IKE key negotiation with a Cisco box

From: kbarry@enpocketbureau.com
Date: Thu May 08 2003 - 11:38:21 EDT


Hi,

I'm trying to negotiate a VPN tunnel with a Cisco box,
and I'm having problems.

I'm using the native IPsec/IKE on a Solaris 9 box
with a preshared key, esp-3des and md5.

The error I'm getting when I run /usr/lib/inet/in.iked -d
appears to be a timeout. I've changed the IP addresses in
the following, but both are routable. 192.16.8.1 represents the
local box.

Thu May 08 16:15:36 2003: ./in.iked: In match_phase1.
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: searching rulebase for src = 192.168.1.1
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: dst = 10.0.0.1
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: rule simple inheritor 0x1
Thu May 08 16:15:36 2003: ./in.iked: laddr = AF2:192.168.1.1
Thu May 08 16:15:36 2003: ./in.iked: raddr = AF2:10.0.0.1!
Thu May 08 16:15:36 2003: ./in.iked: winning rule: simple inheritor

Thu May 08 16:15:36 2003: ./in.iked: construct_local_id
Thu May 08 16:15:36 2003: ./in.iked: construct_local_id: ipv4(any:0,[0..4]=192.168.1.1)
Thu May 08 16:15:36 2003: ./in.iked: xchg_type=2, 1 xforms.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_request_vendor_ids pm_info == eebc0.
Thu May 08 16:15:36 2003: ./in.iked: Non-NULL new negotiation! Get back to work!
Thu May 08 16:15:36 2003: ./in.iked: Waiting for IKE results.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_vendor_id.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_vendor_id.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_nonce_data_len.
Thu May 08 16:15:36 2003: ./in.iked: In match_phase1.
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: searching rulebase for src = 192.168.1.1
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: dst = 10.0.0.1
Thu May 08 16:15:36 2003: ./in.iked: get_phase1: rule simple inheritor 0x1
Thu May 08 16:15:36 2003: ./in.iked: laddr = AF2:192.168.1.1
Thu May 08 16:15:36 2003: ./in.iked: raddr = AF2:10.0.0.1!
Thu May 08 16:15:36 2003: ./in.iked: winning rule: simple inheritor

Thu May 08 16:15:36 2003: ./in.iked: construct_local_id
Thu May 08 16:15:36 2003: ./in.iked: construct_local_id: ipv4(any:0,[0..4]=192.168.1.1)
Thu May 08 16:15:36 2003: ./in.iked: xchg_type=2, 1 xforms.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_request_vendor_ids pm_info == eebc0.
Thu May 08 16:15:36 2003: ./in.iked: Non-NULL new negotiation! Get back to work!
Thu May 08 16:15:36 2003: ./in.iked: Waiting for IKE results.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_vendor_id.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_vendor_id.
Thu May 08 16:15:36 2003: ./in.iked: In ssh_policy_isakmp_nonce_data_len.
Thu May 08 16:15:37 2003: ./in.iked: In ssh_policy_find_pre_shared_key.
Thu May 08 16:15:37 2003: ./in.iked: in ike_report_error: type 24, decrypted 0, rx 1
Thu May 08 16:15:37 2003: ./in.iked: pm_info null! (msg type 24)
Thu May 08 16:15:37 2003: ./in.iked: In ssh_policy_phase_ii_sa_freed.
Thu May 08 16:15:37 2003: ./in.iked: In ssh_policy_find_pre_shared_key.
Thu May 08 16:15:37 2003: ./in.iked: in ike_report_error: type 24, decrypted 0, rx 1
Thu May 08 16:15:37 2003: ./in.iked: pm_info null! (msg type 24)
Thu May 08 16:15:37 2003: ./in.iked: In ssh_policy_phase_ii_sa_freed.

The output of "tethereal host 10.0.0.1" is:
mobicus:root usr# tethereal host 10.0.0.1
Capturing on hme0
  0.000000 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.001800 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.002351 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.003024 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.003578 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.004128 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.004689 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.005246 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.005804 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.024719 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
  0.032000 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.054656 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
  0.062064 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.091009 10.0.0.1 -> 192.168.1.1 ISAKMP Informational
  0.503179 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.503413 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.513106 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.513340 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.513580 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.513820 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.514085 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.514322 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.563123 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.513166 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.513410 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.513685 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.513924 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.514177 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.514419 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.514658 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.514906 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  1.573115 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.523164 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.523398 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.523626 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.523870 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.524125 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.524364 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.524601 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.524832 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.583103 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  3.969448 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
  7.533193 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.533456 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.533712 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.533969 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.534231 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.534486 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.534740 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.535004 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  7.557340 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
  7.593109 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 11.471333 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 11.971485 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 11.971891 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.543190 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.543448 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.543706 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.543968 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.544227 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.544481 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.544746 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.545001 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 15.566946 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 15.971624 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 15.971962 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 19.471779 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 19.472884 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 19.972533 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 19.973010 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 23.472654 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 23.474440 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 23.973514 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
 23.973882 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
 27.973478 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)

Any suggestions gratefully appreciated.

I will summarise to the list.

Regards

Kieran
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
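
An added example, not part of the original post and not code from in.iked or tethereal: a small triage script for output of the shape quoted above, which decodes the numeric fields and counts ISAKMP packets per direction. It assumes the `xchg_type` and `ike_report_error` type values follow the ISAKMP numbering in RFC 2408; the function names and the embedded sample lines are constructed for illustration.

```python
import re
from collections import Counter

# RFC 2408 numbers (subset); applying them to in.iked's fields is an assumption.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}

# Constructed samples in the shape of the output quoted in the post.
IKED_LOG = """\
Thu May 08 16:15:36 2003: ./in.iked: xchg_type=2, 1 xforms.
Thu May 08 16:15:37 2003: ./in.iked: In ssh_policy_find_pre_shared_key.
Thu May 08 16:15:37 2003: ./in.iked: in ike_report_error: type 24, decrypted 0, rx 1
"""
CAPTURE = """\
  0.000000 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.024719 10.0.0.1 -> 192.168.1.1 ISAKMP Identity Protection (Main Mode)
  0.062064 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
  0.091009 10.0.0.1 -> 192.168.1.1 ISAKMP Informational
  0.503179 192.168.1.1 -> 10.0.0.1 ISAKMP Identity Protection (Main Mode)
"""

def triage_iked(log):
    """Return (exchange name, decoded error reports) from in.iked -d output."""
    exchange, errors = None, []
    for line in log.splitlines():
        m = re.search(r"xchg_type=(\d+)", line)
        if m:
            exchange = EXCHANGE_TYPES.get(int(m.group(1)), "unknown")
        m = re.search(r"ike_report_error: type (\d+), decrypted (\d+), rx (\d+)", line)
        if m:
            code, decrypted, rx = map(int, m.groups())
            # The decrypted/rx flags are kept as logged, without interpretation.
            errors.append({"notify": NOTIFY_TYPES.get(code, f"type {code}"),
                           "decrypted": bool(decrypted), "rx": bool(rx)})
    return exchange, errors

def triage_capture(text, local):
    """Count ISAKMP packets per (direction, kind); time of first inbound Informational."""
    counts, first_info = Counter(), None
    pat = re.compile(r"\s*([\d.]+) (\S+) -> \S+ ISAKMP (.+)")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            ts, src, kind = m.groups()
            direction = "out" if src == local else "in"
            counts[(direction, kind)] += 1
            if (direction, kind) == ("in", "Informational") and first_info is None:
                first_info = float(ts)
    return counts, first_info
```

An inbound Informational packet that lines up in time with an `ike_report_error` entry points at a notification from the peer rather than a silent timeout, which is worth checking before adjusting retransmit timers.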


