Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients?  What does your
> ipsec.conf on the firewall look like?
> 

Some updated info:

For whatever reason, the last two packets in the packet capture show a
DELETE action:

20:14:24.117160 10.107.208.20.isakmp > router.arswiki.org.isakmp:  [udp
sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
            SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
            cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1,
len 108)




*** ipsecctl output:
# date
Sun Sep  3 20:14:33 EDT 2006
# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.1 to 10.107.208.20 spi 0xbb351f90 enc
3des-cbc auth hmac-md5
esp transport from 10.107.208.20 to 10.107.208.1 spi 0xa3ee9768 enc
3des-cbc auth hmac-md5


*** isakmpd output:
# isakmpd -L -d -4 -DA=10
201358.608890 Default log_debug_cmd: log level changed from 0 to 10 for
class 0 [priv]
201358.610514 Default log_debug_cmd: log level changed from 0 to 10 for
class 1 [priv]
201358.611163 Default log_debug_cmd: log level changed from 0 to 10 for
class 2 [priv]
201358.611570 Default log_debug_cmd: log level changed from 0 to 10 for
class 3 [priv]
201358.612056 Default log_debug_cmd: log level changed from 0 to 10 for
class 4 [priv]
201358.612448 Default log_debug_cmd: log level changed from 0 to 10 for
class 5 [priv]
201358.612928 Default log_debug_cmd: log level changed from 0 to 10 for
class 6 [priv]
201358.613299 Default log_debug_cmd: log level changed from 0 to 10 for
class 7 [priv]
201358.613755 Default log_debug_cmd: log level changed from 0 to 10 for
class 8 [priv]
201358.614134 Default log_debug_cmd: log level changed from 0 to 10 for
class 9 [priv]
201358.614628 Default log_debug_cmd: log level changed from 0 to 10 for
class 10 [priv]
201358.624595 Misc 10 monitor_init: privileges dropped for child process
201359.285220 Default log_packet_init: starting IKE packet capture to
file "/var/run/isakmpd.pcap"
201423.864748 Timr 10 timer_add_event: event
exchange_free_aux(0x4af26c00) added last, expiration in 120s
201423.865819 Exch 10 exchange_setup_p1: 0x4af26c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
201423.866355 Exch 10 exchange_setup_p1: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201423.866923 Exch 10 exchange_setup_p1: msgid 00000000
201423.867580 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
201423.868493 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.869011 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.869577 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.871151 Timr 10 timer_add_event: event
message_send_expire(0x45a64e00) added before
exchange_free_aux(0x4af26c00), expiration in 7s
201423.906614 Timr 10 timer_remove_event: removing event
message_send_expire(0x45a64e00)
201423.996634 Timr 10 timer_add_event: event
message_send_expire(0x45a64a00) added before
exchange_free_aux(0x4af26c00), expiration in 7s
201424.097443 Timr 10 timer_remove_event: removing event
message_send_expire(0x45a64a00)
201424.099859 Exch 10 exchange_finalize: 0x4af26c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
201424.100502 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201424.100925 Exch 10 exchange_finalize: msgid 00000000
201424.101661 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
201424.102202 Timr 10 timer_add_event: event sa_soft_expire(0x4af26e00)
added last, expiration in 27302s
201424.102757 Timr 10 timer_add_event: event sa_hard_expire(0x4af26e00)
added last, expiration in 28800s
201424.107976 Timr 10 timer_add_event: event
exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af26e00),
expiration in 120s
201424.108592 Exch 10 exchange_setup_p2: 0x4af27000 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 32 step 0
201424.109035 Exch 10 exchange_setup_p2: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201424.109560 Exch 10 exchange_setup_p2: msgid 44aa1cd7 sa_list
201424.114593 Timr 10 timer_add_event: event
message_send_expire(0x45a65000) added before
exchange_free_aux(0x4af26c00), expiration in 7s
201424.115987 Timr 10 timer_remove_event: removing event
message_send_expire(0x45a65000)
201424.117592 Exch 10 exchange_finalize: 0x4af27000 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 32 step 2
201424.118178 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201424.118603 Exch 10 exchange_finalize: msgid 44aa1cd7 sa_list 0x4af27200
201424.119271 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI
0xbb351f90
201424.119775 Timr 10 timer_add_event: event sa_soft_expire(0x4af27200)
added before sa_soft_expire(0x4af26e00), expiration in 3214s
201424.120325 Timr 10 timer_add_event: event sa_hard_expire(0x4af27200)
added before sa_soft_expire(0x4af26e00), expiration in 3600s
201424.121373 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0xa3ee9768
201424.122977 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x4af27000)
^C201506.955032 Default isakmpd: shutting down...
201506.955273 Timr 10 timer_add_event: event
exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af27200),
expiration in 120s
201506.955356 Exch 10 exchange_establish_p2: 0x4af27000 <unnamed> <no
policy> policy initiator phase 2 doi 1 exchange 5 step 0
201506.955413 Exch 10 exchange_establish_p2: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201506.955463 Exch 10 exchange_establish_p2: msgid 8c2a671f sa_list
201506.956197 Timr 10 timer_remove_event: removing event
sa_hard_expire(0x4af27200)
201506.956269 Timr 10 timer_remove_event: removing event
sa_soft_expire(0x4af27200)
201506.957292 Timr 10 timer_add_event: event
exchange_free_aux(0x4af27200) added before sa_soft_expire(0x4af26e00),
expiration in 120s
201506.957384 Exch 10 exchange_establish_p2: 0x4af27200 <unnamed> <no
policy> policy initiator phase 2 doi 1 exchange 5 step 0
201506.957438 Exch 10 exchange_establish_p2: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201506.957487 Exch 10 exchange_establish_p2: msgid b81113d3 sa_list
201506.958611 Timr 10 timer_remove_event: removing event
sa_hard_expire(0x4af26e00)
201506.958693 Timr 10 timer_remove_event: removing event
sa_soft_expire(0x4af26e00)
201506.959032 Exch 10 exchange_finalize: 0x4af27000 <unnamed> <no
policy> policy initiator phase 2 doi 1 exchange 5 step 1
201506.959109 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201506.959159 Exch 10 exchange_finalize: msgid 8c2a671f sa_list
201506.959215 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x4af27000)
201506.959443 Exch 10 exchange_finalize: 0x4af27200 <unnamed> <no
policy> policy initiator phase 2 doi 1 exchange 5 step 1
201506.959568 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201506.959618 Exch 10 exchange_finalize: msgid b81113d3 sa_list
201506.959670 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x4af27200)
201506.959823 Default log_packet_stop: stopped capture
201506.959873 Default isakmpd: exit


*** packet capture:

20:14:23.863975 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->0000000000000000 msgid: 00000000 len: 168
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 [ttl 0] (id 1, len 196)
20:14:23.870231 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 164
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
20:14:23.907209 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:14:23.995432 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:14:24.098552 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 68
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: HASH len: 24 [ttl 0] (id 1, len 96)
20:14:24.099112 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange ID_PROT
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.1
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT
(5ad2b89593ca41af->acd59e7bdeb12259) [ttl 0] (id 1, len 120)
20:14:24.107774 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum
ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 1300
        payload: HASH len: 24
        payload: SA len: 1196 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 92 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 2 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                payload: TRANSFORM len: 40
                    transform: 2 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 2 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 48 proposal: 2 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 36
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
            payload: PROPOSAL len: 52 proposal: 3 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 48 proposal: 3 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 36
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
            payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 40
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 40
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 92 proposal: 6 proto: IPSEC_ESP
spisz: 4 xforms: 2 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                payload: TRANSFORM len: 40
                    transform: 2 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 7 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 48 proposal: 7 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 36
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
            payload: PROPOSAL len: 52 proposal: 8 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 48 proposal: 8 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 36
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
            payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_AH spisz:
4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_AH
spisz: 4 xforms: 1 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x5c207dad
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 92 proposal: 11 proto: IPSEC_ESP
spisz: 4 xforms: 2 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: NULL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                payload: TRANSFORM len: 40
                    transform: 2 ID: NULL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: PROPOSAL len: 92 proposal: 12 proto: IPSEC_AH
spisz: 4 xforms: 2 SPI: 0xbb351f90
                payload: TRANSFORM len: 40
                    transform: 1 ID: DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                payload: TRANSFORM len: 40
                    transform: 2 ID: SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: NONCE len: 24
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR =
10.107.208.20
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR =
10.107.208.1 [ttl 0] (id 1, len 1328)
20:14:24.113525 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 164
        payload: HASH len: 24
        payload: SA len: 64 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0xa3ee9768
                payload: TRANSFORM len: 40
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00000e10
                        attribute LIFE_TYPE = KILOBYTES
                        attribute LIFE_DURATION = 0003d090
                        attribute ENCAPSULATION_MODE = TRANSPORT
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: NONCE len: 24
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR =
10.107.208.20
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR =
10.107.208.1 [ttl 0] (id 1, len 192)
20:14:24.117160 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum
ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
            SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
            cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1,
len 108)


*** The config files:
*** isakmpd.conf
# cat isakmpd.conf
[General]
Listen-On= 10.107.208.1

[Phase 1]
# Default= <ISAKMP-peer>
Default= client

[Phase 2]
# Passive-connections= <IPsec connection>
Passive-connections= client-netB

# <ISAKMP-peer>
[client]
Phase= 1
Transport= udp
# Configuration= <ISAKMP-configuration>
Configuration= Default-main-mode
Authentication= sharedsecret

# <IPsec connection>
[client-netB]
Phase= 2
ISAKMP-peer= client
# Configuration= <IPsec-configuration>
Configuration= Default-quick-mode
# Local-ID= <IPsec-ID>
Local-ID= netB
# Remote-ID= <IPsec-ID>
Remote-ID= client

# <IPsec-ID>
[client]
ID-type= IPV4_ADDR
Address= 10.107.208.20

# <IPsec-ID>
[netB]
ID-type= IPV4_ADDR_SUBNET
Network= 10.180.0.0
Netmask= 255.255.0.0

# <ISAKMP-configuration>
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
# Transforms= <ISAKMP-transform>
Transforms= AES-SHA,3DES-SHA

# <IPsec-configuration>
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
# Suites= <IPsec-suite>
Suites= QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE

*** isakmpd.policy
# cat isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
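
An added example, not part of the original post: a Python sketch that lines up the DELETE payloads in a tcpdump-style ISAKMP capture with isakmpd's debug log, showing who sent each DELETE, whether the log records the local daemon initiating that exchange, and how long after the shutdown message it went out. The sample input is constructed from lines in the post with mail-wrapped lines re-joined; the function names, and the assumption that both sets of timestamps come from the same clock, belong to this example.

```python
import re

# Constructed sample: lines taken from the post, mail-wrapped lines re-joined.
CAPTURE = """\
20:14:24.117160 10.107.208.20.isakmp > 10.107.208.1.isakmp:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
            SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
            cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1, len 108)
"""

ISAKMPD_LOG = """\
201424.119271 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI 0xbb351f90
201424.121373 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI 0xa3ee9768
^C201506.955032 Default isakmpd: shutting down...
201506.955463 Exch 10 exchange_establish_p2: msgid 8c2a671f sa_list
201506.957487 Exch 10 exchange_establish_p2: msgid b81113d3 sa_list
201506.959873 Default isakmpd: exit
"""

HDR = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+)\.isakmp > (\S+)\.isakmp:.*exchange (\w+)")
LOG = re.compile(r"(\d\d)(\d\d)(\d\d)\.(\d{6}) (.*)")


def _usec(h, m, s, frac):
    """Time of day in microseconds (integers avoid float rounding)."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1_000_000 + int(frac)


def parse_capture(text):
    """Return one dict per packet, with any DELETE payloads it carries."""
    packets, pending = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            packets.append({"t": _usec(*m.groups()[:4]), "src": m[5], "dst": m[6],
                            "exchange": m[7], "msgid": None, "deletes": []})
            pending = None
        elif packets and pending:
            # The line after a DELETE payload names what is deleted: an SPI
            # (IPsec SA) or a cookie pair (the ISAKMP SA itself).
            t = re.search(r"(?:SPI|cookie): (\S+)", line)
            if t:
                packets[-1]["deletes"].append((pending, t[1]))
            pending = None
        elif packets and (m := re.search(r"msgid: ([0-9a-f]{8})", line)):
            packets[-1]["msgid"] = m[1]
        elif packets and (m := re.search(r"payload: DELETE .*proto: (\w+)", line)):
            pending = m[1]
    return packets


def parse_isakmpd_log(text):
    """Pull the shutdown time, locally initiated msgids and installed SPIs."""
    info = {"shutdown": None, "local_msgids": set(), "spis": set()}
    for line in text.splitlines():
        m = LOG.search(line)
        if not m:
            continue
        t, msg = _usec(*m.groups()[:4]), m[5]
        if "isakmpd: shutting down" in msg:
            info["shutdown"] = t
        elif (e := re.search(r"exchange_establish_p2: msgid ([0-9a-f]{8})", msg)):
            info["local_msgids"].add(e[1])
        elif (s := re.search(r"pf_key_v2_set_spi: .* SPI (0x[0-9a-f]+)", msg)):
            info["spis"].add(s[1])
    return info


def explain_deletes(packets, log, local_ip):
    """One record per DELETE payload, correlated with the daemon log."""
    out = []
    for p in packets:
        for proto, target in p["deletes"]:
            out.append({
                "msgid": p["msgid"], "proto": proto, "target": target,
                "sent_by_local": p["src"] == local_ip,
                "local_exchange": p["msgid"] in log["local_msgids"],
                "known_spi": None if proto == "ISAKMP" else target in log["spis"],
                "usec_after_shutdown": None if log["shutdown"] is None
                                       else p["t"] - log["shutdown"],
            })
    return out


if __name__ == "__main__":
    # 10.107.208.1 is the Listen-On address from the posted isakmpd.conf.
    for rec in explain_deletes(parse_capture(CAPTURE),
                               parse_isakmpd_log(ISAKMPD_LOG), "10.107.208.1"):
        print(rec)
```

On this sample, both DELETE messages were sent by 10.107.208.1 in exchanges the log shows it initiating, less than 4 ms after the `isakmpd: shutting down...` line.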
