[VPN] Cisco IOS to Checkpoint 4.1 Problem

Tammy Ruth truth at pugettech.com
Wed Nov 13 10:09:20 EST 2002


Thanks much - turns out it was the pre-shared key.

truth

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
Sent: Monday, November 11, 2002 2:33 AM
To: truth at pugettech.com
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] Cisco IOS to Checkpoint 4.1 Problem


It looks like your pre-shared secrets don't match.  You get all the way
through SA setup up to the point where the Cisco would expect to get the
6th packet of an IKE MM exchange back, and then everything falls apart.
Another possibility is that there is some NAT function in the way,
breaking the mapping between PSS and IP address.

I would check the PSS on both ends and try a different one, of a
different length.  You might be running into some data-dependent bug
somewhere.

You can get MUCH better IKE debugs out of the CP box; that is really
where you want to watch this.  The initiator is a bad place to debug
IPsec from; the responder always has a better idea of why they're not
sending the right packet.  Or, if you don't control the CP box, try to
get the administrator on that end to at least initiate to you so that you
can see why you don't want to play ball.

But check the PSS first.

jms



Tammy Ruth wrote:
>
> I have a Cisco router running Version 12.2(8)T5 connecting to a Checkpoint
> v4.1.  The Checkpoint has other connections to Cisco routers and PIX.  We
> are unable to establish a connection the Checkpoint - the Cisco debug logs
> show a "%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from y.y.y.y was not
> encrypted and it should've been.".  The Checkpoint then gets an "invalid
> payload" error on its end which I see from the Cisco debug logs we've set
> the Invalid Payload type bit.   We have verified the settings on both ends
> and everything appears in order.  I am including the logs from the Cisco
> debug and the error the Checkpoint receives.   The Cisco explanation of the
> error message states "Contact Remote Administrator".  Any clues on what to
> look for would be appreciated.
>
> thanks,
> truth
>
> CISCO DEBUG LOG:
>
> 2w2d: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= x.x.x.x, remote= y.y.y.y,
>     local_proxy= a.a.a.a/255.255.255.255/0/0 (type=1),
>     remote_proxy= b.b.b.b/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-3des esp-md5-hmac ,
>     lifedur= 3600s and 4608000kb,
>     spi= 0xD71D6723(3609028387), conn_id= 0, keysize= 0, flags= 0x400C
> 2w2d: ISAKMP: received ke message (1/1)
> 2w2d: ISAKMP: local port 500, remote port 500
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> Old State = IKE_READY  New State = IKE_I_MM1
>
> 2w2d: ISAKMP (0:1): beginning Main Mode exchange
> 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_NO_STATE
> 2w2d: ISAKMP (0:1): received packet from y.y.y.y (I) MM_NO_STATE
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Old State = IKE_I_MM1  New State = IKE_I_MM2
>
> 2w2d: ISAKMP (0:1): processing SA payload. message ID = 0
> 2w2d: ISAKMP (0:1): found peer pre-shared key matching y.y.y.y
> 2w2d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> 2w2d: ISAKMP:      encryption 3DES-CBC
> 2w2d: ISAKMP:      hash SHA
> 2w2d: ISAKMP:      default group 2
> 2w2d: ISAKMP:      auth pre-share
> 2w2d: ISAKMP:      life type in seconds
> 2w2d: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
> 2w2d: ISAKMP (0:1): atts are acceptable. Next payload is 0
> 2w2d: CryptoEngine0: generate alg parameter
> 2w2d: CRYPTO_ENGINE: Dh phase 1 status: 0
> 2w2d: CRYPTO_ENGINE: Dh phase 1 status: 0
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Old State = IKE_I_MM2  New State = IKE_I_MM2
>
> 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_SA_SETUP
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Old State = IKE_I_MM2  New State = IKE_I_MM3
>
> 2w2d: ISAKMP (0:1): received packet from y.y.y.y  (I) MM_SA_SETUP
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Old State = IKE_I_MM3  New State = IKE_I_MM4
>
> 2w2d: ISAKMP (0:1): processing KE payload. message ID = 0
> 2w2d: CryptoEngine0: generate alg parameter
> 2w2d: ISAKMP (0:1): processing NONCE payload. message ID = 0
> 2w2d: ISAKMP (0:1): found peer pre-shared key matching y.y.y.y
> 2w2d: CryptoEngine0: create ISAKMP SKEYID for conn id 1
> 2w2d: ISAKMP (0:1): SKEYID state generated
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Old State = IKE_I_MM4  New State = IKE_I_MM4
>
> 2w2d: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 2w2d: ISAKMP (1): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> 2w2d: ISAKMP (1): Total payload length: 12
> 2w2d: CryptoEngine0: generate hmac context for conn id 1
> 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
> 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Old State = IKE_I_MM4  New State = IKE_I_MM5
>
> 2w2d: ISAKMP (0:1): received packet from y.y.y.y (I) MM_KEY_EXCH
> 2w2d: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from y.y.y.y    was not
> encrypted and it should've been.
> 2w2d: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
> 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
> 2w2d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
> 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
> 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
> 2w2d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
> 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
>
> CHECKPOINT ERROR:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> fwIsakmp_BuildInfoExc-N p1 (1) peer: 3ffb0abb ~~ Fri Nov  8 16:57:44 2002
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> debugIsakmpHdr: (Creation)
>         InitCookie: bf 94 af a2 a7 f3 d9 0c
>         RspCookie: e3 b8 6d bc 18 aa ad 92
>         NextPld: 0b (PA_NOTIFY)
>         MjVer: 01
>         MnVer: 00
>         ExcType: 05
>         ResFlag: 00
>         CommitFlag: 00
>         EncFlag: 00
>         MsgID: 0f f4 f4 2e
>         Length: 00 00 00 00 (0)
> debugNotifyPayload: (Creation)
>         NextPld: 00 (PA_NONE)
>         Reserved: 00
>         Length: 00 0c (12)
>         DOI: 00 00 00 01
>         ProtID: 01
>         SPISize: 00 (0)
>         NotifyType: 00 01  (invalid payload type)  <================== HERE
> ****
> debugIsakmpHdrLen:
>         Length: 00 00 00 28 (40)
>
> **** fwIsakmp_RecvSA: ****
> debugIsakmpHdr: (Process)
>         InitCookie: 05 72 91 ad 88 ba 83 03
>         RspCookie: ec 05 3f ce e9 73 62 e3
>         NextPld: 08 (PA_HASH)
>         MjVer: 01
>         MnVer: 00
>         ExcType: 20
>         ResFlag: 00
>         CommitFlag: 00
>         EncFlag: 01
>         MsgID: e6 f5 3f 61
>         Length: 00 00 01 0c (268)
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
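Added example (not part of the thread above, and not Cisco or Check Point code) showing in stdlib Python why a pre-shared-key mismatch in IKEv1 main mode only surfaces at message 5/6, as Joel describes, and what the unencrypted Informational the Check Point debug shows it building looks like on the wire. Part 1 runs the RFC 2409 keying that both peers do after MM1-MM4 (SKEYID = prf(PSK, Ni|Nr), then SKEYID_d/_a/_e and HASH_I) once with matching keys and once with different ones; the nonces, DH values, SA proposal bytes and ID payload are constructed stand-ins, and the actual 3DES-CBC encryption of MM5 is not performed, only the key it would use is compared. Part 2 parses an ISAKMP header and Notify payload; the 40-byte message it decodes is rebuilt field by field from the Check Point dump in the thread (cookies, next payload 0x0b, exchange type 5, E flag 0, notify type 1).

```python
"""IKEv1 main-mode PSK mismatch: where it breaks and what comes back.
Added example, stdlib only; wire values other than the Check Point notify are constructed."""
import hashlib
import hmac
import struct

# ----- Part 1: RFC 2409 keying with "hash SHA" negotiated, so prf = HMAC-SHA1 -----

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """SKEYID for pre-shared-key auth (RFC 2409 5.4) and SKEYID_d/_a/_e (section 5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I carried (encrypted) in main-mode message 5 (RFC 2409 section 5)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)

def simulate_main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Do the keying both peers do after MM1-MM4 and report what the responder sees.
    MM1-MM4 carry nothing PSK-dependent, so cookies, nonces, DH values and the SA
    proposal agree on both sides whatever each side's PSK is; only SKEYID and
    everything derived from it can diverge. All wire values here are constructed."""
    cky_i, cky_r = bytes.fromhex("bf94afa2a7f3d90c"), bytes.fromhex("e3b86dbc18aaad92")
    ni, nr = b"initiator-nonce-0001", b"responder-nonce-0002"
    g_xi, g_xr, g_xy = b"g^xi-public", b"g^xr-public", b"g^xy-shared-secret"
    sai_b = b"SA-proposal-3des-sha-group2-psk"
    idii_b = b"\x01\x11\x01\xf4" + bytes([10, 0, 0, 1])  # ID_IPV4_ADDR, UDP, 500, 10.0.0.1
    ini = derive_keys(psk_initiator, ni, nr, g_xy, cky_i, cky_r)
    rsp = derive_keys(psk_responder, ni, nr, g_xy, cky_i, cky_r)
    sent = hash_i(ini["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(rsp["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    return {
        # MM5 is the first encrypted message: a different SKEYID_e means the
        # responder decrypts it to garbage and never gets as far as checking HASH_I
        "mm5_decryptable": hmac.compare_digest(ini["SKEYID_e"], rsp["SKEYID_e"]),
        "hash_i_verifies": hmac.compare_digest(sent, expected),
    }

# ----- Part 2: the unencrypted Informational the responder sends instead of MM6 -----

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1, 28 bytes
NOTIFY_PLD = struct.Struct("!BBHIBBH")      # RFC 2408 section 3.14 fixed part, 12 bytes
FLAG_ENCRYPTION = 0x01
EXCHANGE = {2: "Identity Protection (Main Mode)", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {0: "NONE", 1: "SA", 8: "HASH", 11: "NOTIFY"}
NOTIFY = {1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 24: "AUTHENTICATION-FAILED"}

def parse_isakmp(msg: bytes) -> dict:
    """Decode the fixed header and, for an unencrypted message, a leading Notify payload."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    cky_i, cky_r, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(msg)
    out = {
        "init_cookie": cky_i.hex(), "resp_cookie": cky_r.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(exch, f"type {exch}"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": f"{msg_id:08x}",
        "length_ok": length == len(msg),
        "next_payload": PAYLOAD.get(nxt, f"type {nxt}"),
    }
    if not out["encrypted"] and nxt == 11:
        _, _, plen, doi, proto, spi_size, ntype = NOTIFY_PLD.unpack_from(msg, ISAKMP_HDR.size)
        out["notify"] = {"length": plen, "doi": doi, "protocol_id": proto,
                         "spi_size": spi_size, "type": NOTIFY.get(ntype, f"type {ntype}")}
    return out

def checkpoint_notify_message() -> bytes:
    """The 40-byte message rebuilt from the Check Point debug fields quoted in the thread."""
    hdr = ISAKMP_HDR.pack(bytes.fromhex("bf94afa2a7f3d90c"), bytes.fromhex("e3b86dbc18aaad92"),
                          0x0b, 0x10, 0x05, 0x00, 0x0ff4f42e, 40)
    notify = NOTIFY_PLD.pack(0x00, 0x00, 12, 1, 1, 0, 1)
    return hdr + notify

if __name__ == "__main__":
    print(simulate_main_mode(b"correct-psk", b"correct-psk"))
    print(simulate_main_mode(b"correct-psk", b"wrong-psk"))
    print(parse_isakmp(checkpoint_notify_message()))
```

The point the first part makes is the one Joel relies on: nothing sent in MM1 through MM4 depends on the pre-shared key, so the Cisco reaches IKE_I_MM5 either way, and the first thing that can fail is the responder's decryption of MM5. The parser shows why the reply is logged as "not encrypted and it should've been": the responder answers with an Informational exchange (type 5) with the E flag clear, carrying a DOI 1 / protocol 1 notify of type 1, which is exactly what a peer produces when a decrypt with the wrong SKEYID_e yields a garbage next-payload byte.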