Re: Isakmpd and NAT-T

Fri, 17 Mar 2017 19:04:35 -0700 

Hello Mike,

"group none" in phase 2 because of this in the documentation:
<<
 Possible values for auth, enc, and group are described below in CRYPTO
TRANSFORMS.  Perfect Forward Secrecy (PFS) is enabled unless group none is
specified.
>>

And their documentation says: No PFS. As far as I understand I disable PFS
by putting "group none" in phase 2, don't I?

I'm actually waiting their logs for more information.

Regards,
Sebastien


On Thu, Mar 16, 2017 at 10:08 PM, Mik J <mikyde...@yahoo.fr> wrote:

> Hello Sebastien,
> Why "group none" for phase 2 ?
>
> "     The following group types are permitted with the group keyword:
>            Group       Size
>            none        0       [phase 2 only]
> "
>
> maybe you should ask them their conf and their logs
>
> Try also
> sysctl -a | grep esp
>
>
>
>
> Le Jeudi 16 mars 2017 16h33, Sébastien Morand <seb.mor...@gmail.com> a
> écrit :
>
>
> Hi Mike and everybody,
>
> Thank you Mike for your answer. There is nothing more like you said.
> Actually we succeed in phase 1 but not in phase 2.
>
> My client give me the following spec:
> Phase 1: SHA1 - 160 bits / DH 5 / Authentication with PSK / CIPHER :
> AES-256 / Lifetime 86400s
> Phase 2: Tunnel mode / SHA1 / No PFS / Authentication with PSK / CIPHER
> AES-128 / Lifetime 3600s
>
> So I end up with the following in ipsec.conf:
> ike active esp tunnel \
>     from 10.85.98.16/29 to \
>         {10.249.0.0/21} \
>     peer <public_ip_of_my_client> \
>     main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
>     quick auth hmac-sha1 enc aes-128 group none lifetime 3600 \
>     srcid "<my_public_ip>" \
>     psk "************"
>
> I'm starting the ipsec like this :
> isakmpd -Kdvvv (to see what is happening)
> and
> ipsecctl -f /etc/ipsec.conf
>
> It's look like good to me and conform to the provided specs. Phase 1 is ok
> but no phase 2:
> 155851.640374 Default ipsec_validate_id_information: dubious ID information
> accepted
> 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154,
> responder id 80.125.165.142, src: 192.168.254.2 dst: 80.125.165.142
> 155918.682560 Default transport_send_messages: giving up on exchange
> from-10.85.98.16/29-to-10.249.0.0/21, no response from peer
> 80.125.165.142:4500
> 155918.682611 Default transport_send_messages: giving up on exchange
> from-10.85.98.16/29-to-80.125.172.0/23, no response from peer
> 80.125.165.142:4500
> 155918.682644 Default transport_send_messages: giving up on exchange
> from-10.85.98.16/29-to-80.125.174.0/24, no response from peer
> 80.125.165.142:4500
>
> In TCPDUMP I got no answer on port 4500 (but everything fine on port 500)
> so it means to me they don't answer to my packet but I don't know why :
> 16:01:41.673599 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:01:41.673655 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:01:41.673674 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:01:50.686803 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:01:50.686862 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:01:50.686881 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:02:01.700016 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:02:01.700106 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> 16:02:01.700154 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> v1.0 exchange QUICK_MODE encrypted
> (... it can last forever ...)
>
> Any idea what can be done or a way to get more information on what's going
> on? They are using CISCO 6509 with IOS 12.2-33.SXH3a.
>
> Thanks by advance,
> Sebastien
>
> On Tue, Mar 14, 2017 at 12:46 AM, Mik J <mikyde...@yahoo.fr> wrote:
>
> > Hello Sebastien,
> > I'm not sure there's something special to force nat-t, it's automatic.
> > The natted side has to initiate the flow to the non natted side.
> > If the two sides are natted then there should be a port forward to one of
> > them.
> > There should be a nat keepalive parameter as well.
> >
> >
> >
> > Le Lundi 13 mars 2017 18h40, Sébastien Morand <seb.mor...@gmail.com> a
> > écrit :
>
> >
> >
> > Hi,
> >
> > I'm trying to set up a NAT-T IPSec VPN with one of my client.
> >
> > Is this configuration ok on ipsec.conf for NAT-T?
> > ike esp \
> >    from 10.85.98.16/29 to {10.249.0.0/21} \
> >    peer <IP CLIENT> \
> >    main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
> >    quick auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
> >    srcid "<MY PUBLIC IP>" \
> >    psk "********"
> >
> > Something else to force NAT-T?
> > Thanks by advance,
>
> > Sébastien

Reply via email to