[vpn-help] Cisco and Shrew - tunnel up, failed SA identity check

mihai gabriel mihaigabriel at gmail.com
Thu Jul 7 06:00:50 CDT 2011


Hello,

I realized what was wrong. The problem was the split-tunnel ACL, which
contains only a /32 address. I think something is wrong with Shrew's
implementation of the split-tunneling function (vpnc is working in this
setup), because even though the route appears in the routing table, the packets fail
the SA identity check on the Cisco:

Jul  7 13:31:32: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
Jul  7 13:31:33: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
Jul  7 13:31:34: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

Now, with a /30 in the split-tunnel acl, everything is as it should be:

 route -n | grep 10.10.10.0
10.10.10.0  3.3.3.3    255.255.255.252 UG    0      0        0 tap0

vpn-concentrator#sh crypto ipsec sa peer 2.2.2.2 | i encaps|decaps
    #pkts encaps: 1227, #pkts encrypt: 1227, #pkts digest: 1227

Thank you,

On Thu, Jul 7, 2011 at 11:40 AM, mihai gabriel <mihaigabriel at gmail.com> wrote:

> Hello,
>
> I have a Cisco 7200 with a VAM2+ PA installed that is acting as an IPsec
> concentrator. Using vpnc everything is OK, but with Shrew (Linux or Windows),
> even though the tunnel is up, there is no traffic passed through the tunnel.
> The difference between vpnc and Shrew is that on the 7200, the local_proxy is
> set to 0.0.0.0/255.255.255.255/0/0 (type=1) when Shrew is used, and
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4) when vpnc is used.
> I attached the config and some logs on cisco:
>
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group vpn
>  key 6 ThJ\giXJQKgTAVSMV^]QVdeJ[faFPgPVe
>  pool ippool
>  acl 100
>  netmask 255.255.255.224
> crypto isakmp profile vpn
>    match identity group vpn
>    virtual-template 1
>
> crypto ipsec transform-set vpn esp-aes esp-sha-hmac
> !
> crypto ipsec profile vpn
>  set security-association lifetime seconds 3600
>  set transform-set vpn
>  set isakmp-profile vpn
>
> crypto dynamic-map vpn 1
>  set transform-set vpn
>
>  interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet0/0
>  ip virtual-reassembly
>  tunnel source FastEthernet0/1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile vpn
>
>
> Cisco debug when Shrew is used:
>
> Jul  7 11:04:44: IPSEC(validate_proposal_request): proposal part #1,
>   (key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
>     local_proxy= 0.0.0.0/255.255.255.255/0/0 (type=1),
>     remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= NONE  (Tunnel),
>     lifedur= 0s and 0kb,
>     spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
>
>
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
>
> vpn-concentrator#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 1.1.1.1    2.2.2.2    QM_IDLE          13019 ACTIVE
>
> vpn-concentrator#sh crypto ipsec sa
>
> interface: Virtual-Access3
>     Crypto map tag: Virtual-Access3-head-9, local addr 1.1.1.1
>
>    protected vrf: (none)
>    local  ident (addr/mask/prot/port): (0.0.0.0/255.255.255.255/0/0)
>    remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
>    current_peer 2.2.2.2 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
> Shrew logs:
>
> 11/07/07 08:43:49 ii : - loc ANY:3.3.3.3:* -> ANY:0.0.0.0:*
> 11/07/07 08:43:49 ii : - rmt ANY:0.0.0.0:* -> ANY:3.3.3.3:*
> 11/07/07 08:43:49 ii : phase2 sa established
> 11/07/07 08:43:49 ii :2.2.2.2:500 <-> 1.1.1.1:500
> 11/07/07 08:43:49 K< : recv pfkey GETSPI ESP message
> 11/07/07 08:43:49 ii : - seq  = 0x60c8de99
> 11/07/07 08:43:49 ii : - spi  = 0x40602cd0
> 11/07/07 08:43:49 ii : - src  = 2.2.2.2:0
> 11/07/07 08:43:49 ii : - dst  = 1.1.1.1:0
>
>
>
> Using VPNC:
>
> Jul  7 11:23:58: IPSEC(validate_proposal_request): proposal part #1,
>   (key eng. msg.) INBOUND local=1.1.1.1, remote= 2.2.2.2,
>     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
>     remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= NONE  (Tunnel),
>     lifedur= 0s and 0kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
>
> I tried 3 IOS versions and Shrew 2.2 and 2.1.7. The IP addresses used are fictive.
>
> I would be very grateful if someone would help me to solve this.
>
> Thank you,
>
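As an added example (not code from the thread or from Shrew/IOS), a small Python model of the selector check that produces the "failed SA identity check" message: the two local_proxy/remote_proxy pairs are copied from the debug output above, while the inner-packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Model of the IPsec selector ("proxy ID") check a concentrator applies to each
# decrypted packet. Selectors use the Cisco debug syntax addr/mask/proto/port;
# 0 means "any" for proto and port.

@dataclass(frozen=True)
class Selector:
    network: ipaddress.IPv4Network
    proto: int
    port: int

    @classmethod
    def parse(cls, text: str) -> "Selector":
        addr, mask, proto, port = text.split("/")
        # An IKEv1 ID_IPV4_ADDR (type=1) arrives as host/255.255.255.255, so
        # 0.0.0.0 with that mask is the single host 0.0.0.0, not "any".
        # ID_IPV4_ADDR_SUBNET (type=4) with mask 0.0.0.0 is the 0.0.0.0/0 wildcard.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        return cls(net, int(proto), int(port))

    def matches(self, ip: str, proto: int = 0, port: int = 0) -> bool:
        return (ipaddress.IPv4Address(ip) in self.network
                and self.proto in (0, proto)
                and self.port in (0, port))


def sa_identity_check(local_proxy: str, remote_proxy: str,
                      inner_src: str, inner_dst: str,
                      proto: int = 0, sport: int = 0, dport: int = 0) -> bool:
    """True if a decrypted INBOUND packet fits the SA's negotiated selectors.

    Inbound traffic flows remote_proxy -> local_proxy, so the inner source is
    checked against the remote ID and the inner destination against the local
    ID. False is what IOS logs as 'decrypted packet failed SA identity check'.
    """
    remote = Selector.parse(remote_proxy)
    local = Selector.parse(local_proxy)
    return remote.matches(inner_src, proto, sport) and local.matches(inner_dst, proto, dport)


# Selector pairs copied from the two validate_proposal_request debug lines.
SHREW_SA = ("0.0.0.0/255.255.255.255/0/0", "3.3.3.3/255.255.255.255/0/0")  # type=1
VPNC_SA = ("0.0.0.0/0.0.0.0/0/0", "3.3.3.3/255.255.255.255/0/0")            # type=4

if __name__ == "__main__":
    # Constructed inner packet: client tunnel address towards a host in the /30.
    for name, sa in (("Shrew", SHREW_SA), ("vpnc", VPNC_SA)):
        ok = sa_identity_check(*sa, "3.3.3.3", "10.10.10.1")
        print(f"{name}: local_proxy={sa[0]} -> {'forwarded' if ok else 'failed SA identity check'}")
```

The same check is what keeps a peer from pushing traffic outside the negotiated selectors, so a packet whose inner source is not the client's 3.3.3.3 fails on both SAs.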