Re: Cisco 831 and FreeS/WAN

dgregoric · ‎04-16-2003

Hi there,

I try to establish VPN connection between Cisco router and FreeS/WAN on Linux machine.

On cisco 831 I have IOS 12.2 FW/3DES and on linux FreeS/WAN version1.96.

I use preshared keys.

On Linux side I receive this error :

protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

Debug on cisco site shows this:

02:31:52: ISAKMP (0:1): Send initial contact

02:31:52: ISAKMP (0:1): SA is doing pre-shared key authentication using id type

ID_IPV4_ADDR

02:31:52: ISAKMP (1): ID payload

next-payload : 8

type : 1

addr : xxx.xxx.xxx.xxx

protocol : 17

port : 0

length : 8

02:31:52: ISAKMP (1): Total payload length: 12

Can someone help!

Thanks you

gfullage · ‎04-16-2003

Not sure anyone in Cisco has tested this. Found this (http://www.diverdown.cc/vpn/freeswanciscorouter.html) in Google, it may be of help. there's a bunch of other stuff if you search for "cisco freeswan vpn ipsec".

dgregoric · ‎04-21-2003

Hi,

I look at the google, I also post some questions to mailing lists.

I got this answer:

The Cisco appears to have a buggy IPSec implementation:

RFC 2407, section 4.6.2 states :

During Phase 1 negotiations, the ID port and protocol fields MUST be

set to zero or to UDP port 500. If an implementation receives any

other values, this MUST be treated as an error and the security

association setup MUST be aborted.

So the Cisco is proposing UDP port 0, which according to the RFC is invalid.

Darjo

dgregoric · ‎06-26-2003

Hi,

The Cisco appears to have a buggy IPSec implementation:

RFC 2407, section 4.6.2 states :

During Phase 1 negotiations, the ID port and protocol fields MUST be

set to zero or to UDP port 500. If an implementation receives any

other values, this MUST be treated as an error and the security

association setup MUST be aborted.

Is this connected with IOS version. Is there any patch for this behavior.

andrelo · ‎08-16-2003

Hi,

i've get grey hair with this problem with a cisco 836 an ios 12.2(13)ZG. It's a buggy implementation of the isakmp protocol by cisco

RFC 2407 says:

...

4.6.2 Identification Payload Content

The Identification Payload is used to identify the initiator of the

Security Association. The identity of the initiator SHOULD be used

by the responder to determine the correct host system security policy

requirement for the association. For example, a host might choose to

require authentication and integrity without confidentiality (AH)

from a certain set of IP addresses and full authentication with

confidentiality (ESP) from another range of IP addresses. The

Identification Payload provides information that can be used by the

responder to make this decision.

During Phase I negotiations, the ID port and protocol fields MUST be

set to zero or to UDP port 500. If an implementation receives any

other values, this MUST be treated as an error and the security

association setup MUST be aborted. This event SHOULD be auditable.

..

so, protocol must be 17 (UDP) an port must be 500, not 0!!!

1 week ago i've got an ios-security update, which upgrades me to 12.2.13 ZH2.

With this ios, the preshared key auth runs with freeswan. they've fixed the bug ! It run's with no problem

But i need rsasig, and that doesn't run :-(.

Cisco send an isakmp-header with 156 byte length, but isakmp needs only 28!! Perhaps you know a solution

I think cisco implements the ipsec-standards in a way, that only cisc - cisco ipsec runs :-(

Hope this helps

Andreas