 Post subject: IPSEC(epa_des_crypt): decrypted packet failed SA identity
PostPosted: Wed Dec 17, 2008 3:31 pm 

Joined: Wed Dec 17, 2008 3:00 pm
Posts: 6
Hello Forum,

I have a serious problem getting the tunnel working with openl2tp.
IPsec is working with openswan - the connection is stable. The moment I try to start openl2tpd, the following error occurs on the CISCO 876W:

Code:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check


I tried a lot of things to get this working but none of them work. Please help!!!

These are the VPN partners (IPs faked):
Code:
LAN                  CISCO                              OpenSuse Server           LAN
192.168.0.0/24 ---> (217.1.1.1)>>> ----- INTERNET ------<<(87.1.1.1) <--------< 10.1.1.1



CONFIGS:
-----------------

=== CISCO ========
Code:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-3727965874
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3727965874
revocation-check none
rsakeypair TP-self-signed-3727965874
!
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key mykey
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set L2TP-SET
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
bridge irb


==== openswan /etc/ipsec.conf =====
Code:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
               # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24
        protostack=auto  ## uses netkey
        fragicmp=yes    # only for KLIPS - disable PMTU
        #nhelpers=0


# Add connections here

conn L2TPPSKCLIENT
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Perfect Forward Secrecy stays enabled (pfs=yes is the default).
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=yes  # default
        rekey=yes
        keyingtries=3
        keyexchange=ike
        type=transport
        #
        # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        ike=3des-sha1-modp1024
        # Specify type of encryption for IPSEC SA (IPsec Phase 2)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        phase2=esp
        phase2alg=3des-sha1
        #
        # Specify lifetime of ike and key management
        # Note: Should match values on remote end
        ikelifetime=3600s
        salifetime=600s
        #
        # Keep connection alive through DPD (Dead Peer Detection)
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        #
        # Try XAUTH authentication
        #leftxauthclient=yes
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=your.ip.addr.ess
        #left=87.1.1.1
        left=%defaultroute
        leftid=%myid
        leftprotoport=17/1701
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=217.1.1.1
        #rightid=217.1.1.1
        #rightsubnet=192.168.0.0/24  # Caused fail of phase 2 : NO_PROPOSAL_CHOSEN
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add


===== /etc/openl2tpd.conf =====
Code:
# system
# peer profiles
# tunnel profiles
# session profiles
# ppp profiles
ppp profile modify profile_name=default \
        default_route=no \
        auth_pap=no \
        auth_mschapv1=no \
        auth_mschapv2=yes \
        auth_eap=no
# locally created tunnels and sessions
        #auth_mode=none \
        #trace_flags=1 \
        #mtu=1496 \
tunnel create tunnel_name=L2TP_IPSec dest_ipaddr=217.1.1.1 \
        auth_mode=none \
        trace_flags=1 \
        persist=yes

session create tunnel_name=L2TP_IPSec \
        user_name=UserName \
        user_password=myPassword

======== end openl2tpd.conf ======

Starting openl2tpd gives:
Code:
# openl2tpd -D -f
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.6, (c) Copyright 2004,2005,2006,2007,2008 Katalix Systems Ltd.
Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 29399: allocated context using profile 'default'
PROTO: tunl 29399: sending SCCRQ
PROTO: tunl 29399/30062: waiting for tunnel up


A tcpdump at the same time echoes:
Code:
# tcpdump -v -n |grep -i esp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:15:30.395164 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x7), length 188
15:15:32.898749 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x8), length 188
15:15:34.148717 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x9), length 188
15:15:35.398692 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0xa), length 188


IPsec says:
Code:
# rcipsec restart;sleep 5;ipsec auto --verbose --up L2TPPSKCLIENT
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.5-askmodified...
002 "L2TPPSKCLIENT" #1: initiating Main Mode
104 "L2TPPSKCLIENT" #1: STATE_MAIN_I1: initiate
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "L2TPPSKCLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Cisco-Unity]
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Dead Peer Detection]
003 "L2TPPSKCLIENT" #1: ignoring unknown Vendor ID payload [4d20822d7abe245b622aa554db9eda55]
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [XAUTH]
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "L2TPPSKCLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "L2TPPSKCLIENT" #1: Main mode peer ID is ID_IPV4_ADDR: '217.1.1.1'
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "L2TPPSKCLIENT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "L2TPPSKCLIENT" #1: Dead Peer Detection (RFC 3706): enabled
002 "L2TPPSKCLIENT" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEv2ALLOW {using isakmp#1msgid:25d04cdf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
117 "L2TPPSKCLIENT" #2: STATE_QUICK_I1: initiate
003 "L2TPPSKCLIENT" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=25d04cdf
002 "L2TPPSKCLIENT" #2: Dead Peer Detection (RFC 3706): enabled
002 "L2TPPSKCLIENT" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "L2TPPSKCLIENT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xfdb633f2 <0x2cf7f540 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}



I don't know what to do anymore.

Additional information:
- CISCO answers no ICMP requests (pings)
- Several XP clients can connect successfully (Vista not, b.t.w. :) )

Any ideas??

Regards Markus


 Post subject: Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity
PostPosted: Thu Dec 18, 2008 10:37 am 

Joined: Wed Dec 17, 2008 3:00 pm
Posts: 6
OK, I found out that it is not a problem of L2TP, because when I don't start the ipsec daemon I get the following:

Code:
openl2tpd -D -f
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.6, (c) Copyright 2004,2005,2006,2007,2008 Katalix Systems Ltd.
Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 32787: allocated context using profile 'default'
PROTO: tunl 32787: sending SCCRQ
PROTO: tunl 32787/35840: waiting for tunnel up
PROTO: tunl 32787: SCCRP received from peer 5158
PROTO: tunl 32787: sending SCCCN to peer 5158
PROTO: tunl 32787/35840: sending ICRQ to peer 5158/0
PROTO: tunl 32787/35840: ICRP received from peer 5158
PROTO: tunl 32787/35840: sending ICCN to peer 5158/89
pppd: /usr/lib/pppd/2.4.4/pppol2tp.so: cannot open shared object file: No such file or directory
pppd: Couldn't load plugin pppol2tp.so
PROTO: tunl 32787/35840: sending CDN to peer 5158/89


That means I have a different problem with openl2tpd now... I set up another post.

Thanks!


 Post subject: Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity
PostPosted: Mon Jan 19, 2009 11:32 am 

Joined: Wed Dec 17, 2008 3:00 pm
Posts: 6
Solved !!! :D

So I wasn't right with my last statement. It obviously was the openl2tpd, because of a missing parameter.

And here is the request !!! Please update the online documentation for l2tpconfig!!

I found out that the CISCO sends packets for openl2tp not to port 1701, but ipsec expected them on this port (I used "debug ip packet detail" on the CISCO). I had to force openl2tpd to use 1701 as the send port.

I tried to use "udp_port" as described on openl2tp.org, but the next startup fails, because the daemon doesn't know about such a parameter. In a forum post I found a parameter named "our_udp_port" and this one functioned correctly.

Now CISCO and OpenL2TP communicate on port 1701 and the IPsec error disappeared!

Regards Markus
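The check behind the Cisco message, as an added model that is not code from this thread, OpenL2TP, Openswan or Cisco: after ESP decryption the inner packet is compared with the transport-mode selectors negotiated for the SA (17/1701 on both ends in the config above), so an L2TP control packet sourced from an ephemeral UDP port fails while one sourced from 1701, which our_udp_port=1701 forces, passes. The ephemeral port 49152 is constructed; the %any wildcard form of the selector is also parsed to show the alternative of widening the peer's port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    proto: int
    port: int  # 0 means any port (Openswan spells that %any)

def parse_protoport(spec: str) -> Selector:
    """Parse an Openswan leftprotoport/rightprotoport value such as '17/1701'."""
    proto, _, port = spec.partition("/")
    return Selector(int(proto), 0 if port in ("", "%any") else int(port))

@dataclass(frozen=True)
class TransportSa:
    local: Selector   # selector of the side that owns this SA (here: the Cisco)
    remote: Selector  # selector of the peer (here: the Linux client)

@dataclass(frozen=True)
class InnerPacket:
    proto: int
    src_port: int
    dst_port: int

def sa_identity_check(sa: TransportSa, pkt: InnerPacket) -> bool:
    """Inbound check after decryption: the inner packet must match the SA's
    selectors (source side against remote, destination side against local)."""
    if pkt.proto != sa.remote.proto or pkt.proto != sa.local.proto:
        return False
    if sa.remote.port and pkt.src_port != sa.remote.port:
        return False
    if sa.local.port and pkt.dst_port != sa.local.port:
        return False
    return True

# Constructed: the SA the Cisco negotiated from the posted ipsec.conf
# (leftprotoport=17/1701, rightprotoport=17/1701).
CISCO_SA = TransportSa(local=parse_protoport("17/1701"),
                       remote=parse_protoport("17/1701"))

def sccrq_accepted(client_udp_port: int, sa: TransportSa = CISCO_SA) -> bool:
    """Does the Cisco keep a decrypted SCCRQ the client sent from client_udp_port?"""
    return sa_identity_check(sa, InnerPacket(17, client_udp_port, 1701))

if __name__ == "__main__":
    # 49152 stands in for an ephemeral port; 1701 is what our_udp_port=1701 forces.
    for port in (49152, 1701):
        verdict = "accepted" if sccrq_accepted(port) else "failed SA identity check"
        print(f"client source port {port}: {verdict}")
```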


 Post subject: Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity
PostPosted: Fri Feb 06, 2009 11:38 pm 
Site Admin

Joined: Sun Jul 27, 2008 1:39 pm
Posts: 122
askask1 wrote:
Solved !!! :D

So I wasn't right with my last statement. It obviously was the openl2tpd, because of a missing parameter.

And here is the request !!! Please update the online documentation for l2tpconfig!!

I found out that the CISCO sends packets for openl2tp not to port 1701, but ipsec expected them on this port (I used "debug ip packet detail" on the CISCO). I had to force openl2tpd to use 1701 as the send port.

I tried to use "udp_port" as described on openl2tp.org, but the next startup fails, because the daemon doesn't know about such a parameter. In a forum post I found a parameter named "our_udp_port" and this one functioned correctly.

Now CISCO and OpenL2TP communicate on port 1701 and the IPsec error disappeared!

The documentation should say our_udp_port, not udp_port. Thanks for pointing out this error.

It's quite funny that Cisco can't handle ephemeral ports when doing IPSec. :) I'll add something in the docs to warn of this. Thanks!

