6th March 2012, posted by sparky

IPSEC VPN to Cisco ISR - ISAKMP Phase-2 invalid ID


This is my first posting here, and it actually seems quite a nice place for a mainly *BSD-based forum.

I have been working for the last couple of days trying to learn OpenBSD and create a router/gateway/firewall/VPN system..... from scratch, knowledge-wise at least, in order to build the ultimate Cisco router killer - as they're soooo underpowered (honest opinion, as I am a Cisco fan + qualified engineer).

Ok so after 3 days I got everything working <brag>

But to be serious now, I am having issues interfacing with my Cisco router using IPSEC over GRE.

Basically what I have done is first attempt OpenBSD<->OpenBSD using IPSEC, which worked fine.... routing OSPF over the gre0 interface - very nice, linear and easy.

However, with Cisco I am getting this as error:

020025.953079 Default isakmpd: phase 1 done (as responder): initiator id, responder id, src: dst:
020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id, responder id
020025.963708 Default dropped message from port 500 due to notification type INVALID_ID_INFORMATION
020116.068136 Default transport_send_messages: giving up on exchange from-, no response from peer

I ran a "debug crypto isakmp" on the Cisco box, which (to show a portion of it) gives this information:

018494: Mar  6 02:02:59.515: ISAKMP:(0):purging SA., sa=8311A39C, delme=8311A39C
018495: Mar  6 02:02:59.515: ISAKMP:(0): SA request profile is (NULL)
018496: Mar  6 02:02:59.515: ISAKMP: Created a peer struct for, peer port 500
018497: Mar  6 02:02:59.515: ISAKMP: New peer created peer = 0x82864880 peer_handle = 0x80000574
018498: Mar  6 02:02:59.515: ISAKMP: Locking peer struct 0x82864880, refcount 1 for isakmp_initiator
018499: Mar  6 02:02:59.515: ISAKMP: local port 500, remote port 500
018500: Mar  6 02:02:59.515: ISAKMP: set new node 0 to QM_IDLE      
018501: Mar  6 02:02:59.515: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8236AA08
018502: Mar  6 02:02:59.515: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
018503: Mar  6 02:02:59.515: ISAKMP:(0):found peer pre-shared key matching
018504: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
018505: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-07 ID
018506: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-03 ID
018507: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-02 ID
018508: Mar  6 02:02:59.515: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
018509: Mar  6 02:02:59.515: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

018510: Mar  6 02:02:59.519: ISAKMP:(0): beginning Main Mode exchange
018511: Mar  6 02:02:59.519: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
018512: Mar  6 02:02:59.519: ISAKMP:(0):Sending an IKE IPv4 Packet.
018513: Mar  6 02:02:59.839: ISAKMP (0:2620): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
018514: Mar  6 02:03:08.851: ISAKMP (0:2620): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
018515: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
018516: Mar  6 02:03:09.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
018517: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
018518: Mar  6 02:03:09.519: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
018519: Mar  6 02:03:09.519: ISAKMP:(0):Sending an IKE IPv4 Packet.

Nothing useful is really shown in the above Cisco debug.

From the more useful OpenBSD logs and debug information, and even the initial stages of the Cisco debug routine, it seems that ISAKMP Phase-1 is completing without any issues.

I can't figure Phase-2 out though, and have tried everything in order to change the ID given by the Cisco or change the way IPSEC on OpenBSD handles that information.

This is the Cisco config for the site-to-site VPN, which works Cisco<->Cisco without any problems or issues:

Crypto information:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secret address
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac 
crypto ipsec profile geo-sync-profile-01
 set transform-set geo-sync-set-01 
crypto map geo-sync-01 10 ipsec-isakmp 
 set peer
 set transform-set geo-sync-set-01 
 match address 101

Tunnel0 interface:

interface Tunnel0
 bandwidth 1000000
 ip address
 ip accounting output-packets
 ip accounting access-violations
 ip rip send version 2
 ip rip receive version 2
 tunnel source BVI2
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel flow egress-records
 tunnel protection ipsec profile geo-sync-profile-01

Bridge Virtual Interface:

interface BVI2
 description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
 ip address
 ip nat inside
 ip rip send version 2
 ip rip receive version 2
 no ip virtual-reassembly
 no ip route-cache
 crypto map geo-sync-01

Access List 101:

access-list 101 permit udp any host eq isakmp
access-list 101 permit esp any host
access-list 101 permit gre host host
access-list 101 permit gre any host

This is what I have in /etc/ipsec.conf on OpenBSD:

ike esp from to peer main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des srcid dstid psk "secret"

I wasn't quite sure if I needed to add another line defining the Tunnel interface in the ipsec.conf file, as my BSD-to-BSD definition is as follows:

ike esp transport from to

so I attempted with this line:

#ike esp transport from to peer

but then, as can be seen, commented it out due to the /etc/hostname.gre1 file containing:

netmask link0 up

As I'm still quite unfamiliar with OpenBSD and using a Cisco IOS mentality a lot of the time, I am pretty sure that I've either misunderstood/misinterpreted the documentation or don't know about some other way to initiate compatibility between both systems.

The reason for the IP addresses being local is basically that OpenBSD is set up on VirtualBox with a bridged interface to my notebook's NIC, as this is a test bed, so WAN IP addresses are not really important at this stage!

Can anyone give me a hand??

I'd really appreciate any kind of advice or help, as I've been racking my brain trying to figure this thing out, constantly reading the man pages and trying to Google the errors, but with no luck.... and additionally (don't know why) OpenBSD howto guides don't seem to work as well as FreeBSD, Linux or Solaris ones. Actually they don't work, period, as I've attempted to try to analyze other people's claims and configs too......

What happened to the good old "dummies guide to LAMP"?

Anyway, thanks for any responses in advance.
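The added example below is not part of sparky's post and is not isakmpd's own code. It is a small Python triage helper for the failure shown in the log above: it reads isakmpd daemon-log lines of the shape quoted in the post, reports whether phase 1 completed and whether phase 2 was rejected with INVALID_ID_INFORMATION, and checks the peer's proposed phase-2 IDs against the "from/to" flows configured in ipsec.conf. The sample log text and all addresses (RFC 5737 test ranges) are constructed, since the post's copy has the real ones stripped out, and the rule that a proposal must equal a configured flow exactly is this example's assumption about isakmpd's responder check, not a quote from its source.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the three isakmpd lines quoted in the post, with made-up
# RFC 5737 addresses filled in where the post's copy has them stripped out.
SAMPLE_LOG = (
    "020025.953079 Default isakmpd: phase 1 done (as responder): "
    "initiator id 192.0.2.1, responder id 198.51.100.1, src: 192.0.2.1 dst: 198.51.100.1\n"
    "020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
    "phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0\n"
    "020025.963708 Default dropped message from 192.0.2.1 port 500 due to "
    "notification type INVALID_ID_INFORMATION\n"
)

PHASE1_RE = re.compile(r"phase 1 done \(as (initiator|responder)\)")
PHASE2_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
NOTIFY_RE = re.compile(r"notification type ([A-Z_]+)")


@dataclass
class Verdict:
    phase1_done: bool = False
    role: Optional[str] = None
    phase2_rejected: bool = False
    proposed_initiator_id: Optional[str] = None
    proposed_responder_id: Optional[str] = None
    notification: Optional[str] = None


def parse_isakmpd_log(text: str) -> Verdict:
    """Pull the phase-1 / phase-2 outcome out of isakmpd daemon-log lines."""
    v = Verdict()
    for line in text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            v.phase1_done, v.role = True, m.group(1)
        m = PHASE2_RE.search(line)
        if m:
            v.phase2_rejected = True
            # Drop any trailing punctuation left after the ID text.
            v.proposed_initiator_id = m.group(1).rstrip(",.")
            v.proposed_responder_id = m.group(2).rstrip(",.")
        m = NOTIFY_RE.search(line)
        if m:
            v.notification = m.group(1)
    return v


@dataclass
class Flow:
    """One 'ike esp from LOCAL to REMOTE [proto P]' rule from ipsec.conf."""
    local: str
    remote: str
    proto: str = "any"


def id_to_network(id_text: str) -> ipaddress.IPv4Network:
    """Map an IPv4 ID (host address, prefix, or addr/netmask) to a network."""
    return ipaddress.ip_network(id_text, strict=False)


def flow_accepts(flow: Flow, initiator_id: str, responder_id: str,
                 proto: str = "any") -> bool:
    """Responder-side check: the initiator's ID must equal our remote ('to')
    network, the responder's ID our local ('from') network, and the protocol
    selector must agree. Exact equality, with no subset matching, is this
    example's assumption about isakmpd, not a quote from its source."""
    return (id_to_network(initiator_id) == id_to_network(flow.remote)
            and id_to_network(responder_id) == id_to_network(flow.local)
            and proto == flow.proto)


def triage(text: str, flows: List[Flow]) -> List[str]:
    """Summarise what the log says and test the peer's IDs against our flows."""
    v = parse_isakmpd_log(text)
    notes = ["phase 1: " + ("done as %s" % v.role if v.phase1_done else "not completed")]
    if v.phase2_rejected:
        ok = [f for f in flows
              if flow_accepts(f, v.proposed_initiator_id, v.proposed_responder_id)]
        outcome = ("matches a configured flow" if ok
                   else "matches none of %d configured flow(s)" % len(flows))
        notes.append("phase 2: peer proposed %s <-> %s; %s"
                     % (v.proposed_initiator_id, v.proposed_responder_id, outcome))
    if v.notification:
        notes.append("notification sent: " + v.notification)
    return notes


if __name__ == "__main__":
    # Constructed flow standing in for the post's 'ike esp from ... to ...' rule.
    for note in triage(SAMPLE_LOG, [Flow("198.51.100.0/24", "192.0.2.0/24")]):
        print(note)
```

Run against a real /var/log/daemon the helper only tells you which side's view of the flow disagrees; the configured flows still have to be typed in by hand from ipsec.conf, and a match failure on an any/any (0.0.0.0/0) proposal simply means the local rule set contains no such flow.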