Urgent IPSec issue

Hi,

I have an IPSec tunnel between a MT and a Pix, all is configured, Phase 1 & 2 are up, and my security keys are installed and active. My MT encrypts and transmits the data to the PIX, the PIX receives it and decrypts it, my PIX encrypts and sends the responses back, the MT refuses to decrypt the encrypted data received back…

On the PIX:

access-list NONAT permit ip 172.21.44.0 255.255.254.0 172.19.44.0 255.255.252.0
access-list NONAT permit ip 172.21.44.0 255.255.254.0 172.20.44.0 255.255.252.0
access-list VPN permit ip 172.21.44.0 255.255.254.0 172.19.44.0 255.255.252.0
access-list VPN permit ip 172.21.44.0 255.255.254.0 172.20.44.0 255.255.252.0
crypto ipsec transform-set IPSEC-BLAH esp-3des esp-md5-hmac
crypto map OSFW 1 ipsec-isakmp
crypto map OSFW 1 match address VPN
crypto map OSFW 1 set peer a.b.240.11
crypto map OSFW 1 set transform-set IPSEC-BLAH
crypto map OSFW 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map OSFW interface outside
isakmp enable outside
isakmp key ******** address a.b.240.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400

And, as mentioned, the tunnel is established and active:

interface: outside
    Crypto map tag: OSFW, local addr. a.b.170.14

   local  ident (addr/mask/prot/port): (172.21.44.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.44.0/255.255.252.0/0/0)
   current_peer: a.b.240.11:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.b.170.14, remote crypto endpt.: a.b.240.11
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.21.44.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.44.0/255.255.252.0/0/0)
   current_peer: a.b.240.11:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 611, #pkts decrypt: 652, #pkts verify 652
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 41

     local crypto endpt.: a.b.170.14, remote crypto endpt.: a.b.240.11
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: c959bac

     inbound esp sas:
      spi: 0x1caa6eaf(480931503)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 7, crypto map: OSFW
        sa timing: remaining key lifetime (k/sec): (4607922/84969)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xc959bac(211131308)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8, crypto map: OSFW
        sa timing: remaining key lifetime (k/sec): (4608000/84972)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

On my MT:

/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d name=default pfs-group=modp1024
/ip ipsec peer
add address=a.b.170.14/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s dpd-maximum-failures=1 enc-algorithm=3des \
    exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=secret \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=172.21.44.0/23:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default protocol=\
    all sa-dst-address=a.b.170.14 sa-src-address=a.b.240.11 src-address=172.19.44.0/22:any tunnel=yes
add action=encrypt disabled=no dst-address=172.21.44.0/23:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default protocol=\
    all sa-dst-address=a.b.170.14 sa-src-address=a.b.240.11 src-address=172.20.44.0/22:any tunnel=yes

HOWEVER:

  1. Why is my second policy marked as INACTIVE in the Console, but INVALID in Winbox?
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=172.19.44.0/22:any dst-address=172.21.44.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=a.b.240.11 sa-dst-address=a.b.170.14 proposal=default manual-sa=none priority=0 

 1 I src-address=172.20.44.0/22:any dst-address=172.21.44.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=a.b.240.11 sa-dst-address=a.b.170.14 proposal=default manual-sa=none priority=0
  2. Looking at my installed-sa, encrypted packets received from the PIX to my MT are never decrypted:
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0xC959BAC src-address=a.b.170.14 dst-address=a.b.240.11 auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="84d4a2e8e5e3130b6c7c1a94b6543279" enc-key="612ef01732ff3cdd6d08ff03a71aebd34181cc157364a51f" add-lifetime=19h12m/1d 
      use-lifetime=0s/0s lifebytes=0/0 

 1 E  spi=0x1CAA6EAF src-address=a.b.240.11 dst-address=a.b.170.14 auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="32b8cfe52031b07b3c46b524b897b67e" enc-key="dafd8e21288eaa8040bf9b03e33a0fe4b0efa49beeafb8da" addtime=oct/16/2008 13:05:04 
      add-lifetime=19h12m/1d usetime=oct/16/2008 13:05:05 use-lifetime=0s/0s current-bytes=64588 lifebytes=0/0

Feedback and suggestions much appreciated!

Just FYI…

MT Debug Log:

echo: ipsec,ike IPsec-SA request for a.b.170.14 queued due to no phase1 found.
echo: ipsec,ike initiate new phase 1 negotiation: a.b.240.11[500]<=>a.b.170.14[500]
echo: ipsec,ike begin Identity Protection mode.
echo: ipsec,ike received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
echo: ipsec,ike received Vendor ID: DPD
echo: ipsec,ike received Vendor ID: CISCO-UNITY
echo: ipsec,ike ISAKMP-SA established a.b.240.11[500]-a.b.170.14[500] spi:af2b0fe6255c5046:4e663fa6841bb55a
echo: ipsec,ike initiate new phase 2 negotiation: a.b.240.11[500]<=>a.b.170.14[500]
echo: ipsec,ike ignore RESPONDER-LIFETIME notification.
echo: ipsec,ike attribute has been modified.
echo: ipsec,ike IPsec-SA established: ESP/Tunnel a.b.170.14[0]->a.b.240.11[0] spi=208470766(0xc6d02ee)
echo: ipsec,ike IPsec-SA established: ESP/Tunnel a.b.240.11[0]->a.b.170.14[0] spi=3758959760(0xe00d2c90)

PIX Debug:

crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2418874781, spi size = 16
ISAKMP (0): deleting SA: src a.b.240.11, dst a.b.170.14
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x114177c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:a.b.240.11/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:a.b.240.11/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with   a.b.240.11

crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 100 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:a.b.240.11/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:a.b.240.11/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3750862230

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= a.b.170.14, src= a.b.240.11,
    dest_proxy= 172.21.44.0/255.255.254.0/0/0 (type=4),
    src_proxy= 172.19.44.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 3750862230

ISAKMP (0): processing KE payload. message ID = 3750862230

ISAKMP (0): processing ID payload. message ID = 3750862230
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 172.19.44.0/255.255.252.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3750862230
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 172.21.44.0/255.255.254.0 prot 0 port 0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe00d2c90(3758959760) for SA
        from   a.b.240.11 to    a.b.170.14 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:a.b.240.11, dest:a.b.170.14 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAITmap_alloc_entry: allocating entry 7
map_alloc_entry: allocating entry 8

ISAKMP (0): Creating IPSec SAs
        inbound SA from   a.b.240.11 to    a.b.170.14 (proxy     172.19.44.0 to     172.21.44.0)
        has spi 3758959760 and conn_id 7 and flags 25
        lifetime of 86400 seconds
        outbound SA from    a.b.170.14 to   a.b.240.11 (proxy     172.21.44.0 to     172.19.44.0)
        has spi 208470766 and conn_id 8 and flags 25
        lifetime of 86400 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= a.b.170.14, src= a.b.240.11,
    dest_proxy= 172.21.44.0/255.255.254.0/0/0 (type=4),
    src_proxy= 172.19.44.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0xe00d2c90(3758959760), conn_id= 7, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= a.b.170.14, dest= a.b.240.11,
    src_proxy= 172.21.44.0/255.255.254.0/0/0 (type=4),
    dest_proxy= 172.19.44.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 86400s and 0kb,
    spi= 0xc6d02ee(208470766), conn_id= 8, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer ip:a.b.240.11/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:a.b.240.11/500 Ref cnt incremented to:3 Total VPN Peers:1

For the love of me, I cannot seem to figure out what the problem is :(
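One way to cross-check the two ends from the output quoted in the post, as an added example (not part of the original thread, and not a MikroTik or Cisco tool): it matches the SPIs between the PIX `show crypto ipsec sa` output and the MikroTik installed-sa list and flags the direction that carries no traffic. The excerpts are constructed from the values above; MT_ADDR is the MikroTik's public address as given in the post.

```python
import re
# Constructed excerpts: the PIX "show crypto ipsec sa" lines and the MikroTik
# installed-sa entries quoted in the post (counters and SPIs copied, keys omitted).
PIX_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 611, #pkts decrypt: 652, #pkts verify 652
    #send errors 0, #recv errors 41
     current outbound spi: c959bac
      spi: 0x1caa6eaf(480931503)
"""
MT_SA = """\
 0 E  spi=0xC959BAC src-address=a.b.170.14 dst-address=a.b.240.11 state=mature lifebytes=0/0
 1 E  spi=0x1CAA6EAF src-address=a.b.240.11 dst-address=a.b.170.14 state=mature current-bytes=64588 lifebytes=0/0
"""
MT_ADDR = "a.b.240.11"  # the MikroTik's public address as given in the post

def parse_pix(text):
    """Pull per-direction packet counters and both SPIs out of the PIX output."""
    def first(pattern, base=10):
        return int(re.search(pattern, text).group(1), base)
    return {
        "encaps": first(r"#pkts encaps: (\d+)"),
        "decaps": first(r"#pkts decaps: (\d+)"),
        "outbound_spi": first(r"current outbound spi: ([0-9a-f]+)", 16),
        "inbound_spi": first(r"spi: 0x([0-9a-f]+)\(", 16),
    }

def parse_mt(text, mt_addr):
    """Return the MikroTik's SAs keyed 'inbound'/'outbound' relative to mt_addr."""
    sas = {}
    for m in re.finditer(r"spi=0x([0-9A-Fa-f]+) src-address=\S+ dst-address=(\S+)(.*)", text):
        spi, dst, rest = m.groups()
        used = re.search(r"current-bytes=(\d+)", rest)  # absent when the SA never carried data
        direction = "inbound" if dst == mt_addr else "outbound"
        sas[direction] = {"spi": int(spi, 16), "bytes": int(used.group(1)) if used else 0}
    return sas

def diagnose(pix, mt):
    """Cross-check both ends and name what is wrong with the PIX-to-MT direction."""
    findings = []
    if pix["outbound_spi"] != mt["inbound"]["spi"] or pix["inbound_spi"] != mt["outbound"]["spi"]:
        findings.append("spi-mismatch")      # the two ends hold different SAs
    if pix["decaps"] > 0 and pix["encaps"] == 0:
        findings.append("pix-no-encaps")     # PIX decrypts MT traffic but encapsulates no replies
    if mt["inbound"]["bytes"] == 0:
        findings.append("mt-inbound-idle")   # the MT's inbound SA has never decrypted anything
    return findings
```

On the post's own numbers the SPIs agree at both ends, but the PIX shows zero encapsulated packets while the MikroTik's inbound SA has carried no bytes, so the place to look is what happens to return traffic on the PIX before it reaches the crypto map.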