PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication

Unanswered Question
Jan 10th, 2008
User Badges:

Dear all,

a customer uses openswan 2.4.6-k261805-netkey to establish a site-to-site VPN to our Cisco PIX running OS 8.0(3). Certificates are used to authenticate the connection.

Unfortunately we have some troubles when the connection needs to be rekeyd. It seems the PIX sends the FQDN upon the first connection attempt and the DN when rekeying (the log file of openswan shows this).

On the PIX we configured properly "isakmp identity auto" which means (according to doc) it should use the FQDN/IP-Address for pre-shared-key authentication and the cert DN for certificate based authentication.

I think there might be a bug in IOS... maybe somebody else can confirm this issue or can give me a hint how to resolve it.


More information:


Cisco log on rekeying:

%PIX-5-713041: IP = xxx.xxx.xxx.xxx, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer xxx.xxx.xxx.xxx local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)

%PIX-5-713201: IP = xxx.xxx.xxx.xxx, Duplicate Phase 1 packet detected. Retransmitting last packet.

%PIX-6-713905: IP = xxx.xxx.xxx.xxx, P1 Retransmit msg dispatched to MM FSM

%PIX-4-713903: IP = xxx.xxx.xxx.xxx, Header invalid, missing SA payload! (next payload = 4)

%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.

%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.

%PIX-3-713902: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!

%PIX-4-713903: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry


openswan log on rekeying:

http://www.internetworkpro.org/pastebin/1599


openswan config: http://www.internetworkpro.org/pastebin/1600


Any hints or help welcome :)

Thank you!


Best regards,


Bernhard

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
irisrios Wed, 01/16/2008 - 11:50
User Badges:
  • Silver, 250 points or more

To use the FQDN during rekeying you will have to modify the identity using the line crypto isakmp identity address.


orceo.com Wed, 01/16/2008 - 23:45
User Badges:

"crypto isakmp identity address" is a global command which applies to any other site-to-site connection, even those who require cert DN.

I would prefer to be able to choose the authentication method per vpn connection.


Actions

This Discussion