Solved

VPN between free s/wan and cisco 3000

Posted on 2002-07-29
Last Modified: 2007-11-27
I'm trying to establish a VPN with IPSec between Free S/WAN and a Cisco 3000 concentrator. The interface on my Linux firewall limits the configurations available to me, so tweaks need to be made at the cisco end.

I get the following at the Free S/WAN end:
000 "remote_site": 192.xxx.xxx.xxx/32===193.xxx.xxx.xxx---193.xxx.xxx.xxx...
000 "remote_site": ...194.xxx.xxx.xxx===192.xxx.xxx.xxx/32
000 "remote_site":  ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "remote_site":  policy: POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS; interface: eth1; routed
000 "remote_site":  newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 #3: "remote_site" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 26s
000 #1: "remote_site" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2573s; newest ISAKMP
conn remote_site

So you see the first handshake stage is completed successfully. The cisco then complains of a Policy incompatibility (no useful fault numbers I'm afraid). I assume it's the PFS policy (set to "yes" in Free S/WAN; various levels on cisco, 1, 2 & 5 from memory).

Any assistance on where to look / references to docs etc. would be gratefully appreciated.
Question by:whitfield

12 Comments

Expert Comment

by:mbruner
ID: 7185326
I usually find that the error messages that are sent to the event log in the Cisco concentrator give better indications as to where the policy mismatch resides.  Can you post those here?  

Just for reference, you get this info by going to "Monitoring" then to "Filterable Event Log".  Clicking the "Get Log" button should show a window with your event log info.  The latest information at the bottom of the log.

Here is a link to Cisco's VPN 3000 documentation: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/index.htm

If you could also browse around Cisco's TAC website: http://www.cisco.com/tac  
or more specifically:
http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml

Hope it helps!
Author Comment

by:whitfield
ID: 7185595
Thanks mbruner

Here's the cisco end:
153 07/26/2002 15:45:16.890 SEV=4 IKE/119 RPT=340 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
PHASE 1 COMPLETED
 
154 07/26/2002 15:45:16.890 SEV=4 AUTH/22 RPT=264
User 193.xxx.xxx.xxx connected
 
155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0
 
158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.yyy.yyy.yyy, Mask 255.255.255.255, Protocol 0, Port 0
 
161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!
 
163 07/26/2002 15:45:17.010 SEV=4 IKEDBG/0 RPT=251
QM FSM error (P2 struct &0x1c30ae8, mess id 0x47a38a9a)!
 
164 07/26/2002 15:45:17.010 SEV=4 IKEDBG/0 RPT=252
QM FSM history (P2 struct &0x1c30ae8):
  [13, 52], [3, 32], [3, 44], [3, 31]
 
165 07/26/2002 15:45:17.020 SEV=4 AUTH/23 RPT=175 193.xxx.xxx.xxx
User 193.xxx.xxx.xxx disconnected: duration: 0:00:00

Any clearer?
Accepted Solution

by:
mbruner earned 300 total points
ID: 7185715
To start with, it sounds like you may have the concentrator set up to expect different source and destination networks than your Linux box.  They need to match.  

On the concentrator, check the Local and Remote Network settings for the IPSec Tunnel.  You can find them here (assuming you are setting up a LAN-to-LAN VPN) :  Configuration --> System --> Tunneling Protocols --> IPSec --> LAN-to-LAN --> Whatever-you-called-this-VPN-connection.

While you are here, you might as well double check the other settings.

If you are using network lists to define the local and remote networks above, they can be edited here:  Configuration --> Policy Management --> Traffic Management --> Network Lists.

While you are at it, check your policy rules here:  
Configuration --> Policy Management --> Traffic Management --> Rules.

Anyway, check out your settings to make sure they match, then give it another shot.  If there are any changes to the errors in your event log, post them and we'll take a look.

Good luck.
Author Comment

by:whitfield
ID: 7188183
Looks like you were on to something. We changed the source and destination as suggested and the tunnel is visible from the Cisco end for a variable but brief period. At the Linux end I see:

Jul 30 14:34:58 pcfw2 Pluto[16931]: added connection description "remote_site"
Jul 30 14:35:10 pcfw2 Pluto[16931]: "remote_site" #1: initiating Main Mode
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Vendor ID payload
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #1: ISAKMP SA established
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #3: initiating Quick Mode POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS
Jul 30 14:35:13 pcfw2 Pluto[16931]: "remote_site" #3: our client ID returned doesn't match my proposal
Jul 30 14:35:20 pcfw2 Pluto[16931]: "remote_site" #3: our client ID returned doesn't match my proposal
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Delete SA payload
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: received and ignored informational message
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Delete SA payload
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: received and ignored informational message
Jul 30 14:36:12 pcfw2 Pluto[16931]: "remote_site" #1: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #3: max number of retransmissions (2) reached STATE_QUICK_I1
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #3: starting keying attempt 2 of an unlimited number
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #7: initiating Quick Mode POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #1: Informational Exchange message for an established ISAKMP SA must be encrypted

This looks like an incompatibility in keying; if it were encryption it surely wouldn't succeed at all.

The Cisco end log is:
688 07/30/2002 13:34:58.600 SEV=4 IKE/119 RPT=360 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
PHASE 1 COMPLETED
 
689 07/30/2002 13:34:58.600 SEV=4 AUTH/22 RPT=273
User 193.xxx.xxx.xxx connected
 
690 07/30/2002 13:34:58.710 SEV=5 IKE/35 RPT=120 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0
 
693 07/30/2002 13:34:58.710 SEV=5 IKE/34 RPT=149 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
 Address 172.yyy.yyy.yyy, Mask 255.255.255.0, Protocol 0, Port 0
 
696 07/30/2002 13:34:58.710 SEV=5 IKE/66 RPT=176 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
IKE Remote Peer configured for SA: L2L: linux_tunnel
 
697 07/30/2002 13:35:28.650 SEV=4 IKEDBG/0 RPT=259
QM FSM error (P2 struct &0x1c3ded4, mess id 0xff81598b)!
 
698 07/30/2002 13:35:28.650 SEV=4 IKEDBG/0 RPT=260
QM FSM history (P2 struct &0x1c3ded4):
  [13, 52], [8, 5], [8, 65535], [4, 4]
 
699 07/30/2002 13:35:28.660 SEV=4 AUTH/23 RPT=179 193.xxx.xxx.xxx
User 193.xxx.xxx.xxx disconnected: duration: 0:00:30

Where should I look next?

Thanks
Richard
0
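Both of Richard's log extracts point at the same Phase 2 problem: the proxy IDs (the networks each side proposes to protect) sent by the Linux box do not match what the concentrator has configured, which the concentrator reports as "Tunnel rejected: Policy not found" and Pluto reports as "our client ID returned doesn't match my proposal" when the concentrator answers with different IDs. The Python script below is an added example, not code from this thread, from FreeS/WAN or from Cisco. It parses the IKE/35, IKE/34 and IKE/61 event-log entries, compares the received proxy IDs with a LAN-to-LAN entry, and checks that a FreeS/WAN conn mirrors that entry (leftsubnet = concentrator's remote network, rightsubnet = concentrator's local network). The two log excerpts, SAMPLE_CISCO_L2L, SAMPLE_FREESWAN_CONN, the addresses in them and every function name are constructed for this example.

```python
import ipaddress
import re

# Constructed Cisco VPN 3000 event-log excerpt, modelled on the IKE/35, IKE/34
# and IKE/61 entries quoted in the thread. Addresses are documentation and
# RFC 1918 ranges chosen for this example, not the poster's real ones.
SAMPLE_CISCO_LOG_REJECTED = """\
155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 203.0.113.10
Group [203.0.113.10]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.168.50.1, Mask 255.255.255.255, Protocol 0, Port 0

158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 203.0.113.10
Group [203.0.113.10]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.168.52.1, Mask 255.255.255.255, Protocol 0, Port 0

161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 203.0.113.10
Group [203.0.113.10]
Tunnel rejected: Policy not found for Src:192.168.50.1, Dst: 192.168.52.1!
"""

# Same format, with proxy IDs covering the whole subnets (constructed).
SAMPLE_CISCO_LOG_OK = """\
690 07/30/2002 13:34:58.710 SEV=5 IKE/35 RPT=120 203.0.113.10
Group [203.0.113.10]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0

693 07/30/2002 13:34:58.710 SEV=5 IKE/34 RPT=149 203.0.113.10
Group [203.0.113.10]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.168.52.0, Mask 255.255.255.0, Protocol 0, Port 0
"""

# Hypothetical LAN-to-LAN entry on the concentrator (Configuration -> System ->
# Tunneling Protocols -> IPSec -> LAN-to-LAN), as address/mask strings.
SAMPLE_CISCO_L2L = {"local": "192.168.52.0/255.255.255.0",
                    "remote": "192.168.50.0/255.255.255.0"}

# Hypothetical FreeS/WAN conn: left is the Linux side, right the concentrator.
# Host (/32) subnets here are the kind of mismatch seen in the first log.
SAMPLE_FREESWAN_CONN = {"leftsubnet": "192.168.50.1/32",
                        "rightsubnet": "192.168.52.1/32"}

PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s*\n"
    r"\s*Address (\S+), Mask (\S+), Protocol (\d+), Port (\d+)")
REJECT_RE = re.compile(
    r"Tunnel rejected: Policy not found for Src:\s*(\S+), Dst:\s*(\S+)!")


def net(text):
    """Parse 'addr', 'addr/prefix' or 'addr/dotted-mask' into an IPv4Network."""
    return ipaddress.ip_network(text, strict=False)


def parse_proxy_ids(log):
    """Proxy IDs the peer sent, keyed 'remote' and 'local' as the concentrator
    labels them ('remote' is the network behind the Linux box)."""
    ids = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(log):
        ids[side] = net(f"{addr}/{mask}")
    return ids


def parse_rejections(log):
    """(src, dst) pairs from IKE/61 'Policy not found' entries."""
    return [(net(src), net(dst)) for src, dst in REJECT_RE.findall(log)]


def check_l2l_policy(proxy_ids, cisco_l2l):
    """Any difference between received proxy IDs and the configured L2L
    networks (including /32 host IDs against a /24 entry) is a mismatch."""
    problems = []
    for side in ("remote", "local"):
        expected = net(cisco_l2l[side])
        got = proxy_ids.get(side)
        if got is None:
            problems.append(f"no {side} proxy ID in log")
        elif got != expected:
            problems.append(f"{side} proxy ID {got} != configured {expected}")
    return problems


def check_freeswan_mirror(conn, cisco_l2l):
    """The ends must mirror: leftsubnet == concentrator remote network,
    rightsubnet == concentrator local network."""
    problems = []
    for conn_key, l2l_key in (("leftsubnet", "remote"), ("rightsubnet", "local")):
        if net(conn[conn_key]) != net(cisco_l2l[l2l_key]):
            problems.append(f"{conn_key}={conn[conn_key]} but concentrator "
                            f"{l2l_key}={cisco_l2l[l2l_key]}")
    return problems


if __name__ == "__main__":
    for name, log in (("rejected", SAMPLE_CISCO_LOG_REJECTED),
                      ("ok", SAMPLE_CISCO_LOG_OK)):
        ids = parse_proxy_ids(log)
        print(name, ids, parse_rejections(log))
        for p in check_l2l_policy(ids, SAMPLE_CISCO_L2L):
            print("  ", p)
    for p in check_freeswan_mirror(SAMPLE_FREESWAN_CONN, SAMPLE_CISCO_L2L):
        print("freeswan:", p)
```

Paste the concentrator's "Filterable Event Log" text in place of the sample and the LAN-to-LAN networks in place of SAMPLE_CISCO_L2L; an empty problem list from both checks means the proxy IDs agree on both ends, which is the condition the accepted answer asks you to verify before looking at anything else.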

Expert Comment

by:mbruner
ID: 7188627
Check out this link and the document linked to page.  It may help you sort things out.

In the meantime, I'll look into this further and see if I can come up with anything.
Expert Comment

by:mbruner
ID: 7188632
DOH!  Stinking enter key!!  %^$#^&%#@~!!!  

Here is the link:  http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html


Author Comment

by:whitfield
ID: 7190954
Hi Again
The issue was basically a difference in source and destination networks, as you suggested. We then went through an issue of "Duplicate first packet detected!" on the Cisco end, which turned out to be an inability to reply to the IKE request; this was resolved by correcting the default route. Most of the threads in user groups refer to UDP port 10000 being opened, but we know this wasn't the issue.
You probably know all this - but I'm fed up following threads with no conclusion, just a "thanks, that fixed it."

Thanks for all your help.
Expert Comment

by:nealgs
ID: 8656001
Question for whitfield regarding the changes to the config, if that's OK: in your first list of debug info from the concentrator, the remote and local IPs are 192.x.x.x

155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0

158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
Address 192.yyy.yyy.yyy, Mask 255.255.255.255, Protocol 0, Port 0

161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!

in a follow-up posting the local IP Proxy subnet had changed to a 172.x.y.z address.  What were the original networks you were trying to link together?

We have exactly the same issue with a freeS/wan and cisco 3005 unit.  the internal networks we want to connect are 192.168.52.0 (cisco end) and 192.168.50.0 (freeswan end) if we configure the cisco and freeswan units with these values for the local and remote (left and right on freeswan) networks, the tunnel fails to establish with the same error:

161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!

but if the 192.168.52.0 network is changed to 172.28.1.0/0.0.0.255 then the tunnel works, but the 192.168.52.0 network is now seen as 172.28.1.x, which is wrong.

how did you fix that?

cheers
Gary

Expert Comment

by:mbruner
ID: 8657533
Very weird.  Let me make sure I have everything straight in my mind.  Is this close to the network design you want?

192.168.50.0/24---[Freeswan]---Some_External_Address-----//-----Another_External_Address---[Cisco3000]---192.168.52.0/24

You know, you'd get a lot more help if you posted a new question on this.   There are some REALLY sharp people here that might be able to answer this much quicker than us.


Expert Comment

by:nealgs
ID: 8664709
mbruner,

thanks for the reply - and yep I agree with you regarding the REALLY sharp people on here :)  - I'd posted a question on the Security/Firewalls section but no response as of yet.

The design you have is exactly correct.  Since I posted the original question we have managed to get the tunnel working correctly with the proper addressing scheme.  We could get the tunnel working with the 192.168.50.0 and 172.28.1.0 addresses but this meant that a translation was occurring, which we didn't want.

The tunnel has now been up for 24 hours with the 192.168.50.0 and 192.168.52.0 addresses :)

So we can ping/telnet etc. from PCs in 192.168.52.0 to provide remote support for those in 192.168.50.0.

cheers
Gary