PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication
a customer uses openswan 2.4.6-k261805-netkey to establish a site-to-site VPN to our Cisco PIX running OS 8.0(3). Certificates are used to authenticate the connection.
Unfortunately we have some troubles when the connection needs to be rekeyed. It seems the PIX sends the FQDN upon the first connection attempt and the DN when rekeying (the log file of openswan shows this).
On the PIX we configured properly "isakmp identity auto" which means (according to doc) it should use the FQDN/IP-Address for pre-shared-key authentication and the cert DN for certificate based authentication.
I think there might be a bug in IOS... maybe somebody else can confirm this issue or can give me a hint how to resolve it.
Cisco log on rekeying:
%PIX-5-713041: IP = xxx.xxx.xxx.xxx, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer xxx.xxx.xxx.xxx local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
%PIX-5-713201: IP = xxx.xxx.xxx.xxx, Duplicate Phase 1 packet detected. Retransmitting last packet.
%PIX-6-713905: IP = xxx.xxx.xxx.xxx, P1 Retransmit msg dispatched to MM FSM
%PIX-4-713903: IP = xxx.xxx.xxx.xxx, Header invalid, missing SA payload! (next payload = 4)
%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.
%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.
%PIX-3-713902: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
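As an added example (not from the original post, Cisco, or openswan), here is a small Python checker that runs over PIX syslog lines like the ones quoted above and reports peers whose Phase 1 rekey ended in the 713903 "Header invalid" error followed by 602304 SA deletions. The sample log and its IP addresses are constructed, and treating that message-ID sequence as one detection rule is my own assumption.

```python
import re

# Constructed sample log, modelled on the PIX syslog lines quoted in the post.
# Peer 192.0.2.10 shows the failed rekey; peer 203.0.113.7 rekeys cleanly.
SAMPLE_LOG = """\
%PIX-5-713041: IP = 192.0.2.10, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 192.0.2.10 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
%PIX-5-713201: IP = 192.0.2.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
%PIX-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)
%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between 198.51.100.1 and 192.0.2.10 (user= 192.0.2.10) has been deleted.
%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between 198.51.100.1 and 192.0.2.10 (user= 192.0.2.10) has been deleted.
%PIX-3-713902: Group = 192.0.2.10, IP = 192.0.2.10, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = 192.0.2.10, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry
%PIX-5-713041: IP = 203.0.113.7, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 203.0.113.7 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
"""

MSG_RE = re.compile(r"^%PIX-\d-(?P<id>\d{6}): (?P<text>.*)$")
IP_RE = re.compile(r"\bIP = (?P<ip>[^,\s]+)")
USER_RE = re.compile(r"\(user= (?P<ip>[^)\s]+)\)")   # peer field of 602304 lines
SPI_RE = re.compile(r"SPI= (?P<spi>0x[0-9A-Fa-f]+)")

REKEY_START, HEADER_INVALID, SA_DELETED = "713041", "713903", "602304"

def failed_rekeys(log_text):
    """Map peer IP -> SPIs deleted after a Phase 1 rekey that hit 713903
    'Header invalid' (the sequence the post shows). Healthy rekeys are skipped."""
    state = {}   # peer -> {"rekeying": bool, "error": bool, "spis": [...]}
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue   # not a PIX syslog line (or truncated), ignore
        msg_id, text = m.group("id"), m.group("text")
        pm = (USER_RE if msg_id == SA_DELETED else IP_RE).search(text)
        if not pm:
            continue
        st = state.setdefault(pm.group("ip"), {"rekeying": False, "error": False, "spis": []})
        if msg_id == REKEY_START:            # a new rekey attempt resets the peer's state
            st.update(rekeying=True, error=False, spis=[])
        elif msg_id == HEADER_INVALID and st["rekeying"] and "Header invalid" in text:
            st["error"] = True
        elif msg_id == SA_DELETED and st["error"]:
            spi = SPI_RE.search(text)
            st["spis"].append(spi.group("spi") if spi else "unknown")
    return {peer: st["spis"] for peer, st in state.items() if st["error"] and st["spis"]}

if __name__ == "__main__":
    for peer, spis in failed_rekeys(SAMPLE_LOG).items():
        print(f"failed Phase 1 rekey with {peer}: SAs torn down {spis}")
```

Pointing it at a real PIX syslog export isolates the peers that lose their tunnel on rekey, which is the first thing to check before comparing identity type and ISAKMP lifetimes on both ends.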
This error message means that the ISAKMP lifetime on both the PIX and the remote site (VPN) does not match. Therefore, you need to check this ISAKMP lifetime on both the PIX and the remote VPN device to make sure that they match.