New Member

IPSec between cisco and D-Link DI-804V?

Hello,

Is anybody successfully running IPsec between Cisco and D-Link DI-804V?

I'm having a problem with this.

10.1.1.0/24 -- cisco -- internet -- di-804v -- 10.1.2.0/24
               1.1.1.1              2.2.2.2

If I replace either of them with a FreeBSD box running racoon for ISAKMP, everything works fine.

Cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key plapla address 2.2.2.2
!
!
crypto ipsec transform-set mart esp-3des esp-md5-hmac
!
!
!
!
crypto map staticmart 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set mart
 set pfs group1
 match address 108
[..]
interface Serial2/0
 ip address 1.1.1.1 255.255.255.0
 crypto map staticmart
[..]
ip route 10.1.2.0 255.255.255.0 Serial2/0
[..]
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

I tracked the problem down to the point where Cisco sends an ID payload which appears to be different from what the DI-804V expects, and this causes negotiations to fail.

Any hints on how to overcome it? Or do I just have to accept that Cisco's and D-Link's implementations of IPsec are not compatible?

Cisco debug:

17:25:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
        next-payload : 8
        type : 1
        addr : 1.1.1.1
        protocol : 17
        port : 0
        length : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE

and DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
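
The mismatch shown in the two logs above, as an added example that is not part of the original post: a Python decoder for the Phase 1 ID payload that applies the 0/0-or-17/500 rule quoted in the DI-804V log. The function names and the sample bytes are assumptions, constructed here from the field values in the Cisco debug output.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1   # ID type 1 in the Cisco debug output
UDP, IKE_PORT = 17, 500

# Constructed sample: the payload the Cisco debug describes
# (next-payload 8, type 1, protocol 17, port 0, addr 1.1.1.1, total length 12).
CISCO_ID_PAYLOAD = bytes([8, 0, 0, 12, 1, 17, 0, 0, 1, 1, 1, 1])


def parse_id_payload(data: bytes) -> dict:
    """Decode the 4-byte generic ISAKMP header plus the IPsec DOI ID fields."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8 fixed bytes")
    next_payload, _reserved, length, id_type, protocol, port = struct.unpack(
        "!BBHBBH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"declared length {length} does not fit {len(data)} bytes")
    ident = data[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(ident) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 address bytes")
        ident = str(ipaddress.IPv4Address(ident))
    return {"next_payload": next_payload, "length": length, "type": id_type,
            "protocol": protocol, "port": port, "id": ident}


def phase1_id_problem(payload: dict):
    """Return None when protocol/port are acceptable in Phase 1, else the reason.

    The accepted pairs are the ones the DI-804V log names (0/0 or 17/500);
    RFC 2407 section 4.6.2 states the same requirement for Phase 1.
    """
    pair = (payload["protocol"], payload["port"])
    if pair in ((0, 0), (UDP, IKE_PORT)):
        return None
    return "protocol/port in Phase 1 ID payload must be 0/0 or 17/500 but are %d/%d" % pair


if __name__ == "__main__":
    decoded = parse_id_payload(CISCO_ID_PAYLOAD)
    print(decoded)
    print(phase1_id_problem(decoded) or "accepted")
```

Feeding it an ID payload taken from a packet capture of the failing exchange shows which side departs from the rule before either device's firmware is changed.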

4 REPLIES
New Member

Re: IPSec between cisco and D-Link DI-804V?

How do you configure the dlink router?

Is it configured for 3des as well? Because I think the default should be des.

David

New Member

Re: IPSec between cisco and D-Link DI-804V?

Both are configured for 3des and, as I said, it works well with FreeBSD.

New Member

Re: IPSec between cisco and D-Link DI-804V?

Have you resolved the problem of using a D-Link DI-804V to the Cisco?

If so, could you post the solution?

Thanks

New Member

Re: IPSec between cisco and D-Link DI-804V?

No, I'm pretty sure it is a bug in Cisco IOS or D-Link is following standards too strictly. My CCO account is not good enough to open a ticket, so I just have to wait in hope that the next IOS release or next DI-804V firmware will solve the problem.
