Re: site-to-site vpn 4.0 to cisco 3000 SOLVED

[c l]

Finally got this to work.  Here's the config that ended up working.
I'm not sure why I didn't notice before but the quick mode stuff wasn't 
setup correctly.

ipsec.conf
ike esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 \
       quick auth hmac-sha1 enc 3des group none psk openbsdrules


cisco
IKE proposal
authentication mode - presharedkeys
authentication algorithm - sha/hmac-160
encryption - 3DES-168
DH Group - 1 768-bits
Lifetime - 3600seconds

Lan-to-Lan connection
interface - external(2.2.2.2)
connection type - bi-directional
peer - 1.1.1.1
presharedkey - openbsdrules
authentication - esp/sha/hmac160
local network - 10.10.0.0  (wildcard mask 0.0.255.255)
remote network - 192.168.1.0 (wildcard mask 0.0.0.255)

SA
authentication - esp/sha/hmac160
encryption - 3DES-168
mode - tunnel
Lifetime - 1200seconds



Now I just have to figure out the routing :)




From: William Bloom <[EMAIL PROTECTED]>
To: c l <[EMAIL PROTECTED]>
CC: misc@openbsd.org
Subject: Re: site-to-site vpn 4.0 to cisco 3000
Date: Sun, 25 Feb 2007 18:53:12 -0700

The man page for isakpd.conf indeed sheds some light, there's an  example 
in that page that show's how to specify lifetimes for both  phases...

           [General]
           Default-phase-1-lifetime=       3600,60:86400
           Default-phase-2-lifetime=       1200,60:86400

At this point, if the lifetimes indeed agree, then I myself would be  a 
little puzzled over why the proposal would be rejected.  Both  endpoints 
are configured to use the peer address as the ID?  At first  blush, your 
settings seem all kosher.

I would agree, though, that it certainly appears that there must  still be 
some sort of inconsistency between the proposals.

Another suggestion...

It appears that you've been trying to initiate the VPN from one end,  
perhaps the OpenBSD end.  Probably by sending a ping from the 1st  site to 
the 2nd.  Restart both ends to clear out any SAs that have  been negotiated 
and try to ping from the -other- end in order to see  what happens when the 
VPN negotiation is initiated the opposite  direction.  The log entries 
might show something useful.

Also, did the OpenBSD logs show any detail of the failure from the  last 
attempts apart from the mismatched SA queries?


Bill


On Feb 25, 2007, at 14:48, c l wrote:

Hello,  thanks for the reply, it helped if I'm not mistaken.  I  think I'm 
getting closer but still no joy.  See below.

From: William Bloom <[EMAIL PROTECTED]>
To: c l <[EMAIL PROTECTED]>
CC: misc@openbsd.org
Subject: Re: site-to-site vpn 4.0 to cisco 3000
Date: Sun, 25 Feb 2007 14:02:13 -0700

I've setup maybe 78 LAN-to-LAN VPNs between my datacenter and  other  
sites of customers and partners.  However, I haven't had  occasion to  
use OpenBSD as a VPN endpoint yet and I'm not an  expert on the ike/ 
ipsec features of OpenBSD.  Having said that,  I've done quite a bit  of 
VPN troubleshooting in the past, so I'll  take a stab at this in  general 
terms...

My reading of the three 'ike esp' statements in ipsec.conf is  that  
you've declared three sets of SAs on the OpenBSD endpoint,  all to  peer 
2.2.2.2 - one SA between the interior address spaces  of the two  
locations, a second between the endpoint address of  the 1st location  
and the interior address space of the 2nd, and a  third between the  
endpoint addresses.  That third one certainly  catches my attention  
since I know that -some- pieces of equipment  (particularly the PIX,  
ASA, and I believe the Juniper although  I've never confirmed this for  a 
Cisco 3000) hate the idea of  having their own endpoint address  included 
in the encryption  domain.  This seems likely to me as a  cause for the 
rejection.   This is something that IKE might negotiate  on -some-  
manufacturer's equipment but not others.  In most cases,  there's  no 
need for the endpoints to participate in the encryption  domain  since 
they aren't application servers - they only need to   exchange IKE 
messages and then simply pass IPsec to/from their   respective protected 
address spaces.

So my suggestion would be to strike that third 'ike esp'  statement  and 
then see what difference that makes in the log.  As  a special  note, do 
be aware that this means that you probably  won't be able to  ping the 
2.2.2.2 address from the 1st site  (encryption enforcement on  the Cisco 
will deny this, since you're  pining from an address space  at the 1st 
site that's covered by  the VPN proposal and yet 2.2.2.2 is  not in the 
encryption  domain).  If you need to troubleshoot the Cisco  by pinging 
it,  then you'll have to do so from a point -outside- the  OpenBSD VPN  
endpoint.

This did in fact change the behavior.  First I did as you suggested  and 
struck the statement for the two end points.  The logs showed a  similar 
message as before but this time it complained about the  src: 1.1.1.1 dst: 
10.10.x.x  tunnel.  So I removed that one as  well.  So now my ipsec.conf 
has just the one line in it.

ike esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules

This gives me a different result.  Here is the output from the  cisco log.

2 02/25/2007 15:28:21.210 SEV=5 IKE/172 RPT=7437 1.1.1.1
Group [1.1.1.1]
Automatic NAT Detection Status:
  Remote end is NOT behind a NAT device
  This   end is NOT behind a NAT device

6 02/25/2007 15:28:21.310 SEV=4 IKE/119 RPT=6722 1.1.1.1
Group [1.1.1.1]
PHASE 1 COMPLETED

7 02/25/2007 15:28:21.310 SEV=4 AUTH/22 RPT=6617 1.1.1.1
User [1.1.1.1] Group [1.1.1.1] connected, Session Type: IPSec/LAN-to
-LAN

9 02/25/2007 15:28:21.310 SEV=4 AUTH/84 RPT=86
LAN-to-LAN tunnel to headend device 1.1.1.1 connected

10 02/25/2007 15:28:21.400 SEV=5 IKE/35 RPT=30 1.1.1.1
Group [1.1.1.1]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0

13 02/25/2007 15:28:21.400 SEV=5 IKE/34 RPT=9176 1.1.1.1
Group [1.1.1.1]
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.0.0, Mask 255.255.0.0, Protocol 0, Port 0

16 02/25/2007 15:28:21.400 SEV=5 IKE/66 RPT=9174 1.1.1.1
Group [1.1.1.1]
IKE Remote Peer configured for SA: L2L: to_openbsd

17 02/25/2007 15:28:21.400 SEV=4 IKE/227 RPT=30 1.1.1.1
Group [1.1.1.1]
All IPSec SA proposals found unacceptable!

18 02/25/2007 15:28:21.400 SEV=4 IKEDBG/97 RPT=86 1.1.1.1
Group [1.1.1.1]
QM FSM error (P2 struct &0xe622d7c, mess id 0x58c640ca)!


Looks like it's getting a bit farther now.    The /var/log/message  still 
give me the dubious ID message along with 'giving up on  exchange 
192.168.1.0/16-10.10.0.0/16, no response from peer'.

Something must not match between the SA's



I haven't googled, as you have, for VPN examples involving  OpenBSD  and 
Cisco VPN 3000, but it would surprise me if someone  had  configured a 
VPN 3000 to include its endpoint address as part  of an  encryption 
domain successfully.

Another observation, even though it may not be relevant to the   symptom 
you describe, is that I don't see the phase 1/2 SA  lifetimes  spelled 
out in your OpenBSD configuration even though  they are  spelled out on 
the Cisco device.  I can't tell whether  your IKE  negotiation has gotten 
far enough to enforce lifetimes  since it  choked on the policy failure 
for 1.1.1.1/2.2.2.2.  For  all I know,  maybe you've selected lifetimes 
on the Cisco that  agree with the  default lifetimes that OpenBSD uses.  
If so, I'd  suggest that you  explicitly spell out the lifetimes on the  
OpenBSD end since IKE/IPsec  software (at large, not necessarily  
especially for OpenBSD) is  somewhat notorious for changing  defaults 
from time to time.   If you  accept defaults for things,  you might find 
one day when upgrade to a  future release of  OpenBSD that the VPN 
suddenly stops negotiating.

I specifically changed the cisco's SA lifetimes to 3600 and 1200  because 
the isakmpd man page says those are the defaults.  Maybe I  mis-read it?  
I'll look again.  Also the ipsec.conf man page  doesn't say anything about 
specifying the lifetime.  Where would I  specify this on the OpenBSD box?  
Does it go in the /etc/isakmpd/ isakmpd.conf file?

I'm thinking these values don't jive between the two and that's why  I see 
the
"All IPSec SA proposals found unacceptable!"  message.

Oh and I turned up debugging on isakmpd.  Not sure which classes to  
fiddle with since A=99 gives me tons.  I did see some messages  about "no 
sa query matched"




There's also another reason to spell out lifetimes.  Turns out  that  
some VPN equipment is actually accommodating about proposed  lifetime  
values from the remote end that don't agree with the  local policy,  
while other equipment is not.  So when  interoperating two unlike VPN  
platforms (e.g. OpenBSD and Cisco),  it's possible to get into a  
situation where one endpoint can  initiate a VPN tunnel while other  
cannot (negotiation only works  one way).  Spelling out lifetimes on  
both ends avoids this  situation.  BTW, this sort of thing can also  
happen with a Diffie- Hellman group mismatch for phase 1, but I see  that 
you've already  spelled that one out on both ends.

Also, a bit off subject, it is goodness to keep the time sync'd  on  both 
endpoints (e.g. NTP).


Bill

On Feb 25, 2007, at 10:23, c l wrote:

Hello list,

I'm trying to get a site-to-site tunnel running between a 4.0  box  and 
a cisco 3000 concentrator.

Here's the networks... (ip's changed to protect the innocent)

192.168.1.x  [OpenBSD 4.0] 1.1.1.1   <->   internet   <->   2.2.2.2  
[cisco 3000] 10.10.x.x

My ipsec.conf looks like this....

ike esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules
ike esp from 1.1.1.1 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules
ike esp from 1.1.1.1 to 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules

On the cisco I've created IKE proposals, defined a LAN-to-LAN   
connection, and SAs like this...

IKE proposal
authentication - presharedkeys
encryption - 3DES-168
DH Group - 1 768-bits
Lifetime - 3600seconds

Lan-to-Lan connection
interface - external(2.2.2.2)
connection type - bi-directional
peer - 1.1.1.1
presharedkey - openbsdrules
authentication - esp/sha/hmac160
local network - 10.10.0.0  (wildcard mask 0.0.255.255)
remote network - 192.168.1.0 (wildcard mask 0.0.0.255)

SA
authentication - esp/sha/hmac160
encryption - 3DES-168
mode - tunnel
Lifetime - 1200seconds


On the OpenBSD box I start isakmpd with 'isakmpd -K', then  ipsecctl  -f 
/etc/ipsec.conf

After a bit of time I see this in /var/log/messages
isakmpd[18700]: ipsec_validate_id_information: dubious ID   information 
accepted


And the cisco log shows this....

2 02/25/2007 10:37:16.280 SEV=5 IKE/172 RPT=7394 1.1.1.1
Group [1.1.1.1]
Automatic NAT Detection Status:
  Remote end is NOT behind a NAT device
  This   end is NOT behind a NAT device

6 02/25/2007 10:37:16.380 SEV=4 IKE/119 RPT=6680 1.1.1.1
Group [1.1.1.1]
PHASE 1 COMPLETED

7 02/25/2007 10:37:16.380 SEV=4 AUTH/22 RPT=6575 1.1.1.1
User [1.1.1.1] Group [1.1.1.1] connected, Session Type: IPSec/LAN-to
-LAN

9 02/25/2007 10:37:16.380 SEV=4 AUTH/84 RPT=52
LAN-to-LAN tunnel to headend device 1.1.1.1 connected

10 02/25/2007 10:37:16.500 SEV=5 IKE/25 RPT=9162 1.1.1.1
Group [1.1.1.1]
Received remote Proxy Host data in ID Payload:
Address 1.1.1.1, Protocol 0, Port 0

13 02/25/2007 10:37:16.500 SEV=5 IKE/24 RPT=27 1.1.1.1
Group [1.1.1.1]
Received local Proxy Host data in ID Payload:
Address 2.2.2.2, Protocol 0, Port 0

16 02/25/2007 10:37:16.500 SEV=4 IKE/61 RPT=27 1.1.1.1
Group [1.1.1.1]
Tunnel rejected: Policy not found for Src:1.1.1.1, Dst: 2.2.2.2!

18 02/25/2007 10:37:16.500 SEV=4 IKEDBG/97 RPT=52 1.1.1.1
Group [1.1.1.1]
QM FSM error (P2 struct &0xe7ed120, mess id 0xac462db5)!
&0xe7ed120, mess id 0xac462db5)!



Any ideas why I'm getting the "tunnel rejected" error?   Does   anyone 
see any glaring mistakes?  After searching the archives  and  
google'ing, I gather other folks are doing this without issue.

I have complete control over both devices so if there's any  other  info 
I can provide let me know.

I realize this isn't a cisco support list so if it's the cisco's   fault 
I'll go bother someone else.


I appreciate your time, thank you.
please cc me as I'm not subscribed to the list.

_________________________________________________________________
With tax season right around the corner, make sure to follow  these  few 
simple tips. http://articles.moneycentral.msn.com/ Taxes/ 
PreparationTips/PreparationTips.aspx?icid=HMFebtagline


--
William Bloom
[EMAIL PROTECTED]




_________________________________________________________________
Win a Zunemake MSN. your homepage for your chance to win! http:// 
homepage.msn.com/zune?icid=hmetagline


--
William Bloom
[EMAIL PROTECTED]




_________________________________________________________________
Want a degree but can't afford to quit? Top school degrees online - in as 
fast as 1 year 
http://forms.nextag.com/goto.jsp?url=/serv/main/buyer/education.jsp?doSearch=n&tm=y&search=education_text_links_88_h288c&s=4079&p=5116