OpenBSD to Cisco VPN - help needed

OpenBSD to Cisco VPN - help needed

Karl Kopp
Hi All,

Our router is humming along nicely, and my prev post re moving a mount
was answered perfectly and is scheduled for tonight - THANKS :)

One problem I am having is VPN issues. Firstly, I know a router
shouldn't also do VPNing, and we will setup another box to do specific
VPN hand off, but some clients turn change requests around in 4 weeks
and right now, that's not an option.

Network config:

OBSD Ext IP - 203.0.0.1
OBSD Net - 10.1.1.0/24

Cisco Ext IP - 202.1.1.30
Cisco Net - 202.1.1.0/24

Now, this is what was on the Cisco router:

ip access-list extended siteA
 ! both sides take a wildcard mask (0.0.0.255), not a subnet mask
 permit ip 202.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp
 ! peer is the remote (OpenBSD) gateway, not the Cisco's own address
 set peer 203.0.0.1
 set transform-set myset
 match address siteA

crypto isakmp key shhhSecret address 203.0.0.1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

Firstly, I thought I could just use /etc/ipsec.conf (right?) and a
line like this:

ike esp from 10.1.1.0/24 to 202.1.1.0/24 peer 202.1.1.30 main auth
hmac-md5 enc 3des psk shhhSecret

run isakmpd -K -d, then ipsecctl -f /etc/ipsec.conf and get:

170525.073348 Default message_recv: invalid cookie(s) 03af03aac4e7f22f
9c282b0073a7218f
170525.073424 Default dropped message from 202.1.1.30 port 500 due to
notification type INVALID_COOKIE

and then

170829.790305 Default transport_send_messages: giving up on exchange
IPsec-10.1.1.0/24-202.1.1.30, no response from peer 202.1.1.30:500

Anyone shed some light on this? Do I have to setup the traditional
isakmpd.conf and .policy files?

Thanks!
Kolchak

Re: OpenBSD to Cisco VPN - help needed

Damien Miller
On Wed, 5 Apr 2006, Karl Kopp wrote:

> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2

Last time I tried, I had to specify an explicit lifetime for the
phase 1 policy here.

> run isakmpd -K -d, then ipsecctl -f /etc/ipsec.conf and get:
>
> 170525.073348 Default message_recv: invalid cookie(s) 03af03aac4e7f22f
> 9c282b0073a7218f
> 170525.073424 Default dropped message from 202.1.1.30 port 500 due to
> notification type INVALID_COOKIE

You really need to turn up debugging to figure this out.

-d

Re: OpenBSD to Cisco VPN - help needed

Karl Kopp
Hi Damien,

Firstly, do you think I will be able to do this with the
/etc/ipsec.conf setup, or will I have to go thru all the
/etc/isakmpd/* stuff?

> > crypto isakmp policy 10
> >  encr 3des
> >  hash md5
> >  authentication pre-share
> >  group 2
>
> Last time I tried, I had to specify an explicit lifetime for the
> phase 1 policy here.

This was from the working Cisco config, before I tried to OpenBSD it...

> > run isakmpd -K -d, then ipsecctl -f /etc/ipsec.conf and get:
> >
> > 170525.073348 Default message_recv: invalid cookie(s) 03af03aac4e7f22f
> > 9c282b0073a7218f
> > 170525.073424 Default dropped message from 202.1.1.30 port 500 due to
> > notification type INVALID_COOKIE
>
> You really need to turn up debugging to figure this out.

# isakmpd -K -d -v
192900.955220 Default isakmpd: phase 1 done: initiator id cb5e8756:
203.0.0.1, responder id 90871c27: 202.1.1.30, src: 203.0.0.1 dst:
202.1.1.30
192901.017180 Default message_recv: invalid cookie(s) 63eb546007dc51cc
d1409bbf559913e2
192901.017227 Default dropped message from 202.1.1.30 port 500 due to
notification type INVALID_COOKIE
192907.996683 Default message_recv: invalid cookie(s) 63eb546007dc51cc
d1409bbf559913e2
192907.996749 Default dropped message from 202.1.1.30 port 500 due to
notification type INVALID_COOKIE

Re: OpenBSD to Cisco VPN - help needed

Damien Miller
On Wed, 5 Apr 2006, Karl Kopp wrote:

> Hi Damien,
>
> Firstly, do you think I will be able to do this with the
> /etc/ipsec.conf setup, or will I have to go thru all the
> /etc/isakmpd/* stuff?

I haven't yet used ipsecctl to set up a VPN, but in theory it
shouldn't matter which way you go.

> > > crypto isakmp policy 10
> > >  encr 3des
> > >  hash md5
> > >  authentication pre-share
> > >  group 2
> >
> > Last time I tried, I had to specify an explicit lifetime for the
> > phase 1 policy here.
>
> This was from the working Cisco config, before I tried to OpenBSD it...

Was that Cisco->Cisco? OpenBSD sets different lifetime limits IIRC.

> > You really need to turn up debugging to figure this out.
>
> # isakmpd -K -d -v

"-d" just makes isakmpd log to stderr, you probably want "-DA=99"

-d

Re: OpenBSD to Cisco VPN - help needed

Hans-Joerg Hoexer
In reply to this post by Karl Kopp
On Wed, Apr 05, 2006 at 05:13:36PM +1000, Karl Kopp wrote:
>
> Firstly, I thought I could just use /etc/ipsec.conf (right?) and a
> line like this:
>
> ike esp from 10.1.1.0/24 to 202.1.1.0/24 peer 202.1.1.30 main auth
> hmac-md5 enc 3des psk shhhSecret

This looks correct.

Additionally to the debug hints Damien already gave, please provide
me the pcap file generated with "-L" of such an exchange.

HJ.

Re: OpenBSD to Cisco VPN - help needed

Karl Kopp
GOT IT :) Love it when it all falls in place :)

Damien's advice of -D99 worked a treat - we saw that the quick and main
auths were not playing nice so I had to add the 'quick auth hmac-md5
enc 3des' bits as well - DOH!

I must say tho that /etc/ipsec.conf is MUCH easier than the old way so
nice work guys :)

Last reason to hang on to the Cisco router just disappeared :)

Thanks all
Kolchak

On 4/5/06, Hans-Joerg Hoexer <[hidden email]> wrote:

> On Wed, Apr 05, 2006 at 05:13:36PM +1000, Karl Kopp wrote:
> >
> > Firstly, I thought I could just use /etc/ipsec.conf (right?) and a
> > line like this:
> >
> > ike esp from 10.1.1.0/24 to 202.1.1.0/24 peer 202.1.1.30 main auth
> > hmac-md5 enc 3des psk shhhSecret
>
> This looks correct.
>
> Additionally to the debug hints Damien already gave, please provide
> me the pcap file generated with "-L" of such an exchange.
>
> HJ.
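Karl's fix was that the ipsec.conf rule needs a quick (phase 2) proposal next to the main (phase 1) one. As an added example that is not from the thread or from OpenBSD, the script below derives such an ipsec.conf(5) rule from a Cisco IOS IKEv1 configuration modelled on the one posted above; the parser, the function names, the algorithm-name tables (a small subset) and the sample config are all my own assumptions.

```python
# Added example, not from the thread: map a Cisco IOS IKEv1 config to an OpenBSD
# ipsec.conf(5) 'ike' rule carrying both the main (phase 1) and quick (phase 2) proposals.
ISAKMP_ENC = {"des": "des", "3des": "3des", "aes": "aes"}             # isakmp policy 'encr'
ISAKMP_HASH = {"md5": "hmac-md5", "sha": "hmac-sha1"}                 # isakmp policy 'hash'
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes"}    # transform-set
ESP_AUTH = {"esp-md5-hmac": "hmac-md5", "esp-sha-hmac": "hmac-sha1"}  # transform-set

def parse_ios(text):  # collect crypto stanzas: top-level lines plus indented children
    cfg, block = {"policy": {}, "transform": {}, "keys": {}, "map": {}}, None
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "!": continue               # blank line or IOS comment
        if line.startswith(" ") and block:                    # child of the current stanza
            key, val = (toks[1], toks[2:]) if toks[0] == "set" else (toks[0], toks[1:])
            cfg[block[0]][block[1]][key] = " ".join(val)
            continue
        block = None                                          # new top-level line
        if toks[:3] == ["crypto", "isakmp", "policy"]:
            block = ("policy", toks[3])
        elif toks[:2] == ["crypto", "map"]:
            block = ("map", toks[2])
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][toks[3]] = toks[4:]
        elif toks[:3] == ["crypto", "isakmp", "key"]:         # crypto isakmp key <psk> address <peer>
            cfg["keys"][toks[5]] = toks[3]
        if block: cfg[block[0]][block[1]] = {}
    return cfg

def ios_to_ipsec_conf(text, local_net, remote_net, cisco_ext_ip):  # rule for the OpenBSD side
    cfg = parse_ios(text)
    cmap, pol = next(iter(cfg["map"].values())), next(iter(cfg["policy"].values()))
    xf = cfg["transform"][cmap["transform-set"]]
    h, e, g = ISAKMP_HASH[pol["hash"]], ISAKMP_ENC[pol["encr"]], DH_GROUP[pol["group"]]
    qa, qe = next(ESP_AUTH[t] for t in xf if t in ESP_AUTH), next(ESP_ENC[t] for t in xf if t in ESP_ENC)
    psk = cfg["keys"][cmap["peer"]]   # the Cisco's 'set peer' is OUR address, so that key is ours
    return (f"ike esp from {local_net} to {remote_net} peer {cisco_ext_ip} "
            f"main auth {h} enc {e} group {g} quick auth {qa} enc {qe} psk {psk}")

# Constructed sample, modelled on the Cisco side posted in the thread
CISCO_CFG = """crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
 set peer 203.0.0.1
 set transform-set myset
crypto isakmp key shhhSecret address 203.0.0.1
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2"""
print(ios_to_ipsec_conf(CISCO_CFG, "10.1.1.0/24", "202.1.1.0/24", "202.1.1.30"))
```

Cisco `group 2` becomes `modp1024` on the OpenBSD side; the main and quick proposals are emitted separately, which is exactly the piece the original single-proposal rule lacked.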