I am trying to set up a VPN between a BEFVP41 V2 and a Cisco AS5300.
I have the following settings on the Linksys side:
WAN IP: 111.111.111.4
Local Secure Group: SubnetIP
IP: 10.10.7.0
Mask: 255.255.255.0
--------------------------------------------------------
Remote Secure Group: SubnetIP
IP: 10.10.5.0
Mask: 255.255.255.0
----------------------------------------------------------------
Remote Security Gateway: IP Address: 222.222.222.42
----------------------------------------------------------------
Encryption: 3DES
Authentication: SHA
----------------------------------------------------------------
Key Management Auto. (IKE)
PFS: Enabled
Pre-shared Key: 112233
Key Lifetime: 86400 Sec.
-----------------------------------------------------------------
Tunnel 1
Phase 1:
Operation mode : Main mode
Proposal :
Encryption : 3DES
Authentication : SHA
Group : 768-bit
Key Lifetime : 86400 seconds
(Note: Following three additional proposals are also proposed in
Main mode:
DES/MD5/768, 3DES/SHA/1024 and 3DES/MD5/1024.)
Phase 2:
Proposal :
Encryption : 3DES
Authentication : SHA
PFS : ON
Group : 768-bit
Key Lifetime : 86400 seconds
Other Setting:
Keep-Alive
-------------------------------------------------------------
Cisco side:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 112233 address 111.111.111.4
crypto isakmp key 112233 address 10.10.7.1
!
!
crypto ipsec transform-set rtpset1 esp-3des esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 111.111.111.4
set peer 10.10.7.1
set transform-set rtpset1
set pfs group1
match address 101
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
ip address 10.10.5.1 255.255.255.0
tunnel source 10.10.5.0
tunnel destination 111.111.111.4
tunnel mode dvmrp
tunnel key 112233
crypto map rtp
!
interface FastEthernet0
ip address 222.222.222.42 255.255.255.240
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.33
ip route 10.10.7.0 255.255.255.0 Tunnel0
!
!
access-list 101 permit ip 10.10.5.0 0.0.0.255 10.10.7.0 0.0.0.255
--------------------------------------------------------------
This is what I get when doing a debug crypto isakmp on the Cisco:
Aug 31 05:07:51.831: ISAKMP (0:0): received packet from 111.111.111.4 dport 500 sport 500 Global (N) NEW SA
Aug 31 05:07:51.835: ISAKMP: Locking peer struct 0x6366476C, IKE refcount 15 for Responding to new initiation
Aug 31 05:07:51.835: ISAKMP: local port 500, remote port 500
Aug 31 05:07:51.835: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63017FB4
Aug 31 05:07:51.835: ISAKMP (0:164): processing SA payload. message ID = 0
Aug 31 05:07:51.835: ISAKMP (0:164): processing ID payload. message ID = 0
Aug 31 05:07:51.835: ISAKMP (0:164): ID payload
next-payload : 0
type : 1
address : 111.111.111.4
protocol : 0
port : 0
length : 12
Aug 31 05:07:51.835: ISAKMP (0:164): peer matches *none* of the profiles
Aug 31 05:07:51.835: ISAKMP (0:164) local preshared key found
Aug 31 05:07:51.835: ISAKMP : Scanning profiles for xauth ...
Aug 31 05:07:51.835: ISAKMP (0:164): Checking ISAKMP transform 1 against priority 1 policy
Aug 31 05:07:51.835: ISAKMP: encryption 3DES-CBC
Aug 31 05:07:51.835: ISAKMP: hash SHA
Aug 31 05:07:51.835: ISAKMP: auth pre-share
Aug 31 05:07:51.835: ISAKMP: default group 1
Aug 31 05:07:51.835: ISAKMP: life type in seconds
Aug 31 05:07:51.835: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 31 05:07:51.835: ISAKMP (0:164): atts are acceptable. Next payload is 3
Aug 31 05:07:51.891: ISAKMP (0:164): processing KE payload. message ID = 0
Aug 31 05:07:51.959: ISAKMP (0:164): processing NONCE payload. message ID = 0
Aug 31 05:07:51.959: ISAKMP (0:164): SKEYID state generated
Aug 31 05:07:51.959: ISAKMP (0:164): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 31 05:07:51.963: ISAKMP (0:164): ID payload
next-payload : 10
type : 1
address : 222.222.222.42
protocol : 17
port : 0
length : 12
Aug 31 05:07:51.963: ISAKMP (164): Total payload length: 12
Aug 31 05:07:51.963: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:07:51.963: ISAKMP (0:164): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 31 05:07:51.963: ISAKMP (0:164): Old State = IKE_READY New State = IKE_R_AM2
Aug 31 05:07:53.403: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:07:53.403: ISAKMP: set new node -519190985 to QM_IDLE
Aug 31 05:07:53.407: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:07:53.407: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.4 failed its sanity check or is malformed
Aug 31 05:07:53.407: ISAKMP: set new node -1793324501 to QM_IDLE
Aug 31 05:07:53.407: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = -1793324501
Aug 31 05:07:53.407: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:07:53.407: ISAKMP (0:164): purging node -1793324501
Aug 31 05:07:53.407: ISAKMP (0:164): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 31 05:07:54.407: ISAKMP (0:164): retransmitting phase 2 AG_INIT_EXCH -519190985 ...
Aug 31 05:07:54.407: ISAKMP (0:164): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Aug 31 05:07:54.407: ISAKMP (0:164): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Aug 31 05:07:54.407: ISAKMP (0:164): no outgoing phase 2 packet to retransmit. -519190985 AG_INIT_EXCHno debug all
Aug 31 05:08:01.963: ISAKMP (0:164): retransmitting phase 1 AG_INIT_EXCH...
Aug 31 05:08:01.963: ISAKMP (0:164): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 31 05:08:01.963: ISAKMP (0:164): retransmitting phase 1 AG_INIT_EXCH
Aug 31 05:08:01.963: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
All possible debugging has been turned off
Aug 31 05:08:03.023: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:08:03.023: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:08:03.023: ISAKMP (0:164): incrementing error counter on sa, attempt 4 of 5: PAYLOAD_MALFORMED
Aug 31 05:08:03.023: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:08:03.023: ISAKMP (0:164): incrementing error counter on sa, attempt 5 of 5: reset_retransmission
Aug 31 05:08:03.435: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:08:03.435: ISAKMP: set new node -1840514816 to QM_IDLE
Aug 31 05:08:03.435: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:08:03.435: ISAKMP: set new node 231668340 to QM_IDLE
Aug 31 05:08:03.435: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = 231668340
Aug 31 05:08:03.439: ISAKMP (0:164): peer does not do paranoid keepalives.
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
Aug 31 05:08:03.439: ISAKMP (0:164): incrementing error counter on sa, attempt 6 of 5: reset_retransmission
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
Aug 31 05:08:03.439: ISAKMP: Unlocking IKE struct 0x6366476C for isadb_mark_sa_deleted(), count 14
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node -519190985 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node -1840514816 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node 231668340 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 31 05:08:03.439: ISAKMP (0:164): Old State = IKE_R_AM2 New State = IKE_DEST_SA
And this is what Linksys says:
System Log
00:00:00 [10.10.7.1] : System is ready
00:00:00 System is warm start
00:00:00 00xx@sys Firmware Version : 1.01.04, Jan 18 2005
00:00:00 Internet(static) IP is 222.222.222.4
2005-08-31 00:32:46 Get current time from NTP server : Aug. 31 2005 Tue. 0:32:46
2005-08-31 00:32:47 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:32:49 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:32:49 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:32:49 IKE[1] ISAKMP SA CKI=[7a0bd601 dd09d6c4] CKR=[681e4844 dea065fa]
2005-08-31 00:32:49 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:32:49 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:32:49 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:32:55 tunnel select = 0
2005-08-31 00:32:58 NV.Log=1
2005-08-31 00:33:12
2005-08-31 00:33:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:33:13 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:33:13 IKE[1] ISAKMP SA CKI=[e06a9b4c 5e3b40e9] CKR=[681e4844 ac989721]
2005-08-31 00:33:13 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:33:13 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:33:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:33:42
2005-08-31 00:33:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:12
2005-08-31 00:34:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:13 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:34:13 IKE[1] ISAKMP SA CKI=[42271bfe dab072f] CKR=[681e4844 dc6dd8dc]
2005-08-31 00:34:13 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:34:13 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:34:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:34:42
2005-08-31 00:34:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:43 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:34:43 IKE[1] ISAKMP SA CKI=[cbc14e6d f9b1c507] CKR=[681e4844 d0b7f08b]
2005-08-31 00:34:43 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:34:43 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:34:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:35:12
2005-08-31 00:35:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:35:13 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:35:13 IKE[1] ISAKMP SA CKI=[effbb9be 96c47317] CKR=[681e4844 8c09428e]
2005-08-31 00:35:13 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:35:13 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:35:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:35:42
2005-08-31 00:35:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:35:43 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:35:43 IKE[1] ISAKMP SA CKI=[a54c6079 37f12a46] CKR=[681e4844 a7c1a336]
2005-08-31 00:35:43 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:35:43 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:35:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:12
2005-08-31 00:36:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:36:23 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:36:23 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:36:23 IKE[1] ISAKMP SA CKI=[58ea7a71 d9ff581b] CKR=[681e4844 6c225e]
2005-08-31 00:36:23 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:36:23 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:36:23 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:39 TCP from 218.22.170.107:4820 to 222.222.222.4:42
2005-08-31 00:36:40 TCP from 218.22.170.107:4822 to 222.222.222.4:80
2005-08-31 00:36:42
2005-08-31 00:36:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:36:43 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:36:43 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:36:43 IKE[1] ISAKMP SA CKI=[a518a060 e8ffc215] CKR=[681e4844 4f928d9d]
2005-08-31 00:36:43 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:36:43 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:36:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:46 TCP from 218.22.170.107:4820 to 222.222.222.4:42
2005-08-31 00:36:49 TCP from 218.22.170.107:4822 to 222.222.222.4:80
2005-08-31 00:37:12
2005-08-31 00:37:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:37:13 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:37:13 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:37:13 IKE[1] ISAKMP SA CKI=[d30c9b2c ad5449cb] CKR=[681e4844 6fdf294]
2005-08-31 00:37:13 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:37:13 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:37:42
2005-08-31 00:37:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:37:43 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:37:43 IKE[1] ISAKMP SA CKI=[a11411c4 21a3ac26] CKR=[681e4844 d7ebbfcd]
2005-08-31 00:37:43 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:37:43 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:37:54 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:37:54 IKE[1] ISAKMP SA CKI=[a11411c4 21a3ac26] CKR=[681e4844 d7ebbfcd]
2005-08-31 00:37:54 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:37:54 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:54 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:38:12
2005-08-31 00:38:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:38:13 IKE[1] Rx << AG_R1 : 111.111.111.42 SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-08-31 00:38:13 IKE[1] ISAKMP SA CKI=[8a8b078c 8f9347bc] CKR=[681e4844 ecf850be]
2005-08-31 00:38:13 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768
2005-08-31 00:38:13 IKE[1] Tx >> AG_I2 : 111.111.111.42 HASH
2005-08-31 00:38:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
----------------------------------------------
Any idea what I am doing wrong here?
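Added example, not from the original post or from either vendor: a small Python triage script that reads Cisco `debug crypto isakmp` output of the kind quoted above and reports what the log itself establishes, namely whether the phase 1 proposal was accepted, which exchange mode the IOS state names reveal (the Linksys settings say Main mode, yet both logs show aggressive-mode exchanges, AG_I1 and AG_INIT_EXCH), how many incoming HASH payloads failed the sanity check, and the final SA state. The embedded log is a trimmed copy of the debug output posted above; the function, its field names and its verdict strings are my own.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted in the post (sample input).
CISCO_DEBUG = """\
Aug 31 05:07:51.831: ISAKMP (0:0): received packet from 111.111.111.4 dport 500 sport 500 Global (N) NEW SA
Aug 31 05:07:51.835: ISAKMP (0:164): atts are acceptable. Next payload is 3
Aug 31 05:07:51.963: ISAKMP (0:164): Old State = IKE_READY New State = IKE_R_AM2
Aug 31 05:07:53.407: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:07:53.407: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.4 failed its sanity check or is malformed
Aug 31 05:07:53.407: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = -1793324501
Aug 31 05:08:03.023: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
Aug 31 05:08:03.439: ISAKMP (0:164): Old State = IKE_R_AM2 New State = IKE_DEST_SA
"""
PEER_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")

def triage_isakmp(debug_text, configured_mode):
    """Summarise one IKEv1 responder negotiation from 'debug crypto isakmp'.
    configured_mode is the phase 1 mode the admin expects ("main"/"aggressive");
    the mode actually used is read from IOS state names (IKE_R_MM* vs IKE_R_AM*).
    """
    r = {"peer": None, "proposal_accepted": False, "mode_seen": None,
         "bad_hash_payloads": 0, "final_state": None}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m and r["peer"] is None:
            r["peer"] = m.group(1)
        if "atts are acceptable" in line:  # phase 1 transform matched a policy
            r["proposal_accepted"] = True
        if "reserved not zero on HASH payload" in line:  # sanity check failure
            r["bad_hash_payloads"] += 1
        m = STATE_RE.search(line)
        if m:
            r["final_state"] = m.group(2)
            if "_MM" in m.group(2):
                r["mode_seen"] = "main"
            elif "_AM" in m.group(2):
                r["mode_seen"] = "aggressive"
    r["mode_mismatch"] = (r["mode_seen"] is not None
                          and r["mode_seen"] != configured_mode)
    # Decide what to look at next, from the evidence in the log alone.
    if not r["proposal_accepted"]:
        r["verdict"] = "phase 1 proposal rejected: compare encr/hash/group/lifetime"
    elif r["bad_hash_payloads"] and r["final_state"] == "IKE_DEST_SA":
        r["verdict"] = ("phase 1 proposal accepted, but a later message from the "
                        "peer failed the HASH sanity check and the SA was torn down")
    else:
        r["verdict"] = "no known failure signature in this excerpt"
    return r
```

Run it with `triage_isakmp(CISCO_DEBUG, "main")` to get the summary for the log above; a `mode_mismatch` of True means the mode the box is actually negotiating is not the one written in the configuration.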