[vpn-help] Cisco and Shrew - tunnel up, failed SA identity check

mihai gabriel mihaigabriel at gmail.com
Thu Jul 7 03:40:07 CDT 2011


Hello,

I have a Cisco 7200 with a VAM2+ PA installed that is acting as an IPsec
concentrator. Using vpnc everything is OK, but with Shrew (Linux or Windows),
even though the tunnel is up, no traffic passes through the tunnel.
The difference between vpnc and Shrew is that on the 7200, the local_proxy is
set to 0.0.0.0/255.255.255.255/0/0 (type=1) when Shrew is used, and
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4) when vpnc is used.
I attached the config and some logs on cisco:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key 6 ThJ\giXJQKgTAVSMV^]QVdeJ[faFPgPVe
 pool ippool
 acl 100
 netmask 255.255.255.224
crypto isakmp profile vpn
   match identity group vpn
   virtual-template 1

crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto ipsec profile vpn
 set security-association lifetime seconds 3600
 set transform-set vpn
 set isakmp-profile vpn

crypto dynamic-map vpn 1
 set transform-set vpn

interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip virtual-reassembly
 tunnel source FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn


Cisco debug when Shrew is used:

Jul  7 11:04:44: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1),
    remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0


IPSEC(epa_des_crypt): decrypted packet failed SA identity check
IPSEC(epa_des_crypt): decrypted packet failed SA identity check

vpn-concentrator#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1    2.2.2.2    QM_IDLE          13019 ACTIVE

vpn-concentrator#sh crypto ipsec sa

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-9, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Shrew logs:

11/07/07 08:43:49 ii : - loc ANY:3.3.3.3:* -> ANY:0.0.0.0:*
11/07/07 08:43:49 ii : - rmt ANY:0.0.0.0:* -> ANY:3.3.3.3:*
11/07/07 08:43:49 ii : phase2 sa established
11/07/07 08:43:49 ii :2.2.2.2:500 <-> 1.1.1.1:500
11/07/07 08:43:49 K< : recv pfkey GETSPI ESP message
11/07/07 08:43:49 ii : - seq  = 0x60c8de99
11/07/07 08:43:49 ii : - spi  = 0x40602cd0
11/07/07 08:43:49 ii : - src  = 2.2.2.2:0
11/07/07 08:43:49 ii : - dst  = 1.1.1.1:0



Using VPNC:

Jul  7 11:23:58: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=1.1.1.1, remote= 2.2.2.2,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

I tried 3 IOS versions and Shrew 2.2 and 2.1.7. The IP addresses used are fictitious.

I would be very grateful if someone would help me to solve this.

Thank you,
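As an added illustration (not part of the original post, and not Cisco or Shrew code), the following models the per-packet SA identity check behind the "decrypted packet failed SA identity check" message: it parses the local_proxy/remote_proxy values from the debug above and tests whether a decrypted inner packet falls inside the negotiated selectors. The inner addresses (3.3.3.3 -> 1.1.1.1) are constructed sample values; the identity-type numbers 1 and 4 are the ISAKMP/IPsec DOI ID types from RFC 2407.

```python
"""Model of the IPsec inbound SA identity check (constructed example)."""
import re
from ipaddress import IPv4Address, IPv4Network

# ISAKMP/IPsec DOI identification types (RFC 2407). Cisco prints both as
# addr/mask/prot/port but the type decides how the mask is interpreted.
ID_IPV4_ADDR = 1         # single host; mask 255.255.255.255 is implied
ID_IPV4_ADDR_SUBNET = 4  # address plus real subnet mask

PROXY_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\s*\(type=(\d+)\)"
)

def parse_proxy(text: str) -> IPv4Network:
    """Turn a Cisco 'local_proxy='/'remote_proxy=' value into the network it covers."""
    m = PROXY_RE.search(text)
    if not m:
        raise ValueError(f"not a proxy identity: {text!r}")
    addr, mask, _proto, _port, idtype = m.groups()
    if int(idtype) == ID_IPV4_ADDR:
        # 0.0.0.0 with type=1 is the single host 0.0.0.0, not "any"
        return IPv4Network(f"{addr}/32")
    if int(idtype) == ID_IPV4_ADDR_SUBNET:
        return IPv4Network(f"{addr}/{mask}", strict=False)
    raise ValueError(f"unsupported identity type {idtype}")

def sa_identity_check(local_proxy: str, remote_proxy: str,
                      inner_src: str, inner_dst: str) -> bool:
    """Inbound SA: a decrypted packet must come from remote_proxy and go to local_proxy."""
    return (IPv4Address(inner_src) in parse_proxy(remote_proxy)
            and IPv4Address(inner_dst) in parse_proxy(local_proxy))

# Selectors copied from the two debug outputs above.
SHREW_LOCAL = "0.0.0.0/255.255.255.255/0/0 (type=1)"
VPNC_LOCAL = "0.0.0.0/0.0.0.0/0/0 (type=4)"
REMOTE = "3.3.3.3/255.255.255.255/0/0 (type=1)"

def shrew_packet_passes(dst: str = "1.1.1.1") -> bool:
    """Constructed inner packet from the client to the concentrator, Shrew SA."""
    return sa_identity_check(SHREW_LOCAL, REMOTE, "3.3.3.3", dst)

def vpnc_packet_passes(dst: str = "1.1.1.1") -> bool:
    """Same packet against the vpnc SA."""
    return sa_identity_check(VPNC_LOCAL, REMOTE, "3.3.3.3", dst)

if __name__ == "__main__":
    print("Shrew SA:", "pass" if shrew_packet_passes() else "failed SA identity check")
    print("vpnc SA: ", "pass" if vpnc_packet_passes() else "failed SA identity check")
```

The Shrew selector is accepted at negotiation time (the SA is installed with local ident 0.0.0.0/255.255.255.255), so the mismatch only shows up when the first decrypted packet is matched against it, which is exactly where the debug line appears.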