[vpn-help] Cisco and Shrew - tunnel up, failed SA identity check
mihai gabriel
mihaigabriel at gmail.com
Thu Jul 7 03:40:07 CDT 2011
Hello,
I have a Cisco 7200 with a VAM2+ PA installed that is acting as an IPsec
concentrator. Using vpnc everything is OK, but with Shrew (Linux or Windows),
even though the tunnel is up, no traffic passes through the tunnel.
The difference between vpnc and Shrew is that on the 7200, the local_proxy is
set to 0.0.0.0/255.255.255.255/0/0 (type=1) when Shrew is used, and
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4) when vpnc is used.
I attached the config and some logs from the Cisco:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key 6 ThJ\giXJQKgTAVSMV^]QVdeJ[faFPgPVe
pool ippool
acl 100
netmask 255.255.255.224
crypto isakmp profile vpn
match identity group vpn
virtual-template 1
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto ipsec profile vpn
set security-association lifetime seconds 3600
set transform-set vpn
set isakmp-profile vpn
crypto dynamic-map vpn 1
set transform-set vpn
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel source FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn
Cisco debug when Shrew is used:
Jul 7 11:04:44: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
vpn-concentrator#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 13019 ACTIVE
vpn-concentrator#sh crypto ipsec sa
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-9, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Shrew logs:
11/07/07 08:43:49 ii : - loc ANY:3.3.3.3:* -> ANY:0.0.0.0:*
11/07/07 08:43:49 ii : - rmt ANY:0.0.0.0:* -> ANY:3.3.3.3:*
11/07/07 08:43:49 ii : phase2 sa established
11/07/07 08:43:49 ii :2.2.2.2:500 <-> 1.1.1.1:500
11/07/07 08:43:49 K< : recv pfkey GETSPI ESP message
11/07/07 08:43:49 ii : - seq = 0x60c8de99
11/07/07 08:43:49 ii : - spi = 0x40602cd0
11/07/07 08:43:49 ii : - src = 2.2.2.2:0
11/07/07 08:43:49 ii : - dst = 1.1.1.1:0
Using VPNC:
Jul 7 11:23:58: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local=1.1.1.1, remote= 2.2.2.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
I tried 3 IOS versions and Shrew 2.2 and 2.1.7. The IP addresses used are fictitious.
I would be very grateful if someone could help me solve this.
Thank you,
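As an added illustration (not from the original post, nor from Shrew or Cisco code), the script below parses the local_proxy/remote_proxy fields quoted in the debug output above and mimics the concentrator's SA identity check on a decrypted inbound packet. The inner destination 10.0.0.5 is a constructed value; the client address 3.3.3.3 is the post's own fictive one.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed excerpts of the IOS debug fields quoted in the post.
# Shrew proposes a host selector (type=1), vpnc a wildcard one (type=4).
SHREW_PROXY = "local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1)"
VPNC_PROXY = "local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)"
REMOTE_PROXY = "remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1)"

PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy=\s*(?P<addr>[\d.]+)/(?P<mask>[\d.]+)"
    r"/(?P<proto>\d+)/(?P<port>\d+)"
)

class Selector(NamedTuple):
    network: ipaddress.IPv4Network
    proto: int  # 0 = any protocol
    port: int   # 0 = any port

def parse_proxy(line: str) -> Selector:
    """Turn an IOS local_proxy/remote_proxy debug field into a traffic selector."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError(f"no proxy identity in: {line!r}")
    # addr/mask is written with a dotted netmask, e.g. 0.0.0.0/255.255.255.255 = /32
    net = ipaddress.IPv4Network((m["addr"], m["mask"]), strict=False)
    return Selector(net, int(m["proto"]), int(m["port"]))

def sa_identity_ok(local: Selector, remote: Selector, src: str, dst: str) -> bool:
    """Inbound check: the decrypted packet's source must fall in the remote
    (client) selector and its destination in the local selector. The post's
    selectors all carry 0/0 for proto/port (any), so only addresses are compared."""
    return (ipaddress.IPv4Address(src) in remote.network
            and ipaddress.IPv4Address(dst) in local.network)

def check_client(proxy_line: str, inner_dst: str = "10.0.0.5") -> bool:
    """Would a packet from the client (3.3.3.3) to inner_dst pass the identity check?"""
    return sa_identity_ok(parse_proxy(proxy_line), parse_proxy(REMOTE_PROXY),
                          "3.3.3.3", inner_dst)

if __name__ == "__main__":
    for name, line in (("Shrew", SHREW_PROXY), ("vpnc", VPNC_PROXY)):
        verdict = "passes" if check_client(line) else "FAILS"
        print(f"{name}: local selector {parse_proxy(line).network} -> identity check {verdict}")
```

A /32 selector on 0.0.0.0 matches only packets literally addressed to 0.0.0.0, which is why every decrypted packet from the Shrew client fails the check while the same traffic passes under vpnc's 0.0.0.0/0 selector.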