IPSec between cisco and D-Link DI-804V?

mart.norman
Level 1

Hello,

Is anybody successfully running IPsec between Cisco and D-Link DI-804V?

I'm having a problem with this.

10.1.1.0/24 -- cisco -- internet -- di-804v -- 10.1.2.0/24
               1.1.1.1              2.2.2.2

If I replace either of them with a FreeBSD box running racoon for ISAKMP, everything works fine.

Cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key plapla address 2.2.2.2
!
!
crypto ipsec transform-set mart esp-3des esp-md5-hmac
!
!
crypto map staticmart 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set mart
 set pfs group1
 match address 108
[..]
interface Serial2/0
 ip address 1.1.1.1 255.255.255.0
 crypto map staticmart
[..]
ip route 10.1.2.0 255.255.255.0 Serial2/0
[..]
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

I tracked the problem down to the point where the Cisco sends an ID Payload which appears to be different from what the DI-804V expects, and this causes the negotiation to fail.

Any hints how to overcome it? Or do I just have to accept that Cisco's and D-Link's implementations of IPsec are not compatible?

Cisco debug:

17:25:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        addr         : 1.1.1.1
        protocol     : 17
        port         : 0
        length       : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE

and DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
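To make the two debugs above comparable, here is an added example (not from the original post or from either vendor) that decodes an IKEv1 Phase 1 Identification payload using the RFC 2407 layout and applies the acceptance rule the DI-804V log quotes (protocol/port must be 0/0 or 17/500). The sample payload is constructed from the field values in the Cisco debug (type 1, protocol 17, port 0, address 1.1.1.1, next payload 8, total length 12); the function names are this example's own.

```python
import struct
import ipaddress

# Generic payload header (RFC 2408 3.2) + Identification body (RFC 2407 4.6.2):
#   next_payload(1) reserved(1) length(2) id_type(1) protocol_id(1) port(2) data(n)
ID_IPV4_ADDR = 1     # RFC 2407 identification type for a single IPv4 address
NEXT_PAYLOAD_HASH = 8  # ISAKMP payload type HASH, which follows ID in MM5/MM6


def build_id_payload(id_type: int, proto: int, port: int, addr: str,
                     next_payload: int = NEXT_PAYLOAD_HASH) -> bytes:
    """Encode an ID payload; used here only to construct sample input."""
    data = ipaddress.IPv4Address(addr).packed
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, proto, port)
    return header + data


def parse_id_payload(raw: bytes) -> dict:
    """Decode an ID payload (generic header included) into its fields."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes received")
    data = raw[8:]
    ident = str(ipaddress.IPv4Address(data)) if id_type == ID_IPV4_ADDR and len(data) == 4 else data.hex()
    return {"next_payload": next_payload, "type": id_type, "protocol": proto,
            "port": port, "id": ident, "length": length}


def phase1_id_acceptable(proto: int, port: int) -> bool:
    """The strict check the DI-804V applies: 0/0 (unspecified) or 17/500 (UDP/ISAKMP)."""
    return (proto, port) in ((0, 0), (17, 500))


def check(raw: bytes) -> dict:
    """Parse a payload and record whether a strict peer would accept it."""
    fields = parse_id_payload(raw)
    fields["accepted"] = phase1_id_acceptable(fields["protocol"], fields["port"])
    return fields


# Constructed sample matching the Cisco debug: protocol 17 with port 0 -> rejected.
CISCO_ID_PAYLOAD = build_id_payload(ID_IPV4_ADDR, 17, 0, "1.1.1.1")
# Constructed sample of the form the D-Link log says it would accept.
STRICT_ID_PAYLOAD = build_id_payload(ID_IPV4_ADDR, 17, 500, "1.1.1.1")

if __name__ == "__main__":
    for label, raw in (("cisco", CISCO_ID_PAYLOAD), ("strict", STRICT_ID_PAYLOAD)):
        print(label, check(raw))
```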

4 Replies

david.xu
Level 1

How do you configure the D-Link router?

Is it configured for 3DES as well? Because I think the default should be DES.

David

Both are configured for 3DES and, as I said, it works well with FreeBSD.

ghaga
Level 1

Have you resolved the problem of using a D-Link DI-804V with the Cisco?

If so, could you post the solution?

thanks

No, I'm pretty sure it is a bug in Cisco IOS, or D-Link is following the standards too strictly. My CCO account is not good enough to open a ticket, so I just have to wait and hope that the next IOS release or the next DI-804V firmware will solve the problem.