01-21-2003 12:59 AM - last edited on 02-21-2020 11:43 PM by cc_security_adm
Hello,
Is anybody successfully running IPsec between Cisco and D-Link DI-804V?
I'm having a problem with this.
10.1.1.0/24 -- cisco (1.1.1.1) -- internet -- di-804v (2.2.2.2) -- 10.1.2.0/24
If I replace either of them with a FreeBSD box running racoon for ISAKMP, everything works fine.
Cisco:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key plapla address 2.2.2.2
!
!
crypto ipsec transform-set mart esp-3des esp-md5-hmac
!
!
!
!
crypto map staticmart 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set mart
set pfs group1
match address 108
[..]
interface Serial2/0
ip address 1.1.1.1 255.255.255.0
crypto map staticmart
[..]
ip route 10.1.2.0 255.255.255.0 Serial2/0
[..]
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
I tracked the problem down to the point where Cisco sends an ID payload which appears to be different from what the DI-804V expects, and this causes the negotiation to fail.
Any hints on how to overcome it? Or do I just have to accept that Cisco's and D-Link's implementations of IPsec are not compatible?
Cisco debug:
17:25:00: ISAKMP (0:1): SA is doing
pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 1.1.1.1
protocol : 17
port : 0
length : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE
and DI-804V:
IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
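As an added example (not code from the thread or from either vendor), the following reconstructs the Phase 1 ID payload shown in the Cisco debug (next-payload 8, type 1, addr 1.1.1.1, protocol 17, port 0, total length 12) and applies the same rule the DI-804V log cites, RFC 2407 section 4.6.2: in Phase 1 the protocol/port fields must be 0/0 or UDP/500. The field layout follows RFC 2407/2408; the helper names are my own.

```python
import struct
from ipaddress import IPv4Address

# Values as they appear in the Cisco debug (RFC 2408 / RFC 2407 numbers).
NEXT_PAYLOAD_HASH = 8   # "next-payload : 8"
ID_IPV4_ADDR = 1        # "type : 1"
IPPROTO_UDP = 17        # "protocol : 17"

def build_id_payload(addr: str, proto: int, port: int,
                     next_payload: int = NEXT_PAYLOAD_HASH) -> bytes:
    """Generic payload header (next, reserved, length) followed by the
    ID data: type, protocol ID, port, IPv4 address.  For ID_IPV4_ADDR the
    ID data is 8 bytes and the whole payload 12, matching the debug."""
    body = struct.pack("!BBH4s", ID_IPV4_ADDR, proto, port,
                       IPv4Address(addr).packed)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_id_payload(data: bytes) -> dict:
    """Decode one ID payload; reject truncated or inconsistent lengths."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than header + ID data")
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes")
    id_type, proto, port = struct.unpack("!BBH", data[4:8])
    if id_type != ID_IPV4_ADDR or length != 12:
        raise ValueError(f"only ID_IPV4_ADDR (12 bytes) handled, got type {id_type}")
    return {"next_payload": next_payload, "type": id_type,
            "proto": proto, "port": port,
            "addr": str(IPv4Address(data[8:12]))}

def phase1_id_ok(proto: int, port: int) -> bool:
    """RFC 2407 4.6.2: Phase 1 protocol/port must be 0/0 or UDP/500.
    This is exactly the check behind the DI-804V 'must be 0/0 or 17/500' log."""
    return (proto, port) in ((0, 0), (IPPROTO_UDP, 500))

def check_peer_id(data: bytes) -> tuple:
    """Return (accepted, decoded fields) for a received ID payload."""
    pid = parse_id_payload(data)
    return phase1_id_ok(pid["proto"], pid["port"]), pid

if __name__ == "__main__":
    # Constructed sample: the payload the Cisco debug shows it sending.
    cisco_id = build_id_payload("1.1.1.1", IPPROTO_UDP, 0)
    accepted, fields = check_peer_id(cisco_id)
    print(fields, "accepted" if accepted else "rejected (17/0)")
```

The mixed 17/0 combination is what the strict peer refuses; either 0/0 or 17/500 passes the same check.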
02-06-2003 03:10 PM
How do you configure the D-Link router?
Does it configure for 3des as well? Because I think the default should be des.
David
02-06-2003 10:35 PM
Both are configured for 3des and, as I said, it works well with FreeBSD.
02-27-2003 07:39 AM
Have you resolved the problem of using a D-Link DI-804V with the Cisco?
If so, could you post the solution?
Thanks
02-27-2003 09:55 AM
No, I'm pretty sure it is a bug in Cisco IOS, or D-Link is following the standards too strictly. My CCO account is not good enough to open a ticket, so I just have to wait in the hope that the next IOS release or the next DI-804V firmware will solve the problem.