I would like to set up an IPsec connection between a PIX 515E v7.2 and the MoRoS (from Insys), a Linux device running Openswan version 2.6.23.
With a dynamic IP on both devices I manage to establish an IPsec connection and transfer data in both directions.
But in the final configuration Openswan gets a dynamic IP.
How does the PIX have to be configured so that it can handle a dynamic IP on the remote end?
Logs with dynamic IP:
PIX
Code:
4|Jun 22 2011|17:01:07|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.6.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jun 22 2011|17:01:07|713214|||Group = moros@insys, IP = 9.2.1.1, Could not delete route for L2L peer that came in on a dynamic map. address: 172.27.0.0, mask: 255.255.0.0
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 9.2.1.1, Removing peer from correlator table failed, no match!
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 93.240.163.179, QM FSM error (P2 struct &0x2af5610, mess id 0xd6c2f554)!
3|Jun 22 2011|17:01:07|713119|||Group = moros@insys, IP = 9.2.1.1, PHASE 1 COMPLETED
4|Jun 22 2011|17:00:56|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:56|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|17:00:23|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:23|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|16:59:56|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Openswan
Code:
"ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
002 "ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
"ipsec_vpn_1" #1: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #1: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #1: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '212.186.184.18'
"ipsec_vpn_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #1: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1 msgid:a9c7ad3f proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #1: received and ignored informational message
"ipsec_vpn_1" #1: received Delete SA payload: deleting ISAKMP State #1
packet from 195.3.96.69:4500: received and ignored informational message
Tunnel Group: Name= moros@insys (with a fixed IP I would enter the remote peer's IP here), Type= ipsec-l2l
Or should the 0.0.0.0 go under IPSec Rules?
Thanks for the link, Wordo, but I can't open it with Access Level 2, or rather it no longer exists.
Regarding my opening post:
It should say:
With static IPs on both devices I manage to establish an IPsec connection and transfer data in both directions. The dynamic IP that Openswan uses is causing me problems with the PIX, which always has a fixed IP.
"ipsec_vpn_1" #58: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ipsec_vpn_1" #58: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #59: initiating Aggressive Mode #59, connection "ipsec_vpn_1"
"ipsec_vpn_1" #59: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #59: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #59: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #59: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #59: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #59: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #59: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #59: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #59: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #59: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #59: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #59: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #60: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#59 msgid:f36ea7d4 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #59: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #59: received and ignored informational message
"ipsec_vpn_1" #59: received Delete SA payload: deleting ISAKMP State #59
packet from 195.3.96.69:4500: received and ignored informational message
"ipsec_vpn_1" #60: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ipsec_vpn_1" #60: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #61: initiating Aggressive Mode #61, connection "ipsec_vpn_1"
"ipsec_vpn_1" #61: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #61: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #61: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #61: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #61: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #61: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #61: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #61: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #61: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #61: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #61: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #61: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #62: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#61 msgid:fe1e3c52 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #61: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #61: received and ignored informational message
"ipsec_vpn_1" #61: received Delete SA payload: deleting ISAKMP State #61
packet from 195.3.96.69:4500: received and ignored informational message
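As an added example (not from the original post, and not Insys or Cisco documentation), here is the shape of a PIX/ASA 7.2 configuration that accepts a LAN-to-LAN peer whose address is not known in advance: a dynamic crypto map without "set peer", hung at the end of the static crypto map, plus a tunnel-group named after the ID the peer sends in aggressive mode. The logs above show where the parameters have to line up: the PIX reports "PHASE 1 COMPLETED" and then "Phase 2 Mismatch", it already resolves the peer to "Group = moros@insys", the remote network it tries to route is 172.27.0.0/16, Openswan negotiates phase 1 with PSK/3DES/SHA/modp1024 (group 2) behind NAT on UDP 4500, and its quick-mode proposal is 3DES/SHA1 with pfsgroup=no-pfs. The names OUTSIDE_MAP, DYN_MOROS, ESP-3DES-SHA and L2L_MOROS, the placeholders LOCAL_LAN/LOCAL_MASK and the shared secret are assumptions, as is the guess that the phase 2 mismatch is in the transform set, the proxy identities or PFS rather than somewhere else.

```cisco
! --- Phase 1: must match Openswan's aggressive-mode proposal (PSK, 3DES, SHA, modp1024 = group 2)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! The PIX identifies itself by address (Openswan log: "peer ID is ID_IPV4_ADDR")
crypto isakmp identity address
! NAT-T: Openswan reports "i am NATed" and the informational messages arrive from port 4500
crypto isakmp nat-traversal 20

! --- Phase 2: must match Openswan's quick-mode proposal 3DES(3)_192-SHA1(2)_160
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Proxy identities: local LAN (placeholder) <-> network behind the MoRoS (from the PIX log: 172.27.0.0/16)
access-list L2L_MOROS extended permit ip LOCAL_LAN LOCAL_MASK 172.27.0.0 255.255.0.0

! Dynamic crypto map: no "set peer", because the MoRoS address changes
crypto dynamic-map DYN_MOROS 10 match address L2L_MOROS
crypto dynamic-map DYN_MOROS 10 set transform-set ESP-3DES-SHA
! Deliberately no "set pfs" here: Openswan sends pfsgroup=no-pfs, and a PFS requirement on the PIX
! would be rejected in quick mode (NO_PROPOSAL_CHOSEN)

! The dynamic entry goes last, with the highest sequence number, behind any static peers
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MOROS
crypto map OUTSIDE_MAP interface outside

! Tunnel group: its name must equal the ID Openswan sends in aggressive mode
! (PIX log: "Group = moros@insys"), since there is no peer IP to key on
tunnel-group moros@insys type ipsec-l2l
tunnel-group moros@insys ipsec-attributes
 pre-shared-key <shared-secret>
```

Two caveats that follow from the logs rather than from the fragment: the Openswan warning "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0" is only a complaint about the Cisco ID payload and does not abort the exchange, so it is not the cause of the failure; and because the peer is identified by name and authenticates with a pre-shared key in aggressive mode, the hash of that key is exposed to anyone who can observe the exchange, so the shared secret has to be long and random rather than a word.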