Jump to content

IPsec zwischen PIX7.2 und Openswan

sguru

Von sguru
in Cisco Forum — Allgemein

Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Empfohlene Beiträge

sguru Proficient

sguru   10

Geschrieben
Geschrieben

Hallo!

 

Ich möchte eine IPsec Verbindung zwischen einer PIX515E v7.2 und dem MoRoS (von Fa. Insys) ein Linux device mit Openswan Version 2.6.23 herstellen.

Mit einer Dynamischen IP auf beiden Geräten gelingt es mir eine IPsec Verbindung aufzubauen und Daten in beide Richtungen zu übertragen.

Doch in der Endkonfiguration erhält Openswan eine dynamische IP.

 

Wie muß man die PIX konfigurieren das Sie mit einer dynamischen IP der Gegenstelle umgehen kann.

 

Logs mit dynamischer IP:

 

PIX

4|Jun 22 2011|17:01:07|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.6.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jun 22 2011|17:01:07|713214|||Group = moros@insys, IP = 9.2.1.1, Could not delete route for L2L peer that came in on a dynamic map. address: 172.27.0.0, mask: 255.255.0.0
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 9.2.1.1, Removing peer from correlator table failed, no match!
3|Jun 22 2011|17:01:07|713902|||Group = moros@insys, IP = 93.240.163.179, QM FSM error (P2 struct &0x2af5610, mess id 0xd6c2f554)!
3|Jun 22 2011|17:01:07|713119|||Group = moros@insys, IP = 9.2.1.1, PHASE 1 COMPLETED
4|Jun 22 2011|17:00:56|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:56|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|17:00:23|713903|||IP = 9.2.1.2, Error: Unable to remove PeerTblEntry
3|Jun 22 2011|17:00:23|713902|||IP = 9.2.1.2, Removing peer from peer table failed, no match!
4|Jun 22 2011|16:59:56|113019|||Group = moros@insys, Username = moros@insys, IP = 9.2.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

 

Openswan

ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
002 "ipsec_vpn_1" #1: initiating Aggressive Mode #1, connection "ipsec_vpn_1"
"ipsec_vpn_1" #1: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #1: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #1: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '212.186.184.18'
"ipsec_vpn_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha gro
up=modp1024}

"ipsec_vpn_1" #1: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1 msgid:a9c7ad3f proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=no-pfs}
"ipsec_vpn_1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #1: received and ignored informational message
"ipsec_vpn_1" #1: received Delete SA payload: deleting ISAKMP State #1
packet from 195.3.96.69:4500: received and ignored informational message

Link zu diesem Kommentar
sguru Proficient

sguru   10

Geschrieben
  • Autor
Geschrieben

Danke für den Link Wordo aber ich kann ihn mit Access Level 2 nicht aufrufen bzw. er existiert nicht mehr.

 

Zum Themenstart von mir:

Es soll heißen

Mit statischen IPs auf beiden Geräten gelingt es mir eine IPsec Verbindung aufzubauen und Daten in beide Richtungen zu übertragen. Die Dynamische IP die OpenSwan verwendet macht mir mit der PIX die immer eine fixe IP hat probleme.

Link zu diesem Kommentar
sguru Proficient

sguru   10

Geschrieben
  • Autor
Geschrieben

Auf meinen Linux Device komm ich nur an folgende Logs ran:

 

using kernel interface: netkey
interface lo/lo ::1
interface eth1/eth1 fd5c:1284:ace6:1111:205:b6ff:fe00:9111
interface lo/lo 127.0.0.1
interface lo/lo 127.0.0.1
interface eth1/eth1 192.168.200.178
interface eth1/eth1 192.168.200.178
interface br0/br0 172.27.0.1
interface br0/br0 172.27.0.1
%myid = (none)
debug none

virtual_private (%priv):
- allowed 0 subnets:
- disallowed 0 subnets:

stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,33,36} trans={0,33,324} attrs={0,33,432}

"ipsec_vpn_1": 172.27.0.0/16===192.168.200.178[moros@insys]...195.3.96.69===10.0.100.0/24; unrouted; eroute owner: #0
"ipsec_vpn_1": myip=unset; hisip=unset; myup=echo 0 > /dev/null;
"ipsec_vpn_1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
"ipsec_vpn_1": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 16,24; interface: eth1;
"ipsec_vpn_1": dpd: action:restart; delay:30; timeout:120;
"ipsec_vpn_1": newest ISAKMP SA: #0; newest IPsec SA: #0;
"ipsec_vpn_1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
"ipsec_vpn_1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,
"ipsec_vpn_1": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict
"ipsec_vpn_1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160

#64: "ipsec_vpn_1":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 3s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate

Link zu diesem Kommentar
sguru Proficient

sguru   10

Geschrieben
  • Autor
Geschrieben

Log:

 

"ipsec_vpn_1" #58: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: per
haps peer likes no proposal
"ipsec_vpn_1" #58: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #59: initiating Aggressive Mode #59, connection "ipsec_vpn_1"
"ipsec_vpn_1" #59: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #59: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #59: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #59: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #59: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #59: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #59: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #59: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #59: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #59: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #59: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha gr
oup=modp1024}
"ipsec_vpn_1" #59: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #60: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#59 msgid:f36ea7d4 proposal=3DES(3)_192-SHA1(2)_16
0 pfsgroup=no-pfs}
"ipsec_vpn_1" #59: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #59: received and ignored informational message
"ipsec_vpn_1" #59: received Delete SA payload: deleting ISAKMP State #59
packet from 195.3.96.69:4500: received and ignored informational message
"ipsec_vpn_1" #60: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: per
haps peer likes no proposal
"ipsec_vpn_1" #60: starting keying attempt 2 of an unlimited number
"ipsec_vpn_1" #61: initiating Aggressive Mode #61, connection "ipsec_vpn_1"
"ipsec_vpn_1" #61: received Vendor ID payload [Cisco-Unity]
"ipsec_vpn_1" #61: received Vendor ID payload [XAUTH]
"ipsec_vpn_1" #61: received Vendor ID payload [Dead Peer Detection]
"ipsec_vpn_1" #61: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"ipsec_vpn_1" #61: ignoring Vendor ID payload [FRAGMENTATION c0000000]
"ipsec_vpn_1" #61: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"ipsec_vpn_1" #61: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
"ipsec_vpn_1" #61: Aggressive mode peer ID is ID_IPV4_ADDR: '195.3.96.68'
"ipsec_vpn_1" #61: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"ipsec_vpn_1" #61: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
"ipsec_vpn_1" #61: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha gr
oup=modp1024}
"ipsec_vpn_1" #61: Dead Peer Detection (RFC 3706): enabled
"ipsec_vpn_1" #62: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#61 msgid:fe1e3c52 proposal=3DES(3)_192-SHA1(2)_16
0 pfsgroup=no-pfs}
"ipsec_vpn_1" #61: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"ipsec_vpn_1" #61: received and ignored informational message
"ipsec_vpn_1" #61: received Delete SA payload: deleting ISAKMP State #61
packet from 195.3.96.69:4500: received and ignored informational message

Link zu diesem Kommentar
Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Schreibe einen Kommentar

Du kannst jetzt antworten und Dich später registrieren. Falls Du bereits ein Mitglied bist, logge Dich jetzt ein.

Gast
Auf dieses Thema antworten...

×   Du hast formatierten Text eingefügt.   Formatierung jetzt entfernen

  Only 75 emoji are allowed.

×   Dein Link wurde automatisch eingebettet.   Einbetten rückgängig machen und als Link darstellen

×   Dein vorheriger Inhalt wurde wiederhergestellt.   Editor-Fenster leeren

×   Du kannst Bilder nicht direkt einfügen. Lade Bilder hoch oder lade sie von einer URL.

×
Zurück zur Übersicht


×
×
  • Neu erstellen...