
IPsec between PIX7.2 and Openswan



Hello!

I would like to set up an IPsec connection between a PIX515E v7.2 and the MoRoS (from the company Insys), a Linux device with Openswan version 2.6.23.

With a dynamic IP on both devices I am able to establish an IPsec connection and transfer data in both directions.

However, in the final configuration Openswan gets a dynamic IP.

How does the PIX have to be configured so that it can cope with a dynamic IP on the remote peer?

Logs with dynamic IP:

 

PIX

4|Jun 22 2011|17:01:07|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.6.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jun 22 2011|17:01:07|713214|||Group = moros@insys, IP = 9.2.1.1, Could not delete route for L2L peer that came in on a dynamic map. address: 172.27.0.0, mask: 255.255.0.0
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 9.2.1.1, Removing peer from correlator table failed, no match!
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 93.240.163.179, QM FSM error (P2 struct &0x2af5610, mess id 0xd6c2f554)!
3|Jun 22 2011|17:01:07|713119|||Group = moros@insys, IP = 9.2.1.1, PHASE 1 COMPLETED
4|Jun 22 2011|17:00:56|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:56|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|17:00:23|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:23|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|16:59:56|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

 

Openswan

ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
002 "ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
"ipsec_vpn_1" #1: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #1: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #1: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '212.186.184.18'
"ipsec_vpn_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

"ipsec_vpn_1" #1: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1 msgid:a9c7ad3f proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #1: received and ignored informational message
"ipsec_vpn_1" #1: received Delete SA payload: deleting ISAKMP State #1
packet from 195.3.96.69:4500: received and ignored informational message


Thanks for the link, Wordo, but I cannot open it with Access Level 2, or it no longer exists.

Regarding my opening post:

It should read:

With static IPs on both devices I am able to establish an IPsec connection and transfer data in both directions. The dynamic IP that Openswan uses is causing me problems with the PIX, which always has a fixed IP.


On my Linux device I can only get at the following logs:

 

using kernel interface: netkey
interface lo/lo ::1
interface eth1/eth1 fd5c:1284:ace6:1111:205:b6ff:fe00:9111
interface lo/lo 127.0.0.1
interface lo/lo 127.0.0.1
interface eth1/eth1 192.168.200.178
interface eth1/eth1 192.168.200.178
interface br0/br0 172.27.0.1
interface br0/br0 172.27.0.1
%myid = (none)
debug none

virtual_private (%priv):
- allowed 0 subnets:
- disallowed 0 subnets:

stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,33,36} trans={0,33,324} attrs={0,33,432}

"ipsec_vpn_1": 172.27.0.0/16===192.168.200.178[moros@insys]...195.3.96.69===10.0.100.0/24; unrouted; eroute owner: #0
"ipsec_vpn_1": myip=unset; hisip=unset; myup=echo 0 > /dev/null;
"ipsec_vpn_1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
"ipsec_vpn_1": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 16,24; interface: eth1;
"ipsec_vpn_1": dpd: action:restart; delay:30; timeout:120;
"ipsec_vpn_1": newest ISAKMP SA: #0; newest IPsec SA: #0;
"ipsec_vpn_1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
"ipsec_vpn_1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,
"ipsec_vpn_1": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict
"ipsec_vpn_1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160

#64: "ipsec_vpn_1":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 3s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate


Log:

 

"ipsec_vpn_1" #58: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ipsec_vpn_1" #58: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #59: initiating Aggressive Mode #59, connection "ipsec_vpn_1"
"ipsec_vpn_1" #59: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #59: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #59: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #59: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #59: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #59: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #59: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #59: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #59: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #59: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #59: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #59: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #60: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#59 msgid:f36ea7d4 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #59: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #59: received and ignored informational message
"ipsec_vpn_1" #59: received Delete SA payload: deleting ISAKMP State #59
packet from 195.3.96.69:4500: received and ignored informational message
"ipsec_vpn_1" #60: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ipsec_vpn_1" #60: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #61: initiating Aggressive Mode #61, connection "ipsec_vpn_1"
"ipsec_vpn_1" #61: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #61: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #61: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #61: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #61: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #61: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #61: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #61: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #61: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #61: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #61: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #61: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #62: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#61 msgid:fe1e3c52 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #61: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #61: received and ignored informational message
"ipsec_vpn_1" #61: received Delete SA payload: deleting ISAKMP State #61
packet from 195.3.96.69:4500: received and ignored informational message
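
Added example, not part of the original posts: a small triage script that groups Openswan pluto log lines like the ones above by ISAKMP SA and reports how each keying attempt ended, so the repeating pattern (phase 1 established, Quick Mode answered with NO_PROPOSAL_CHOSEN) is visible at a glance. The function name `summarize`, the result keys and the verdict strings are assumptions made for this illustration; the sample lines are copied from the log above with wrapped lines rejoined.

```python
import re

# Constructed sample: lines copied from the Openswan log above, wrapped lines rejoined.
SAMPLE = '''\
"ipsec_vpn_1" #59: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #60: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#59 msgid:f36ea7d4 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #59: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
packet from 195.3.96.69:4500: received and ignored informational message
"ipsec_vpn_1" #60: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ipsec_vpn_1" #61: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec_vpn_1" #62: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#61 msgid:fe1e3c52 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"ipsec_vpn_1" #61: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
'''

LINE = re.compile(r'^"([^"]+)" #(\d+): (.*)$')          # "conn" #state: message
PHASE1 = re.compile(r'ISAKMP SA established \{(.*)\}')
QUICK = re.compile(r'initiating Quick Mode .*using isakmp#(\d+) .*proposal=(\S+) pfsgroup=([^}\s]+)')
NOTIFY = re.compile(r'informational payload, type (\w+)')

def summarize(log_text):
    """Return one dict per ISAKMP SA (phase 1 state number), in log order."""
    sas, quick_owner = {}, {}
    def sa(n):
        return sas.setdefault(n, {"ike": n, "phase1": None, "proposal": None,
                                  "pfs": None, "notify": None, "timed_out": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines such as "packet from ..." carry no state number
        state, msg = int(m.group(2)), m.group(3)
        if (p := PHASE1.search(msg)):
            sa(state)["phase1"] = p.group(1)          # negotiated IKE parameters
        elif (q := QUICK.search(msg)):
            quick_owner[state] = int(q.group(1))      # Quick Mode state -> its ISAKMP SA
            sa(int(q.group(1))).update(proposal=q.group(2), pfs=q.group(3))
        elif (n := NOTIFY.search(msg)):
            sa(state)["notify"] = n.group(1)          # notify type sent by the peer
        elif "max number of retransmissions" in msg and state in quick_owner:
            sa(quick_owner[state])["timed_out"] = True
    for s in sas.values():
        rejected = s["phase1"] and s["notify"] == "NO_PROPOSAL_CHOSEN"
        s["verdict"] = ("phase 1 up, peer rejected phase 2 proposal" if rejected
                        else "phase 1 up, phase 2 outcome not in log" if s["phase1"]
                        else "phase 1 not established")
    return list(sas.values())

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["ike"], s["proposal"], s["pfs"], "->", s["verdict"])
```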
