I have set up an aggressive mode VPN between a Cisco 877 and an OpenBSD server. The SA seems to have been set up correctly; however, the connection only appears to pass traffic from the Cisco to the server. The private IPs on the Cisco have a NAT exemption to keep it from NATting when going through the tunnel. The server itself has no pf running on it right now for testing purposes.
Thank you for your response; if you want or need any more info please let me know.

If I ping the server from my workstation behind the Cisco I get this and a timeout on the ping:

# tcpdump -i enc0
tcpdump: listening on enc0, link-type ENC
22:30:25.843966 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
22:30:31.343855 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
22:30:36.843874 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
^C
3 packets received by filter
0 packets dropped by kernel

SERVER:

# uname -a
OpenBSD angie.sporkton.com 4.3 GENERIC#698 i386

# cat /etc/ipsec.conf
# angie.sporkton.com
ike dynamic esp tunnel proto ip \
        from 38.102.248.176/29 to 10.0.0.0/24 \
        aggressive auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
        psk "secret"

# ipsecctl -vs all
FLOWS:
No flows

SAD:
esp tunnel from 75.22.69.151 to 38.102.248.178 spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
        sa: spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_cur: alloc 0 bytes 8960 add 1222319514 first 1222319514
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 75.22.69.151
        address_dst: 38.102.248.178
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.255.0
        dst_mask: 255.255.255.248
        protocol: proto 0 flags 0
        flow_type: type use direction in
        src_flow: 10.0.0.0
        dst_flow: 38.102.248.176
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1222320279
esp tunnel from 38.102.248.178 to 75.22.69.151 spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
        sa: spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1222319514 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 38.102.248.178
        address_dst: 75.22.69.151
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.248
        dst_mask: 255.255.255.0
        protocol: proto 0 flags 0
        flow_type: type use direction out
        src_flow: 38.102.248.176
        dst_flow: 10.0.0.0

CISCO:

!
hostname fire
aaa new-model
aaa authentication login default local
!
ip inspect udp idle-time 180
ip inspect tcp block-non-session
ip inspect name outside_in tcp audit-trail on router-traffic timeout 43200
ip inspect name outside_in udp router-traffic
ip domain name sporkton.com
ip host sporkton.com 38.102.248.178
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secret hostname angie.sporkton.com no-xauth
crypto isakmp identity hostname
!
crypto isakmp peer address 38.102.248.178
 set aggressive-mode password secret
 set aggressive-mode client-endpoint fqdn fire.sporkton.com
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_vpn 10 ipsec-isakmp
 set peer 38.102.248.178
 set transform-set ESP-3DES-SHA
 match address cryptomap_outside_10
!
interface FastEthernet0
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 crypto map outside_vpn
!
ip nat inside source route-map NoNAT interface Dialer1 overload
!
ip access-list extended NoNAT
 permit tcp 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7 eq 22
 deny   ip 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended cryptomap_outside_10
 permit ip 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7
ip access-list extended outside_access_in
 permit tcp any any eq 22
 permit icmp any any
 permit tcp any any established
 permit udp any eq domain any
 permit esp any any
 permit udp any any eq isakmp
!
route-map NoNAT permit 10
 match ip address NoNAT

fire# show crypto session
Crypto session current status

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 38.102.248.178 port 500
  IKE SA: local 75.22.69.151/500 remote 38.102.248.178/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 38.102.248.176/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 38.102.248.176/255.255.255.248
        Active SAs: 2, origin: crypto map

fire#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
38.102.248.178  75.22.69.151    QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

fire#sho cry ips sa

interface: Dialer1
    Crypto map tag: outside_vpn, local addr 75.22.69.151

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (38.102.248.176/255.255.255.248/0/0)
   current_peer 38.102.248.178 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1155, #pkts encrypt: 1155, #pkts digest: 1155
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 52, #recv errors 0

     local crypto endpt.: 75.22.69.151, remote crypto endpt.: 38.102.248.178
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6B8A31CD(1804218829)

     inbound esp sas:
      spi: 0xBF127570(3205657968)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: C87X_MBRD:15, crypto map: outside_vpn
        sa timing: remaining key lifetime (k/sec): (4499623/218)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6B8A31CD(1804218829)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: C87X_MBRD:16, crypto map: outside_vpn
        sa timing: remaining key lifetime (k/sec): (4499603/218)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: outside_vpn, local addr 75.22.69.151

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (38.102.248.176/255.255.255.248/0/0)
   current_peer 38.102.248.178 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1155, #pkts encrypt: 1155, #pkts digest: 1155
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 52, #recv errors 0

     local crypto endpt.: 75.22.69.151, remote crypto endpt.: 38.102.248.178
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6B8A31CD(1804218829)

     inbound esp sas:
      spi: 0xBF127570(3205657968)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: C87X_MBRD:15, crypto map: outside_vpn
        sa timing: remaining key lifetime (k/sec): (4499623/217)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6B8A31CD(1804218829)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: C87X_MBRD:16, crypto map: outside_vpn
        sa timing: remaining key lifetime (k/sec): (4499603/217)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

fire#

-- 
-Lawrence
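As an added example (not part of Lawrence's post, and not a tool shipped by OpenBSD or Cisco), here is a small Python script that reads the two diagnostic outputs quoted in the post and flags the two symptoms they show side by side: an OpenBSD SAD that holds SAs while `FLOWS:` reports none, and a Cisco crypto-map entry whose `#pkts encaps` counter climbs while `#pkts decaps` stays at zero. The sample strings are trimmed copies of the post's own output; the flow-line regex assumes the `flow esp in|out from A to B ...` line shape that `ipsecctl -s flow` prints, which is an assumption of this example rather than something shown in the post.

```python
"""Sanity checks over IPsec diagnostic output from both ends of a tunnel.

These are heuristics for a first look at a one-way tunnel, not a diagnosis:
  * OpenBSD `ipsecctl -vs all`: SAD entries with no FLOWS means the kernel has
    keys but no policy telling it which traffic belongs in the tunnel.
  * Cisco `show crypto ipsec sa`: encaps > 0 with decaps == 0 means packets
    leave encrypted but nothing encrypted ever comes back.
"""
import re

# Constructed sample: trimmed copy of the `ipsecctl -vs all` output in the post.
IPSECCTL_SAMPLE = """\
FLOWS:
No flows

SAD:
esp tunnel from 75.22.69.151 to 38.102.248.178 spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
esp tunnel from 38.102.248.178 to 75.22.69.151 spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
"""

# Constructed sample: trimmed copy of the Cisco `show crypto ipsec sa` output in
# the post, reduced to one interface block.
CISCO_SAMPLE = """\
interface: Dialer1
    Crypto map tag: outside_vpn, local addr 75.22.69.151
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (38.102.248.176/255.255.255.248/0/0)
    #pkts encaps: 1155, #pkts encrypt: 1155, #pkts digest: 1155
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 52, #recv errors 0
"""

# SAD entry line as printed by ipsecctl (matches the post's output).
SA_RE = re.compile(r"^esp (tunnel|transport) from (\S+) to (\S+) spi (0x[0-9a-f]+)", re.M)
# Flow line shape assumed for `ipsecctl -s flow`: "flow esp in from A to B ..."
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+)", re.M)
# Cisco per-interface block header and the two counters we care about.
IFACE_RE = re.compile(r"^interface: (\S+)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SEND_ERR_RE = re.compile(r"#send errors (\d+)")


def parse_ipsecctl(text):
    """Return (sas, flows) parsed from `ipsecctl -vs all` text."""
    sas = [{"src": m.group(2), "dst": m.group(3), "spi": m.group(4)}
           for m in SA_RE.finditer(text)]
    flows = [{"dir": m.group(1), "from": m.group(2), "to": m.group(3)}
             for m in FLOW_RE.finditer(text)]
    return sas, flows


def check_openbsd(text):
    """Flag an SAD that has keys but no flows (policy) to use them with."""
    sas, flows = parse_ipsecctl(text)
    findings = []
    if sas and not flows:
        findings.append(f"{len(sas)} SA(s) in SAD but no flows: "
                        "kernel has keys but no policy selecting traffic for the tunnel")
    return findings


def parse_cisco(text):
    """Return {interface: {"encaps": n, "decaps": n, "send_errors": n}} per block."""
    blocks = {}
    for part in re.split(r"^(?=interface: )", text, flags=re.M):
        m = IFACE_RE.match(part)
        if not m:
            continue  # leading empty chunk before the first block
        counters = {name: int(val) for name, val in COUNTER_RE.findall(part)}
        err = SEND_ERR_RE.search(part)
        counters["send_errors"] = int(err.group(1)) if err else 0
        blocks[m.group(1)] = counters
    return blocks


def check_cisco(text):
    """Flag crypto-map entries that encrypt outbound traffic but never decrypt any."""
    findings = []
    for iface, c in parse_cisco(text).items():
        enc, dec = c.get("encaps", 0), c.get("decaps", 0)
        if enc > 0 and dec == 0:
            findings.append(f"{iface}: {enc} packets encapsulated, 0 decapsulated: traffic is one-way")
    return findings


if __name__ == "__main__":
    for label, findings in (("OpenBSD", check_openbsd(IPSECCTL_SAMPLE)),
                            ("Cisco", check_cisco(CISCO_SAMPLE))):
        print(label + ":", "\n  ".join([""] + findings) if findings else " no findings")
```

The two checks deliberately look at different layers: the OpenBSD side tells you whether the kernel even has a policy for the return traffic, while the Cisco counters tell you whether anything encrypted arrived at all, so reading them together separates a policy problem from a transport or filtering problem before touching either configuration.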