Phase 2 problem between isakmpd and Netscreen
(posted a similar message originally on the IPSec list; thought I'd post here too)

Hey all-

I almost have a working VPN between isakmpd and a Netscreen box-- things fail at phase 2 as the peers enter quick mode.

64.81.74.226 = isakmpd
206.14.210.146 = netscreen

00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xadfa06f3
                payload: TRANSFORM len: 32
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 1200
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 312)

00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
                payload: TRANSFORM len: 36
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 04b0
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 328)

00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
                payload: TRANSFORM len: 36
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 04b0
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 328)

--snip--

Note the wacky LIFE_DURATION sent by the netscreen. As shown in the packet capture the netscreen continues to send quick mode packets but isakmpd never responds. I've logs at http://obstacle9.com/isakmpd/ . I've tried different transforms and proposal settings but the result is the same. This happens on a snapshot from a few days ago.

thanks,
sk
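An added example, not part of the post above and not isakmpd or ScreenOS code, showing how the two LIFE_DURATION values in the capture decode. ISAKMP data attributes (RFC 2408) come in two encodings: a basic TV attribute with the high bit of the type set and a 2-byte value, and a variable-length TLV attribute with a 2-byte length followed by the value. 0x04b0 is 1200 decimal, and the Netscreen's TRANSFORM payload is 4 bytes longer than isakmpd's (36 vs 32), which is exactly the difference between a 4-byte TLV lifetime and a 2-byte TV one; that the Netscreen used TLV is my reading of the lengths, not something the post states. The byte strings below are constructed from the attribute lists printed in the capture, not taken from the posted pcap, and the attribute and transform numbers come from RFC 2407 and the IANA IPsec DOI registry. The parser bounds-checks every length field before using it, which is what you want from anything that reads attacker-supplied IKE payloads.

```python
import struct

# IPsec DOI transform attribute types (RFC 2407 section 4.5) seen in the capture
ATTR_NAMES = {
    1: "LIFE_TYPE",
    2: "LIFE_DURATION",
    3: "GROUP_DESCRIPTION",
    4: "ENCAPSULATION_MODE",
    5: "AUTHENTICATION_ALGORITHM",
    6: "KEY_LENGTH",
}
ESP_AES = 12        # ESP transform ID for AES-CBC (IANA IPsec DOI registry)
AF_BIT = 0x8000     # attribute format bit: set = basic (TV), clear = variable (TLV)


def encode_attr(atype, value, tlv=False, width=4):
    """Encode one data attribute (RFC 2408 section 3.3): TV or TLV form."""
    if not tlv:
        return struct.pack("!HH", AF_BIT | atype, value)      # type|AF, 2-byte value
    v = value.to_bytes(width, "big")
    return struct.pack("!HH", atype, len(v)) + v              # type, length, value


def build_transform(transform_num, transform_id, attrs):
    """Transform payload: 8-byte generic header followed by the attribute list."""
    body = b"".join(attrs)
    # next payload, RESERVED, payload length, transform #, transform ID, RESERVED2
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), transform_num, transform_id, 0) + body


def parse_attrs(data):
    """Decode a run of data attributes into {name: int}, checking every length."""
    attrs = {}
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        atype = raw_type & 0x7fff
        if raw_type & AF_BIT:
            value = second                        # TV: the second field is the value
        else:
            if off + second > len(data):          # TLV: the second field is a length
                raise ValueError("attribute length %d overruns payload" % second)
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs


def parse_transform(payload):
    """Parse a Transform payload into its header fields and decoded attributes."""
    if len(payload) < 8:
        raise ValueError("transform payload shorter than its header")
    _, _, length, tnum, tid, _ = struct.unpack_from("!BBHBBH", payload, 0)
    if length != len(payload):
        raise ValueError("declared length %d != actual %d" % (length, len(payload)))
    return {"len": length, "transform": tnum, "id": tid,
            "attrs": parse_attrs(payload[8:length])}


# Constructed from the attribute lists in the capture (not bytes from the pcap).
# isakmpd encodes every attribute as TV, giving TRANSFORM len 32.
ISAKMPD_TRANSFORM = build_transform(1, ESP_AES, [
    encode_attr(1, 1),        # LIFE_TYPE = SECONDS
    encode_attr(2, 1200),     # LIFE_DURATION = 1200 (TV)
    encode_attr(4, 1),        # ENCAPSULATION_MODE = TUNNEL
    encode_attr(5, 2),        # AUTHENTICATION_ALGORITHM = HMAC_SHA
    encode_attr(3, 2),        # GROUP_DESCRIPTION = 2
    encode_attr(6, 128),      # KEY_LENGTH = 128
])

# Assumption: the Netscreen sends the lifetime as a 4-byte TLV, which is what
# makes its TRANSFORM len 36 instead of 32.
NETSCREEN_TRANSFORM = build_transform(1, ESP_AES, [
    encode_attr(1, 1),
    encode_attr(2, 0x04b0, tlv=True),   # LIFE_DURATION = 04b0 (TLV, 4 bytes)
    encode_attr(4, 1),
    encode_attr(5, 2),
    encode_attr(3, 2),
    encode_attr(6, 128),
])


def lifetimes_match(a, b):
    """True when both transforms carry the same LIFE_TYPE and LIFE_DURATION."""
    pa, pb = parse_transform(a)["attrs"], parse_transform(b)["attrs"]
    return (pa["LIFE_TYPE"], pa["LIFE_DURATION"]) == (pb["LIFE_TYPE"], pb["LIFE_DURATION"])


if __name__ == "__main__":
    for name, t in (("isakmpd", ISAKMPD_TRANSFORM), ("netscreen", NETSCREEN_TRANSFORM)):
        p = parse_transform(t)
        print(name, "TRANSFORM len", p["len"], p["attrs"])
    print("lifetimes match:", lifetimes_match(ISAKMPD_TRANSFORM, NETSCREEN_TRANSFORM))
```

Run stand-alone it prints both attribute sets with LIFE_DURATION = 1200 and reports that the lifetimes match, so the value the Netscreen sends is not where the two peers disagree; any failure to proceed past quick mode has to be looked for elsewhere in the isakmpd logs.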
Re: Phase 2 problem between isakmpd and Netscreen
Hi,

this worked with an older isakmpd version? Is this netscreen box some kind of appliance or just some windows software?

The general problem is, I can only test interoperability with open source vpn solutions on standard hardware. If people need to rely on interoperability with appliance X and Windows client Y and MacOS client Z, I need this kind of hardware/software. People interested in providing those are welcome to contact me :-)

HJ.

On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:
> --snip--

-- 
pub 1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer [EMAIL PROTECTED]
Key fingerprint = 83D2 436A 0D3C 34A9 E0FF 4C33 35F6 617C 513A EFD9
Re: Phase 2 problem between isakmpd and Netscreen
On Wed, 27 Jul 2005, Hans-Joerg Hoexer wrote:

> Hi, this worked with an older isakmpd version? Is this netscreen box
> some kind of appliance or just some windows software?

Nope, I've not been able to get isakmpd and the netscreen to finish phase 2. Sorry I wasn't clearer about the type of netscreen...it's a Juniper Netscreen ISG2000. It's a 4u (I think) appliance that runs ScreenOS, Juniper's firewall OS. AFAIK, it runs an industry standard IPSec implementation. Datasheet/marketing fluff pdf here: http://www.juniper.net/products/integrated/dsheet/110036.pdf

> The general problem is, I can only test interoperability with open
> source vpn solutions on standard hardware. If people need to rely on
> interoperability with appliance X and Windows client Y and MacOS client
> Z, I need this kind of hardware/software.

I understand completely. While I'd love to donate an ISG2000 without serving time in prison or going bankrupt, at the moment all I can do is test. As the smaller netscreen models also run the same OS, I'd imagine it'd be possible to debug with one of those. As mentioned, if my isakmpd logs/pcaps are possibly useful toward a fix, let me know. I'll continue banging away at this in the meantime (and possibly bugging Juniper for more info).

sk

On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:
> --snip--
Re: Phase 2 problem between isakmpd and Netscreen
Sean,

Take a look at http://www.vpnc.org/. They perform all sorts of VPN device interoperability tests, using OpenBSD as the common denominator. They have info on how to set up your Netscreen box to make it work with OpenBSD.

-Original Message-
From: Sean Knox [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 2:50 AM
To: Hans-Joerg Hoexer
Cc: misc
Subject: Re: Phase 2 problem between isakmpd and Netscreen

--snip--