[VPN] vpn between SSH Sentinel and Cisco 2600

Dragan Mickovic dmickovic at verio.net
Sun Apr 27 12:13:04 EDT 2003


I'm trying to set up a VPN between a unit with SSH Sentinel and a Cisco 2600, but for
some reason SSH Sentinel doesn't send the XAUTH information (username/password).
I've made sure it is correctly checked and has the correct info entered (user/pass),
but I still get the following:

---------------------------------------------------------
2d20h: ISAKMP (0:0): received packet from <my ip> (N) NEW SA
2d20h: ISAKMP: local port 500, remote port 500
2d20h: ISAKMP (0:1): Setting client config settings 8273CF74
2d20h: ISAKMP (0:1): (Re)Setting client xauth list userlogin and state
2d20h: ISAKMP: Created a peer node for <my ip>
2d20h: ISAKMP: Locking struct 8273CF74 from crypto_ikmp_config_initialize_sa
2d20h: ISAKMP (0:1): processing SA payload. message ID = 0
2d20h: ISAKMP (0:1): found peer pre-shared key matching 
2d20h: ISAKMP (0:1): Checking ISAKMP transform 0 against priority 1 policy
2d20h: ISAKMP:      encryption DES-CBC
2d20h: ISAKMP:      hash MD5
2d20h: ISAKMP:      auth pre-share
2d20h: ISAKMP:      default group 2
2d20h: ISAKMP:      life type in seconds
2d20h: ISAKMP:      life duration (basic) of 14400
2d20h: ISAKMP (0:1): atts are acceptable. Next payload is 0
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): processing vendor id payload
2d20h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): processing KE payload. message ID = 0
2d20h: ISAKMP (0:1): processing NONCE payload. message ID = 0
2d20h: ISAKMP (0:1): found peer pre-shared key matching <my ip>
2d20h: ISAKMP (0:1): SKEYID state generated
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): processing ID payload. message ID = 0
2d20h: ISAKMP (0:1): processing HASH payload. message ID = 0
2d20h: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 8273C00C
2d20h: ISAKMP (0:1): SA has been authenticated with <my ip>
2d20h: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
2d20h: ISAKMP (1): Total payload length: 12
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) CONF_XAUTH   
2d20h: ISAKMP (0:1): received packet from <my ip> (R) CONF_XAUTH   
2d20h: ISAKMP (0:1): (Re)Setting client xauth list userlogin and state
2d20h: ISAKMP (0:1): Need XAUTH
2d20h: ISAKMP: got callback 1
2d20h: ISAKMP (0:1): initiating peer config to <my ip>. ID = -1240066450
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) CONF_XAUTH   
2d20h: ISAKMP (0:1): received packet from <my ip> (R) CONF_XAUTH   
2d20h: ISAKMP (0:1): processing transaction payload from <my ip>. message ID = -1240066450
2d20h: ISAKMP: configuration header expected in config message
2d20h: ISAKMP (0:1): deleting node -1240066450 error FALSE reason ""
2d20h: ISAKMP (0:1): peer does not do paranoid keepalives.

2d20h: ISAKMP (0:1): deleting SA reason "Needed xauth" state (R) CONF_XAUTH    (peer <my ip>) input queue 0
2d20h: ISAKMP: Unlocking struct 8273CF74 on return of attributes
2d20h: ISAKMP (0:1): deleting node 938348426 error TRUE reason "Needed xauth"
2d20h: ISAKMP (0:1): peer does not do paranoid keepalives.

2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_NO_STATE
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_NO_STATE
----------------------------------------------------------------

and here is the router config:

----------------------------------------------------------------
aaa new-model
aaa authentication login userlogin group tacacs+
aaa authorization network grouplogin group tacacs+ 
!
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local REMOTE
!
!
crypto ipsec transform-set ONE esp-des esp-md5-hmac 
!
crypto dynamic-map MAP 10
 set transform-set ONE 
!
!
crypto map INTMAP client authentication list userlogin
crypto map INTMAP isakmp authorization list grouplogin
crypto map INTMAP client configuration address initiate
crypto map INTMAP client configuration address respond
crypto map INTMAP 1 ipsec-isakmp dynamic MAP discover
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.255
!         
interface Ethernet0/0
 ip address <public ip> 255.255.255.0
 ip nat outside
 half-duplex
 crypto map INTMAP
!         
interface Serial0/0
 no ip address
 shutdown 
!         
interface Ethernet0/1
 ip address 192.168.1.101 255.255.255.0
 ip nat inside
 half-duplex
!         
interface Serial0/1
 no ip address
 shutdown 
!         
ip local pool REMOTE 192.168.2.50 192.168.2.100
ip nat inside source list 20 interface Ethernet0/0 overload


-------------------------------------

Is it something with the router config or the SSH Sentinel settings?

thanks
dragan

-- 
Dragan Mickovic
UNIX Systems Administrator
NTT/Verio    x.4012
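As an added example (not part of the post above, and not Cisco's or SSH Sentinel's code), here is a small parser for the kind of `debug crypto isakmp` output quoted in the post. It walks the negotiation states, records whether main mode authenticated, whether the router asked for XAUTH, which CONF_XAUTH replies came back from the peer, and the reason and state in which the SA was torn down. The sample input is the post's own debug output reduced to the lines the parser keys on; the `diagnose` wording is my reading of those lines, not text from IOS.

```python
import re

# Lines taken from the "debug crypto isakmp" output quoted in the post above,
# trimmed to the ones the parser keys on (packet/state lines, XAUTH lines, errors).
DEBUG_LINES = """\
2d20h: ISAKMP (0:0): received packet from <my ip> (N) NEW SA
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_SA_SETUP
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_KEY_EXCH
2d20h: ISAKMP (0:1): SA has been authenticated with <my ip>
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) CONF_XAUTH
2d20h: ISAKMP (0:1): received packet from <my ip> (R) CONF_XAUTH
2d20h: ISAKMP (0:1): Need XAUTH
2d20h: ISAKMP (0:1): initiating peer config to <my ip>. ID = -1240066450
2d20h: ISAKMP (0:1): sending packet to <my ip> (R) CONF_XAUTH
2d20h: ISAKMP (0:1): received packet from <my ip> (R) CONF_XAUTH
2d20h: ISAKMP (0:1): processing transaction payload from <my ip>. message ID = -1240066450
2d20h: ISAKMP: configuration header expected in config message
2d20h: ISAKMP (0:1): deleting node -1240066450 error FALSE reason ""
2d20h: ISAKMP (0:1): deleting SA reason "Needed xauth" state (R) CONF_XAUTH    (peer <my ip>) input queue 0
2d20h: ISAKMP (0:1): deleting node 938348426 error TRUE reason "Needed xauth"
2d20h: ISAKMP (0:1): received packet from <my ip> (R) MM_NO_STATE
""".splitlines()

# "(I)" / "(R)" marks initiator/responder role, followed by the IKE state name.
STATE_RE = re.compile(r'\((?P<role>[IR])\) (?P<state>[A-Z_]+)')
# The teardown line carries both the reason and the state the SA was in.
DELETE_SA_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]*)" state \((?P<role>[IR])\) (?P<state>[A-Z_]+)')
# Node deletions with error TRUE are worth surfacing; error FALSE ones are routine.
NODE_ERR_RE = re.compile(r'deleting node -?\d+ error TRUE reason "(?P<reason>[^"]*)"')


def parse_isakmp_debug(lines):
    """Summarise one IKE exchange from IOS isakmp debug lines."""
    summary = {
        "states": [],             # distinct negotiation states, in order of first appearance
        "authenticated": False,   # phase 1 (main mode) completed
        "xauth_requested": False, # router decided it needs XAUTH credentials
        "config_replies": 0,      # CONF_XAUTH packets received from the peer
        "errors": [],             # diagnostic lines a troubleshooter should read first
        "sa_delete_reason": None,
        "sa_delete_state": None,
    }
    for raw in lines:
        line = raw.rstrip()
        if "ISAKMP" not in line:
            continue
        m = DELETE_SA_RE.search(line)
        if m:
            summary["sa_delete_reason"] = m.group("reason")
            summary["sa_delete_state"] = m.group("state")
            continue
        if "SA has been authenticated" in line:
            summary["authenticated"] = True
        elif "Need XAUTH" in line:
            summary["xauth_requested"] = True
        elif "received packet" in line and "CONF_XAUTH" in line:
            summary["config_replies"] += 1
        if "configuration header expected" in line or NODE_ERR_RE.search(line):
            # Drop the uptime stamp, keep the ISAKMP message itself.
            summary["errors"].append(line.split(": ", 1)[1])
        m = STATE_RE.search(line)
        if m and m.group("state") not in summary["states"]:
            summary["states"].append(m.group("state"))
    return summary


def diagnose(summary):
    """Turn the summary into a one-line verdict (my wording, not IOS text)."""
    if not summary["authenticated"]:
        return "phase 1 did not complete: check the ISAKMP policy and pre-shared key"
    if summary["sa_delete_reason"] == "Needed xauth":
        if summary["config_replies"] and any(
                "configuration header expected" in e for e in summary["errors"]):
            return ("phase 1 authenticated; router requested XAUTH but the peer's "
                    "CONF_XAUTH reply carried no configuration attributes, so the SA "
                    "was deleted in state %s" % summary["sa_delete_state"])
        return ("phase 1 authenticated; XAUTH never completed (SA deleted in state %s)"
                % summary["sa_delete_state"])
    if summary["sa_delete_reason"]:
        return "SA deleted: %s" % summary["sa_delete_reason"]
    return "no failure recorded in this excerpt"


if __name__ == "__main__":
    s = parse_isakmp_debug(DEBUG_LINES)
    for key, value in s.items():
        print("%-18s %s" % (key + ":", value))
    print(diagnose(s))
```

Run against the post's log, the summary shows main mode reaching `SA has been authenticated`, two CONF_XAUTH packets arriving from the peer, and the SA dropped in state CONF_XAUTH with reason "Needed xauth" right after `configuration header expected in config message`. That ordering points at the client's reply to the router's XAUTH request rather than at phase 1 or the pre-shared key. The same pass over the log is also where a practitioner would note the negotiated parameters the router printed (DES-CBC, MD5, group 2) and the wildcard `0.0.0.0 0.0.0.0` pre-shared key in the config, which any peer that knows the key can match.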
