Hello,

As asked by Stuart, here are our exchanges regarding a problem I encountered
with isakmpd.

After applying the patch, I'm here to report my progress. I applied the patch
by hand on a stable 5.6 tree and didn't encounter any issue merging it.

In my first try, the VPN didn't come up. I was advertising
UDP_ENCAP_TUNNEL_DRAFT and that was not working. I updated the patch to
transmit UDP_ENCAP_TUNNEL instead (the same string the ASA was emitting), then
the 3 SAs went up right away.

Here is the final patch I'm using:

Common subdirectories: src/sbin/isakmpd/CVS and src2/sbin/isakmpd/CVS
diff -uN src/sbin/isakmpd/attribute.c src2/sbin/isakmpd/attribute.c
--- src/sbin/isakmpd/attribute.c        Sat Apr  9 00:32:09 2005
+++ src2/sbin/isakmpd/attribute.c       Tue Feb  3 12:29:04 2015
@@ -37,6 +37,9 @@
 #include "log.h"
 #include "isakmp.h"
 #include "util.h"
+#if 1 /* XXX hshoexer */
+#include "sa.h"
+#endif 
 
 u_int8_t *
 attribute_set_basic(u_int8_t *buf, u_int16_t type, u_int16_t value)
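Review bot: The `#if 1 /* XXX hshoexer */` guard around `#include "sa.h"` is leftover development scaffolding; `attribute_set_encap` below needs `SA_FLAG_NAT_T_ENABLE` from sa.h unconditionally, so drop the `#if 1`/`#endif` pair and keep a plain `#include "sa.h"`. The `#endif ` line also carries trailing whitespace.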
@@ -108,3 +111,30 @@
        *attr = attribute_set_basic(*attr, attr_class, value);
        return 0;
 }
+
+#if 1 /* XXX hshoexer */
+int
+attribute_set_encap(char *section, char *tag, struct constant_map *map,
+       int attr_class, u_int8_t **attr, u_int32_t flags)
+{
+       char *name;
+       int value;
+
+       name = conf_get_str(section, tag);
+       if (!name) {
+       LOG_DBG((LOG_MISC, 70,
+               "attribute_set_constant: no %s in the %s section", tag,
+               section));
+       return -1;
+       }
+       if (flags & SA_FLAG_NAT_T_ENABLE) {
+               if (strcmp(name, "TUNNEL") == 0)
+                       name = "UDP_ENCAP_TUNNEL";
+       else if (strcmp(name, "TRANSPORT") == 0)
+               name = "UDP_ENCAP_TRANSPORT";
+       }
+       value = constant_value(map, name);
+       *attr = attribute_set_basic(*attr, attr_class, value);
+       return 0;
+}
+#endif 
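Review bot: The debug message in the `!name` branch says `attribute_set_constant` but this function is `attribute_set_encap`, which will mislead anyone reading isakmpd's debug log; rename it, and indent the `else if (strcmp(name, "TRANSPORT") == 0)` branch to match its `if`. The RFC 3947 names `UDP_ENCAP_TUNNEL`/`UDP_ENCAP_TRANSPORT` are hard-coded whenever `SA_FLAG_NAT_T_ENABLE` is set, so a peer that only negotiated the draft-02/03 NAT-T variant would still be offered the RFC values; either select the name from the negotiated NAT-T version or document the limitation in a comment. The `#if 1 /* XXX hshoexer */` wrapper should go before this is committed.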
diff -uN src/sbin/isakmpd/attribute.h src2/sbin/isakmpd/attribute.h
--- src/sbin/isakmpd/attribute.h        Fri May 14 10:42:56 2004
+++ src2/sbin/isakmpd/attribute.h       Tue Feb  3 12:30:36 2015
@@ -41,6 +41,10 @@
 extern u_int8_t        *attribute_set_basic(u_int8_t *, u_int16_t, u_int16_t);
 extern int      attribute_set_constant(char *, char *, struct constant_map *,
                     int, u_int8_t **);
+#if 1 /* XXX hshoexer */
+extern int attribute_set_encap(char *, char *, struct constant_map *,
+       int, u_int8_t **, u_int32_t);
+#endif 
 extern u_int8_t        *attribute_set_var(u_int8_t *, u_int16_t, u_int8_t *,
                     u_int16_t);
 
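Review bot: The new prototype is again wrapped in `#if 1 /* XXX hshoexer */`, and its `#endif ` line has trailing whitespace; drop the guard and align the declaration with the tab layout of the neighbouring `attribute_set_constant` prototype so the header stays consistent.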
diff -uN src/sbin/isakmpd/ike_quick_mode.c src2/sbin/isakmpd/ike_quick_mode.c
--- src/sbin/isakmpd/ike_quick_mode.c   Mon Dec 12 08:35:29 2011
+++ src2/sbin/isakmpd/ike_quick_mode.c  Tue Feb  3 12:33:27 2015
@@ -621,9 +621,16 @@
                                        }
                                        conf_free_list(life_conf);
                                }
+                               #if 1 /* XXX hshoexer */
+                                       attribute_set_encap(xf->field,
+                                       "ENCAPSULATION_MODE", ipsec_encap_cst,
+                                       IPSEC_ATTR_ENCAPSULATION_MODE, &attr,
+                                       msg->isakmp_sa->flags);
+                               #else
                                attribute_set_constant(xf->field,
                                    "ENCAPSULATION_MODE", ipsec_encap_cst,
                                    IPSEC_ATTR_ENCAPSULATION_MODE, &attr);
+                               #endif
 
                                if (proto_id != IPSEC_PROTO_IPCOMP) {
                                        attribute_set_constant(xf->field,
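Review bot: Keeping the old `attribute_set_constant` call under `#else` leaves dead code that the `#if 1` guard can never reach; replace the call outright rather than guarding both versions. The `#if`/`#else`/`#endif` lines are also indented with tabs to the code's depth, unlike the column-1 preprocessor directives in the other hunks of this patch. Note that the return value of `attribute_set_encap` is discarded here exactly as the existing `attribute_set_constant` call's is, so a missing `ENCAPSULATION_MODE` in the configuration is only reported at debug level; that is existing behaviour, not a regression, but worth a comment.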
Common subdirectories: src/sbin/isakmpd/obj and src2/sbin/isakmpd/obj
Common subdirectories: src/sbin/isakmpd/sysdep and src2/sbin/isakmpd/sysdep

----- Forwarded message from Stuart Henderson <s...@spacehopper.org> -----
From: Stuart Henderson <s...@spacehopper.org>
To: Claer <cl...@claer.hammock.fr>
Subject: Re: Isakmpd NAT-T interoperability
Date: Mon, 9 Feb 2015 09:42:51 +0000
User-Agent: Mutt/1.5.23 (2014-03-12)

Thanks - would you mind posting results on the mailing list thread too, please?
It would be nice to draw more attention to this problem and it's more likely to
generate interest when multiple people are running into it ;-)



On 2015/02/09 10:40, Claer wrote:
> Hello,
> 
> No problem, I built a stable release with the patch and will test it in the
> following days. I already got the acknowledgement from the other IPSec endpoint.
> 
> I'll keep you informed of the results.
> Thanks for the quick answer! (quicker than mine ;))
> 
> Regards,
> 
> Claer
> 
> On Fri, Jan 30 2015 at 17:18, Stuart Henderson wrote:
> 
> > Sorry no time to look at this now. Personally I'd just try the diff and
> > see if it applies, if it doesn't, look at the .rej file and hand apply those
> > bits. isakmpd hasn't changed much recently.
> > 
> > On 2015/01/30 17:32, Claer wrote:
> > > Hello,
> > > 
> > > Two and a half years ago, you posted an interesting mail on the openbsd-tech
> > > mailing list regarding isakmpd NAT-T interoperability. Here is the link for
> > > reference:
> > > http://openbsd.7691.n7.nabble.com/isakmpd-NAT-T-interoperability-tt173004.html#none
> > > 
> > > Yesterday I encountered exactly that problem when setting up an IPSEC
> > > connection with a client that is using an ASA. The OpenBSD cluster is behind
> > > NAT and I couldn't establish the SAs from my side. From the ASA side it was OK.
> > > Strange enough, I'm sure I established a tunnel with another client using the
> > > same setup on my side and it was working well. In either case, unfortunately I
> > > don't have the configuration on the ASA side.
> > > 
> > > The setup
> > > =========
> > > 
> > > ASA with public IP,
> > > OpenBSD with Static NAT on Internet and firewalled ports except UDP 500, UDP
> > > 4500, and ESP.
> > > 
> > > The configuration on the OpenBSD side:
> > > /etc/ipsec.conf
> > > ---------------------------------
> > > lan_local = "{10.11.64.0/24 10.11.66.0/24 10.11.67.0/24}"
> > > localip = "10.50.13.4"
> > > 
> > > # brain loop
> > > gw_blo = "93.104.248.34"
> > > 
> > > psk_blo = "test12345"
> > > dstid_blo = "93.104.248.34"
> > > lan_blo = "172.16.17.7/24"
> > > 
> > > 
> > > ike esp from $lan_local to $lan_blo \
> > >         local $localip peer $gw_blo \
> > >         main  auth hmac-sha1 enc aes-256 group grp5 lifetime 3600 \
> > >         quick auth hmac-sha1 enc aes-256 group grp5 lifetime 28800 \
> > >         srcid 10.50.13.4 dstid $dstid_blo \
> > >         psk $psk_blo
> > > 
> > > flow esp from $lan_local to $lan_blo \
> > >         local $localip peer $gw_blo type require
> > > ---------------------------------
> > > 
> > > With that setup, IKE Phase 1 establishes OK and IKE Phase 2 fails. Here is the
> > > tcpdump.pcap output:
> > > 
> > > ---------------------------------
> > > 18:39:30.749875 10.50.13.4.500 > 93.104.248.34.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->0000000000000000 msgid: 00000000 len: 184
> > >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 0 ID: ISAKMP
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute GROUP_DESCRIPTION = MODP_1536
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 3600
> > >                         attribute KEY_LENGTH = 256
> > >         payload: VENDOR len: 20
> > >         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> > >         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> > >         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> > >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
> > > 18:39:30.768273 93.104.248.34.500 > 10.50.13.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 00000000 len: 128
> > >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 0 ID: ISAKMP
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute KEY_LENGTH = 256
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute GROUP_DESCRIPTION = MODP_1536
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 3600
> > >         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> > >         payload: VENDOR len: 24 [ttl 0] (id 1, len 156)
> > > 18:39:30.772483 10.50.13.4.500 > 93.104.248.34.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 00000000 len: 292
> > >         payload: KEY_EXCH len: 196
> > >         payload: NONCE len: 20
> > >         payload: NAT-D len: 24
> > >         payload: NAT-D len: 24 [ttl 0] (id 1, len 320)
> > > 18:39:30.830497 93.104.248.34.500 > 10.50.13.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 00000000 len: 368
> > >         payload: KEY_EXCH len: 196
> > >         payload: NONCE len: 24
> > >         payload: VENDOR len: 20 (supports Cisco Unity)
> > >         payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
> > >         payload: VENDOR len: 20
> > >         payload: VENDOR len: 20
> > >         payload: NAT-D len: 24
> > >         payload: NAT-D len: 24 [ttl 0] (id 1, len 396)
> > > 18:39:30.834458 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum b44a!] udpencap: isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 00000000 len: 92
> > >         payload: ID len: 12 type: IPV4_ADDR = 10.50.13.4
> > >         payload: HASH len: 24
> > >         payload: NOTIFICATION len: 28
> > >             notification: INITIAL CONTACT (c709479d6bb30b43->cbdc4c575422b397) [ttl 0] (id 1, len 124)
> > > 18:39:30.852747 93.104.248.34.4500 > 10.50.13.4.4500: [bad udp cksum b44a!] udpencap: isakmp v1.0 exchange ID_PROT
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 00000000 len: 92
> > >         payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 93.104.248.34
> > >         payload: HASH len: 24
> > >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 124)
> > > 18:39:30.857435 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum 50ff!] udpencap: isakmp v1.0 exchange QUICK_MODE
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: d02fa158 len: 356
> > >         payload: HASH len: 24
> > >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x50ded563
> > >                 payload: TRANSFORM len: 32
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute ENCAPSULATION_MODE = TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute GROUP_DESCRIPTION = 5
> > >                         attribute KEY_LENGTH = 256
> > >         payload: NONCE len: 20
> > >         payload: KEY_EXCH len: 196
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.11.64.0/255.255.255.0
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.17.7/255.255.255.255 [ttl 0] (id 1, len 388)
> > > 18:39:30.861882 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum 50ff!] udpencap: isakmp v1.0 exchange QUICK_MODE
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 242b57b3 len: 356
> > >         payload: HASH len: 24
> > >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xbb0ab16d
> > >                 payload: TRANSFORM len: 32
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute ENCAPSULATION_MODE = TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute GROUP_DESCRIPTION = 5
> > >                         attribute KEY_LENGTH = 256
> > >         payload: NONCE len: 20
> > >         payload: KEY_EXCH len: 196
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.11.66.0/255.255.255.0
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.17.7/255.255.255.255 [ttl 0] (id 1, len 388)
> > > 18:39:30.866270 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum 50ff!] udpencap: isakmp v1.0 exchange QUICK_MODE
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 170985af len: 356
> > >         payload: HASH len: 24
> > >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x9a5e0d52
> > >                 payload: TRANSFORM len: 32
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute ENCAPSULATION_MODE = TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute GROUP_DESCRIPTION = 5
> > >                         attribute KEY_LENGTH = 256
> > >         payload: NONCE len: 20
> > >         payload: KEY_EXCH len: 196
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.11.67.0/255.255.255.0
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.17.7/255.255.255.255 [ttl 0] (id 1, len 388)
> > > 18:39:30.885789 93.104.248.34.4500 > 10.50.13.4.500: [bad udp cksum 580!] udpencap: isakmp v1.0 exchange INFO
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 0539161d len: 92
> > >         payload: HASH len: 24
> > >         payload: NOTIFICATION len: 32
> > >             notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 124)
> > > 18:39:30.887766 93.104.248.34.4500 > 10.50.13.4.500: [bad udp cksum 580!] udpencap: isakmp v1.0 exchange INFO
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: fa97c0f1 len: 92
> > >         payload: HASH len: 24
> > >         payload: NOTIFICATION len: 32
> > >             notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 124)
> > > 18:39:30.888941 93.104.248.34.4500 > 10.50.13.4.500: [bad udp cksum 580!] udpencap: isakmp v1.0 exchange INFO
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: 04e4095d len: 92
> > >         payload: HASH len: 24
> > >         payload: NOTIFICATION len: 32
> > >             notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 124)
> > > 18:39:30.889819 93.104.248.34.4500 > 10.50.13.4.500: [bad udp cksum 580!] udpencap: isakmp v1.0 exchange INFO
> > >         cookie: c709479d6bb30b43->cbdc4c575422b397 msgid: bf6231b2 len: 92
> > >         payload: HASH len: 24
> > >         payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
> > >             cookie: c709479d6bb30b43->cbdc4c575422b397 [ttl 0] (id 1, len 124)
> > > ---------------------------------
> > > 
> > > When I configure the tunnel in passive mode, I can see the phase 2 proposals
> > > coming from the Cisco and try to determine what's wrong. Here are the logs with
> > > the Cisco phase 2 proposals. Except for the fact that I had to adapt phase 2
> > > parameters that differed between what was asked by the admin and what was
> > > proposed by the Cisco, Phase 2 was successful and traffic flows normally
> > > between peers.
> > > 
> > > The main point of all this is that the Cisco is negotiating
> > > ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL and refuses to establish SAs with
> > > ENCAPSULATION_MODE = TUNNEL, respecting the RFC on this point.
> > > 
> > > To conclude, I had a look at the diff you sent in the "famous" thread 2 years
> > > ago, but I didn't apply it as is. Do you know if somebody has a more up to date
> > > version, without ifdefs for example, that I could try to solve my problem? :)
> > > 
> > > 
> > > Regards and thanks for your help,
> > > 
> > > Benjamin
> > > 
> > > (Note: The parameters were slightly different as we were conducting tests)
> > > ---------------------------------
> > > 17:20:32.644981 93.104.248.34.500 > 10.50.13.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0000000000000000 msgid: 00000000 len: 324
> > >         payload: SA len: 212 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 200 proposal: 1 proto: ISAKMP spisz: 0 xforms: 5
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1536
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute KEY_LENGTH = 256
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 2 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1024
> > >                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 3 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1536
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute KEY_LENGTH = 256
> > >                         attribute HASH_ALGORITHM = MD5
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 4 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1024
> > >                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> > >                         attribute HASH_ALGORITHM = MD5
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 5 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1024
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute KEY_LENGTH = 256
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> > >         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> > >         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> > >         payload: VENDOR len: 24 [ttl 0] (id 1, len 352)
> > > 17:20:32.645175 10.50.13.4.500 > 93.104.248.34.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 00000000 len: 188
> > >         payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: ISAKMP
> > >                         attribute GROUP_DESCRIPTION = MODP_1536
> > >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> > >                         attribute KEY_LENGTH = 256
> > >                         attribute HASH_ALGORITHM = SHA
> > >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 00015180
> > >         payload: VENDOR len: 20
> > >         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> > >         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> > >         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> > >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 216)
> > > 17:20:32.682762 93.104.248.34.500 > 10.50.13.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 00000000 len: 368
> > >         payload: KEY_EXCH len: 196
> > >         payload: NONCE len: 24
> > >         payload: VENDOR len: 20 (supports Cisco Unity)
> > >         payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
> > >         payload: VENDOR len: 20
> > >         payload: VENDOR len: 20
> > >         payload: NAT-D len: 24
> > >         payload: NAT-D len: 24 [ttl 0] (id 1, len 396)
> > > 17:20:32.685530 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum dcbd!] udpencap: isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 00000000 len: 296
> > >         payload: KEY_EXCH len: 196
> > >         payload: NONCE len: 24
> > >         payload: NAT-D len: 24
> > >         payload: NAT-D len: 24 [ttl 0] (id 1, len 328)
> > > 17:20:32.723879 93.104.248.34.4500 > 10.50.13.4.4500: [bad udp cksum 87f8!] udpencap: isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 00000000 len: 92
> > >         payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 93.104.248.34
> > >         payload: HASH len: 24
> > >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 124)
> > > 17:20:32.723981 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum 87f8!] udpencap: isakmp v1.0 exchange ID_PROT
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 00000000 len: 92
> > >         payload: ID len: 12 type: IPV4_ADDR = 10.50.13.4
> > >         payload: HASH len: 24
> > >         payload: NOTIFICATION len: 28
> > >             notification: INITIAL CONTACT (1fe2fae6c273f86d->0c439f9b99468058) [ttl 0] (id 1, len 124)
> > > 17:20:32.744862 93.104.248.34.4500 > 10.50.13.4.500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 8d2443a7 len: 652
> > >         payload: HASH len: 24
> > >         payload: SA len: 516 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x299308c0
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute KEY_LENGTH = 128
> > >             payload: PROPOSAL len: 52 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x1c13d7d2
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> > >                         attribute KEY_LENGTH = 128
> > >             payload: PROPOSAL len: 52 proposal: 3 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x42a16d34
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute KEY_LENGTH = 192
> > >             payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x24401c0e
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> > >                         attribute KEY_LENGTH = 192
> > >             payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0355c1cd
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute KEY_LENGTH = 256
> > >             payload: PROPOSAL len: 52 proposal: 6 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc7f6f8ae
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> > >                         attribute KEY_LENGTH = 256
> > >             payload: PROPOSAL len: 48 proposal: 7 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc85e9c1a
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 1 ID: 3DES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >             payload: PROPOSAL len: 48 proposal: 8 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xedf24cd6
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 1 ID: 3DES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> > >             payload: PROPOSAL len: 48 proposal: 9 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x66bc9583
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 1 ID: DES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >             payload: PROPOSAL len: 48 proposal: 10 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xde5e6ce7
> > >                 payload: TRANSFORM len: 36
> > >                     transform: 1 ID: DES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> > >         payload: NONCE len: 24
> > >         payload: ID len: 12 type: IPV4_ADDR = 172.16.17.7
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.11.66.0/255.255.255.0
> > >         payload: NOTIFICATION len: 28
> > >             notification: INITIAL CONTACT (1fe2fae6c273f86d->0c439f9b99468058) [ttl 0] (id 1, len 684)
> > > DE
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 8d2443a7 len: 168
> > >         payload: HASH len: 24
> > >         payload: SA len: 64 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> > >             payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xa39ef635
> > >                 payload: TRANSFORM len: 40
> > >                     transform: 1 ID: AES
> > >                         attribute LIFE_TYPE = SECONDS
> > >                         attribute LIFE_DURATION = 28800
> > >                         attribute LIFE_TYPE = KILOBYTES
> > >                         attribute LIFE_DURATION = 00465000
> > >                         attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
> > >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> > >                         attribute KEY_LENGTH = 128
> > >         payload: NONCE len: 24
> > >         payload: ID len: 12 type: IPV4_ADDR = 172.16.17.7
> > >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.11.66.0/255.255.255.0 [ttl 0] (id 1, len 200)
> > > DE
> > >         cookie: 1fe2fae6c273f86d->0c439f9b99468058 msgid: 8d2443a7 len: 76
> > >         payload: HASH len: 24 [ttl 0] (id 1, len 108)
> > > [...]

----- End forwarded message -----
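As an added example (not part of this thread or of isakmpd), the check below runs over tcpdump isakmp output like the captures quoted above and flags quick-mode proposals whose ENCAPSULATION_MODE does not fit the NAT-T state of the exchange: plain TUNNEL after NAT was detected (the NO PROPOSAL CHOSEN case above), or a draft value when both peers advertised RFC 3947 (the first attempt described in the covering mail). The sample dump is constructed and abbreviated from the quoted captures; the function and field names are my own.

```python
"""Check IKEv1 quick-mode proposals in tcpdump isakmp output for the NAT-T
encapsulation-mode mismatch discussed in this thread: once NAT is detected
(tcpdump prints "udpencap:"), RFC 3947 expects ENCAPSULATION_MODE to be
UDP_ENCAP_TUNNEL (3) / UDP_ENCAP_TRANSPORT (4), not TUNNEL (1) / TRANSPORT (2).
The draft-ietf-ipsec-nat-t-ike-02/03 values are 61443 / 61444 instead."""
import re
from dataclasses import dataclass, field

PLAIN_MODES = {"TUNNEL", "TRANSPORT"}
RFC_MODES = {"UDP_ENCAP_TUNNEL", "UDP_ENCAP_TRANSPORT"}
DRAFT_MODES = {"UDP_ENCAP_TUNNEL_DRAFT", "UDP_ENCAP_TRANSPORT_DRAFT"}

# Packet header line as tcpdump prints it for isakmp (see the captures above).
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"\[[^\]]*\] (?P<udpencap>udpencap: )?isakmp v1\.0 exchange (?P<exch>\S+)")
ENCAP_RE = re.compile(r"attribute ENCAPSULATION_MODE = (\S+)")
NATT_VID_RE = re.compile(r"supports (?:v\d )?NAT-T, ([^)]+)\)")


@dataclass
class Packet:
    ts: str
    src: str            # "ip.port" as tcpdump prints it
    dst: str
    udpencap: bool      # True when carried in UDP 4500 NAT-T encapsulation
    exchange: str       # ID_PROT, QUICK_MODE, INFO, ...
    encap_modes: list = field(default_factory=list)   # phase 2 proposals
    natt_vids: list = field(default_factory=list)     # NAT-T vendor IDs seen


def parse_isakmp_dump(text):
    """Group tcpdump's multi-line isakmp output into Packet records."""
    packets = []
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            packets.append(Packet(m["ts"], m["src"], m["dst"],
                                  m["udpencap"] is not None, m["exch"]))
        elif not packets:
            pass  # stray line before the first packet header
        elif m := ENCAP_RE.search(line):
            packets[-1].encap_modes.append(m.group(1))
        elif m := NATT_VID_RE.search(line):
            packets[-1].natt_vids.append(m.group(1))
    return packets


def host_of(addr):
    """Strip the port so the 500 and 4500 forms of one peer compare equal."""
    return addr.rsplit(".", 1)[0]


def rfc3947_hosts(packets):
    """Hosts that advertised the RFC 3947 NAT-T vendor ID in phase 1."""
    return {host_of(p.src) for p in packets
            if p.exchange == "ID_PROT" and "RFC 3947" in p.natt_vids}


def find_encap_mismatches(packets):
    """Return (ts, src, mode, reason) for quick-mode proposals whose
    ENCAPSULATION_MODE does not fit the NAT-T state of the exchange."""
    rfc_hosts = rfc3947_hosts(packets)
    findings = []
    for p in packets:
        if p.exchange != "QUICK_MODE":
            continue
        both_rfc = {host_of(p.src), host_of(p.dst)} <= rfc_hosts
        for mode in p.encap_modes:
            if p.udpencap and mode in PLAIN_MODES:
                reason = "plain mode proposed although NAT was detected"
            elif p.udpencap and mode in DRAFT_MODES and both_rfc:
                reason = "draft value although both peers support RFC 3947"
            elif not p.udpencap and mode in RFC_MODES | DRAFT_MODES:
                reason = "UDP encapsulation mode proposed without NAT-T"
            else:
                continue
            findings.append((p.ts, p.src, mode, reason))
    return findings


# Constructed sample, abbreviated from the captures quoted in this thread:
# phase 1 vendor IDs, the rejected TUNNEL proposal, then the ASA's own proposal.
SAMPLE_DUMP = """\
18:39:30.749875 10.50.13.4.500 > 93.104.248.34.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
18:39:30.768273 93.104.248.34.500 > 10.50.13.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
18:39:30.857435 10.50.13.4.4500 > 93.104.248.34.4500: [bad udp cksum 50ff!] udpencap: isakmp v1.0 exchange QUICK_MODE
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x50ded563
                        attribute ENCAPSULATION_MODE = TUNNEL
18:39:30.885789 93.104.248.34.4500 > 10.50.13.4.500: [bad udp cksum 580!] udpencap: isakmp v1.0 exchange INFO
            notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 124)
17:20:32.744862 93.104.248.34.4500 > 10.50.13.4.500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
            payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x299308c0
                        attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
"""

if __name__ == "__main__":
    for ts, src, mode, reason in find_encap_mismatches(parse_isakmp_dump(SAMPLE_DUMP)):
        print(f"{ts} {src}: ENCAPSULATION_MODE={mode}: {reason}")
```

Feed it the raw output of `tcpdump -v -n -r file.pcap udp port 500 or udp port 4500` (with the mail-client line wrapping undone) and only proposals that contradict the detected NAT-T state are reported.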
