[Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO 1900: STATE_QUICK_I1 problem

Paul Wouters paul at xelerance.com
Thu Feb 10 09:53:15 EST 2011


On Thu, 10 Feb 2011, Vincent Tamet wrote:

> Hi,
> I use the -96 to connect to cisco 870 series, and it works fine.
> esp=3des-md5-96

Otherwise, try pfs=no, as Perfect Forward Secrecy is apparently not an
important part of the CCNE.

Paul


> Best regards.
>
> Vince
> OSG[PCQ]
>
> ----- Original Message -----
> From: "Maurice SELLIN" <maurice.sellin at dcnsgroup.com>
> To: users at openswan.org
> Sent: Thursday 10 February 2011 14:44:30
> Subject: [Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO 1900: STATE_QUICK_I1 problem
>
>
>
> Hello,
>
> I want to establish an IPSEC tunnel between a linux station and a cisco router 1900.
> But I have problems connecting the linux openswan system to the cisco router 1900 because the STATE_QUICK_I1 step is not ok.
>
> my network configuration
> =====================
> 10.0.0.1 <--> 100.180.26.105 <==========> 100.180.26.106 <--> 11.0.0.1
> the linux station has 2 interfaces: 10.0.0.1 and 100.189.26.105
> the cisco router has 2 interfaces: 100.189.26.106 and 11.0.0.1
>
> the message error after a connection attempt:
> ======================================
> root at sellin-HP-Compaq-dc7100-SFF-DX878AV:~# ipsec auto --verbose --up jsat
> 002 "jsat" #1: initiating Main Mode
> 104 "jsat" #1: STATE_MAIN_I1: initiate
> 003 "jsat" #1: received Vendor ID payload [RFC 3947] method set to=109
> 002 "jsat" #1: enabling possible NAT-traversal with method 4
> 002 "jsat" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "jsat" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "jsat" #1: received Vendor ID payload [Cisco-Unity]
> 003 "jsat" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "jsat" #1: ignoring unknown Vendor ID payload [4d84a39fa030c5a5cc6e37f178f28f74]
> 003 "jsat" #1: received Vendor ID payload [XAUTH]
> 003 "jsat" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> 002 "jsat" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "jsat" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "jsat" #1: Main mode peer ID is ID_IPV4_ADDR: '100.180.26.106'
> 002 "jsat" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "jsat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> 002 "jsat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:483a3931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
> 117 "jsat" #2: STATE_QUICK_I1: initiate
> 010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "jsat" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "jsat" #2: starting keying attempt 2 of an unlimited number, but releasing whack
> root at sellin-HP-Compaq-dc7100-SFF-DX878AV:~#
>
> the /etc/ipsec.conf file
> ==================
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>     nat_traversal=yes
>     oe=off
>     protostack=netkey
>     nhelpers=0
>
> # Add connections here
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> conn jsat
>     left=100.180.26.105
>     leftsubnet=10.0.0.0/24
>     leftnexthop=100.180.26.106
>     leftsourceip=10.0.0.1
>
>     right=100.180.26.106
>     rightsubnet=11.0.0.0/24
>     rightsourceip=11.0.0.1
>     rightnexthop=100.180.26.105
>     auto=add
>     ike=3des-md5
>     phase2alg=3des-md5
>     authby=secret
>
> /etc/ipsec.secrets file
> ==================
> 100.180.26.105 100.180.26.106: PSK "123456789"
>
> on cisco the show running config
> ================================
> Router#show running-config
> Building configuration...
> Current configuration : 1258 bytes
> !
> ! Last configuration change at 12:48:49 UTC Thu Feb 10 2011
> !
> version 15.0
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> !
> !
> no ipv6 cef
> ip source-route
> ip cef
> !
> !
> !
> !
> !
> multilink bundle-name authenticated
> !
> !
> !
> license udi pid CISCO1941/K9 sn FHK1447783T
> !
> !
> !
> redundancy
> !
> !
> !
> !
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key 123456789 address 100.180.26.105
> !
> !
> crypto ipsec transform-set openswan esp-3des esp-md5-hmac
> !
> crypto map openswan 10 ipsec-isakmp
>  set peer 100.180.26.105
>  set transform-set openswan
>  match address 100
> !
> !
> !
> !
> !
> interface GigabitEthernet0/0
>  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
>  ip address 11.0.0.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> !
> interface GigabitEthernet0/1
>  ip address 100.180.26.106 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map openswan
> !
> !
> ip forward-protocol nd
> !
> no ip http server
> no ip http secure-server
> !
> !
> access-list 100 permit ip 10.0.0.0 0.0.0.255 11.0.0.0 0.0.0.255
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  login
> !
> scheduler allocate 20000 1000
> end
>
> on cisco the result of show crypto isakmp sa detail
> ===========================================
> Router#show crypto isakmp sa detail
> Codes: C - IKE configuration mode, D - Dead Peer Detection
> K - Keepalives, N - NAT-traversal
> T - cTCP encapsulation, X - IKE Extended Authentication
> psk - Preshared key, rsig - RSA signature
> renc - RSA encryption
> IPv4 Crypto ISAKMP SA
> C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
> 1004 100.180.26.106 100.180.26.105 ACTIVE 3des md5 psk 2 00:19:39
> Engine-id:Conn-id = SW:4
> IPv6 Crypto ISAKMP SA
>
> on cisco the result of show crypto ipsec sa
> ====================================
> Router#show crypto ipsec sa
> interface: GigabitEthernet0/1
> Crypto map tag: openswan, local addr 100.180.26.106
> protected vrf: (none)
> local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (11.0.0.0/255.255.255.0/0/0)
> current_peer 100.180.26.105 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
> local crypto endpt.: 100.180.26.106, remote crypto endpt.: 100.180.26.105
> path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
> current outbound spi: 0x0(0)
> PFS (Y/N): N, DH group: none
> inbound esp sas:
> inbound ah sas:
> inbound pcp sas:
> outbound esp sas:
> outbound ah sas:
> outbound pcp sas:
>
> the software and os versions
> ========================
> -linux: xubuntu 10.10
> # uname --a
> Linux sellin-HP-Compaq-dc7100-SFF-DX878AV 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux
> -openswan: 2.6.26+dfsg-1
> -Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
>
> Can you help me please?
> regards,
>
> Maurice Sellin
> DCNS Ingenierie Navires Armes
> (33) 02 97 12 23 31
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
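A small Phase 2 consistency checker, added here as an example (it is not code from the thread, from Openswan or from Cisco). It reads the Quick Mode proposal line Openswan logged, the proxy identities and PFS flag from the router's `show crypto ipsec sa`, and the ESP transform-set from the posted configuration, then reports where the two sides disagree. The sample inputs are copied from the post; the function and constant names and the IOS-to-Openswan name tables are the example's own. Run on the post's data it flags the PFS disagreement Paul's reply addresses (Openswan proposes modp1024, the crypto map has PFS off) and also that the router's local/remote identities are the exact mirror of Openswan's leftsubnet/rightsubnet.

```python
"""Compare the Openswan Quick Mode proposal with the Cisco IOS Phase 2 settings.

Example code written for this thread, not part of Openswan or IOS.
"""
import ipaddress
import re

# Constructed sample input: the Quick Mode lines from the posted Openswan log.
OPENSWAN_LOG = """\
002 "jsat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:483a3931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
117 "jsat" #2: STATE_QUICK_I1: initiate
031 "jsat" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
# The subnet parameters of "conn jsat" from the posted ipsec.conf.
OPENSWAN_CONN = {"leftsubnet": "10.0.0.0/24", "rightsubnet": "11.0.0.0/24"}

# Constructed sample input: the relevant lines of the posted "show crypto ipsec sa".
CISCO_IPSEC_SA = """\
   local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (11.0.0.0/255.255.255.0/0/0)
   PFS (Y/N): N, DH group: none
"""
CISCO_TRANSFORM_SET = "crypto ipsec transform-set openswan esp-3des esp-md5-hmac"

# IOS DH group names -> Openswan MODP group names (standard IKE groups).
CISCO_DH_TO_OPENSWAN = {"group1": "modp768", "group2": "modp1024",
                        "group5": "modp1536", "group14": "modp2048"}
# IOS transform-set keywords -> Openswan algorithm names.
CISCO_ESP_ALG = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes",
                 "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

# Matches e.g. "proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024".
PROPOSAL_RE = re.compile(
    r"proposal=(?P<enc>\w+)\(\d+\)_\d+-(?P<hash>\w+)\(\d+\)_\d+"
    r"(?: pfsgroup=OAKLEY_GROUP_(?P<pfs>\w+))?")


def parse_openswan_proposal(log: str) -> dict:
    """Extract cipher, integrity algorithm and PFS group from the Quick Mode line."""
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            pfs = m.group("pfs")
            return {"enc": m.group("enc").lower(), "hash": m.group("hash").lower(),
                    "pfs": pfs.lower() if pfs else None}
    raise ValueError("no Quick Mode proposal line found")


def parse_cisco_ipsec_sa(text: str) -> dict:
    """Extract proxy identities (as CIDR) and the PFS group from show crypto ipsec sa."""
    result = {}
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/", text)
        if not m:
            raise ValueError(f"no {side} ident line found")
        # ipaddress accepts dotted netmasks and normalises to prefix length.
        result[side] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    m = re.search(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", text)
    if not m:
        raise ValueError("no PFS line found")
    result["pfs"] = CISCO_DH_TO_OPENSWAN.get(m.group(2)) if m.group(1) == "Y" else None
    return result


def parse_cisco_transform_set(line: str) -> dict:
    """Map the transform-set's ESP keywords to Openswan algorithm names."""
    algs = [CISCO_ESP_ALG[w] for w in line.split() if w in CISCO_ESP_ALG]
    return {"enc": next((a for a in algs if a in ("des", "3des", "aes")), None),
            "hash": next((a for a in algs if a in ("md5", "sha1")), None)}


def check_phase2(proposal: dict, conn: dict, cisco_sa: dict, cisco_ts: dict) -> list:
    """Return human-readable Phase 2 mismatches; an empty list means the sides agree."""
    findings = []
    if (proposal["enc"], proposal["hash"]) != (cisco_ts["enc"], cisco_ts["hash"]):
        findings.append(f"ESP algorithms differ: Openswan {proposal['enc']}-{proposal['hash']}, "
                        f"Cisco {cisco_ts['enc']}-{cisco_ts['hash']}")
    if proposal["pfs"] and not cisco_sa["pfs"]:
        findings.append(f"PFS mismatch: Openswan proposes pfsgroup {proposal['pfs']} "
                        "but the Cisco crypto map has PFS disabled")
    elif proposal["pfs"] != cisco_sa["pfs"]:
        findings.append(f"PFS group differs: Openswan {proposal['pfs']}, Cisco {cisco_sa['pfs']}")
    # Proxy IDs must mirror each other: Openswan's leftsubnet is the router's remote ident.
    if conn["leftsubnet"] == cisco_sa["local"] and conn["rightsubnet"] == cisco_sa["remote"]:
        findings.append("proxy identities are swapped: the Cisco crypto ACL lists the remote "
                        "subnet as source, but its source must be the router's local subnet")
    elif conn["leftsubnet"] != cisco_sa["remote"] or conn["rightsubnet"] != cisco_sa["local"]:
        findings.append(f"proxy identities differ: Openswan {conn['leftsubnet']} <-> "
                        f"{conn['rightsubnet']}, Cisco local {cisco_sa['local']} <-> "
                        f"remote {cisco_sa['remote']}")
    return findings


def diagnose() -> list:
    """Run all checks over the sample data from the thread."""
    return check_phase2(parse_openswan_proposal(OPENSWAN_LOG), OPENSWAN_CONN,
                        parse_cisco_ipsec_sa(CISCO_IPSEC_SA),
                        parse_cisco_transform_set(CISCO_TRANSFORM_SET))


if __name__ == "__main__":
    for finding in diagnose():
        print("-", finding)
```

The PFS finding is the one Paul's pfs=no addresses; the other way to close it is to enable PFS on the router's crypto map (IOS `set pfs group2` matches Openswan's modp1024). The proxy-identity finding comes from the router's own `show crypto ipsec sa` output, where the local ident is 10.0.0.0/24 although the router's LAN is 11.0.0.0/24; on IOS the crypto ACL's source is the local network, so a mirrored ACL means the Quick Mode IDs Openswan sends will not match the crypto map.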

