0 Replies Latest reply: Jan 15, 2012 7:31 PM by 910877

    Problem with IPsec tunnel

    910877
      I have an issue connecting to a Cisco PIX.

      Dump from IKE:

      # /usr/lib/inet/in.iked -f /etc/inet/ike/config -d
      Jan 16 00:40:57: 2012 (+0800) *** in.iked started ***
      Jan 16 00:40:57: Loading configuration...
      Jan 16 00:40:57: Checking lifetimes in "nullrule"
      Jan 16 00:40:57: Using default value for p2 lifetime: 28800 seconds.
      Jan 16 00:40:57: p2 softlife too small.
      Jan 16 00:40:57: Using default value for p2 soft lifetime: 25920 seconds.
      Jan 16 00:40:57: Using default value for p2 idle lifetime: 14400 seconds.
      Jan 16 00:40:57: Using default value for p2 byte lifetime: 134217728 kb
      Jan 16 00:40:57: Using default value for p2 soft byte lifetime: 120795955 kb
      Jan 16 00:40:57: Checking lifetimes in "myvpn"
      Jan 16 00:40:57: Adding rule "myvpn" to IKE configuration;
      Jan 16 00:40:57: mode 256 (any), cookie 6, slot 0; total rules 1
      Jan 16 00:40:57: Configuration update succeeded! Updating active databases.
      Jan 16 00:40:57: Configuration ok.
      Jan 16 00:40:57: Loading preshared keys...
      Jan 16 00:40:57: Unique instance of in.iked started.
      Jan 16 00:40:57: Adding certificates...
      Jan 16 00:40:57: 0 certificates successfully added
      Jan 16 00:40:57: Adding private keys...
      Jan 16 00:40:57: 0 private keys successfully added.
      Jan 16 00:40:57: Skipping lo0 address 127.0.0.1
      Jan 16 00:40:57: Adding bnx0 address xxx.xxx.44.239 to in.iked service list...
      Jan 16 00:40:57: Adding entry #1; IP address = xxx.xxx.44.239, interface = bnx0.
      Jan 16 00:40:57: Now 1 addresses being serviced.
      Jan 16 00:40:57: Adding bnx0:1 address xxx.xxx.44.245 to in.iked service list...
      Jan 16 00:40:57: Adding entry #2; IP address = xxx.xxx.44.245, interface = bnx0:1.
      Jan 16 00:40:57: Now 2 addresses being serviced.
      Jan 16 00:40:57: Adding bnx0:2 address 10.1.1.239 to in.iked service list...
      Jan 16 00:40:57: Adding entry #3; IP address = 10.1.1.239, interface = bnx0:2.
      Jan 16 00:40:57: Now 3 addresses being serviced.
      Jan 16 00:40:57: Adding ip.tun0 address xxx.xxx.44.245 to in.iked service list...
      Jan 16 00:40:57: Address already exists: now 2 users
      Jan 16 00:40:57: Initializing PF_KEY socket...
      Jan 16 00:40:57: ESP initial REGISTER with SADB...
      Jan 16 00:40:57: Handling SADB register message from kernel...
      Jan 16 00:40:57: AH initial REGISTER with SADB...
      Jan 16 00:40:57: Handling SADB register message from kernel...


      Jan 16 00:41:16: Handling data on PF_KEY socket:
      SADB msg: message type 6 (ACQUIRE), SA type 0 (UNSPEC),
      pid 0, sequence number 4294963042,
      error code 0 (Error 0), diag code 0 (No diagnostic), length 25
      Jan 16 00:41:16: Inner addresses present,
      Jan 16 00:41:16: Doing ACQUIRE....
      Jan 16 00:41:16: Trying to get Phase 1 (by itself)...
      Jan 16 00:41:16: Looking for an existing Phase 1 SA...
      Jan 16 00:41:16: Searching rulebase for src = xxx.xxx.44.239[0]
      Jan 16 00:41:16: dst = xxx.xxx.11.24[0]
      Jan 16 00:41:16: Examining rule list.
      Jan 16 00:41:16: rule 'myvpn' 0x6;
      Jan 16 00:41:16: local addr xxx.xxx.44.239[2824];
      Jan 16 00:41:16: remote addr xxx.xxx.11.24[2824]
      Jan 16 00:41:16: [basic match]
      Jan 16 00:41:16: Selected rule: 'myvpn'

      Jan 16 00:41:16: Updating p2_lifetime to 28800 seconds.
      Jan 16 00:41:16: Checking lifetimes in "myvpn"
      Jan 16 00:41:16: Starting Phase 1 negotiation...
      Jan 16 00:41:16: Constructing local identity payload...
      Jan 16 00:41:16: Local ID type: ipv4(any:0,[0..3]=xxx.xxx.44.239)
      Jan 16 00:41:16: Constructing Phase 1 Transforms:
      Our Proposal:
      Rule: "myvpn" ; transform 0
      auth_method = 1 (Pre-shared)
      hash_alg = 1 (md5)
      encr_alg = 5 (3des-cbc)
      oakley_group = 2
      Jan 16 00:41:16: Phase 1 exchange type=2 (IP), 1 transform(s).
      Jan 16 00:41:16: Looking for xxx.xxx.44.239[0] in IKE daemon context...
      Jan 16 00:41:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)
      Jan 16 00:41:16: New Phase 1 negotiation!
      Jan 16 00:41:16: Waiting for IKE results.
      Jan 16 00:41:16: IKE library: Using default remote port for NAT-T, if active.
      Jan 16 00:41:16: Determining P1 nonce data length.
      Jan 16 00:41:16: NAT-T state 0 (INIT)
      Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
      Jan 16 00:41:17: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
      Jan 16 00:41:17: Vendor ID from peer:
      Jan 16 00:41:17: 0x09002689dfd6b712
      Jan 16 00:41:17: XAUTH
      Jan 16 00:41:17: Vendor ID from peer:
      Jan 16 00:41:17: 0xafcad71368a1f1c96b8696fc77570100
      Jan 16 00:41:17: Detecting Dead IKE Peers (RFC 3706)
      Jan 16 00:41:17: Using Dead Peer Detection (RFC 3706)
      Jan 16 00:41:17: Vendor ID from peer:
      Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
      Jan 16 00:41:17: Cisco-Unity
      Jan 16 00:41:17: Vendor ID from peer:
      Jan 16 00:41:17: 0x1bbeeea30f37d3ccd73e1cd102c84809
      Jan 16 00:41:17: Could not find VID description
      Jan 16 00:41:17: Finding preshared key...
      Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
      Jan 16 00:41:17: Finishing P1 negotiation: NAT-T state -1 (NEVER)
      Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
      Jan 16 00:41:17: Phase 1 negotiation done.
      Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
      Jan 16 00:41:17: Tunnel mode [ACQUIRE]
      Jan 16 00:41:17: PF_KEY message contents:
      Timestamp: Mon Jan 16 00:41:17 2012
      Base message (version 2) type ACQUIRE, SA type <unspecified/all>.
      Message length 200 bytes, seq=4294963042, pid=0.
      INS: Inner source address (proto=0)
      INS: AF_INET: port 0, 0.0.0.0.
      IND: Inner destination address (proto=0)
      IND: AF_INET: port 0, 0.0.0.0.
      SRC: Source address (proto=4)
      SRC: AF_INET: port 0, xxx.xxx.44.239.
      DST: Destination address (proto=4)
      DST: AF_INET: port 0, xxx.xxx.11.24.
      EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
      EPR: Extended combination #1:
      EPR: HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
      EPR: SOFT: alloc=0, bytes=0, post-add secs=24000, post-use secs=0
      EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
      EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
      Jan 16 00:41:17: Allocating SPI for Phase 2.
      Jan 16 00:41:17: SADB GETSPI type == "ah"
      Jan 16 00:41:17: local xxx.xxx.44.239[0]
      Jan 16 00:41:17: remote xxx.xxx.11.24[0]
      Jan 16 00:41:17: PF_KEY request:
      queueing sequence number 5, message type 1 (GETSPI),
      SA type 2 (AH)
      Jan 16 00:41:17: PF_KEY transmit request:
      posting sequence number 5, message type 1 (GETSPI),
      SA type 2 (AH)
      Jan 16 00:41:17: Handling data on PF_KEY socket:
      SADB msg: message type 1 (GETSPI), SA type 2 (AH),
      pid 2978, sequence number 5,
      error code 0 (Error 0), diag code 0 (No diagnostic), length 10
      Jan 16 00:41:17: SADB message reply handler:
      got sequence number 5, message type 1 (GETSPI),
      SA type 2 (AH)
      Jan 16 00:41:17: Allocating SPI for Phase 2.
      Jan 16 00:41:17: SADB GETSPI type == "esp"
      Jan 16 00:41:17: local xxx.xxx.44.239[0]
      Jan 16 00:41:17: remote xxx.xxx.11.24[0]
      Jan 16 00:41:17: PF_KEY request:
      queueing sequence number 6, message type 1 (GETSPI),
      SA type 3 (ESP)
      Jan 16 00:41:17: PF_KEY transmit request:
      posting sequence number 6, message type 1 (GETSPI),
      SA type 3 (ESP)
      Jan 16 00:41:17: Handling data on PF_KEY socket:
      SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
      pid 2978, sequence number 6,
      error code 0 (Error 0), diag code 0 (No diagnostic), length 10
      Jan 16 00:41:17: SADB message reply handler:
      got sequence number 6, message type 1 (GETSPI),
      SA type 3 (ESP)
      Jan 16 00:41:17: Allocating SPI for Phase 2.
      Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
      Jan 16 00:41:17: Starting Phase 2 negotiation...
      Jan 16 00:41:17: Setting QM nonce data length to 32 bytes.
      Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
      Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
      Jan 16 00:41:17: Policy Manager phase 1 info not found! (message type 10 (Invalid protocol ID))
      Jan 16 00:41:17: Notifying library that P2 SA is freed.
      Jan 16 00:41:17: Local IP = xxx.xxx.44.239, Remote IP = xxx.xxx.11.24,


      Is this caused by a protocol mismatch?

      Edited by: 907874 on Jan 16, 2012 9:30 AM
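Added example (not part of the original post and not Solaris or Cisco code): a small Python summariser for `in.iked -d` output that pulls out the Phase 1 transform, the Phase 2 algorithms per IPsec protocol (AH, ESP) and any "IKE error" notification, and reports in which phase the failure occurred. The sample log is a constructed excerpt of the trace quoted above, with the same masked addresses; the function and field names (`parse_iked_log`, `diagnose`, `IkeSummary`) are assumptions of this example. It does not decide what the PIX accepts; it only surfaces the proposed protocol set so it can be compared with the peer's transform set.

```python
"""Summarise a Solaris in.iked debug trace: which proposal was sent,
whether Phase 1 completed, and where the negotiation failed."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the in.iked -d output quoted in the post.
SAMPLE_LOG = """\
Jan 16 00:41:16: Selected rule: 'myvpn'
Jan 16 00:41:16: Constructing Phase 1 Transforms:
Our Proposal:
Rule: "myvpn" ; transform 0
auth_method = 1 (Pre-shared)
hash_alg = 1 (md5)
encr_alg = 5 (3des-cbc)
oakley_group = 2
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
Jan 16 00:41:17: Tunnel mode [ACQUIRE]
SRC: AF_INET: port 0, xxx.xxx.44.239.
DST: AF_INET: port 0, xxx.xxx.11.24.
EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
EPR: Extended combination #1:
EPR: HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Notifying library that P2 SA is freed.
"""

# "Jan 16 00:41:17: " prefix that in.iked puts on most lines.
TS_RE = re.compile(r"^\w{3} \d{1,2} \d\d:\d\d:\d\d: ")
# Phase 1 transform attributes, e.g. "encr_alg = 5 (3des-cbc)" or "oakley_group = 2".
P1_RE = re.compile(r"^(auth_method|hash_alg|encr_alg|oakley_group) = (\d+)(?: \(([^)]*)\))?$")
# Phase 2 extended-proposal algorithms, one line per (protocol, algorithm).
EPR_RE = re.compile(r"^EPR: Alg #\d+ for (AH|ESP) \w+ = (\S+) minbits=(\d+), maxbits=(\d+)\.$")
# ISAKMP notification reported by the IKE library, e.g. type 10 (Invalid protocol ID).
ERR_RE = re.compile(r"IKE error: type (\d+) \(([^)]*)\)")


@dataclass
class IkeSummary:
    phase1: dict = field(default_factory=dict)       # attribute -> description (or number)
    phase2_algs: dict = field(default_factory=dict)  # "AH"/"ESP" -> ["alg/minbits-maxbits", ...]
    phase1_done: bool = False
    errors: list = field(default_factory=list)       # (phase, notify type, description)


def parse_iked_log(text):
    """Walk the trace once, tracking which phase is active when an error appears."""
    s = IkeSummary()
    phase = 1
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        m = P1_RE.match(line)
        if m:
            name, num, desc = m.groups()
            s.phase1[name] = desc if desc else num
            continue
        m = EPR_RE.match(line)
        if m:
            proto, alg, minb, maxb = m.groups()
            s.phase2_algs.setdefault(proto, []).append(f"{alg}/{minb}-{maxb}")
            continue
        if line == "Phase 1 negotiation done.":
            s.phase1_done = True
        elif line.startswith("Starting Phase 2 negotiation"):
            phase = 2
        m = ERR_RE.search(line)
        if m:
            s.errors.append((phase, int(m.group(1)), m.group(2)))
    return s


def diagnose(s):
    """Human-readable summary; states what was proposed and where it failed."""
    out = ["Phase 1: " + ", ".join(f"{k}={v}" for k, v in s.phase1.items())
           + (" (completed)" if s.phase1_done else " (not completed)")]
    protos = sorted(s.phase2_algs)
    out.append("Phase 2 protocols proposed: " + (" + ".join(protos) if protos else "none"))
    for proto in protos:
        out.append(f"  {proto}: {', '.join(s.phase2_algs[proto])}")
    for ph, typ, desc in s.errors:
        out.append(f"Phase {ph} failed with peer notification type {typ} ({desc})")
    if any(ph == 2 and typ == 10 for ph, typ, _ in s.errors):
        out.append("Peer rejected a protocol ID in the quick-mode proposal: compare the "
                   "AH/ESP set above with the protocols the peer's transform set accepts.")
    return "\n".join(out)


if __name__ == "__main__":
    print(diagnose(parse_iked_log(SAMPLE_LOG)))
```

Run it against a saved `in.iked -d` trace by reading the file into `parse_iked_log` instead of `SAMPLE_LOG`; the summary shows that Phase 1 finished and that the failure notification came back only after the AH+ESP quick-mode proposal went out, which is the part of the trace to line up against the peer's IPsec configuration.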