Forensic analysis of an IPSec negotiation to connect two sites via VPN
Date: September 2014   Class: CCNA Security
Scenario
This scenario derives from earlier NAT-based tests, but those details are covered in another document.
This scenario analyses the IKE Phase I and Phase II negotiations and the ESP traffic between the peers once the tunnel is established. It also examines or highlights aspects such as the negotiation of the security association (SA) when several security policies are configured on one end and a single one on the other.
Everything written in this document is my own interpretation and may be revised as pending steps of the IPSec process are debugged or investigated further. All contributions are welcome at ernesto@vilarrasa.com.ar.
Phases of IPSec tunnel establishment
1. A packet arrives at the router and its destination network is examined.
2. The routing table determines that it must be sent out a WAN interface; for Internet VPNs this is usually the default route.
3. Just before being transmitted on that interface, the packet must be evaluated, since a crypto map is attached to it.
4. The crypto map has an associated ACL; the packet is checked against it for a match.
5. If there is a match and a security association (SA) already exists between the peers (the routers terminating the tunnel), the packet is encrypted according to the IPSec policy agreed between them.
6. If no security association is established, the peer is looked up in the crypto map entry that corresponds to the ACL.
7. Common Phase I (ISAKMP) policies are negotiated with the peer declared in that crypto map; for this the router looks up the peer configuration and the PSK needed for Phase I.
8. A secure exchange over an insecure medium is carried out using Diffie-Hellman keys.
9. The identities of the peers are verified, with the negotiation now encrypted.
10. IPsec Phase II (quick mode) is established, where the policies that protect the tunnel traffic are agreed.
11. Traffic now traverses the tunnel protected with the policy agreed between the peers.
12. Subsequent traffic follows steps 1, 2, 3, 4, 5 and 11.
Analysed traffic
IPSec Phase I (ISAKMP):
No.  Source    Destination  Protocol  Length  Info
2    10.0.0.1  10.0.0.6     ISAKMP    206     Identity Protection (Main Mode)

Frame 2: 206 bytes on wire (1648 bits), 206 bytes captured (1648 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)  (OSI layer 2)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)  (OSI layer 3)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)  (OSI layer 4)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 0000000000000000
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
    .... ...0 = Encryption: Not encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 164
  Type Payload: Security Association (1)
    Next payload: Vendor ID (13)
    Payload length: 56
    Domain of interpretation: IPSEC (1)
    Situation: 00000001
    Type Payload: Proposal (2) # 1
      Next payload: NONE / No Next Payload (0)
      Payload length: 44
      Proposal number: 1
      Protocol ID: ISAKMP (1)
      SPI Size: 0
      Proposal transforms: 1
      Type Payload: Transform (3) # 1
        Next payload: NONE / No Next Payload (0)
        Payload length: 36
        Transform number: 1
        Transform ID: KEY_IKE (1)
        Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Encryption-Algorithm (1)
          Value: 0007
          Encryption Algorithm: AES-CBC (7)
        Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Key-Length (14)
          Value: 0100
          Key Length: 256
        Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Hash-Algorithm (2)
          Value: 0002
          HASH Algorithm: SHA (2)
        Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Group-Description (4)
          Value: 0005
          Group Description: 1536 bit MODP group (5)
        Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Authentication-Method (3)
          Value: 0001
          Authentication Method: PSK (1)
        Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Life-Type (11)
          Value: 0001
          Life Type: Seconds (1)
        Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Life-Duration (12)
          Value: 0e10
          Life Duration: 3600
  Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: 4a131c81070358455c5728f20e95452f
    Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
  Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-07
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: 439b59f8ba676c4c7737ae22eab8f582
    Vendor ID: draft-ietf-ipsec-nat-t-ike-07
  Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: 7d9419a65310ca6f2c179d9215529d56
    Vendor ID: draft-ietf-ipsec-nat-t-ike-03
  Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
    Next payload: NONE / No Next Payload (0)
    Payload length: 20
    Vendor ID: 90cb80913ebb696e086381b5ec427b1f
    Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
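To make the decode above concrete, here is an added example (not part of the original document) that parses the ISAKMP header and the Phase I SA payload from raw bytes and reviews the proposal from a defender's point of view. The byte string is constructed from the field values Wireshark shows for frame 2 (cookies, payload lengths, the seven transform attributes, the four vendor IDs); the layout follows RFC 2408/2409, and the review thresholds in weak_points (2048-bit MODP minimum, 24 h lifetime) are my assumptions, not the document's.

```python
import struct

# Attribute classes from RFC 2409 Appendix A and the values that appear in this capture
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type",
              12: "life_duration", 14: "key_length"}
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

def parse_attributes(data):
    """Decode IKE attributes. Bit 15 of the type field set = TV (2-byte value),
    clear = TLV (2-byte length followed by the value). Returns {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:
            attrs[atype & 0x7FFF] = val
            off += 4
        else:
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def parse_sa(sa):
    """Walk the Proposal and Transform payloads inside one SA payload."""
    out, off = [], 12                      # generic header + DOI + Situation
    while off < len(sa):
        _nxt, _res, plen, pnum, proto, spisz, ntr = struct.unpack_from("!BBHBBBB", sa, off)
        toff = off + 8 + spisz             # skip the (optional) SPI
        for _ in range(ntr):
            _tnxt, _r, tlen, tnum, tid = struct.unpack_from("!BBHBB", sa, toff)
            attrs = parse_attributes(sa[toff + 8:toff + tlen])
            out.append({"proposal": pnum, "protocol": proto, "transform": tnum,
                        "transform_id": tid,
                        **{ATTR_NAMES.get(k, k): v for k, v in attrs.items()}})
            toff += tlen
        off += plen
    return out

def parse_isakmp(msg):
    """Return (header dict, list of transforms) for one ISAKMP message."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, npl, ver, xchg, flags, msgid, length = struct.unpack_from(
        "!8s8sBBBBII", msg, 0)
    if length != len(msg):
        raise ValueError("header says %d bytes, got %d" % (length, len(msg)))
    header = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
              "version": "%d.%d" % (ver >> 4, ver & 0xF), "exchange": xchg,
              "encrypted": bool(flags & 1), "msgid": msgid}
    transforms, off = [], 28
    while npl != 0:                        # follow the Next payload chain
        nxt, _res, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        if npl == 1:                       # Security Association payload
            transforms.extend(parse_sa(msg[off:off + plen]))
        npl, off = nxt, off + plen
    return header, transforms

def weak_points(t):
    """Defender's review of a Phase 1 transform; the thresholds are assumptions
    (2048-bit MODP minimum, 24 h lifetime), not taken from the original document."""
    issues = []
    if t.get("enc") in (1, 5):
        issues.append("legacy cipher " + ENC_NAMES[t["enc"]])
    if t.get("hash") == 1:
        issues.append("MD5 hash")
    if t.get("group", 0) < 14:
        issues.append("DH group %d is below 2048-bit MODP (group 14)" % t.get("group", 0))
    if t.get("life_type") == 1 and t.get("life_duration", 0) > 86400:
        issues.append("Phase 1 lifetime over 24 h")
    return issues

def _tv(atype, value):
    return struct.pack("!HH", 0x8000 | atype, value)

# Constructed from frame 2 of the capture: one KEY_IKE transform with seven TV
# attributes, wrapped in Proposal 1 and the SA payload, followed by four Vendor IDs.
TRANSFORM = struct.pack("!BBHBBH", 0, 0, 36, 1, 1, 0) + b"".join(
    [_tv(1, 7), _tv(14, 256), _tv(2, 2), _tv(4, 5), _tv(3, 1), _tv(11, 1), _tv(12, 3600)])
PROPOSAL = struct.pack("!BBHBBBB", 0, 0, 44, 1, 1, 0, 1) + TRANSFORM
SA_PAYLOAD = struct.pack("!BBHII", 13, 0, 56, 1, 1) + PROPOSAL
VENDOR_IDS = ["4a131c81070358455c5728f20e95452f", "439b59f8ba676c4c7737ae22eab8f582",
              "7d9419a65310ca6f2c179d9215529d56", "90cb80913ebb696e086381b5ec427b1f"]
VID_PAYLOADS = b"".join(struct.pack("!BBH", 13 if i < 3 else 0, 0, 20) + bytes.fromhex(v)
                        for i, v in enumerate(VENDOR_IDS))
BODY = SA_PAYLOAD + VID_PAYLOADS
FRAME2_ISAKMP = struct.pack("!8s8sBBBBII", bytes.fromhex("03aad8e9957f9bb8"), bytes(8),
                            1, 0x10, 2, 0, 0, 28 + len(BODY)) + BODY   # 164 bytes, as in frame 2

if __name__ == "__main__":
    hdr, transforms = parse_isakmp(FRAME2_ISAKMP)
    print(hdr)
    for t in transforms:
        print(t, "->", weak_points(t) or "no findings")
```

Run against the reconstructed frame 2 it recovers exactly the policy shown above (AES-CBC 256, SHA, group 5, PSK, 3600 s) and flags only the 1536-bit group, which is what a reviewer of this 2014 lab would raise today.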
No.  Source    Destination  Protocol  Length  Info
3    10.0.0.6  10.0.0.1     ISAKMP    146     Identity Protection (Main Mode)

Frame 3: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)  (reply from the peer)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
    .... ...0 = Encryption: Not encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 104
  Type Payload: Security Association (1)
    Next payload: Vendor ID (13)
    Payload length: 56
    Domain of interpretation: IPSEC (1)
    Situation: 00000001
    Type Payload: Proposal (2) # 1
      Next payload: NONE / No Next Payload (0)
      Payload length: 44
      Proposal number: 1
      Protocol ID: ISAKMP (1)
      SPI Size: 0
      Proposal transforms: 1
      Type Payload: Transform (3) # 1
        Next payload: NONE / No Next Payload (0)
        Payload length: 36
        Transform number: 1
        Transform ID: KEY_IKE (1)
        Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Encryption-Algorithm (1)
          Value: 0007
          Encryption Algorithm: AES-CBC (7)
        Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Key-Length (14)
          Value: 0100
          Key Length: 256
        Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Hash-Algorithm (2)
          Value: 0002
          HASH Algorithm: SHA (2)
        Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Group-Description (4)
          Value: 0005
          Group Description: 1536 bit MODP group (5)
        Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Authentication-Method (3)
          Value: 0001
          Authentication Method: PSK (1)
        Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Life-Type (11)
          Value: 0001
          Life Type: Seconds (1)
        Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
          1... .... .... .... = Transform IKE Format: Type/Value (TV)
          Transform IKE Attribute Type: Life-Duration (12)
          Value: 0e10
          Life Duration: 3600
  Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
    Next payload: NONE / No Next Payload (0)
    Payload length: 20
    Vendor ID: 4a131c81070358455c5728f20e95452f
    Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Diffie-Hellman exchange:
No.  Source    Destination  Protocol  Length  Info
4    10.0.0.1  10.0.0.6     ISAKMP    390     Identity Protection (Main Mode)

Frame 4: 390 bytes on wire (3120 bits), 390 bytes captured (3120 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Key Exchange (4)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
    .... ...0 = Encryption: Not encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 348
  Type Payload: Key Exchange (4)
    Next payload: Nonce (10)
    Payload length: 196
    Key Exchange Data: 8e7d32e78ba32c60faee05b41dae0b0735e25e7928e38259...
  Type Payload: Nonce (10)
    Next payload: Vendor ID (13)
    Payload length: 24
    Nonce DATA: 93143975e7aa0e9b4c407ed2fe4137ba2c19f665
  Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: afcad71368a1f1c96b8696fc77570100
    Vendor ID: RFC 3706 DPD (Dead Peer Detection)
  Type Payload: Vendor ID (13) : Unknown Vendor ID
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: f66d7ff4957e9bb88c37ee4fde06d3dc
    Vendor ID: Unknown Vendor ID
  Type Payload: Vendor ID (13) : XAUTH
    Next payload: NAT-D (RFC 3947) (20)
    Payload length: 12
    Vendor ID: 09002689dfd6b712
    Vendor ID: XAUTH
  Type Payload: NAT-D (RFC 3947) (20)
    Next payload: NAT-D (RFC 3947) (20)
    Payload length: 24
    HASH of the address and port: 1f515c8e9201c59472b1b3cdeed2ff01e8ce0fbd
  Type Payload: NAT-D (RFC 3947) (20)
    Next payload: NONE / No Next Payload (0)
    Payload length: 24
    HASH of the address and port: 982866c15a6a187ac932fe8270caae07808043bd
No.  Source    Destination  Protocol  Length  Info
5    10.0.0.6  10.0.0.1     ISAKMP    410     Identity Protection (Main Mode)

Frame 5: 410 bytes on wire (3280 bits), 410 bytes captured (3280 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)  (reply from the peer)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Key Exchange (4)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
    .... ...0 = Encryption: Not encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 368
  Type Payload: Key Exchange (4)
    Next payload: Nonce (10)
    Payload length: 196
    Key Exchange Data: 397729b63c89901909190955d57d1f7fd156e2b8de200f15...
  Type Payload: Nonce (10)
    Next payload: Vendor ID (13)
    Payload length: 24
    Nonce DATA: 88766d3cc5cb7c4a34d1f0f41d396891a40a14b3
  Type Payload: Vendor ID (13) : CISCO-UNITY 1.0
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: 12f5f28c457168a9702d9fe274cc0100
    Vendor ID: CISCO-UNITY
    CISCO-UNITY Major version: 1
    CISCO-UNITY Minor version: 0
  Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: afcad71368a1f1c96b8696fc77570100
    Vendor ID: RFC 3706 DPD (Dead Peer Detection)
  Type Payload: Vendor ID (13) : Unknown Vendor ID
    Next payload: Vendor ID (13)
    Payload length: 20
    Vendor ID: 68b9cd555582e66cc960c9cf58ade265
    Vendor ID: Unknown Vendor ID
  Type Payload: Vendor ID (13) : XAUTH
    Next payload: NAT-D (RFC 3947) (20)
    Payload length: 12
    Vendor ID: 09002689dfd6b712
    Vendor ID: XAUTH
  Type Payload: NAT-D (RFC 3947) (20)
    Next payload: NAT-D (RFC 3947) (20)
    Payload length: 24
    HASH of the address and port: 982866c15a6a187ac932fe8270caae07808043bd
  Type Payload: NAT-D (RFC 3947) (20)
    Next payload: NONE / No Next Payload (0)
    Payload length: 24
    HASH of the address and port: 1f515c8e9201c59472b1b3cdeed2ff01e8ce0fbd
No.  Source    Destination  Protocol  Length  Info
6    10.0.0.1  10.0.0.6     ISAKMP    150     Identity Protection (Main Mode)

Frame 6: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Identification (5)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x01
    .... ...1 = Encryption: Encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 108
  Encrypted Data (80 bytes)

No.  Source    Destination  Protocol  Length  Info
7    10.0.0.6  10.0.0.1     ISAKMP    118     Identity Protection (Main Mode)

Frame 7: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Identification (5)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x01
    .... ...1 = Encryption: Encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x00000000
  Length: 76
  Encrypted Data (48 bytes)
From section 8.3.3 (5) of the CCNA Security curriculum:
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel. IKE Phase 2 is called quick mode and can only occur after IKE has established the secure tunnel in Phase 1. SAs are negotiated by the IKE process ISAKMP on behalf of IPsec, which needs encryption keys for operation. Quick mode negotiates the IKE Phase 2 SAs. In this phase, the SAs that IPsec uses are unidirectional; therefore, a separate key exchange is required for each data flow.
IKE Phase 2 performs the following functions:
· Negotiates IPsec security parameters, known as IPsec transform sets
· Establishes IPsec SAs
· Periodically renegotiates IPsec SAs to ensure security
· Optionally performs an additional DH exchange
No.  Source    Destination  Protocol  Length  Info
8    10.0.0.1  10.0.0.6     ISAKMP    422     Quick Mode

Frame 8: 422 bytes on wire (3376 bits), 422 bytes captured (3376 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Hash (8)
  Version: 1.0
  Exchange type: Quick Mode (32)
  Flags: 0x01
    .... ...1 = Encryption: Encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x493c0aa4
  Length: 380
  Encrypted Data (352 bytes)

No.  Source    Destination  Protocol  Length  Info
9    10.0.0.6  10.0.0.1     ISAKMP    422     Quick Mode

Frame 9: 422 bytes on wire (3376 bits), 422 bytes captured (3376 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Hash (8)
  Version: 1.0
  Exchange type: Quick Mode (32)
  Flags: 0x01
    .... ...1 = Encryption: Encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x493c0aa4
  Length: 380
  Encrypted Data (352 bytes)

No.  Source    Destination  Protocol  Length  Info
10   10.0.0.1  10.0.0.6     ISAKMP    102     Quick Mode

Frame 10: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 03aad8e9957f9bb8
  Responder cookie: 9d7e6a485583e66c
  Next payload: Hash (8)
  Version: 1.0
  Exchange type: Quick Mode (32)
  Flags: 0x01
    .... ...1 = Encryption: Encrypted
    .... ..0. = Commit: No commit
    .... .0.. = Authentication: No authentication
  Message ID: 0x493c0aa4
  Length: 60
  Encrypted Data (32 bytes)
Traffic with the tunnel established:
No.  Source    Destination  Protocol  Length  Info
11   10.0.0.1  10.0.0.6     ESP       134     ESP (SPI=0xb9c670c4)

Frame 11: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
Encapsulating Security Payload
  ESP SPI: 0xb9c670c4 (3116789956)
  ESP Sequence: 1

No.  Source    Destination  Protocol  Length  Info
15   10.0.0.6  10.0.0.1     ESP       118     ESP (SPI=0x794d8088)

Frame 15: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)
Encapsulating Security Payload
  ESP SPI: 0x794d8088 (2035122312)
  ESP Sequence: 1

No.  Source    Destination  Protocol  Length  Info
16   10.0.0.1  10.0.0.6     ESP       118     ESP (SPI=0xb9c670c4)

Frame 16: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
Encapsulating Security Payload
  ESP SPI: 0xb9c670c4 (3116789956)
  ESP Sequence: 2

No.  Source    Destination  Protocol  Length  Info
17   10.0.0.1  10.0.0.6     ESP       134     ESP (SPI=0xb9c670c4)

Frame 17: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
Encapsulating Security Payload
  ESP SPI: 0xb9c670c4 (3116789956)
  ESP Sequence: 3

No.  Source    Destination  Protocol  Length  Info
18   10.0.0.6  10.0.0.1     ESP       134     ESP (SPI=0x794d8088)

Frame 18: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0
Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)
Encapsulating Security Payload
  ESP SPI: 0x794d8088 (2035122312)
  ESP Sequence: 2

No.  Source    Destination  Protocol  Length  Info
19   10.0.0.1  10.0.0.6     ESP       134     ESP (SPI=0xb9c670c4)

Frame 19: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0
Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
Encapsulating Security Payload
  ESP SPI: 0xb9c670c4 (3116789956)
  ESP Sequence: 4
Debugging the negotiation on the Rosario router:
Interesting traffic is generated from the PC 192.168.1.101 to the SW 192.168.4.2, at the other end of the tunnel.
The following four modes are found in IKE main mode:
MM_NO_STATE – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
MM_SA_SETUP – Both peers agree on ISAKMP SA parameters and will move along the process
MM_KEY_EXCH – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
MM_KEY_AUTH – ISAKMP SA's have been authenticated in main mode and will proceed to QM_IDLE immediately.
The following three modes are found in IKE aggressive mode
The following mode is found in IKE Quick Mode, phase 2:
QM_IDLE – The ISAKMP SA is idle and authenticated
Rosario#debug crypto isakmp
*Jul 22 18:29:39.630: ISAKMP:(0): SA request profile is (NULL)
*Jul 22 18:29:39.630: ISAKMP: Created a peer struct for 10.0.0.6, peer port 500
*Jul 22 18:29:39.630: ISAKMP: New peer created peer = 0x6724CCA8 peer_handle = 0x80000004
*Jul 22 18:29:39.630: ISAKMP: Locking peer struct 0x6724CCA8, refcount 1 for isakmp_initiator
*Jul 22 18:29:39.630: ISAKMP: local port 500, remote port 500
*Jul 22 18:29:39.630: ISAKMP: set new node 0 to QM_IDLE
*Jul 22 18:29:39.630: ISAKMP:(0):insert sa successfully sa = 67A594A4
*Jul 22 18:29:39.630: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jul 22 18:29:39.630: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6  (configured with crypto isakmp key Cisco123 address 10.0.0.6)
*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 22 18:29:39.630: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jul 22 18:29:39.630: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

New State = IKE_I_MM1. This indicates that IKE negotiation has been initiated, and the first ISAKMP message in the main mode exchange is about to be sent. Note the I in the message here. This character indicates that Rosario is the initiator of IKE negotiation. If Rosario were the responder, then an R would be shown.

*Jul 22 18:29:39.630: ISAKMP:(0): beginning Main Mode exchange
*Jul 22 18:29:39.634: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 22 18:29:39.634: ISAKMP:(0): sending an IKE IPv4 Packet.
*Jul 22 18:29:39.638: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE

This message contains the accepted proposal (one out of those sent in Rosario's initial message).

*Jul 22 18:29:39.638: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:29:39.638: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

The state has moved from IKE_I_MM1 to IKE_I_MM2, indicating that this is the second message in the IKE exchange. Rosario now begins to process the SA payload, which contains the accepted proposal. Note the message ID here. The function of the message ID is to distinguish messages for different phase 2 exchanges (SAs) from each other, and so it remains as zero throughout main mode negotiation.

*Jul 22 18:29:39.638: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 22 18:29:39.642: ISAKMP:(0): processing vendor id payload
*Jul 22 18:29:39.642: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 22 18:29:39.642: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:29:39.642: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6
*Jul 22 18:29:39.642: ISAKMP:(0): local preshared key found
*Jul 22 18:29:39.642: ISAKMP : Scanning profiles for xauth ...
*Jul 22 18:29:39.642: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 22 18:29:39.642: ISAKMP:      encryption AES-CBC
*Jul 22 18:29:39.642: ISAKMP:      keylength of 256
*Jul 22 18:29:39.642: ISAKMP:      hash SHA
*Jul 22 18:29:39.642: ISAKMP:      default group 5
*Jul 22 18:29:39.642: ISAKMP:      auth pre-share
*Jul 22 18:29:39.642: ISAKMP:      life type in seconds
*Jul 22 18:29:39.642: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:29:39.642: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 22 18:29:39.642: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 22 18:29:39.642: ISAKMP:(0):Acceptable atts:life: 0
*Jul 22 18:29:39.642: ISAKMP:(0):Basic life_in_seconds:3600
*Jul 22 18:29:39.642: ISAKMP:(0):Returning Actual lifetime: 3600
*Jul 22 18:29:39.642: ISAKMP:(0)::Started lifetime timer: 3600.
*Jul 22 18:29:39.642: ISAKMP:(0): processing vendor id payload
*Jul 22 18:29:39.642: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 22 18:29:39.642: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:29:39.642: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:29:39.642: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jul 22 18:29:39.646: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jul 22 18:29:39.646: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 22 18:29:39.646: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:29:39.646: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

The state changes to IKE_I_MM3, indicating that the third message in the IKE exchange has been sent.

*Jul 22 18:29:39.850: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jul 22 18:29:39.850: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:29:39.850: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

The state has now changed to IKE_I_MM4, indicating that this response was the fourth message in the main mode exchange.

*Jul 22 18:29:39.850: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 22 18:29:40.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 22 18:29:40.054: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6
*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload
*Jul 22 18:29:40.054: ISAKMP:(1003): vendor ID is Unity
*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload
*Jul 22 18:29:40.054: ISAKMP:(1003): vendor ID is DPD
*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload
*Jul 22 18:29:40.054: ISAKMP:(1003): speaking to another IOS box!
*Jul 22 18:29:40.054: ISAKMP:received payload type 20
*Jul 22 18:29:40.054: ISAKMP (1003): His hash no match - this node outside NAT
*Jul 22 18:29:40.054: ISAKMP:received payload type 20
*Jul 22 18:29:40.054: ISAKMP (1003): No NAT Found for self or peer  (the tunnel is formed after the static NAT has been applied)
*Jul 22 18:29:40.054: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:29:40.054: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jul 22 18:29:40.058: ISAKMP:(1003):Send initial contact
*Jul 22 18:29:40.058: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 22 18:29:40.058: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 10.0.0.1
        protocol     : 17
        port         : 500
        length       : 12
*Jul 22 18:29:40.058: ISAKMP:(1003):Total payload length: 12
*Jul 22 18:29:40.058: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul 22 18:29:40.058: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jul 22 18:29:40.058: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:29:40.058: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM5

The state changes to IKE_I_MM5, indicating that the fifth message in the IKE exchange has been sent.

*Jul 22 18:29:40.066: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul 22 18:29:40.066: ISAKMP:(1003): processing ID payload. message ID = 0
*Jul 22 18:29:40.066: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 10.0.0.6
        protocol     : 17  (refers to UDP)
        port         : 500
        length       : 12
*Jul 22 18:29:40.070: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 22 18:29:40.070: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jul 22 18:29:40.070: ISAKMP:(1003):SA authentication status: authenticated
*Jul 22 18:29:40.070: ISAKMP:(1003):SA has been authenticated with 10.0.0.6
*Jul 22 18:29:40.070: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.6/500/, and inserted successfully 6724CCA8.
*Jul 22 18:29:40.070: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:29:40.070: ISAKMP:(1003):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jul 22 18:29:40.070: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:29:40.070: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jul 22 18:29:40.070: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul 22 18:29:40.070: ISAKMP: set new node 2129041637 to QM_IDLE
*Jul 22 18:29:40.074: ISAKMP:(1003): processing HASH payload. message ID = 2129041637
*Jul 22 18:29:40.074: ISAKMP:(1003): processing DELETE payload. message ID = 2129041637
*Jul 22 18:29:40.074: ISAKMP:(1003):peer does not do paranoid keepalives.
*Jul 22 18:29:40.074: ISAKMP:(1003):deleting node 2129041637 error FALSE reason "Informational (in) state 1"
*Jul 22 18:29:40.074: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:29:40.074: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jul 22 18:29:40.074: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of -685834843  (Phase II)
*Jul 22 18:29:40.238: ISAKMP:(1003):QM Initiator gets spi
*Jul 22 18:29:40.238: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 22 18:29:40.238: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jul 22 18:29:40.238: ISAKMP:(1003):Node -685834843, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 22 18:29:40.238: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 22 18:29:40.238: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 22 18:29:40.238: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 22 18:29:40.610: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) QM_IDLE
*Jul 22 18:29:40.610: ISAKMP:(1003): processing HASH payload. message ID = -685834843
*Jul 22 18:29:40.610: ISAKMP:(1003): processing SA payload. message ID = -685834843
*Jul 22 18:29:40.610: ISAKMP:(1003):Checking IPSec proposal 1
*Jul 22 18:29:40.610: ISAKMP: transform 1, ESP_AES
*Jul 22 18:29:40.610: ISAKMP:   attributes in transform:
*Jul 22 18:29:40.610: ISAKMP:      encaps is 1 (Tunnel)
*Jul 22 18:29:40.610: ISAKMP:      SA life type in seconds
*Jul 22 18:29:40.610: ISAKMP:      SA life duration (basic) of 3600
*Jul 22 18:29:40.610: ISAKMP:      SA life type in kilobytes
*Jul 22 18:29:40.610: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 22 18:29:40.610: ISAKMP:      authenticator is HMAC-SHA
*Jul 22 18:29:40.610: ISAKMP:      key length is 256
*Jul 22 18:29:40.610: ISAKMP:      group is 5
*Jul 22 18:29:40.610: ISAKMP:(1003):atts are acceptable.
*Jul 22 18:29:40.610: ISAKMP:(1003): processing NONCE payload. message ID = -685834843
*Jul 22 18:29:40.610: ISAKMP:(1003): processing KE payload. message ID = -685834843
*Jul 22 18:29:40.814: ISAKMP:(1003): processing ID payload. message ID = -685834843
*Jul 22 18:29:40.814: ISAKMP:(1003): processing ID payload. message ID = -685834843
*Jul 22 18:29:40.818: ISAKMP:(1003): Creating IPSec SAs
*Jul 22 18:29:40.818:         inbound SA from 10.0.0.6 to 10.0.0.1 (f/i)  0/ 0
        (proxy 192.168.4.0 to 192.168.3.0)
*Jul 22 18:29:40.818:         has spi 0x134BD28 and conn_id 0
*Jul 22 18:29:40.818:         lifetime of 3600 seconds
*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes
*Jul 22 18:29:40.818:         outbound SA from 10.0.0.1 to 10.0.0.6 (f/i) 0/0
        (proxy 192.168.3.0 to 192.168.4.0)
*Jul 22 18:29:40.818:         has spi 0x11336938 and conn_id 0
*Jul 22 18:29:40.818:         lifetime of 3600 seconds
*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes
*Jul 22 18:29:40.818: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 22 18:29:40.818: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jul 22 18:29:40.818: ISAKMP:(1003):deleting node -685834843 error FALSE reason "No Error"
*Jul 22 18:29:40.818: ISAKMP:(1003):Node -685834843, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 22 18:29:40.818: ISAKMP:(1003):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Rosario#
Rosario#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.6        10.0.0.1        QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

Rosario#
Tunnel termination
Packets 11 and 12 correspond to the tunnel termination, performed 240 seconds after it was established. The process consists of a single exchange between the two peers.
Rosario#clear crypto isakmp 1003 (the tunnel is torn down manually)
Rosario#
*Jul 22 18:33:40.074: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 10.0.0.6)
*Jul 22 18:33:40.078: ISAKMP: set new node 168501692 to QM_IDLE
*Jul 22 18:33:40.078: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 22 18:33:40.078: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jul 22 18:33:40.078: ISAKMP:(1003):purging node 168501692
*Jul 22 18:33:40.078: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 22 18:33:40.078: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jul 22 18:33:40.078: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 10.0.0.6)
*Jul 22 18:33:40.078: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Jul 22 18:33:40.078: ISAKMP: Unlocking peer struct 0x6724CCA8 for isadb_mark_sa_deleted(), count 0
*Jul 22 18:33:40.078: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:33:40.082: ISAKMP:(1003):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Jul 22 18:33:40.082: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE
Rosario#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.6        10.0.0.1        MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Rosario#
Summary of the IPSec negotiation flow for tunnel establishment and termination.
Device configurations:
Rosario#sh runn (only the most relevant parts are shown)
Building configuration...
Current configuration : 1487 bytes
!
version 12.4
!
hostname Rosario
!
crypto isakmp policy 10 (phase I of the VPN)
encr aes 256 (how the data will be protected during the VPN negotiation)
authentication pre-share (uses the PSK configured further below)
group 5 (secure channel for the PSK key exchange via DH)
lifetime 3600 (lifetime of the key derived from the PSK)
crypto isakmp key Cisco123 address 10.0.0.6 (the key and the tunnel endpoint)
!
crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac (how the data is protected inside the VPN)
!
crypto map VPN 10 ipsec-isakmp (phase II of the VPN)
set peer 10.0.0.6 (tunnel endpoint)
set transform-set ENCRIPTA (how the data is protected inside the VPN)
set pfs group5
match address 100 (ACL that selects the traffic for the VPN)
!
interface FastEthernet0/1
description WAN
ip address 10.0.0.1 255.255.255.252
crypto map VPN (tunnel terminator)
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2 (the default route forces the traffic towards the VPN)
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255 (traffic to be sent through the VPN)
!
end
Rosario#
BsAs#sh runn (only the most relevant parts are shown)
Building configuration...
Current configuration : 1589 bytes
!
version 12.4
!
hostname BsAs
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key Cisco123 address 10.0.0.1
!
crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set ENCRIPTA
set pfs group5
match address 100
!
interface FastEthernet0/1
description WAN
ip address 10.0.0.6 255.255.255.252
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
end
BsAs#
Negotiation with several policies on one end:
!
crypto isakmp policy 10 (DES encryption, the default)
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp policy 20
encr 3des (different)
authentication pre-share
group 2 (different)
lifetime 3600
!
crypto isakmp policy 30
encr 3des (different)
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp policy 40
encr aes 256
authentication pre-share
group 5
lifetime 28800 (different)
!
crypto isakmp policy 50 (matches BsAs)
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
BsAs:
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
Start of the negotiation:
Rosario#debug crypto isakmp
*Jul 22 18:38:22.474: ISAKMP:(0): SA request profile is (NULL)
*Jul 22 18:38:22.474: ISAKMP: Created a peer struct for 10.0.0.6, peer port 500
*Jul 22 18:38:22.474: ISAKMP: New peer created peer = 0x6724CCA8 peer_handle = 0x80000005
*Jul 22 18:38:22.478: ISAKMP: Locking peer struct 0x6724CCA8, refcount 1 for isakmp_initiator
*Jul 22 18:38:22.478: ISAKMP: local port 500, remote port 500
*Jul 22 18:38:22.478: ISAKMP: set new node 0 to QM_IDLE
*Jul 22 18:38:22.478: ISAKMP:(0):insert sa successfully sa = 664F5764
*Jul 22 18:38:22.478: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jul 22 18:38:22.478: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6
*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 22 18:38:22.478: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jul 22 18:38:22.478: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jul 22 18:38:22.478: ISAKMP:(0): beginning Main Mode exchange
*Jul 22 18:38:22.478: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_NO_STATE (1 in Wireshark)
*Jul 22 18:38:22.478: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 22 18:38:22.486: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE (2 in Wireshark)
*Jul 22 18:38:22.486: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:38:22.486: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jul 22 18:38:22.486: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 22 18:38:22.486: ISAKMP:(0): processing vendor id payload
*Jul 22 18:38:22.486: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 22 18:38:22.486: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:38:22.486: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6
*Jul 22 18:38:22.486: ISAKMP:(0): local preshared key found
*Jul 22 18:38:22.486: ISAKMP : Scanning profiles for xauth ...
*Jul 22 18:38:22.486: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 22 18:38:22.486: ISAKMP: encryption AES-CBC
*Jul 22 18:38:22.490: ISAKMP: keylength of 256
*Jul 22 18:38:22.490: ISAKMP: hash SHA
*Jul 22 18:38:22.490: ISAKMP: default group 5
*Jul 22 18:38:22.490: ISAKMP: auth pre-share
*Jul 22 18:38:22.490: ISAKMP: life type in seconds
*Jul 22 18:38:22.490: ISAKMP: life duration (basic) of 28800
*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*Jul 22 18:38:22.490: ISAKMP: encryption AES-CBC
*Jul 22 18:38:22.490: ISAKMP: keylength of 256
*Jul 22 18:38:22.490: ISAKMP: hash SHA
*Jul 22 18:38:22.490: ISAKMP: default group 5
*Jul 22 18:38:22.490: ISAKMP: auth pre-share
*Jul 22 18:38:22.490: ISAKMP: life type in seconds
*Jul 22 18:38:22.490: ISAKMP: life duration (basic) of 28800
*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
*Jul 22 18:38:22.490: ISAKMP: encryption AES-CBC
*Jul 22 18:38:22.490: ISAKMP: keylength of 256
*Jul 22 18:38:22.490: ISAKMP: hash SHA
*Jul 22 18:38:22.490: ISAKMP: default group 5
*Jul 22 18:38:22.490: ISAKMP: auth pre-share
*Jul 22 18:38:22.490: ISAKMP: life type in seconds
*Jul 22 18:38:22.490: ISAKMP: life duration (basic) of 28800
*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 40 policy
*Jul 22 18:38:22.490: ISAKMP: encryption AES-CBC
*Jul 22 18:38:22.490: ISAKMP: keylength of 256
*Jul 22 18:38:22.490: ISAKMP: hash SHA
*Jul 22 18:38:22.490: ISAKMP: default group 5
*Jul 22 18:38:22.490: ISAKMP: auth pre-share
*Jul 22 18:38:22.490: ISAKMP: life type in seconds
*Jul 22 18:38:22.490: ISAKMP: life duration (basic) of 28800 (even though the BsAs lifetime is 3600)
*Jul 22 18:38:22.490: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 22 18:38:22.490: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 22 18:38:22.490: ISAKMP:(0):Acceptable atts:life: 0
*Jul 22 18:38:22.490: ISAKMP:(0):Basic life_in_seconds:28800
*Jul 22 18:38:22.490: ISAKMP:(0):Returning Actual lifetime: 28800
*Jul 22 18:38:22.490: ISAKMP:(0)::Started lifetime timer: 28800.
*Jul 22 18:38:22.490: ISAKMP:(0): processing vendor id payload
*Jul 22 18:38:22.494: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 22 18:38:22.494: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:38:22.494: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:38:22.494: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jul 22 18:38:22.494: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_SA_SETUP (3 in Wireshark)
*Jul 22 18:38:22.494: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 22 18:38:22.494: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:38:22.494: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jul 22 18:38:22.698: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_SA_SETUP (4 in Wireshark)
*Jul 22 18:38:22.698: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:38:22.698: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jul 22 18:38:22.698: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 22 18:38:22.902: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 22 18:38:22.902: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6
*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload
*Jul 22 18:38:22.902: ISAKMP:(1004): vendor ID is Unity
*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload
*Jul 22 18:38:22.902: ISAKMP:(1004): vendor ID is DPD
*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload
*Jul 22 18:38:22.902: ISAKMP:(1004): speaking to another IOS box!
*Jul 22 18:38:22.902: ISAKMP:received payload type 20
*Jul 22 18:38:22.902: ISAKMP (1004): His hash no match - this node outside NAT
*Jul 22 18:38:22.902: ISAKMP:received payload type 20
*Jul 22 18:38:22.902: ISAKMP (1004): No NAT Found for self or peer
*Jul 22 18:38:22.902: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:38:22.902: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jul 22 18:38:22.906: ISAKMP:(1004):Send initial contact
*Jul 22 18:38:22.906: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 22 18:38:22.906: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.1
protocol : 17
port : 500
length : 12
*Jul 22 18:38:22.906: ISAKMP:(1004):Total payload length: 12
*Jul 22 18:38:22.906: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH (5 in Wireshark)
*Jul 22 18:38:22.906: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jul 22 18:38:22.906: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:38:22.906: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jul 22 18:38:22.914: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH (6 in Wireshark)
*Jul 22 18:38:22.914: ISAKMP:(1004): processing ID payload. message ID = 0
*Jul 22 18:38:22.914: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.6
protocol : 17
port : 500
length : 12
*Jul 22 18:38:22.914: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 22 18:38:22.914: ISAKMP:(1004): processing HASH payload. message ID = 0
*Jul 22 18:38:22.918: ISAKMP:(1004): processing NOTIFY RESPONDER_LIFETIME protocol 1 spi 0, message ID = 0, sa = 664F5764
*Jul 22 18:38:22.918: ISAKMP:(1004):SA authentication status: authenticated
*Jul 22 18:38:22.918: ISAKMP:(1004): processing responder lifetime
*Jul 22 18:38:22.918: ISAKMP:(1004): start processing isakmp responder lifetime
*Jul 22 18:38:22.918: ISAKMP:(1004):Returning Actual lifetime: 28800
*Jul 22 18:38:22.918: ISAKMP:(1004): restart ike sa timer to 3600 secs (it adjusts to the peer's values without falling back to policy 50)
*Jul 22 18:38:22.918: ISAKMP:(1004):Started lifetime timer: 0.
*Jul 22 18:38:22.918: ISAKMP:(1004):SA authentication status: authenticated
*Jul 22 18:38:22.918: ISAKMP:(1004):SA has been authenticated with 10.0.0.6
*Jul 22 18:38:22.918: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.6/500/, and inserted successfully 6724CCA8.
*Jul 22 18:38:22.918: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 22 18:38:22.918: ISAKMP:(1004):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jul 22 18:38:22.918: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 22 18:38:22.918: ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jul 22 18:38:22.922: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH (7 in Wireshark)
*Jul 22 18:38:22.922: ISAKMP: set new node 1414558338 to QM_IDLE
*Jul 22 18:38:22.922: ISAKMP:(1004): processing HASH payload. message ID = 1414558338
*Jul 22 18:38:22.922: ISAKMP:(1004): processing DELETE payload. message ID = 1414558338
*Jul 22 18:38:22.922: ISAKMP:(1004):peer does not do paranoid keepalives.
*Jul 22 18:38:22.922: ISAKMP:(1004):deleting node 1414558338 error FALSE reason "Informational (in) state 1"
*Jul 22 18:38:22.922: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 22 18:38:22.922: ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jul 22 18:38:22.922: ISAKMP:(1004):beginning Quick Mode exchange, M-ID of -1681231133
*Jul 22 18:38:23.078: ISAKMP:(1004):QM Initiator gets spi
*Jul 22 18:38:23.082: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE (8 in Wireshark)
*Jul 22 18:38:23.082: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jul 22 18:38:23.082: ISAKMP:(1004):Node -1681231133, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 22 18:38:23.082: ISAKMP:(1004):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 22 18:38:23.082: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 22 18:38:23.082: ISAKMP:(1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 22 18:38:23.450: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) QM_IDLE (9 in Wireshark)
*Jul 22 18:38:23.454: ISAKMP:(1004): processing HASH payload. message ID = -1681231133
*Jul 22 18:38:23.454: ISAKMP:(1004): processing SA payload. message ID = -1681231133
*Jul 22 18:38:23.454: ISAKMP:(1004):Checking IPSec proposal 1
*Jul 22 18:38:23.454: ISAKMP: transform 1, ESP_AES
*Jul 22 18:38:23.454: ISAKMP: attributes in transform:
*Jul 22 18:38:23.454: ISAKMP: encaps is 1 (Tunnel)
*Jul 22 18:38:23.454: ISAKMP: SA life type in seconds
*Jul 22 18:38:23.454: ISAKMP: SA life duration (basic) of 3600
*Jul 22 18:38:23.454: ISAKMP: SA life type in kilobytes
*Jul 22 18:38:23.454: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 22 18:38:23.454: ISAKMP: authenticator is HMAC-SHA
*Jul 22 18:38:23.454: ISAKMP: key length is 256
*Jul 22 18:38:23.454: ISAKMP: group is 5
*Jul 22 18:38:23.454: ISAKMP:(1004):atts are acceptable.
*Jul 22 18:38:23.454: ISAKMP:(1004): processing NONCE payload. message ID = -1681231133
*Jul 22 18:38:23.454: ISAKMP:(1004): processing KE payload. message ID = -1681231133
*Jul 22 18:38:23.650: ISAKMP:(1004): processing ID payload. message ID = -1681231133
*Jul 22 18:38:23.650: ISAKMP:(1004): processing ID payload. message ID = -1681231133
*Jul 22 18:38:23.654: ISAKMP:(1004): Creating IPSec SAs
*Jul 22 18:38:23.654: inbound SA from 10.0.0.6 to 10.0.0.1 (f/i) 0/ 0
(proxy 192.168.4.0 to 192.168.3.0)
*Jul 22 18:38:23.654: has spi 0x2F78766F and conn_id 0
*Jul 22 18:38:23.654: lifetime of 3600 seconds
*Jul 22 18:38:23.654: lifetime of 4608000 kilobytes
*Jul 22 18:38:23.654: outbound SA from 10.0.0.1 to 10.0.0.6 (f/i) 0/0
(proxy 192.168.3.0 to 192.168.4.0)
*Jul 22 18:38:23.654: has spi 0xFFF83E23 and conn_id 0
*Jul 22 18:38:23.654: lifetime of 3600 seconds
*Jul 22 18:38:23.654: lifetime of 4608000 kilobytes
*Jul 22 18:38:23.654: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE (10 in Wireshark)
*Jul 22 18:38:23.654: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jul 22 18:38:23.658: ISAKMP:(1004):deleting node -1681231133 error FALSE reason "No Error"
*Jul 22 18:38:23.658: ISAKMP:(1004):Node -1681231133, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 22 18:38:23.658: ISAKMP:(1004):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Rosario#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.6        10.0.0.1        QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

Rosario#
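The policy selection that the debug output above documents, modelled as an added Python example (it is not code from the original document nor from Cisco IOS). The policy values are the ones listed above for Rosario and BsAs; the matching rule is an assumption taken from what the capture shows: encryption, key length, hash, DH group and authentication must be identical, a lifetime difference does not block the match, and the shorter lifetime is adopted and announced with RESPONDER_LIFETIME.

```python
# Added example, not from the original document. Models the IKEv1 Main Mode
# policy match observed in the capture: BsAs (one policy) answers Rosario (five).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IkePolicy:
    priority: int    # crypto isakmp policy <priority>
    encr: str        # "des" (IOS default), "3des" or "aes"
    keylen: int      # 0 for des/3des; 128/192/256 for aes
    hash_alg: str    # "sha" is the IOS default
    group: int       # Diffie-Hellman group number
    auth: str        # "pre-share"
    lifetime: int    # seconds

# Values taken from the page: Rosario with five policies, BsAs with one.
ROSARIO = [
    IkePolicy(10, "des",  0,   "sha", 5, "pre-share", 3600),
    IkePolicy(20, "3des", 0,   "sha", 2, "pre-share", 3600),
    IkePolicy(30, "3des", 0,   "sha", 5, "pre-share", 3600),
    IkePolicy(40, "aes",  256, "sha", 5, "pre-share", 28800),
    IkePolicy(50, "aes",  256, "sha", 5, "pre-share", 3600),
]
BSAS = [IkePolicy(10, "aes", 256, "sha", 5, "pre-share", 3600)]

def by_priority(policies: List[IkePolicy]) -> List[IkePolicy]:
    # The initiator sends one transform per policy, lowest priority number first.
    return sorted(policies, key=lambda p: p.priority)

def attrs_match(a: IkePolicy, b: IkePolicy) -> bool:
    # Lifetime is deliberately excluded: in the capture it never blocks a match
    # (assumed rule, derived from the observed behaviour).
    return (a.encr, a.keylen, a.hash_alg, a.group, a.auth) == \
           (b.encr, b.keylen, b.hash_alg, b.group, b.auth)

def responder_select(local: List[IkePolicy], offered: List[IkePolicy]) -> Optional[dict]:
    """Responder (BsAs): its own policies in priority order against the offered
    transforms in the order received. The matching transform is echoed back
    unchanged; a shorter local lifetime is signalled with RESPONDER_LIFETIME."""
    for pol in by_priority(local):
        for number, tr in enumerate(offered, start=1):
            if attrs_match(pol, tr):
                return {"transform": number, "responder_policy": pol.priority,
                        "lifetime": min(pol.lifetime, tr.lifetime),
                        "responder_lifetime_notify": pol.lifetime < tr.lifetime}
    return None

def initiator_accept(local: List[IkePolicy], echoed: IkePolicy) -> Optional[int]:
    """Initiator (Rosario): the echoed transform is checked against local
    policies in priority order; the first match wins (policy 40 on the page,
    so policy 50 is never consulted)."""
    for pol in by_priority(local):
        if attrs_match(pol, echoed):
            return pol.priority
    return None

def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[dict]:
    offered = by_priority(initiator)
    result = responder_select(responder, offered)
    if result is not None:
        result["initiator_policy"] = initiator_accept(initiator, offered[result["transform"] - 1])
    return result

def weak_transforms(initiator: List[IkePolicy]) -> List[int]:
    """Defender check: transform numbers carrying DES/3DES or DH group 1/2.
    Every configured policy goes on the wire, so these are offered even though
    a strong policy exists further down the list."""
    return [n for n, tr in enumerate(by_priority(initiator), start=1)
            if tr.encr in ("des", "3des") or tr.group in (1, 2)]

if __name__ == "__main__":
    print(negotiate(ROSARIO, BSAS))   # transform 4, policy 40, lifetime 3600
    print(weak_transforms(ROSARIO))   # [1, 2, 3]
```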
Detail of the IKE negotiation with several policies:
Initiated from Rosario:
Frame 1: 338 bytes on wire (2704 bits), 338 bytes captured (2704 bits) on interface 0
Ethernet II, Src: Cisco_c9:0b:17 (00:1f:9e:c9:0b:17), Dst: Cisco_08:4b:4e (00:1d:e6:08:4b:4e)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 123a0d790c4e9740
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 296
    Type Payload: Security Association (1)
        Next payload: Vendor ID (13)
        Payload length: 188
        Domain of interpretation: IPSEC (1)
        Situation: 00000001
        Type Payload: Proposal (2) # 1
            Next payload: NONE / No Next Payload (0)
            Payload length: 176
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 5
            Type Payload: Transform (3) # 1 (different from BsAs, marked in bold)
                Next payload: Transform (3)
                Payload length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : DES-CBC
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
            Type Payload: Transform (3) # 2 (different from BsAs, marked in bold)
                Next payload: Transform (3)
                Payload length: 32
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
            Type Payload: Transform (3) # 3 (different from BsAs, marked in bold)
                Next payload: Transform (3)
                Payload length: 32
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
            Type Payload: Transform (3) # 4 (different from BsAs, marked in bold)
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 4
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 28800
            Type Payload: Transform (3) # 5 (same as BsAs)
                Next payload: NONE / No Next Payload (0)
                Payload length: 36
                Transform number: 5
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: 4a131c81070358455c5728f20e95452f
        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-07
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: 439b59f8ba676c4c7737ae22eab8f582
        Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: 7d9419a65310ca6f2c179d9215529d56
        Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
        Next payload: NONE / No Next Payload (0)
        Payload length: 20
        Vendor ID: 90cb80913ebb696e086381b5ec427b1f
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
Reply from BsAs
Frame 2: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits) on interface 0
Ethernet II, Src: Cisco_08:4b:4e (00:1d:e6:08:4b:4e), Dst: Cisco_c9:0b:17 (00:1f:9e:c9:0b:17)
Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 123a0d790c4e9740
    Responder cookie: c79c237c78bcddc3
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 104
    Type Payload: Security Association (1)
        Next payload: Vendor ID (13)
        Payload length: 56
        Domain of interpretation: IPSEC (1)
        Situation: 00000001
        Type Payload: Proposal (2) # 1
            Next payload: NONE / No Next Payload (0)
            Payload length: 44
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 1
            Type Payload: Transform (3) # 1
                Next payload: NONE / No Next Payload (0)
                Payload length: 36
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 28800 (agreed instead of 3600)
    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
        Next payload: NONE / No Next Payload (0)
        Payload length: 20
        Vendor ID: 4a131c81070358455c5728f20e95452f
        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
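An added example, not part of the original document: a minimal decoder for the ISAKMP header, the SA/Proposal/Transform payloads and the Vendor ID payloads, run on a byte-level reconstruction of BsAs's reply (Frame 2) built from the field values in the dissection above. The constants follow RFC 2408/2409; the byte string is constructed here from those values and is not the captured packet itself.

```python
# Added example, not from the original document. Decodes IKEv1/ISAKMP Main Mode
# message 2 (the responder's single accepted transform) the way Wireshark shows it.
import struct

# Attribute value tables from RFC 2409 Appendix A (only the values this page uses).
ENCR = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA"}
AUTH = {1: "PSK"}
GROUP = {1: "768 bit MODP group", 2: "Alternate 1024-bit MODP group", 5: "1536 bit MODP group"}
LIFE = {1: "Seconds", 2: "Kilobytes"}
ATTRS = {1: ("Encryption-Algorithm", ENCR), 2: ("Hash-Algorithm", HASH),
         3: ("Authentication-Method", AUTH), 4: ("Group-Description", GROUP),
         11: ("Life-Type", LIFE), 12: ("Life-Duration", {}), 14: ("Key-Length", {})}
# The four NAT-T vendor IDs seen in Frame 1 and Frame 2 of the capture.
VENDOR_IDS = {
    "4a131c81070358455c5728f20e95452f": "RFC 3947 Negotiation of NAT-Traversal in the IKE",
    "439b59f8ba676c4c7737ae22eab8f582": "draft-ietf-ipsec-nat-t-ike-07",
    "7d9419a65310ca6f2c179d9215529d56": "draft-ietf-ipsec-nat-t-ike-03",
    "90cb80913ebb696e086381b5ec427b1f": "draft-ietf-ipsec-nat-t-ike-02\\n",
}

def basic_attr(t: int, v: int) -> bytes:
    # TV ("basic") attribute: high bit of the type set, 2-byte value.
    return struct.pack("!HH", 0x8000 | t, v)

def build_bsas_reply() -> bytes:
    """Constructed sample: BsAs's Main Mode reply rebuilt from the Frame 2 values."""
    attrs = b"".join(basic_attr(t, v) for t, v in
                     [(1, 7), (14, 256), (2, 2), (4, 5), (3, 1), (11, 1), (12, 28800)])
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs            # 36 bytes
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform  # 44 bytes
    sa = struct.pack("!BBHII", 13, 0, 12 + len(proposal), 1, 1) + proposal                # 56, next: VID
    vid = struct.pack("!BBH", 0, 0, 20) + bytes.fromhex("4a131c81070358455c5728f20e95452f")
    body = sa + vid
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("123a0d790c4e9740"),
                      bytes.fromhex("c79c237c78bcddc3"), 1, 0x10, 2, 0, 0, 28 + len(body))
    return hdr + body                                                                     # 104 bytes

def parse_attrs(data: bytes) -> dict:
    out, off = {}, 0
    while off + 4 <= len(data):
        t, v = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if not t & 0x8000:                       # TLV form: v is the value length
            v, off = int.from_bytes(data[off:off + v], "big"), off + v
        name, table = ATTRS.get(t & 0x7FFF, (f"attr-{t & 0x7FFF}", {}))
        out[name] = table.get(v, v)
    return out

def parse_sa(body: bytes) -> dict:
    doi, situation = struct.unpack("!II", body[:8])
    off, proposals = 8, []
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid, _ = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append({"number": tnum, "id": tid, **parse_attrs(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}

def parse_isakmp(pkt: bytes) -> dict:
    icky, rcky, nxt, ver, xchg, flags, mid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match the datagram")
    off, payloads = 28, []
    while nxt != 0:                               # walk the payload chain
        nxt_after, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        body = pkt[off + 4:off + plen]
        if nxt == 1:
            payloads.append(("SA", parse_sa(body)))
        elif nxt == 13:
            payloads.append(("Vendor ID", VENDOR_IDS.get(body.hex(), body.hex())))
        else:
            payloads.append((f"payload-{nxt}", body.hex()))
        off, nxt = off + plen, nxt_after
    return {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": xchg, "flags": flags,
            "message_id": mid, "length": length, "payloads": payloads}
```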
(2014) Sensei, I can see light at the end of the tunnel!
Rosario, Argentina