openl2tp.org
http://forums.openl2tp.org/

IPSEC(epa_des_crypt): decrypted packet failed SA identity
http://forums.openl2tp.org/viewtopic.php?f=3&t=9

Author:  askask1 [ Wed Dec 17, 2008 3:31 pm ]
Post subject:  IPSEC(epa_des_crypt): decrypted packet failed SA identity

Hello Forum,

I have a serious problem with openl2tp to get the tunnel working.
IPsec is working with openswan - the connection is stable. The moment I start openl2tpd, the following error occurs on the CISCO 876W:

Code:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check


I tried a lot of things to get this working but none of them work. Please help !!!

These are the VPN partners (IPs faked):
Code:
LAN                  CISCO                              OpenSuse Server           LAN
192.168.0.0/24 ---> (217.1.1.1)>>> ----- INTERNET ------<<(87.1.1.1) <--------< 10.1.1.1



CONFIGS:
-----------------

=== CISCO ========
Code:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-3727965874
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3727965874
revocation-check none
rsakeypair TP-self-signed-3727965874
!
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key mykey
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set L2TP-SET
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
bridge irb


==== openswan /etc/ipsec.conf =====
Code:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
               # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24
        protostack=auto  ## uses netkey
        fragicmp=yes    # only for KLIPS - disable PMTU
        #nhelpers=0


# Add connections here

conn L2TPPSKCLIENT
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=yes  # default
        rekey=yes
        keyingtries=3
        keyexchange=ike
        type=transport
        #
        # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        ike=3des-sha1-modp1024
        # Specify type of encryption for IPSEC SA (IPsec Phase 2)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        phase2=esp
        phase2alg=3des-sha1
        #
        # Specify lifetime of ike and key management
        # Note: Should match values on remote end
        ikelifetime=3600s
        salifetime=600s
        #
        # Keep connection alive through DPD (Dead Peer Detection)
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        #
        # Try XAUTH authentication
        #leftxauthclient=yes
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=your.ip.addr.ess
        #left=87.1.1.1
        left=%defaultroute
        leftid=%myid
        leftprotoport=17/1701
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=217.1.1.1
        #rightid=217.1.1.1
        #rightsubnet=192.168.0.0/24  # Caused fail of phase 2 : NO_PROPOSAL_CHOSEN
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add


===== /etc/openl2tpd.conf =====
Code:
# system
# peer profiles
# tunnel profiles
# session profiles
# ppp profiles
ppp profile modify profile_name=default \
        default_route=no \
        auth_pap=no \
        auth_mschapv1=no \
        auth_mschapv2=yes \
        auth_eap=no

# locally created tunnels and sessions
#       auth_mode=none \
#       trace_flags=1 \
#       mtu=1496 \
tunnel create tunnel_name=L2TP_IPSec dest_ipaddr=217.1.1.1 \
        auth_mode=none \
        trace_flags=1 \
        persist=yes

session create tunnel_name=L2TP_IPSec \
        user_name=UserName \
        user_password=myPassword

======== end openl2tpd.conf ======

Start of openl2tpd gives :
Code:
# openl2tpd -D -f
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.6, (c) Copyright 2004,2005,2006,2007,2008 Katalix Systems Ltd.
Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 29399: allocated context using profile 'default'
PROTO: tunl 29399: sending SCCRQ
PROTO: tunl 29399/30062: waiting for tunnel up


A tcpdump at the same time echoes:
Code:
# tcpdump -v -n |grep -i esp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
82:15:15:30.395164 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x7), length 188
99:15:15:32.898749 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x8), length 188
108:15:15:34.148717 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0x9), length 188
115:15:15:35.398692 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 208) 87.1.1.1 > 217.1.1.1: ESP(spi=0xfdb633f2,seq=0xa), length 188


IPsec says:
Code:
# rcipsec restart;sleep 5;ipsec auto --verbose --up L2TPPSKCLIENT
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.5-askmodified...
002 "L2TPPSKCLIENT" #1: initiating Main Mode
104 "L2TPPSKCLIENT" #1: STATE_MAIN_I1: initiate
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "L2TPPSKCLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Cisco-Unity]
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Dead Peer Detection]
003 "L2TPPSKCLIENT" #1: ignoring unknown Vendor ID payload [4d20822d7abe245b622aa554db9eda55]
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [XAUTH]
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "L2TPPSKCLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "L2TPPSKCLIENT" #1: Main mode peer ID is ID_IPV4_ADDR: '217.1.1.1'
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "L2TPPSKCLIENT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "L2TPPSKCLIENT" #1: Dead Peer Detection (RFC 3706): enabled
002 "L2TPPSKCLIENT" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEv2ALLOW {using isakmp#1msgid:25d04cdf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
117 "L2TPPSKCLIENT" #2: STATE_QUICK_I1: initiate
003 "L2TPPSKCLIENT" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=25d04cdf
002 "L2TPPSKCLIENT" #2: Dead Peer Detection (RFC 3706): enabled
002 "L2TPPSKCLIENT" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "L2TPPSKCLIENT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xfdb633f2 <0x2cf7f540 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}



I don't know what to do anymore.

Additional information:
- CISCO answers no ICMP requests (pings)
- Several XP-Clients can connect successfully (VISTA not b.t.w :) )

Any ideas??

Regards Markus

Author:  askask1 [ Thu Dec 18, 2008 10:37 am ]
Post subject:  Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity

OK, I found out that it is not a problem of L2TP, because when I don't start the ipsec daemon I get the following:

Code:
openl2tpd -D -f
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.6, (c) Copyright 2004,2005,2006,2007,2008 Katalix Systems Ltd.
Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 32787: allocated context using profile 'default'
PROTO: tunl 32787: sending SCCRQ
PROTO: tunl 32787/35840: waiting for tunnel up
PROTO: tunl 32787: SCCRP received from peer 5158
PROTO: tunl 32787: sending SCCCN to peer 5158
PROTO: tunl 32787/35840: sending ICRQ to peer 5158/0
PROTO: tunl 32787/35840: ICRP received from peer 5158
PROTO: tunl 32787/35840: sending ICCN to peer 5158/89
pppd: /usr/lib/pppd/2.4.4/pppol2tp.so: cannot open shared object file: No such file or directory
pppd: Couldn't load plugin pppol2tp.so
PROTO: tunl 32787/35840: sending CDN to peer 5158/89


This means that I have a different problem with openl2tpd now... I set up another post.

Thanks!

Author:  askask1 [ Mon Jan 19, 2009 11:32 am ]
Post subject:  Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity

Solved !!! :D

So I wasn't right with my last statement. It obviously was the openl2tpd, because of a missing parameter.

And here is the request !!! Please update the online documentation for l2tpconfig!!

I found out that the CISCO sends packets for openl2tp not to port 1701, but ipsec expected them on this port (I used "debug ip packet detail" on the CISCO). I had to force openl2tpd to use 1701 as send-port.

I tried to use "udp_port" as described on openl2tp.org, but the next startup fails, because the daemon doesn't know about such a parameter. In a forum post I found a parameter named "our_udp_port" and this one functioned correctly.

Now CISCO and OpenL2TP communicate on port 1701 and the IPSEC error disappeared!

Regards Markus
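To make the failure mode above concrete, here is an added example (not from the forum post or the OpenL2TP project) that models the inbound selector check an IPsec stack performs on a decrypted transport-mode packet, using the thread's faked addresses and the leftprotoport/rightprotoport values of 17/1701. The function names, the ephemeral port 41234 and the constructed scenario are assumptions for illustration.

```python
"""Added example, not code from the thread or from OpenL2TP. It models why an
SA negotiated with protoport 17/1701 on both sides rejects a reply the Cisco
sends back to an ephemeral openl2tpd source port, and accepts it once
openl2tpd sends from port 1701 (our_udp_port=1701)."""
from dataclasses import dataclass

UDP = 17


@dataclass(frozen=True)
class Selector:
    """One side of a transport-mode SA: address plus protoport ('17/1701')."""
    addr: str
    proto: int
    port: int  # 0 means any port (openswan '17/%any')


def parse_protoport(spec: str) -> tuple[int, int]:
    """Parse an openswan protoport value such as '17/1701' or '17/%any'."""
    proto, _, port = spec.partition("/")
    return int(proto), (0 if port in ("", "%any") else int(port))


def make_sa(local: str, left_pp: str, remote: str, right_pp: str):
    """Build inbound SA selectors (remote -> local) from ipsec.conf values."""
    lp, lport = parse_protoport(left_pp)
    rp, rport = parse_protoport(right_pp)
    return Selector(remote, rp, rport), Selector(local, lp, lport)


def sa_identity_check(sa, src, sport, dst, dport, proto=UDP) -> bool:
    """True if the decrypted inner packet matches the SA's selectors.

    This is the check behind 'decrypted packet failed SA identity check':
    addresses, protocol and (when restricted) ports must all match."""
    remote, local = sa
    ports_ok = remote.port in (0, sport) and local.port in (0, dport)
    return (src == remote.addr and dst == local.addr
            and proto == remote.proto == local.proto and ports_ok)


# Constructed scenario from the thread: OpenSuse 87.1.1.1, Cisco 217.1.1.1.
SA = make_sa("87.1.1.1", "17/1701", "217.1.1.1", "17/1701")


def cisco_reply_ok(openl2tpd_src_port: int) -> bool:
    """Does the Cisco's L2TP reply to openl2tpd's source port pass the check?"""
    return sa_identity_check(SA, "217.1.1.1", 1701, "87.1.1.1", openl2tpd_src_port)


if __name__ == "__main__":
    print("ephemeral source port:", cisco_reply_ok(41234))  # False -> dropped
    print("our_udp_port=1701   :", cisco_reply_ok(1701))  # True
```

Relaxing the local side to 17/%any would also make the ephemeral-port reply match, which is the trade-off against pinning openl2tpd to port 1701.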

Author:  jchapman [ Fri Feb 06, 2009 11:38 pm ]
Post subject:  Re: IPSEC(epa_des_crypt): decrypted packet failed SA identity

askask1 wrote:
Solved !!! :D

So I wasn't right with my last statement. It obviously was the openl2tpd, because of a missing parameter.

And here is the request !!! Please update the online documentation for l2tpconfig!!

I found out that the CISCO sends packets for openl2tp not to port 1701, but ipsec expected them on this port (I used "debug ip packet detail" on the CISCO). I had to force openl2tpd to use 1701 as send-port.

I tried to use "udp_port" as described on openl2tp.org, but the next startup fails, because the daemon doesn't know about such a parameter. In a forum post I found a parameter named "our_udp_port" and this one functioned correctly.

Now CISCO and OpenL2TP communicate on port 1701 and the IPSEC error disappeared!

The documentation should say our_udp_port, not udp_port. Thanks for pointing out this error.

It's quite funny that Cisco can't handle ephemeral ports when doing IPSec. :) I'll add something in the docs to warn of this. Thanks!
