Mailing List Archive: vpnc: devel

lifetime problem



karen.durinyan at gmail

Feb 27, 2009, 1:13 AM

Post #1 of 2 (1303 views)
lifetime problem

Hello,

Sorry if this question is repeated; I was not able to find an answer to this
problem.

vpnc is connecting without any problem to Cisco IOS EzVPN. After the 1st IPSec
SA lifetime expiration (in this example I set it to 120 sec to debug quickly,
but it is the same for any lifetime value) vpnc is not able to renegotiate the
next SA and it is disconnected without calling the procedures to clean up
resolv.conf etc... At the same time the Cisco VPN client works fine with the
same VPN server. After editing resolv.conf manually (restoring the resolver to
be able to resolve the peer address) and rerunning vpnc, it connects again
without problem and works fine too, but only during the next lifetime period
(in this example 120 sec). I am running Fedora 10 x86_64 Linux on a dual-core
Intel CPU.
If needed, I can provide more details about the HW/SW/CONFIG
of both the Linux and Cisco boxes. Thanks!

--
Bests,
Karen

======== debug ================
[root [at] k1 ~]# vpnc test --no-detach

vpnc version 0.5.3

S1 init_sockaddr
[2009-02-21 09:43:29]

S2 make_socket
[2009-02-21 09:43:29]

S3 setup_tunnel
[2009-02-21 09:43:29]
using interface tun0

S4 do_phase1_am
[2009-02-21 09:43:29]

S4.1 create_nonce
[2009-02-21 09:43:29]

S4.2 dh setup
[2009-02-21 09:43:29]

S4.3 AM packet_1
[2009-02-21 09:43:29]

S4.4 AM_packet2
[2009-02-21 09:43:30]
(Cisco Unity)
(DPD)
(unknown)
(Xauth)
(Nat-T RFC)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-3des-sha1
ignoring that peer is DPD capable (RFC3706)
peer is NAT-T capable (RFC 3947)
peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads
peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads

S4.5 AM_packet3
[2009-02-21 09:43:30]
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
NAT-T mode, adding non-esp marker

S4.6 cleanup
[2009-02-21 09:43:31]

S5 do_phase2_xauth
[2009-02-21 09:43:31]

S5.1 xauth_start
[2009-02-21 09:43:31]

S5.2 notice_check
[2009-02-21 09:43:31]
got ike lifetime attributes: 86400 seconds

S5.3 type-is-xauth check
[2009-02-21 09:43:31]

S5.4 xauth type check
[2009-02-21 09:43:31]

S5.5 do xauth authentication
[2009-02-21 09:43:31]
NAT-T mode, adding non-esp marker

S5.2 notice_check
[2009-02-21 09:43:32]

S5.3 type-is-xauth check
[2009-02-21 09:43:32]

S5.6 process xauth response
[2009-02-21 09:43:32]
NAT-T mode, adding non-esp marker

S5.7 xauth done
[2009-02-21 09:43:32]

S6 do_phase2_config
[2009-02-21 09:43:32]

S6.1 phase2_config send modecfg
[2009-02-21 09:43:32]
NAT-T mode, adding non-esp marker

S6.2 phase2_config receive modecfg
[2009-02-21 09:43:33]
got save password setting: 0
got 4 acls for split include
acl 0: addr: 10.0.0.0/ 255.0.0.0 (8), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.168.0.0/ 255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 2: addr: 192.168.23.0/ 255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 3: addr: 192.168.20.11/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
Remote Application Version: Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 20:11 by prod_rel_team
got address 10.0.14.244

S7 setup_link (phase 2 + main_loop)
[2009-02-21 09:43:33]

S7.0 run interface setup script
[2009-02-21 09:43:33]

S7.1 QM_packet1
[2009-02-21 09:43:33]

S7.2 QM_packet2 send_receive
[2009-02-21 09:43:33]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2009-02-21 09:43:34]

S7.5 QM_packet2 check reject offer
[2009-02-21 09:43:34]

S7.6 QM_packet2 check and process proposal
[2009-02-21 09:43:34]
got ipsec lifetime attributes: 2147483 seconds
IPSEC SA selected 3des-sha1
got ipsec lifetime attributes: 120 seconds
got ipsec lifetime attributes: 4608000 kilobyte
NAT-T mode, adding non-esp marker

S7.7 QM_packet3 sent
[2009-02-21 09:43:34]

S7.8 setup ipsec tunnel
[2009-02-21 09:43:34]

S7.9 main loop (receive and transmit ipsec packets)
[2009-02-21 09:43:34]
remote -> local spi: 0x3a84f1a0
local -> remote spi: 0x4d756e7e
VPNC started in foreground...
lifetime status: 10 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 20 of 120 seconds used, 0|0 of 4608000 kbytes used
...
...
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
got late ike paket: 172 bytes
got ipsec lifetime attributes: 120 seconds
got ipsec lifetime attributes: 4608000 kilobyte
got ipsec lifetime attributes: 4608000 kilobyte
NAT-T mode, adding non-esp marker
lifetime status: 1 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 2 of 120 seconds used, 0|0 of 4608000 kbytes used
...
...
lifetime status: 32 of 120 seconds used, 0|2 of 4608000 kbytes used
lifetime status: 33 of 120 seconds used, 0|2 of 4608000 kbytes used
lifetime status: 34 of 120 seconds used, 0|2 of 4608000 kbytes used
got late ike paket: 76 bytes

S7.1 QM_packet1
[2009-02-21 09:45:34]

S7.2 QM_packet2 send_receive
[2009-02-21 09:45:34]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2009-02-21 09:45:34]
payload too short or not padded: len=112, min=28 (ivlen=8)
got paket with wrong cookies

S7.5 QM_packet2 check reject offer
[2009-02-21 09:45:34]


---!!!!!!!!! entering phase2_fatal !!!!!!!!!---


NAT-T mode, adding non-esp marker
NAT-T mode, adding non-esp marker
vpnc: quick mode response rejected: (ISAKMP_N_INVALID_COOKIE)(4)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, expect on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator

[root [at] k1 ~]#

======== end debug ================

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
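The trace above can be read mechanically. The following Python is added here as an example; it is not part of vpnc and not code from the poster. It parses the stage/timestamp pairs, the `lifetime status`, `got late ike paket`, `entering phase2_fatal` and `quick mode response rejected` lines of a vpnc 0.5.3 debug trace and reports how far each SA's lifetime counter got before it was reset, the interval between the tunnel entering its main loop (S7.9) and the next locally started quick mode exchange (S7.1), and which notify ended the session. `SAMPLE_LOG` is a constructed excerpt condensed from the trace in this post; the function and field names are this example's own.

```python
"""Summarise IPsec SA lifetime and rekey events from a vpnc 0.5.3 --debug trace."""
import re
from datetime import datetime

# Constructed excerpt, condensed from the trace posted above (repeated lines dropped).
SAMPLE_LOG = """\
S7.6 QM_packet2 check and process proposal
[2009-02-21 09:43:34]
got ipsec lifetime attributes: 2147483 seconds
IPSEC SA selected 3des-sha1
got ipsec lifetime attributes: 120 seconds
got ipsec lifetime attributes: 4608000 kilobyte

S7.9 main loop (receive and transmit ipsec packets)
[2009-02-21 09:43:34]
remote -> local spi: 0x3a84f1a0
local -> remote spi: 0x4d756e7e
lifetime status: 10 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
got late ike paket: 172 bytes
got ipsec lifetime attributes: 120 seconds
lifetime status: 1 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 34 of 120 seconds used, 0|2 of 4608000 kbytes used
got late ike paket: 76 bytes

S7.1 QM_packet1
[2009-02-21 09:45:34]

S7.3 QM_packet2 validate type
[2009-02-21 09:45:34]
payload too short or not padded: len=112, min=28 (ivlen=8)
got paket with wrong cookies

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---

vpnc: quick mode response rejected: (ISAKMP_N_INVALID_COOKIE)(4)
"""

STAGE_RE = re.compile(r"^(S\d+(?:\.\d+)?) (.+)$")          # e.g. "S7.9 main loop ..."
STAMP_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]$")
LIFETIME_RE = re.compile(r"^lifetime status: (\d+) of (\d+) seconds used")
LATE_IKE_RE = re.compile(r"^got late ike paket: (\d+) bytes$")
REJECT_RE = re.compile(r"quick mode response rejected: \((\w+)\)")


def analyse(log):
    """Walk the trace once and collect lifetime counters, late IKE packets,
    timestamped stage events and the fatal notify, if any."""
    summary = {"negotiated_seconds": None, "sa_runs": [], "late_ike_bytes": [],
               "events": [], "fatal": False, "reject_reason": None}
    last_used = None
    pending_stage = None
    for line in log.splitlines():
        m = STAGE_RE.match(line)
        if m:
            pending_stage = m.group(1)      # timestamp follows on the next line
            continue
        m = STAMP_RE.match(line)
        if m:
            if pending_stage:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                summary["events"].append((pending_stage, ts))
                pending_stage = None
            continue
        m = LIFETIME_RE.match(line)
        if m:
            used, total = int(m.group(1)), int(m.group(2))
            summary["negotiated_seconds"] = total
            if last_used is not None and used < last_used:
                summary["sa_runs"].append(last_used)   # counter went backwards: a new SA is in use
            last_used = used
            continue
        m = LATE_IKE_RE.match(line)
        if m:
            summary["late_ike_bytes"].append(int(m.group(1)))
            continue
        if "entering phase2_fatal" in line:
            summary["fatal"] = True
            continue
        m = REJECT_RE.search(line)
        if m:
            summary["reject_reason"] = m.group(1)
    if last_used is not None:
        summary["sa_runs"].append(last_used)           # progress of the last SA when the trace ended
    return summary


def local_rekey_delay(summary):
    """Seconds from the tunnel entering its main loop (S7.9) to the next S7.1
    (quick mode started by vpnc itself); None if either event is absent."""
    main_loop = next((ts for stage, ts in summary["events"] if stage == "S7.9"), None)
    if main_loop is None:
        return None
    for stage, ts in summary["events"]:
        if stage == "S7.1" and ts > main_loop:
            return int((ts - main_loop).total_seconds())
    return None


def verdict(summary):
    """One-line reading of the trace in terms of the symptoms described in the post."""
    parts = [f"negotiated IPsec lifetime {summary['negotiated_seconds']}s",
             f"SA counter reset after {summary['sa_runs'][:-1]}s of use"]
    delay = local_rekey_delay(summary)
    if delay is not None:
        parts.append(f"vpnc re-ran quick mode {delay}s after tunnel up")
    if summary["fatal"]:
        parts.append(f"ended in phase2_fatal ({summary['reject_reason']})")
    return "; ".join(parts)


if __name__ == "__main__":
    print(verdict(analyse(SAMPLE_LOG)))
```

Run against the excerpt it reports that the first SA's counter reached 87 s before a late IKE packet carrying fresh lifetime attributes reset it, that vpnc started its own quick mode exactly 120 s after the tunnel came up (the negotiated lifetime), and that this exchange ended in phase2_fatal with ISAKMP_N_INVALID_COOKIE. Feeding it the full `--no-detach` output of a run gives the same summary without reading through the `lifetime status` lines by hand.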


karen.durinyan at gmail

Feb 20, 2009, 11:13 PM

Post #2 of 2 (1199 views)
lifetime problem [In reply to]

Hello,

Sorry if this question is repeated; I was not able to find an answer to this
problem.

vpnc is connecting without any problem to Cisco IOS EzVPN. After the 1st IPSec
SA lifetime expiration (in this example I set it to 120 sec to debug quickly, but
it is the same for any lifetime value) vpnc is not able to renegotiate the next SA
and it is disconnected without calling the procedures to clean up resolv.conf
etc... At the same time the Cisco VPN client works fine with the same VPN server.
After editing resolv.conf manually (restoring the resolver to be able to resolve
the peer address) and rerunning vpnc, it connects again without problem and works
fine too, but only during the next lifetime period (in this example 120 sec).
I am running Fedora 10 x86_64 Linux on a dual-core Intel CPU.
If needed, I can provide more details about the HW/SW/CONFIG
of both the Linux and Cisco boxes. Thanks!

--
Bests,
Karen

======== debug ================
[root [at] k1 ~]# vpnc test --no-detach

vpnc version 0.5.3

S1 init_sockaddr
[2009-02-21 09:43:29]

S2 make_socket
[2009-02-21 09:43:29]

S3 setup_tunnel
[2009-02-21 09:43:29]
using interface tun0

S4 do_phase1_am
[2009-02-21 09:43:29]

S4.1 create_nonce
[2009-02-21 09:43:29]

S4.2 dh setup
[2009-02-21 09:43:29]

S4.3 AM packet_1
[2009-02-21 09:43:29]

S4.4 AM_packet2
[2009-02-21 09:43:30]
(Cisco Unity)
(DPD)
(unknown)
(Xauth)
(Nat-T RFC)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-3des-sha1
ignoring that peer is DPD capable (RFC3706)
peer is NAT-T capable (RFC 3947)
peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads
peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads

S4.5 AM_packet3
[2009-02-21 09:43:30]
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
NAT-T mode, adding non-esp marker

S4.6 cleanup
[2009-02-21 09:43:31]

S5 do_phase2_xauth
[2009-02-21 09:43:31]

S5.1 xauth_start
[2009-02-21 09:43:31]

S5.2 notice_check
[2009-02-21 09:43:31]
got ike lifetime attributes: 86400 seconds

S5.3 type-is-xauth check
[2009-02-21 09:43:31]

S5.4 xauth type check
[2009-02-21 09:43:31]

S5.5 do xauth authentication
[2009-02-21 09:43:31]
NAT-T mode, adding non-esp marker

S5.2 notice_check
[2009-02-21 09:43:32]

S5.3 type-is-xauth check
[2009-02-21 09:43:32]

S5.6 process xauth response
[2009-02-21 09:43:32]
NAT-T mode, adding non-esp marker

S5.7 xauth done
[2009-02-21 09:43:32]

S6 do_phase2_config
[2009-02-21 09:43:32]

S6.1 phase2_config send modecfg
[2009-02-21 09:43:32]
NAT-T mode, adding non-esp marker

S6.2 phase2_config receive modecfg
[2009-02-21 09:43:33]
got save password setting: 0
got 4 acls for split include
acl 0: addr: 10.0.0.0/ 255.0.0.0 (8), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.168.0.0/ 255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 2: addr: 192.168.23.0/ 255.255.255.0 (24), protocol: 0, sport: 0, dport: 0
acl 3: addr: 192.168.20.11/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
Remote Application Version: Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 20:11 by prod_rel_team
got address 10.0.14.244

S7 setup_link (phase 2 + main_loop)
[2009-02-21 09:43:33]

S7.0 run interface setup script
[2009-02-21 09:43:33]

S7.1 QM_packet1
[2009-02-21 09:43:33]

S7.2 QM_packet2 send_receive
[2009-02-21 09:43:33]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2009-02-21 09:43:34]

S7.5 QM_packet2 check reject offer
[2009-02-21 09:43:34]

S7.6 QM_packet2 check and process proposal
[2009-02-21 09:43:34]
got ipsec lifetime attributes: 2147483 seconds
IPSEC SA selected 3des-sha1
got ipsec lifetime attributes: 120 seconds
got ipsec lifetime attributes: 4608000 kilobyte
NAT-T mode, adding non-esp marker

S7.7 QM_packet3 sent
[2009-02-21 09:43:34]

S7.8 setup ipsec tunnel
[2009-02-21 09:43:34]

S7.9 main loop (receive and transmit ipsec packets)
[2009-02-21 09:43:34]
remote -> local spi: 0x3a84f1a0
local -> remote spi: 0x4d756e7e
VPNC started in foreground...
lifetime status: 10 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 20 of 120 seconds used, 0|0 of 4608000 kbytes used
...
...
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
lifetime status: 87 of 120 seconds used, 0|1 of 4608000 kbytes used
got late ike paket: 172 bytes
got ipsec lifetime attributes: 120 seconds
got ipsec lifetime attributes: 4608000 kilobyte
got ipsec lifetime attributes: 4608000 kilobyte
NAT-T mode, adding non-esp marker
lifetime status: 1 of 120 seconds used, 0|0 of 4608000 kbytes used
lifetime status: 2 of 120 seconds used, 0|0 of 4608000 kbytes used
...
...
lifetime status: 32 of 120 seconds used, 0|2 of 4608000 kbytes used
lifetime status: 33 of 120 seconds used, 0|2 of 4608000 kbytes used
lifetime status: 34 of 120 seconds used, 0|2 of 4608000 kbytes used
got late ike paket: 76 bytes

S7.1 QM_packet1
[2009-02-21 09:45:34]

S7.2 QM_packet2 send_receive
[2009-02-21 09:45:34]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2009-02-21 09:45:34]
payload too short or not padded: len=112, min=28 (ivlen=8)
got paket with wrong cookies

S7.5 QM_packet2 check reject offer
[2009-02-21 09:45:34]


---!!!!!!!!! entering phase2_fatal !!!!!!!!!---


NAT-T mode, adding non-esp marker
NAT-T mode, adding non-esp marker
vpnc: quick mode response rejected: (ISAKMP_N_INVALID_COOKIE)(4)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, expect on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator

[root [at] k1 ~]#

======== end debug ================

