAKMP Phase-1 is completing without any issues.


I can't figure Phase-2 out though, and have tried everything in order to change the ID given by the Cisco or change the way IPSEC on OpenBSD handles that information.


This is the Cisco config for the site-to-site VPN, which works Cisco<->Cisco without any problems or issues:

Crypto information:

Code:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac 
!
crypto ipsec profile geo-sync-profile-01
 set transform-set geo-sync-set-01 
!
!
crypto map geo-sync-01 10 ipsec-isakmp 
 set peer 192.168.0.2
 set transform-set geo-sync-set-01 
 match address 101

Tunnel0 interface:

Code:
interface Tunnel0
 bandwidth 1000000
 ip address 10.255.255.102 255.255.255.252
 ip accounting output-packets
 ip accounting access-violations
 ip rip send version 2
 ip rip receive version 2
 tunnel source BVI2
 tunnel destination 192.168.0.2
 tunnel mode ipsec ipv4
 tunnel flow egress-records
 tunnel protection ipsec profile geo-sync-profile-01

Bridge Virtual Interface:

Code:
interface BVI2
 description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip rip send version 2
 ip rip receive version 2
 no ip virtual-reassembly
 no ip route-cache
 crypto map geo-sync-01

Access List 101:

Code:
access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1

This is what I have in /etc/ipsec.conf on OpenBSD:

Code:
ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des srcid 192.168.0.2 dstid 192.168.0.1 psk "secret"

I wasn't quite sure if I needed to add another line defining the Tunnel interface in the ipsec.conf file, as my BSD to BSD definition is as follows:


Code:
ike esp transport from 192.168.0.2 to 192.168.0.3

so I attempted with this line:


Code:
#ike esp transport from 10.255.255.101/30 to 10.255.255.102/30 peer 192.168.0.1

but then, as can be seen, commented it out due to the /etc/hostname.gre1 file containing:

Code:
10.255.255.101 10.255.255.102 netmask 255.255.255.252 link0 up
tunnel 192.168.0.2 192.168.0.1

As I'm still quite unfamiliar with OpenBSD and using a Cisco IOS mentality a lot of the time, I am pretty sure that I've either misunderstood/misinterpreted the documentation or don't know about some other way to initiate compatibility between both systems.


The reason for the IP addresses being local is basically that OpenBSD is set up on VirtualBox with a bridged interface to my notebook's NIC, as this is a test bed, so WAN IP addresses are not really important at this stage!


Can anyone give me a hand??

I'd really appreciate any kind of advice or help, as I've been racking my brain trying to figure this thing out, constantly reading the man pages and trying to Google the errors but with no luck.... and additionally (don't know why) OpenBSD howto guides don't seem to work as well as FreeBSD, Linux or Solaris ones. Actually they don't work, period, as I've attempted to analyze other people's claims and configs too......

What happened to good old: dummies guide to LAMP


Anyway, thanks for any responses in advance.
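The isakmpd line above says the peer proposed 0.0.0.0/0.0.0.0 for both phase 2 IDs, while the ike rule in /etc/ipsec.conf describes a host-to-host flow. The following script is an added check (my own, not from the post or from OpenBSD) that parses both lines and reports whether the quick-mode IDs the peer proposed match the configured flow. It assumes OpenBSD is the responder, so the peer's initiator ID is compared with the rule's "to" endpoint and the responder ID with its "from" endpoint; the sample lines are copied from the post.

```python
import ipaddress
import re

# Constructed sample input: the isakmpd error line and the ike rule quoted in the post.
ISAKMPD_LINE = ("020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
                "phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0")
IPSEC_CONF_LINE = ("ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 main auth hmac-md5 "
                   "enc 3des group modp1536 quick auth hmac-md5 enc 3des")

_ID_RE = re.compile(r"phase 2 IDs: initiator id (\S+), responder id (\S+)")
_FLOW_RE = re.compile(r"\bfrom (\S+) to (\S+)")


def id_to_network(text):
    """isakmpd logs phase 2 IDs as addr/netmask; a bare address means a single host."""
    if "/" in text:
        addr, mask = text.split("/", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(text)  # implies /32 (or /128)


def parse_peer_phase2_ids(log_line):
    """Return (initiator_net, responder_net) from an 'invalid phase 2 IDs' line, else None."""
    m = _ID_RE.search(log_line)
    if not m:
        return None
    return id_to_network(m.group(1)), id_to_network(m.group(2))


def parse_flow(conf_line):
    """Return (local_net, remote_net) from the 'from X to Y' part of an ike rule."""
    m = _FLOW_RE.search(conf_line)
    if not m:
        raise ValueError("no 'from ... to ...' flow found in rule")
    return id_to_network(m.group(1)), id_to_network(m.group(2))


def check_phase2_selectors(log_line, conf_line):
    """Compare the peer's proposed IDs with the configured flow, OpenBSD being the responder."""
    ids = parse_peer_phase2_ids(log_line)
    if ids is None:
        return {"parsed": False}
    peer_init, peer_resp = ids
    local, remote = parse_flow(conf_line)
    return {
        "parsed": True,
        "initiator_matches": peer_init == remote,  # peer's side vs our 'to' endpoint
        "responder_matches": peer_resp == local,   # what peer claims for us vs our 'from'
        "peer_proposed": (str(peer_init), str(peer_resp)),
        "configured": (str(remote), str(local)),
    }


if __name__ == "__main__":
    print(check_phase2_selectors(ISAKMPD_LINE, IPSEC_CONF_LINE))
```

Run against the lines in the post it reports both IDs as mismatched (any-to-any proposed against 192.168.0.1/32 and 192.168.0.2/32 configured), which is the condition behind the INVALID_ID_INFORMATION notification.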