Hi,
I am trying to create a VPN between my OpenBSD test box running in a
VirtualBox instance, with a bridged interface to my NIC, and my Cisco 857
router.
I am getting these error messages in /var/log/messages:
Mar 5 21:24:31 OpenBSD isakmpd[27722]: dropped message from 192.168.0.1 port 500 due to notification type INVALID_ID_INFORMATION
Mar 5 21:25:14 OpenBSD isakmpd[27722]: transport_send_messages: giving up on exchange peer-192.168.0.2, no response from peer 192.168.0.2:500
Mar 5 21:26:41 OpenBSD isakmpd[27722]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0
Running 'debug crypto isakmp' on the Cisco I get this:
010554: Mar 5 21:45:03.871: ISAKMP:(0): beginning Main Mode exchange
Cisco857W#
010555: Mar 5 21:45:03.871: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
010556: Mar 5 21:45:03.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010557: Mar 5 21:45:13.875: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
010558: Mar 5 21:45:13.875: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
010559: Mar 5 21:45:13.875: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010560: Mar 5 21:45:13.875: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
010561: Mar 5 21:45:13.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010562: Mar 5 21:45:23.874: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
010563: Mar 5 21:45:23.874: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
010564: Mar 5 21:45:23.874: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010565: Mar 5 21:45:23.874: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
010566: Mar 5 21:45:23.874: ISAKMP:(0):Sending an IKE IPv4 Packet.
So far, after lots of research and reading, I have got this config:
OpenBSD 5.0-RELEASE-x64:
{ipsec.conf}
ike esp transport from 192.168.0.2 to 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des psk "secret"
ike esp transport from 10.255.255.101 to 10.255.255.102 peer 192.168.0.2
{gre1 interface}
10.255.255.101 10.255.255.102 netmask 0xffffffff link0 up
tunnel 192.168.0.2 192.168.0.1
Cisco 857:
{Crypto information}
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 60
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile geo-sync-profile-01
set transform-set geo-sync-set-01
!
!
crypto map geo-sync-01 10 ipsec-isakmp
set peer 192.168.0.2
set transform-set geo-sync-set-01
match address 101
{Tunnel interface}
interface Tunnel0
bandwidth 1000000
ip address 10.255.255.102 255.255.255.252
ip accounting output-packets
ip accounting access-violations
ip rip send version 2
ip rip receive version 2
tunnel source BVI2
tunnel destination 192.168.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile geo-sync-profile-01
{BVI2}
interface BVI2
description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip rip send version 2
ip rip receive version 2
no ip virtual-reassembly
no ip route-cache
crypto map geo-sync-01
{Access-list 101}
access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1
I'm quite puzzled by where the problem lies, as the above Cisco config
was working fine Cisco<->Cisco between 3 separate gateways.
Could anyone help me identify what the issue could be and define a
resolution?
I do realize that I am using internal IP addresses, but this is only a
test bed in preparation for production use later!
Regards,
Kaya
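A consistency check added here as an example; it is not part of Kaya's post and not an OpenBSD tool. The parser only understands the rule shape quoted in the post ("ike esp transport from A to B ... [peer P]"), not the full ipsec.conf(5) grammar, and the two rules are a constructed copy of the ones above; both are assumptions. It takes the host-to-host main-mode rule as the source of truth for which address is local and which is the gateway, then flags any later rule whose explicit "peer" points back at the local host. On the config in the post it reports the second rule, whose "peer 192.168.0.2" names the OpenBSD box's own address, consistent with the isakmpd line that gives up on "peer-192.168.0.2":

```python
import ipaddress
import re

# Constructed input: the two ipsec.conf rules quoted in the post, one per line.
IPSEC_CONF = """\
ike esp transport from 192.168.0.2 to 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des psk "secret"
ike esp transport from 10.255.255.101 to 10.255.255.102 peer 192.168.0.2
"""

# Matches only the rule shape used above (ike <proto> [mode] from A to B ... [peer P]).
# Assumption: this is a subset of the ipsec.conf(5) grammar, not the whole of it.
IKE_RULE = re.compile(
    r"^ike\s+(?P<proto>esp|ah)\s+(?:(?P<mode>transport|tunnel)\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:.*?\bpeer\s+(?P<peer>\S+))?"
)


def is_host(addr):
    """True for a single host address ("192.168.0.2"), False for a network or 'any'."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == net.max_prefixlen


def parse_ike_rules(text):
    """Return one dict per 'ike' rule: src, dst, mode, explicit peer (or None), line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IKE_RULE.match(line)
        if not m:
            continue
        g = m.groupdict()
        rules.append({
            "lineno": lineno,
            "src": g["src"],
            "dst": g["dst"],
            "mode": g["mode"] or "tunnel",   # ipsec.conf default when no mode is given
            "peer": g["peer"],
        })
    return rules


def check_ike_rules(rules):
    """Flag explicit 'peer' addresses that are really this host's own address,
    or that differ from the gateway the other rules negotiate with.

    Returns a list of (lineno, message) tuples; an empty list means no findings.
    """
    local_addrs = set()   # addresses isakmpd will treat as our own side
    gateways = set()      # addresses isakmpd will negotiate with
    for r in rules:
        # Without an explicit peer, a host-to-host rule negotiates with 'to'
        # and sources the protected traffic from 'from'.
        if r["peer"] is None and is_host(r["src"]) and is_host(r["dst"]):
            local_addrs.add(r["src"])
            gateways.add(r["dst"])

    findings = []
    for r in rules:
        peer = r["peer"]
        if peer is None:
            continue
        if peer in local_addrs:
            findings.append((r["lineno"],
                "peer %s is a local address (used as 'from' in another rule); "
                "isakmpd would try to negotiate with itself" % peer))
        elif gateways and peer not in gateways:
            findings.append((r["lineno"],
                "peer %s does not match the gateway(s) %s used by other rules"
                % (peer, ", ".join(sorted(gateways)))))
    return findings


if __name__ == "__main__":
    for lineno, msg in check_ike_rules(parse_ike_rules(IPSEC_CONF)):
        print("ipsec.conf line %d: %s" % (lineno, msg))
```

The check is deliberately narrow: it does not validate the Cisco side or the phase 2 ID mismatch in the third isakmpd message, only the one inconsistency that can be decided from the OpenBSD file alone. Changing the second rule's peer to the gateway address found in the first rule makes the finding go away.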