IPSEC VPN to Cisco ISR - ISAKMP Phase-2 invalid ID
This is my first posting here, and it actually seems quite a nice place for a mainly *BSD-based forum.
I have been working for the last couple of days trying to learn OpenBSD and create a router/gateway/firewall/VPN system..... from scratch, knowledge-wise at least, in order to build the ultimate Cisco router killer - as they're soooo underpowered (honest opinion, as I am a Cisco fan + qualified engineer).
OK, so after 3 days I got everything working <brag>
But to be serious now, I am having issues interfacing with my Cisco router using IPSEC over GRE.
Basically, what I have done is first attempt OpenBSD<->OpenBSD using IPSEC, which worked fine.... routing OSPF over the gre0 interface - very nice, linear and easy.
However, with Cisco I am getting this error:
020025.953079 Default isakmpd: phase 1 done (as responder): initiator id 192.168.0.1, responder id 192.168.0.2, src: 192.168.0.2 dst: 192.168.0.1
020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0
020025.963708 Default dropped message from 192.168.0.1 port 500 due to notification type INVALID_ID_INFORMATION
020116.068136 Default transport_send_messages: giving up on exchange from-192.168.0.2-to-192.168.0.1, no response from peer 192.168.0.1:500
I ran debug crypto isakmp on the Cisco box, a portion of which gives this information:
018494: Mar 6 02:02:59.515: ISAKMP:(0):purging SA., sa=8311A39C, delme=8311A39C
018495: Mar 6 02:02:59.515: ISAKMP:(0): SA request profile is (NULL)
018496: Mar 6 02:02:59.515: ISAKMP: Created a peer struct for 192.168.0.2, peer port 500
018497: Mar 6 02:02:59.515: ISAKMP: New peer created peer = 0x82864880 peer_handle = 0x80000574
018498: Mar 6 02:02:59.515: ISAKMP: Locking peer struct 0x82864880, refcount 1 for isakmp_initiator
018499: Mar 6 02:02:59.515: ISAKMP: local port 500, remote port 500
018500: Mar 6 02:02:59.515: ISAKMP: set new node 0 to QM_IDLE
018501: Mar 6 02:02:59.515: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8236AA08
018502: Mar 6 02:02:59.515: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
018503: Mar 6 02:02:59.515: ISAKMP:(0):found peer pre-shared key matching 192.168.0.2
018504: Mar 6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
018505: Mar 6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-07 ID
018506: Mar 6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-03 ID
018507: Mar 6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-02 ID
018508: Mar 6 02:02:59.515: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Cisco857W(config)#
018509: Mar 6 02:02:59.515: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
018510: Mar 6 02:02:59.519: ISAKMP:(0): beginning Main Mode exchange
018511: Mar 6 02:02:59.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018512: Mar 6 02:02:59.519: ISAKMP:(0):Sending an IKE IPv4 Packet.
018513: Mar 6 02:02:59.839: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
Cisco857W(config)#
018514: Mar 6 02:03:08.851: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
018515: Mar 6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
018516: Mar 6 02:03:09.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
018517: Mar 6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
018518: Mar 6 02:03:09.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018519: Mar 6 02:03:09.519: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nothing useful is really shown in the above Cisco debug.
From the more useful OpenBSD logs and debug information, and even the initial stages of the Cisco debug routine, it seems that ISAKMP Phase-1 is completing without any issues.
I can't figure Phase-2 out though, and have tried everything in order to change the ID given by the Cisco or change the way IPSEC on OpenBSD handles that information.
This is the Cisco config for the site-to-site VPN, which works Cisco<->Cisco without any problems or issues:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac
!
crypto ipsec profile geo-sync-profile-01
 set transform-set geo-sync-set-01
!
!
crypto map geo-sync-01 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set geo-sync-set-01
 match address 101

interface Tunnel0
 bandwidth 1000000
 ip address 10.255.255.102 255.255.255.252
 ip accounting output-packets
 ip accounting access-violations
 ip rip send version 2
 ip rip receive version 2
 tunnel source BVI2
 tunnel destination 192.168.0.2
 tunnel mode ipsec ipv4
 tunnel flow egress-records
 tunnel protection ipsec profile geo-sync-profile-01
Bridge Virtual Interface:
interface BVI2
 description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip rip send version 2
 ip rip receive version 2
 no ip virtual-reassembly
 no ip route-cache
 crypto map geo-sync-01

access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1
This is what I have in /etc/ipsec.conf on OpenBSD:
ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des srcid 192.168.0.2 dstid 192.168.0.1 psk "secret"
I wasn't quite sure if I needed to add another line defining the Tunnel interface in the ipsec.conf file, as my BSD-to-BSD definition is as follows:
ike esp transport from 192.168.0.2 to 192.168.0.3
#ike esp transport from 10.255.255.101/30 to 10.255.255.102/30 peer 192.168.0.1
10.255.255.101 10.255.255.102 netmask 255.255.255.252 link0 up tunnel 192.168.0.2 192.168.0.1
As I'm still quite unfamiliar with OpenBSD and am using a Cisco IOS mentality a lot of the time, I am pretty sure that I've either misunderstood/misinterpreted the documentation or don't know about some other way to initiate compatibility between both systems.
The reason for the IP addresses being local is basically that OpenBSD is set up on VirtualBox with a bridged interface to my notebook's NIC; as this is a test bed, WAN IP addresses are not really important at this stage!
Can anyone give me a hand??
I'd really appreciate any kind of advice or help, as I've been racking my brain trying to figure this thing out, constantly reading the man pages and trying to Google the errors, but with no luck.... and additionally (I don't know why) OpenBSD how-to guides don't seem to work as well as the FreeBSD, Linux or Solaris ones. Actually, they don't work, period, as I've attempted to analyze other people's claims and configs too......
What happened to the good old "Dummies Guide to LAMP"?
Anyway, thanks for any responses in advance.
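The INVALID_ID_INFORMATION log line and the ipsec.conf flow quoted above can be checked against each other mechanically. The Python below is an added diagnostic example, not code from the original post or from isakmpd: it parses the phase 2 IDs out of the quoted isakmpd log line, parses the flow from the quoted "ike esp from ... to ..." rule, and reports whether the peer's proposal matches the locally configured flow exactly or is wider than it (an ID of 0.0.0.0/0.0.0.0 covers every address). The sample inputs are copied from the post.

```python
import ipaddress
import re

# Sample inputs, copied from the isakmpd log line and the ipsec.conf rule quoted in the post.
ISAKMPD_LOG = ("020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
               "phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0")
IPSEC_CONF = ("ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 "
              "main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des "
              'srcid 192.168.0.2 dstid 192.168.0.1 psk "secret"')

ID_RE = re.compile(r"initiator id ([0-9./]+), responder id ([0-9./]+)")
FLOW_RE = re.compile(r"^ike\s+esp\s+(?:transport\s+|tunnel\s+)?from\s+([0-9./]+)\s+to\s+([0-9./]+)")


def to_network(text):
    """Accept 'addr/netmask' (isakmpd style), 'addr/prefixlen' or a bare host address."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    return ipaddress.ip_network(text + "/32")


def parse_proposed_ids(log_line):
    """Return (initiator_id, responder_id) networks from an isakmpd phase 2 ID message."""
    m = ID_RE.search(log_line)
    return (to_network(m.group(1)), to_network(m.group(2))) if m else None


def parse_flow(conf_line):
    """Return (from_net, to_net) for an 'ike esp from X to Y ...' ipsec.conf rule."""
    m = FLOW_RE.match(conf_line.strip())
    return (to_network(m.group(1)), to_network(m.group(2))) if m else None


def compare_phase2_ids(conf_line, log_line):
    """Compare what the peer proposed with the flow isakmpd was configured to accept.

    OpenBSD is the responder in this exchange, so the peer's initiator id describes the
    peer's side (the local rule's 'to') and the responder id describes our side ('from')."""
    local_from, local_to = parse_flow(conf_line)
    peer_init, peer_resp = parse_proposed_ids(log_line)
    exact = peer_init == local_to and peer_resp == local_from
    wider = (not exact and peer_init.supernet_of(local_to)
             and peer_resp.supernet_of(local_from))
    return {"local_flow": (str(local_from), str(local_to)),
            "peer_proposal": (str(peer_init), str(peer_resp)),
            "exact_match": exact,
            "peer_wider_than_local": wider}


if __name__ == "__main__":
    for key, value in compare_phase2_ids(IPSEC_CONF, ISAKMPD_LOG).items():
        print(f"{key}: {value}")
```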