[vpn-help] Cisco and Shrew - tunnel up, failed SA identity check
mihai gabriel
mihaigabriel at gmail.com
Thu Jul 7 06:00:50 CDT 2011
Hello,
I realized what was wrong. The problem was the split-tunnel acl, which
contains only a /32 address. I think something is wrong with Shrew's
implementation of the split-tunneling function (VPNC is working in this
setup) because even though the route appears in the routing table, the packets fail
the SA identity check on Cisco:
Jul 7 13:31:32: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jul 7 13:31:33: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jul 7 13:31:34: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Now, with a /30 in the split-tunnel acl, everything is as it should be:
route -n | grep 10.10.10.0
10.10.10.0 3.3.3.3 255.255.255.252 UG 0 0 0 tap0
vpn-concentrator#sh crypto ipsec sa peer 2.2.2.2 | i encaps|decaps
#pkts encaps: 1227, #pkts encrypt: 1227, #pkts digest: 1227
Thank you,
On Thu, Jul 7, 2011 at 11:40 AM, mihai gabriel <mihaigabriel at gmail.com> wrote:
> Hello,
>
> I have a Cisco 7200 with a VAM2+ PA installed that is acting as an ipsec
> concentrator. Using vpnc everything is ok, but with Shrew (Linux or Windows),
> even though the tunnel is up, there is no traffic passed through the tunnel.
> The difference between vpnc and Shrew is that on the 7200, the local_proxy is
> set to 0.0.0.0/255.255.255.255/0/0 (type=1) when Shrew is used, and
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4) when vpnc is used.
> I attached the config and some logs on cisco:
>
> crypto isakmp policy 1
> encr aes
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group vpn
> key 6 ThJ\giXJQKgTAVSMV^]QVdeJ[faFPgPVe
> pool ippool
> acl 100
> netmask 255.255.255.224
> crypto isakmp profile vpn
> match identity group vpn
> virtual-template 1
>
> crypto ipsec transform-set vpn esp-aes esp-sha-hmac
> !
> crypto ipsec profile vpn
> set security-association lifetime seconds 3600
> set transform-set vpn
> set isakmp-profile vpn
>
> crypto dynamic-map vpn 1
> set transform-set vpn
>
> interface Virtual-Template1 type tunnel
> ip unnumbered FastEthernet0/0
> ip virtual-reassembly
> tunnel source FastEthernet0/1
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile vpn
>
>
> Cisco debug when Shrew is used:
>
> Jul 7 11:04:44: IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
> local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1),
> remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
> protocol= ESP, transform= NONE (Tunnel),
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
>
>
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
>
> vpn-concentrator#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id status
> 1.1.1.1 2.2.2.2 QM_IDLE 13019 ACTIVE
>
> vpn-concentrator#sh crypto ipsec sa
>
> interface: Virtual-Access3
> Crypto map tag: Virtual-Access3-head-9, local addr 1.1.1.1
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (0.0.0.0/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
> current_peer 2.2.2.2 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
> Shrew logs:
>
> 11/07/07 08:43:49 ii : - loc ANY:3.3.3.3:* -> ANY:0.0.0.0:*
> 11/07/07 08:43:49 ii : - rmt ANY:0.0.0.0:* -> ANY:3.3.3.3:*
> 11/07/07 08:43:49 ii : phase2 sa established
> 11/07/07 08:43:49 ii :2.2.2.2:500 <-> 1.1.1.1:500
> 11/07/07 08:43:49 K< : recv pfkey GETSPI ESP message
> 11/07/07 08:43:49 ii : - seq = 0x60c8de99
> 11/07/07 08:43:49 ii : - spi = 0x40602cd0
> 11/07/07 08:43:49 ii : - src = 2.2.2.2:0
> 11/07/07 08:43:49 ii : - dst = 1.1.1.1:0
>
>
>
> Using VPNC:
>
> Jul 7 11:23:58: IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) INBOUND local=1.1.1.1, remote= 2.2.2.2,
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
> protocol= ESP, transform= NONE (Tunnel),
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
>
> I tried 3 IOS versions and Shrew 2.2 and 2.1.7. The IP addresses used are fictitious.
>
> I would be very grateful if someone would help me to solve this.
>
> Thank you,
>
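As an added illustration (not code from this thread, nor from Shrew or Cisco), the following Python parses the local_proxy/remote_proxy debug lines quoted above into IKEv1 phase 2 traffic selectors and models why a decrypted packet fails the SA identity check when the local identity is a type=1 host ID of 0.0.0.0 rather than a type=4 subnet of 0.0.0.0/0.0.0.0. The ID type numbers come from RFC 2407; the way the check is applied (inner source in the remote selector, inner destination in the local one) and the sample packet addresses are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample lines in the shape of the "Cisco debug" proxy-ID output above.
SHREW_LOCAL = "local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1),"
VPNC_LOCAL = "local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),"
REMOTE = "remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),"

# IKEv1 phase 2 identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1         # a single host address
ID_IPV4_ADDR_SUBNET = 4  # an address plus a mask

PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s*\(type=(\d+)\)")

class Selector(NamedTuple):
    side: str                       # "local" or "remote"
    network: ipaddress.IPv4Network  # addresses the SA may carry on this side
    proto: int                      # 0 means any protocol
    port: int                       # 0 means any port

def parse_proxy(line: str) -> Selector:
    """Turn one local_proxy/remote_proxy debug line into a traffic selector."""
    m = PROXY_RE.search(line)
    if m is None:
        raise ValueError(f"not a proxy-ID line: {line!r}")
    side, addr, mask, proto, port, id_type = m.groups()
    if int(id_type) == ID_IPV4_ADDR:
        # A host identity names exactly one address whatever mask is printed,
        # so 0.0.0.0 (type=1) covers only the address 0.0.0.0, not "anywhere".
        net = ipaddress.IPv4Network(f"{addr}/32")
    elif int(id_type) == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return Selector(side, net, int(proto), int(port))

def passes_identity_check(local: Selector, remote: Selector,
                          src: str, dst: str, proto: int = 1) -> bool:
    """Assumed model of the check: an inbound decrypted packet's inner source
    must lie in the remote selector and its destination in the local one."""
    def covered(sel: Selector, addr: str) -> bool:
        return (ipaddress.IPv4Address(addr) in sel.network
                and sel.proto in (0, proto))
    return covered(remote, src) and covered(local, dst)

if __name__ == "__main__":
    for line in (SHREW_LOCAL, VPNC_LOCAL):  # constructed ICMP packet from the client to the LAN
        print(line, passes_identity_check(parse_proxy(line), parse_proxy(REMOTE), "3.3.3.3", "10.10.10.1"))
```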