Forensic analysis of an IPSec negotiation connecting two sites over a VPN

Date: September 2014. Class: CCNA Security

 

Scenario

This scenario derives from earlier tests based on NAT; those details are analysed in a separate document.

This scenario analyses the IKE phase I and phase II negotiations and the ESP traffic between the peers once the tunnel is established. It also examines the negotiation of the security association (SA) when several security policies are configured on one end and a single one on the other.

 

Everything written in this document is my own interpretation and may change as pending steps of the IPSec process are debugged or investigated. All contributions are welcome at ernesto@vilarrasa.com.ar.

 

Phases of IPSec tunnel establishment

1. A packet arrives at the router and its destination network is examined.

2. Using the routing table it is determined that the packet must be sent out the WAN interface; on Internet VPNs the default route is usually the one used.

3. Just before transmission on that interface the packet must be evaluated, because a crypto map is attached to the interface.

4. The crypto map has an ACL associated with it; the packet is evaluated against that ACL looking for a match.

5. If the packet matches and a security association (SA) already exists between the peers (the routers terminating the tunnel), it is encrypted according to the IPSec policy agreed between them.

6. If no security association is established, the peer is looked up in the crypto map entry corresponding to the ACL.

7. Common phase I (ISAKMP) policies are negotiated with the peer declared in that crypto map entry; for this the router looks up the peer configuration and the PSK required for phase I.

8. A secure exchange over an insecure medium is produced using Diffie-Hellman keys.

9. The identities of the peers are verified, with the negotiation now encrypted.

10. IPSec phase II (quick mode) is established, where the policies that protect the tunnel traffic are agreed.

11. Traffic now crosses the tunnel protected with the policy agreed between the peers.

12. Subsequent traffic goes through steps 1, 2, 3, 4, 5 and 11.


Analysed traffic

IPSec phase I (ISAKMP):

No.     Source                Destination Protocol Length

      2 10.0.0.1              10.0.0.6              ISAKMP   206    Identity Protection (Main Mode)

 

Frame 2: 206 bytes on wire (1648 bits), 206 bytes captured (1648 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61) (OSI layer 2)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6) (OSI layer 3)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500) (OSI layer 4)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 0000000000000000

    Next payload: Security Association (1)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

        .... ...0 = Encryption: Not encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 164

    Type Payload: Security Association (1)

        Next payload: Vendor ID (13)

        Payload length: 56

        Domain of interpretation: IPSEC (1)

        Situation: 00000001

        Type Payload: Proposal (2) # 1

            Next payload: NONE / No Next Payload  (0)

            Payload length: 44

            Proposal number: 1

            Protocol ID: ISAKMP (1)

            SPI Size: 0

            Proposal transforms: 1

            Type Payload: Transform (3) # 1

                Next payload: NONE / No Next Payload  (0)

                Payload length: 36

                Transform number: 1

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Encryption-Algorithm (1)

                    Value: 0007

                    Encryption Algorithm: AES-CBC (7)

                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Key-Length (14)

                    Value: 0100

                    Key Length: 256

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Hash-Algorithm (2)

                    Value: 0002

                    HASH Algorithm: SHA (2)

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Group-Description (4)

                    Value: 0005

                    Group Description: 1536 bit MODP group (5)

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Authentication-Method (3)

                    Value: 0001

                    Authentication Method: PSK (1)

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Life-Type (11)

                    Value: 0001

                    Life Type: Seconds (1)

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Life-Duration (12)

                    Value: 0e10

                    Life Duration: 3600

    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 4a131c81070358455c5728f20e95452f

        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-07

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 439b59f8ba676c4c7737ae22eab8f582

        Vendor ID: draft-ietf-ipsec-nat-t-ike-07

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 7d9419a65310ca6f2c179d9215529d56

        Vendor ID: draft-ietf-ipsec-nat-t-ike-03

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n

        Next payload: NONE / No Next Payload  (0)

        Payload length: 20

        Vendor ID: 90cb80913ebb696e086381b5ec427b1f

        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n

 

No.     Source                Destination Protocol Length

      3 10.0.0.6              10.0.0.1              ISAKMP   146    Identity Protection (Main Mode)

 

Frame 3: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1) (reply from the peer)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Security Association (1)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

        .... ...0 = Encryption: Not encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 104

    Type Payload: Security Association (1)

        Next payload: Vendor ID (13)

        Payload length: 56

        Domain of interpretation: IPSEC (1)

        Situation: 00000001

        Type Payload: Proposal (2) # 1

            Next payload: NONE / No Next Payload  (0)

            Payload length: 44

            Proposal number: 1

            Protocol ID: ISAKMP (1)

            SPI Size: 0

            Proposal transforms: 1

            Type Payload: Transform (3) # 1

                Next payload: NONE / No Next Payload  (0)

                Payload length: 36

                Transform number: 1

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Encryption-Algorithm (1)

                    Value: 0007

                    Encryption Algorithm: AES-CBC (7)

                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Key-Length (14)

                    Value: 0100

                    Key Length: 256

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Hash-Algorithm (2)

                    Value: 0002

                    HASH Algorithm: SHA (2)

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Group-Description (4)

                    Value: 0005

                    Group Description: 1536 bit MODP group (5)

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Authentication-Method (3)

                    Value: 0001

                    Authentication Method: PSK (1)

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Life-Type (11)

                    Value: 0001

                    Life Type: Seconds (1)

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

                    1... .... .... .... = Transform IKE Format: Type/Value (TV)

                    Transform IKE Attribute Type: Life-Duration (12)

                    Value: 0e10

                    Life Duration: 3600

    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE

        Next payload: NONE / No Next Payload  (0)

        Payload length: 20

        Vendor ID: 4a131c81070358455c5728f20e95452f

        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
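The proposal comparison in steps 6 and 7 of the phase list, and the SA payload that Wireshark decodes in frames 2 and 3, can be reproduced in code. The following Python is an added example written for this page, not code from the original document or from Cisco IOS. It rebuilds the 164-byte ISAKMP message of frame 2 from the decoded values above (the bytes are constructed, not taken from the capture), parses the header, the payload chain and the transform attributes with bounds checks on every length field, and then checks the offered transform against a constructed list of local policies in priority order, the way the responder's `Checking ISAKMP transform 1 against priority 10 policy` step does. The policy set, the attribute-name mapping and the lifetime rule (an offered lifetime must not exceed the local one) are assumptions of the example.

```python
"""Parse an IKEv1 (ISAKMP) Main Mode message and check its SA proposal against local
policies in priority order, as the responder does. Frame 2 is rebuilt from the values
Wireshark shows on the page (constructed bytes, not the capture itself)."""
import struct

# IKEv1 phase 1 attribute type numbers (IANA "IPsec Security Association Attributes")
ENCRYPTION, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION, KEY_LENGTH = 1, 2, 3, 4, 11, 12, 14
NAMES = {ENCRYPTION: "enc", HASH: "hash", AUTH: "auth", GROUP: "group",
         LIFE_TYPE: "life_type", LIFE_DURATION: "life", KEY_LENGTH: "keylength"}

def tv(attr_type, value):
    """Encode one attribute in Type/Value form (high bit set): 2-byte type, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

# Transform #1 of frame 2: AES-CBC(7), 256-bit key, SHA(2), group 5, PSK(1), seconds(1), 3600
FRAME2_ATTRS = [(ENCRYPTION, 7), (KEY_LENGTH, 256), (HASH, 2), (GROUP, 5),
                (AUTH, 1), (LIFE_TYPE, 1), (LIFE_DURATION, 3600)]
FRAME2_VENDOR_IDS = [bytes.fromhex(h) for h in (
    "4a131c81070358455c5728f20e95452f",    # RFC 3947 NAT-T
    "439b59f8ba676c4c7737ae22eab8f582",    # draft-ietf-ipsec-nat-t-ike-07
    "7d9419a65310ca6f2c179d9215529d56",    # draft-ietf-ipsec-nat-t-ike-03
    "90cb80913ebb696e086381b5ec427b1f")]   # draft-ietf-ipsec-nat-t-ike-02

def build_frame2():
    """Rebuild the 164-byte ISAKMP message of frame 2: header, SA payload, four Vendor IDs."""
    attrs = b"".join(tv(t, v) for t, v in FRAME2_ATTRS)
    # transform header: next, reserved, length, transform#, transform ID KEY_IKE(1), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # proposal header: next, reserved, length, proposal#, protocol ISAKMP(1), SPI size 0, #transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa_body = struct.pack("!II", 1, 1) + proposal            # DOI IPSEC(1), situation 1
    payloads = [(1, sa_body)] + [(13, v) for v in FRAME2_VENDOR_IDS]
    body = b""
    for i, (_, data) in enumerate(payloads):                 # generic header names the NEXT payload
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    header = struct.pack("!8s8sBBBBII", bytes.fromhex("03aad8e9957f9bb8"), bytes(8),
                         payloads[0][0], 0x10, 2, 0x00, 0, 28 + len(body))   # v1.0, Main Mode, no flags
    return header + body

def parse_isakmp(msg):
    """Decode the 28-byte header and walk the payload chain; every length is bounds-checked."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header says %d bytes, %d on the wire" % (length, len(msg)))
    header = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": "%d.%d" % (ver >> 4, ver & 15),
              "exchange": exch, "encrypted": bool(flags & 1), "message_id": msg_id}
    payloads, off = [], 28
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past the message")
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((nxt, msg[off + 4:off + plen]))
        off, nxt = off + plen, following
    return header, payloads

def parse_sa(sa_body):
    """Return one {attribute name: value} dict per transform found in an SA payload body."""
    transforms, off = [], 8                                   # skip DOI and situation
    while off + 8 <= len(sa_body):
        _, _, plen, _, _, spi_size, ntrans = struct.unpack("!BBHBBBB", sa_body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _, _, tlen, _, _, _ = struct.unpack("!BBHBBH", sa_body[toff:toff + 8])
            attrs, aoff = {}, toff + 8
            while aoff + 4 <= toff + tlen:
                atype, avalue = struct.unpack("!HH", sa_body[aoff:aoff + 4])
                if atype & 0x8000:                            # TV: avalue is the value
                    attrs[NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = avalue
                    aoff += 4
                else:                                         # TLV: avalue is the value length
                    attrs[NAMES.get(atype, atype)] = int.from_bytes(sa_body[aoff + 4:aoff + 4 + avalue], "big")
                    aoff += 4 + avalue
            transforms.append(attrs)
            toff += tlen
        off += plen
    return transforms

# Local policies in "crypto isakmp policy <priority>" order (constructed): priority 10 is
# 3DES(5)/MD5(1)/group 2 and cannot match; priority 20 equals the peer's only proposal.
POLICIES = {10: {"enc": 5, "keylength": None, "hash": 1, "auth": 1, "group": 2, "life": 86400},
            20: {"enc": 7, "keylength": 256, "hash": 2, "auth": 1, "group": 5, "life": 3600}}

def match_policy(transforms, policies):
    """Lowest-numbered policy whose algorithms equal an offered transform and whose lifetime
    is not shorter than the offered one; None when nothing matches (negotiation fails)."""
    for attrs in transforms:
        for prio in sorted(policies):
            pol = policies[prio]
            algos_equal = all(attrs.get(k) == pol[k] for k in ("enc", "keylength", "hash", "auth", "group"))
            if algos_equal and attrs.get("life", pol["life"]) <= pol["life"]:
                return prio
    return None

if __name__ == "__main__":
    hdr, payloads = parse_isakmp(build_frame2())
    offered = parse_sa(payloads[0][1])
    print(hdr, offered, "-> policy", match_policy(offered, POLICIES))
```

Message 1 of Main Mode arrives before any authentication, so its payload chain is entirely under the sender's control; that is why the parser refuses a header length that disagrees with the datagram, a payload length shorter than its own 4-byte header, and a chain that runs past the buffer rather than trusting the fields. With the constructed policy set the match lands on priority 20, which is the case the scenario describes: several policies on one end, a single proposal from the other.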

 

Diffie-Hellman exchange:

 

 

No.     Source                Destination Protocol Length

      4 10.0.0.1              10.0.0.6              ISAKMP   390    Identity Protection (Main Mode)

 

Frame 4: 390 bytes on wire (3120 bits), 390 bytes captured (3120 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Key Exchange (4)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

        .... ...0 = Encryption: Not encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 348

    Type Payload: Key Exchange (4)

        Next payload: Nonce (10)

        Payload length: 196

        Key Exchange Data: 8e7d32e78ba32c60faee05b41dae0b0735e25e7928e38259...

    Type Payload: Nonce (10)

        Next payload: Vendor ID (13)

        Payload length: 24

        Nonce DATA: 93143975e7aa0e9b4c407ed2fe4137ba2c19f665

    Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: afcad71368a1f1c96b8696fc77570100

        Vendor ID: RFC 3706 DPD (Dead Peer Detection)

    Type Payload: Vendor ID (13) : Unknown Vendor ID

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: f66d7ff4957e9bb88c37ee4fde06d3dc

        Vendor ID: Unknown Vendor ID

    Type Payload: Vendor ID (13) : XAUTH

        Next payload: NAT-D (RFC 3947) (20)

        Payload length: 12

        Vendor ID: 09002689dfd6b712

        Vendor ID: XAUTH

    Type Payload: NAT-D (RFC 3947) (20)

        Next payload: NAT-D (RFC 3947) (20)

        Payload length: 24

        HASH of the address and port: 1f515c8e9201c59472b1b3cdeed2ff01e8ce0fbd

    Type Payload: NAT-D (RFC 3947) (20)

        Next payload: NONE / No Next Payload  (0)

        Payload length: 24

        HASH of the address and port: 982866c15a6a187ac932fe8270caae07808043bd

 

No.     Source                Destination Protocol Length

      5 10.0.0.6              10.0.0.1              ISAKMP   410    Identity Protection (Main Mode)

 

Frame 5: 410 bytes on wire (3280 bits), 410 bytes captured (3280 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1) (reply from the peer)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Key Exchange (4)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

        .... ...0 = Encryption: Not encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 368

    Type Payload: Key Exchange (4)

        Next payload: Nonce (10)

        Payload length: 196

        Key Exchange Data: 397729b63c89901909190955d57d1f7fd156e2b8de200f15...

    Type Payload: Nonce (10)

        Next payload: Vendor ID (13)

        Payload length: 24

        Nonce DATA: 88766d3cc5cb7c4a34d1f0f41d396891a40a14b3

    Type Payload: Vendor ID (13) : CISCO-UNITY 1.0

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 12f5f28c457168a9702d9fe274cc0100

        Vendor ID: CISCO-UNITY

        CISCO-UNITY Major version: 1

        CISCO-UNITY Minor version: 0

    Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: afcad71368a1f1c96b8696fc77570100

        Vendor ID: RFC 3706 DPD (Dead Peer Detection)

    Type Payload: Vendor ID (13) : Unknown Vendor ID

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 68b9cd555582e66cc960c9cf58ade265

        Vendor ID: Unknown Vendor ID

    Type Payload: Vendor ID (13) : XAUTH

        Next payload: NAT-D (RFC 3947) (20)

        Payload length: 12

        Vendor ID: 09002689dfd6b712

        Vendor ID: XAUTH

    Type Payload: NAT-D (RFC 3947) (20)

        Next payload: NAT-D (RFC 3947) (20)

        Payload length: 24

        HASH of the address and port: 982866c15a6a187ac932fe8270caae07808043bd

    Type Payload: NAT-D (RFC 3947) (20)

        Next payload: NONE / No Next Payload  (0)

        Payload length: 24

        HASH of the address and port: 1f515c8e9201c59472b1b3cdeed2ff01e8ce0fbd

 

No.     Source                Destination Protocol Length

      6 10.0.0.1              10.0.0.6              ISAKMP   150    Identity Protection (Main Mode)

 

Frame 6: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Identification (5)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x01

        .... ...1 = Encryption: Encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 108

    Encrypted Data (80 bytes)

 

No.     Source                Destination Protocol Length

      7 10.0.0.6              10.0.0.1              ISAKMP   118    Identity Protection (Main Mode)

 

Frame 7: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Identification (5)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x01

        .... ...1 = Encryption: Encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x00000000

    Length: 76

    Encrypted Data (48 bytes)

 

From section 8.3.3 (5) of the CCNA Security curriculum:

 

The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel.

IKE Phase 2 is called quick mode and can only occur after IKE has established the secure tunnel in Phase 1.

SAs are negotiated by the IKE process ISAKMP on behalf of IPsec, which needs encryption keys for operation.

Quick mode negotiates the IKE Phase 2 SAs. In this phase, the SAs that IPsec uses are unidirectional; therefore, a separate key

exchange is required for each data flow.

 

IKE Phase 2 performs the following functions:

 

·         Negotiates IPsec security parameters, known as IPsec transform sets

·         Establishes IPsec SAs

·         Periodically renegotiates IPsec SAs to ensure security

·         Optionally performs an additional DH exchange

 

 

No.     Source                Destination Protocol Length

      8 10.0.0.1              10.0.0.6              ISAKMP   422    Quick Mode

 

Frame 8: 422 bytes on wire (3376 bits), 422 bytes captured (3376 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Hash (8)

    Version: 1.0

    Exchange type: Quick Mode (32)

    Flags: 0x01

        .... ...1 = Encryption: Encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x493c0aa4

    Length: 380

    Encrypted Data (352 bytes)

 

No.     Source                Destination Protocol Length

      9 10.0.0.6              10.0.0.1              ISAKMP   422    Quick Mode

 

Frame 9: 422 bytes on wire (3376 bits), 422 bytes captured (3376 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Hash (8)

    Version: 1.0

    Exchange type: Quick Mode (32)

    Flags: 0x01

        .... ...1 = Encryption: Encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x493c0aa4

    Length: 380

    Encrypted Data (352 bytes)

 

No.     Source                Destination Protocol Length

     10 10.0.0.1              10.0.0.6              ISAKMP   102    Quick Mode

 

Frame 10: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 03aad8e9957f9bb8

    Responder cookie: 9d7e6a485583e66c

    Next payload: Hash (8)

    Version: 1.0

    Exchange type: Quick Mode (32)

    Flags: 0x01

        .... ...1 = Encryption: Encrypted

        .... ..0. = Commit: No commit

        .... .0.. = Authentication: No authentication

    Message ID: 0x493c0aa4

    Length: 60

    Encrypted Data (32 bytes)

 

Traffic with the tunnel established:

[Image: http://www.free-it.de/archiv/talks_2005/paper-11156/Pictures/100000000000033A0000016CD539E27A.png]

 

No.     Source                Destination Protocol Length

     11 10.0.0.1              10.0.0.6              ESP      134    ESP (SPI=0xb9c670c4)

 

Frame 11: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

Encapsulating Security Payload

    ESP SPI: 0xb9c670c4 (3116789956)

    ESP Sequence: 1

 

No.     Source                Destination Protocol Length

     15 10.0.0.6              10.0.0.1              ESP      118    ESP (SPI=0x794d8088)

 

Frame 15: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)

Encapsulating Security Payload

    ESP SPI: 0x794d8088 (2035122312)

    ESP Sequence: 1

 

No.     Source                Destination Protocol Length

     16 10.0.0.1              10.0.0.6              ESP      118    ESP (SPI=0xb9c670c4)

 

Frame 16: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

Encapsulating Security Payload

    ESP SPI: 0xb9c670c4 (3116789956)

    ESP Sequence: 2

 

No.     Source                Destination Protocol Length

     17 10.0.0.1              10.0.0.6              ESP      134    ESP (SPI=0xb9c670c4)

 

Frame 17: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

Encapsulating Security Payload

    ESP SPI: 0xb9c670c4 (3116789956)

    ESP Sequence: 3

 

No.     Source                Destination Protocol Length

     18 10.0.0.6              10.0.0.1              ESP      134    ESP (SPI=0x794d8088)

 

Frame 18: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0

Ethernet II, Src: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61), Dst: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)

Encapsulating Security Payload

    ESP SPI: 0x794d8088 (2035122312)

    ESP Sequence: 2

 

No.     Source                Destination Protocol Length

     19 10.0.0.1              10.0.0.6              ESP      134    ESP (SPI=0xb9c670c4)

 

Frame 19: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0

Ethernet II, Src: 00:1d:e6:08:4b:4f (00:1d:e6:08:4b:4f), Dst: 00:1d:46:a5:27:61 (00:1d:46:a5:27:61)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

Encapsulating Security Payload

    ESP SPI: 0xb9c670c4 (3116789956)

    ESP Sequence: 4
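Each ESP frame above exposes only a SPI and a sequence number in clear, and the sequence numbers climb by one per direction (1 to 4 on SPI 0xb9c670c4, 1 to 2 on SPI 0x794d8088). The receiver uses exactly these two fields to discard replayed or stale packets. The following Python is an added example, not part of the original document: it implements a sliding anti-replay window in the manner of RFC 4303 section 3.4.3 and runs it over ESP headers reconstructed from the SPIs and sequence numbers of frames 11 to 19, followed by constructed packets for a replayed copy of frame 16 and for a sequence number that has fallen behind the window. The window size, the `esp()` builder and the sample packet list are assumptions of the example.

```python
"""ESP anti-replay window (RFC 4303 section 3.4.3 style) run over ESP headers built from
the SPIs and sequence numbers of the frames above; sample packets are constructed."""
import struct

class ReplayWindow:
    """Sliding window of accepted sequence numbers for one inbound SA (one per SPI)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence number (top - i) was accepted

    def check(self, seq):
        """Classify seq without changing state; the window advances only after the ICV verifies."""
        if seq == 0:
            return "zero"                        # the first ESP packet on an SA carries sequence 1
        if seq > self.top:
            return "ok"                          # right of the window: new high-water mark
        diff = self.top - seq
        if diff >= self.size:
            return "stale"                       # left of the window: too old to judge, drop
        return "replay" if (self.bitmap >> diff) & 1 else "ok"

    def commit(self, seq):
        """Record seq as accepted (call only after integrity verification succeeded)."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def parse_esp_header(esp):
    """ESP starts with a 4-byte SPI and a 4-byte sequence number; the rest is ciphertext plus ICV."""
    if len(esp) < 8:
        raise ValueError("ESP header needs 8 bytes, got %d" % len(esp))
    return struct.unpack("!II", esp[:8])

def audit_esp_stream(packets, window_size=64):
    """packets: iterable of (destination IP, ESP bytes). Returns [(spi, seq, verdict), ...]."""
    windows, verdicts = {}, []
    for dst, esp_bytes in packets:
        spi, seq = parse_esp_header(esp_bytes)
        win = windows.setdefault((dst, spi), ReplayWindow(window_size))   # inbound SA = (dst, SPI)
        verdict = win.check(seq)
        if verdict == "ok":
            win.commit(seq)   # no ICV here to verify; a real SA commits only after the ICV check
        verdicts.append((spi, seq, verdict))
    return verdicts

def esp(spi, seq, payload=b"\x00" * 16):
    """Build a minimal ESP packet (constructed: the payload stands in for ciphertext + ICV)."""
    return struct.pack("!II", spi, seq) + payload

# Constructed from frames 11, 15, 16, 17, 18 and 19 above, then a replayed copy of frame 16,
# a large forward jump, and a sequence number that has by then dropped out of the window.
SAMPLE = [
    ("10.0.0.6", esp(0xb9c670c4, 1)), ("10.0.0.1", esp(0x794d8088, 1)),
    ("10.0.0.6", esp(0xb9c670c4, 2)), ("10.0.0.6", esp(0xb9c670c4, 3)),
    ("10.0.0.1", esp(0x794d8088, 2)), ("10.0.0.6", esp(0xb9c670c4, 4)),
    ("10.0.0.6", esp(0xb9c670c4, 2)),      # replay of frame 16
    ("10.0.0.6", esp(0xb9c670c4, 3000)),   # forward jump: accepted, window slides to 3000
    ("10.0.0.6", esp(0xb9c670c4, 5)),      # now 2995 behind the top: stale, dropped
]

if __name__ == "__main__":
    for spi, seq, verdict in audit_esp_stream(SAMPLE):
        print("SPI 0x%08x seq %d: %s" % (spi, seq, verdict))
```

The split between `check()` and `commit()` is deliberate: a receiver that advanced the window before verifying the ICV could be pushed forward by forged packets until legitimate ones fell out as stale, so the window is only updated once the packet has been authenticated.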

 

Debugging the negotiation on the Rosario router:

Interesting traffic is generated from the PC 192.168.1.101 to the SW 192.168.4.2, at the other end of the tunnel.

 

The following four modes are found in IKE main mode

 

MM_NO_STATE – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)

MM_SA_SETUP – Both peers agree on ISAKMP SA parameters and will move along the process

MM_KEY_EXCH – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mismatched authentication type or PSK, if it does not proceed to the next step)

MM_KEY_AUTH – ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three modes are found in IKE aggressive mode

 

The following mode is found in IKE Quick Mode, phase 2

 

QM_IDLE – The ISAKMP SA is idle and authenticated
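As an added example (not from the original document), the following Python reads a `debug crypto isakmp` transcript in the format shown on this page, extracts the Old/New state transitions and the MM_* state of the last packet sent or received, and maps that last state to the troubleshooting hint from the table above. The first sample log is made of lines taken from the Rosario debug that follows; the second is a constructed run cut off after message 5, to show the MM_KEY_EXCH diagnosis for a negotiation where the peer never answers. The regular expressions, the hint texts and the summary fields are the example's own assumptions.

```python
"""Summarise an IOS 'debug crypto isakmp' transcript: state transitions, direction and
MM_* state of the last packet, and a troubleshooting hint keyed on that state."""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PKT_RE = re.compile(r"(sending|received) packet (?:to|from) (\d+\.\d+\.\d+\.\d+) .*\(([IR])\) (\S+)")

# Hints keyed on the MM_*/QM_* state of the last packet (wording follows the table above).
HINTS = {
    "MM_NO_STATE": "ISAKMP SA started but never progressed: check connectivity to the peer on UDP/500",
    "MM_SA_SETUP": "phase 1 parameters agreed; the DH exchange did not complete",
    "MM_KEY_EXCH": "DH keys exchanged but no authenticated reply: suspect a mismatched PSK or authentication type",
    "MM_KEY_AUTH": "main mode authenticated; expect QM_IDLE next",
    "QM_IDLE": "ISAKMP SA idle and authenticated",
}

def summarize(lines):
    """Return role (I/R), the state sequence, the last packet's direction and mode, the peer,
    whether 'SA has been authenticated' was logged, and a hint for where it stopped."""
    s = {"role": None, "states": [], "last_direction": None, "last_mode": None,
         "peer": None, "authenticated": False}
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            if not s["states"]:
                s["states"].append(m.group(1))          # keep the very first Old State
            s["states"].append(m.group(2))
        m = PKT_RE.search(line)
        if m:
            s["last_direction"], s["peer"], s["role"], s["last_mode"] = m.groups()
        if "SA has been authenticated" in line:
            s["authenticated"] = True
    s["last_state"] = s["states"][-1] if s["states"] else None
    if s["authenticated"]:
        s["hint"] = "phase 1 completed with %s" % s["peer"]
    elif s["last_direction"] == "sending":                  # we sent, nothing came back
        s["hint"] = "no reply after %s: %s" % (s["last_mode"], HINTS.get(s["last_mode"], "unknown state"))
    else:
        s["hint"] = HINTS.get(s["last_mode"], "no ISAKMP packets seen")
    return s

# Lines taken from the Rosario debug output on this page (message 6 and authentication included).
OK_LOG = """\
*Jul 22 18:29:39.630: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jul 22 18:29:39.634: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 22 18:29:39.638: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE
*Jul 22 18:29:39.638: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jul 22 18:29:39.646: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jul 22 18:29:39.646: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jul 22 18:29:39.850: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jul 22 18:29:39.850: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jul 22 18:29:40.058: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul 22 18:29:40.058: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jul 22 18:29:40.066: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul 22 18:29:40.070: ISAKMP:(1003):SA has been authenticated with 10.0.0.6
""".splitlines()

# Constructed stalled run: identical up to message 5, then the peer never answers.
STALLED_LOG = OK_LOG[:10]

if __name__ == "__main__":
    for name, log in (("ok", OK_LOG), ("stalled", STALLED_LOG)):
        r = summarize(log)
        print(name, r["role"], r["last_state"], r["last_direction"], r["last_mode"], "->", r["hint"])
```

The diagnosis relies on direction as well as state: a log whose last event is a packet we sent in MM_KEY_EXCH, with no authentication line afterwards, is the PSK or authentication-type mismatch case the table warns about, whereas the same state with a received packet means message 6 arrived and the next lines decide.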

 

Rosario#debug crypto isakmp

*Jul 22 18:29:39.630: ISAKMP:(0): SA request profile is (NULL)

*Jul 22 18:29:39.630: ISAKMP: Created a peer struct for 10.0.0.6, peer port 500

*Jul 22 18:29:39.630: ISAKMP: New peer created peer = 0x6724CCA8 peer_handle = 0x80000004

*Jul 22 18:29:39.630: ISAKMP: Locking peer struct 0x6724CCA8, refcount 1 for isakmp_initiator

*Jul 22 18:29:39.630: ISAKMP: local port 500, remote port 500

*Jul 22 18:29:39.630: ISAKMP: set new node 0 to QM_IDLE

*Jul 22 18:29:39.630: ISAKMP:(0):insert sa successfully sa = 67A594A4

*Jul 22 18:29:39.630: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jul 22 18:29:39.630: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6 (configured with crypto isakmp key Cisco123 address 10.0.0.6)

*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jul 22 18:29:39.630: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jul 22 18:29:39.630: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jul 22 18:29:39.630: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

 

New State = IKE_I_MM1. This indicates that IKE negotiation has been initiated, and the first ISAKMP message in the

main mode exchange is about to be sent.

Note the I in the message here. This character indicates that Rosario is the initiator of IKE negotiation.

If Rosario were the responder, then an R would be shown.

 

*Jul 22 18:29:39.630: ISAKMP:(0): beginning Main Mode exchange

*Jul 22 18:29:39.634: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul 22 18:29:39.634: ISAKMP:(0): sending an IKE IPv4 Packet.

*Jul 22 18:29:39.638: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE

 

This message contains the accepted proposal (one out of those sent in Rosario's initial message)

 

*Jul 22 18:29:39.638: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:29:39.638: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

 

The state has moved from IKE_I_MM1 to IKE_I_MM2, indicating that this is the second message in the IKE exchange.

Rosario now begins to process the SA payload, which contains the accepted proposal.

Note the message ID here. The function of the message ID is to distinguish messages for different phase 2 exchanges (SAs)

from each other, and so it remains as zero throughout main mode negotiation.

 

*Jul 22 18:29:39.638: ISAKMP:(0): processing SA payload. message ID = 0

*Jul 22 18:29:39.642: ISAKMP:(0): processing vendor id payload

*Jul 22 18:29:39.642: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 22 18:29:39.642: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 22 18:29:39.642: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6

*Jul 22 18:29:39.642: ISAKMP:(0): local preshared key found

*Jul 22 18:29:39.642: ISAKMP : Scanning profiles for xauth ...

*Jul 22 18:29:39.642: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Jul 22 18:29:39.642: ISAKMP:      encryption AES-CBC

*Jul 22 18:29:39.642: ISAKMP:      keylength of 256

*Jul 22 18:29:39.642: ISAKMP:      hash SHA

*Jul 22 18:29:39.642: ISAKMP:      default group 5

*Jul 22 18:29:39.642: ISAKMP:      auth pre-share

*Jul 22 18:29:39.642: ISAKMP:      life type in seconds

*Jul 22 18:29:39.642: ISAKMP:      life duration (basic) of 3600

*Jul 22 18:29:39.642: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul 22 18:29:39.642: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul 22 18:29:39.642: ISAKMP:(0):Acceptable atts:life: 0

*Jul 22 18:29:39.642: ISAKMP:(0):Basic life_in_seconds:3600

*Jul 22 18:29:39.642: ISAKMP:(0):Returning Actual lifetime: 3600

*Jul 22 18:29:39.642: ISAKMP:(0)::Started lifetime timer: 3600.

*Jul 22 18:29:39.642: ISAKMP:(0): processing vendor id payload

*Jul 22 18:29:39.642: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 22 18:29:39.642: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 22 18:29:39.642: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:29:39.642: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul 22 18:29:39.646: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jul 22 18:29:39.646: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 22 18:29:39.646: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:29:39.646: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

 

The state changes to IKE_I_MM3, indicating that the third message in the IKE exchange has been sent.

 

*Jul 22 18:29:39.850: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_SA_SETUP

*Jul 22 18:29:39.850: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:29:39.850: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

 

The state has now changed to IKE_I_MM4, indicating that this response was the fourth message in the main mode exchange.

 

*Jul 22 18:29:39.850: ISAKMP:(0): processing KE payload. message ID = 0

*Jul 22 18:29:40.054: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul 22 18:29:40.054: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6

*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload

*Jul 22 18:29:40.054: ISAKMP:(1003): vendor ID is Unity

*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload

*Jul 22 18:29:40.054: ISAKMP:(1003): vendor ID is DPD

*Jul 22 18:29:40.054: ISAKMP:(1003): processing vendor id payload

*Jul 22 18:29:40.054: ISAKMP:(1003): speaking to another IOS box!

*Jul 22 18:29:40.054: ISAKMP:received payload type 20

*Jul 22 18:29:40.054: ISAKMP (1003): His hash no match - this node outside NAT

*Jul 22 18:29:40.054: ISAKMP:received payload type 20

*Jul 22 18:29:40.054: ISAKMP (1003): No NAT Found for self or peer (the tunnel comes up after the static NAT has already been applied)

*Jul 22 18:29:40.054: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:29:40.054: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

 

*Jul 22 18:29:40.058: ISAKMP:(1003):Send initial contact

*Jul 22 18:29:40.058: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jul 22 18:29:40.058: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.0.0.1

        protocol     : 17

        port         : 500

        length       : 12

*Jul 22 18:29:40.058: ISAKMP:(1003):Total payload length: 12

*Jul 22 18:29:40.058: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 22 18:29:40.058: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Jul 22 18:29:40.058: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:29:40.058: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

 

The state changes to IKE_I_MM5, indicating that the fifth message in the IKE exchange has been sent.

 

*Jul 22 18:29:40.066: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 22 18:29:40.066: ISAKMP:(1003): processing ID payload. message ID = 0

*Jul 22 18:29:40.066: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.0.0.6

        protocol     : 17 (refers to UDP)

        port         : 500

        length       : 12

*Jul 22 18:29:40.070: ISAKMP:(0):: peer matches *none* of the profiles

*Jul 22 18:29:40.070: ISAKMP:(1003): processing HASH payload. message ID = 0

*Jul 22 18:29:40.070: ISAKMP:(1003):SA authentication status: authenticated

*Jul 22 18:29:40.070: ISAKMP:(1003):SA has been authenticated with 10.0.0.6

*Jul 22 18:29:40.070: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.6/500/,  and inserted successfully 6724CCA8.

*Jul 22 18:29:40.070: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:29:40.070: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jul 22 18:29:40.070: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:29:40.070: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jul 22 18:29:40.070: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 22 18:29:40.070: ISAKMP: set new node 2129041637 to QM_IDLE

*Jul 22 18:29:40.074: ISAKMP:(1003): processing HASH payload. message ID = 2129041637

*Jul 22 18:29:40.074: ISAKMP:(1003): processing DELETE payload. message ID = 2129041637

*Jul 22 18:29:40.074: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jul 22 18:29:40.074: ISAKMP:(1003):deleting node 2129041637 error FALSE reason "Informational (in) state 1"

*Jul 22 18:29:40.074: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:29:40.074: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

 

*Jul 22 18:29:40.074: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of -685834843 (phase II)

*Jul 22 18:29:40.238: ISAKMP:(1003):QM Initiator gets spi

*Jul 22 18:29:40.238: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE

*Jul 22 18:29:40.238: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Jul 22 18:29:40.238: ISAKMP:(1003):Node -685834843, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jul 22 18:29:40.238: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Jul 22 18:29:40.238: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jul 22 18:29:40.238: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 22 18:29:40.610: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) QM_IDLE

*Jul 22 18:29:40.610: ISAKMP:(1003): processing HASH payload. message ID = -685834843

*Jul 22 18:29:40.610: ISAKMP:(1003): processing SA payload. message ID = -685834843

*Jul 22 18:29:40.610: ISAKMP:(1003):Checking IPSec proposal 1

*Jul 22 18:29:40.610: ISAKMP: transform 1, ESP_AES

*Jul 22 18:29:40.610: ISAKMP:   attributes in transform:

*Jul 22 18:29:40.610: ISAKMP:      encaps is 1 (Tunnel)

*Jul 22 18:29:40.610: ISAKMP:      SA life type in seconds

*Jul 22 18:29:40.610: ISAKMP:      SA life duration (basic) of 3600

*Jul 22 18:29:40.610: ISAKMP:      SA life type in kilobytes

*Jul 22 18:29:40.610: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Jul 22 18:29:40.610: ISAKMP:      authenticator is HMAC-SHA

*Jul 22 18:29:40.610: ISAKMP:      key length is 256

*Jul 22 18:29:40.610: ISAKMP:      group is 5

*Jul 22 18:29:40.610: ISAKMP:(1003):atts are acceptable.

*Jul 22 18:29:40.610: ISAKMP:(1003): processing NONCE payload. message ID = -685834843

*Jul 22 18:29:40.610: ISAKMP:(1003): processing KE payload. message ID = -685834843

*Jul 22 18:29:40.814: ISAKMP:(1003): processing ID payload. message ID = -685834843

*Jul 22 18:29:40.814: ISAKMP:(1003): processing ID payload. message ID = -685834843

*Jul 22 18:29:40.818: ISAKMP:(1003): Creating IPSec SAs

*Jul 22 18:29:40.818:         inbound SA from 10.0.0.6 to 10.0.0.1 (f/i)  0/ 0

        (proxy 192.168.4.0 to 192.168.3.0)

*Jul 22 18:29:40.818:         has spi 0x134BD28 and conn_id 0

*Jul 22 18:29:40.818:         lifetime of 3600 seconds

*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes

*Jul 22 18:29:40.818:         outbound SA from 10.0.0.1 to 10.0.0.6 (f/i) 0/0

        (proxy 192.168.3.0 to 192.168.4.0)

*Jul 22 18:29:40.818:         has spi  0x11336938 and conn_id 0

*Jul 22 18:29:40.818:         lifetime of 3600 seconds

*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes

*Jul 22 18:29:40.818: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE

*Jul 22 18:29:40.818: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Jul 22 18:29:40.818: ISAKMP:(1003):deleting node -685834843 error FALSE reason "No Error"

*Jul 22 18:29:40.818: ISAKMP:(1003):Node -685834843, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul 22 18:29:40.818: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

Rosario#

 

Rosario#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.6        10.0.0.1        QM_IDLE           1003 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

Rosario#

 

Tunnel teardown

 

Packets 11 and 12 correspond to the tunnel teardown, carried out 240 seconds after the tunnel was established. The process consists of a single exchange between the two peers.

 

 

Rosario#clear crypto isakmp 1003 (the tunnel is torn down manually)

Rosario#

 

*Jul 22 18:33:40.074: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (I) QM_IDLE       (peer 10.0.0.6)

*Jul 22 18:33:40.078: ISAKMP: set new node 168501692 to QM_IDLE

*Jul 22 18:33:40.078: ISAKMP:(1003): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE

*Jul 22 18:33:40.078: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Jul 22 18:33:40.078: ISAKMP:(1003):purging node 168501692

*Jul 22 18:33:40.078: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jul 22 18:33:40.078: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jul 22 18:33:40.078: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (I) QM_IDLE       (peer 10.0.0.6)

*Jul 22 18:33:40.078: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.

*Jul 22 18:33:40.078: ISAKMP: Unlocking peer struct 0x6724CCA8 for isadb_mark_sa_deleted(), count 0

*Jul 22 18:33:40.078: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:33:40.082: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jul 22 18:33:40.082: ISAKMP (1003): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE

 

Rosario#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.6        10.0.0.1        MM_NO_STATE       1003 ACTIVE (deleted)

 

IPv6 Crypto ISAKMP SA

 

Rosario#
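
Reading several of these debugs by hand, an analyst soon wants the state path, the child-SA parameters and the timings pulled out automatically. The Python parser below is an added example, not part of the original document or of IOS; its sample input is a constructed, trimmed copy of the Rosario debug quoted above (conn-id 1003), and the regular expressions are written against the line shapes seen on this page.

```python
"""Timeline extraction from Cisco IOS 'debug crypto isakmp' output.

Pulls the state-machine transitions, the IPsec (child) SAs created by
Quick Mode and the SA deletions out of the debug text, then derives what
a forensic reading of the log wants: did phase 1 and phase 2 complete,
how long did setup take, how long did the tunnel live before teardown.
"""
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the Rosario debug quoted in the
# page (conn-id 1003); only lines the parser acts on were kept.
SAMPLE_DEBUG = """\
*Jul 22 18:29:39.642: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jul 22 18:29:39.850: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jul 22 18:29:40.058: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jul 22 18:29:40.070: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jul 22 18:29:40.074: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jul 22 18:29:40.818: ISAKMP:(1003): Creating IPSec SAs
*Jul 22 18:29:40.818:         inbound SA from 10.0.0.6 to 10.0.0.1 (f/i)  0/ 0
        (proxy 192.168.4.0 to 192.168.3.0)
*Jul 22 18:29:40.818:         has spi 0x134BD28 and conn_id 0
*Jul 22 18:29:40.818:         lifetime of 3600 seconds
*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes
*Jul 22 18:29:40.818:         outbound SA from 10.0.0.1 to 10.0.0.6 (f/i) 0/0
        (proxy 192.168.3.0 to 192.168.4.0)
*Jul 22 18:29:40.818:         has spi  0x11336938 and conn_id 0
*Jul 22 18:29:40.818:         lifetime of 3600 seconds
*Jul 22 18:29:40.818:         lifetime of 4608000 kilobytes
*Jul 22 18:29:40.818: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jul 22 18:33:40.074: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (I) QM_IDLE       (peer 10.0.0.6)
*Jul 22 18:33:40.078: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

TS_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+):\s*(?P<rest>.*)$")
CONN_RE = re.compile(r"ISAKMP:?\s*\((?P<conn>\d+)\)")          # ISAKMP:(1003): or ISAKMP (1003):
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
SA_RE = re.compile(r"(?P<direction>inbound|outbound) SA from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")
PROXY_RE = re.compile(r"\(proxy (?P<local>[\d.]+) to (?P<remote>[\d.]+)\)")
SPI_RE = re.compile(r"has spi\s+0x(?P<spi>[0-9A-Fa-f]+) and conn_id (?P<cid>\d+)")
LIFE_RE = re.compile(r"lifetime of (?P<n>\d+) (?P<unit>seconds|kilobytes)")
DEL_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)"')


def _ts(text):
    # IOS omits the year; strptime defaults it to 1900, harmless for differences.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_debug(text):
    """Return {'transitions': [(ts, conn, old, new)], 'sas': [dict], 'deletions': [(ts, conn, reason)]}."""
    transitions, sas, deletions = [], [], []
    current = None  # child SA whose attribute lines (proxy, spi, lifetime) follow
    for line in text.splitlines():
        m = TS_RE.match(line)
        ts = _ts(m.group("ts")) if m else None
        rest = m.group("rest") if m else line          # '(proxy ...)' lines carry no timestamp
        cm = CONN_RE.search(rest)
        conn = int(cm.group("conn")) if cm else None
        if sm := STATE_RE.search(rest):
            transitions.append((ts, conn, sm.group("old"), sm.group("new")))
        elif dm := DEL_RE.search(rest):
            deletions.append((ts, conn, dm.group("reason")))
        elif sa := SA_RE.search(rest):
            current = {"ts": ts, **sa.groupdict()}
            sas.append(current)
        elif current is not None:
            if pm := PROXY_RE.search(rest):
                current["proxy"] = (pm.group("local"), pm.group("remote"))
            elif sp := SPI_RE.search(rest):
                current["spi"] = int(sp.group("spi"), 16)
                current["conn_id"] = int(sp.group("cid"))
            elif lm := LIFE_RE.search(rest):
                current["lifetime_" + lm.group("unit")] = int(lm.group("n"))
    return {"transitions": transitions, "sas": sas, "deletions": deletions}


def summarize(parsed):
    """Derive the forensic facts from the raw events."""
    trans = parsed["transitions"]
    reached = {new: ts for ts, _conn, _old, new in trans}   # last time each state was entered
    p2 = reached.get("IKE_QM_PHASE2_COMPLETE")
    first_del = parsed["deletions"][0][0] if parsed["deletions"] else None
    return {
        "path": [f"{old}->{new}" for _ts, _conn, old, new in trans],
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        "phase2_complete": p2 is not None,
        "setup_seconds": (p2 - trans[0][0]).total_seconds() if (p2 and trans) else None,
        "tunnel_lifetime_seconds": (first_del - p2).total_seconds() if (p2 and first_del) else None,
        "torn_down": "IKE_DEST_SA" in reached,
        "child_sas": [(s["direction"], hex(s["spi"]), s["proxy"]) for s in parsed["sas"] if "spi" in s],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_debug(SAMPLE_DEBUG)).items():
        print(f"{key}: {value}")
```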

 

Summary of the IPSec negotiation flow for tunnel establishment and teardown.

 

 

Device configurations:

 

Rosario#sh runn (only the most relevant parts are shown)

Building configuration...

 

Current configuration : 1487 bytes

!

version 12.4

!

hostname Rosario

!

crypto isakmp policy 10 (VPN phase I)

 encr aes 256 (how the data is protected during the VPN negotiation)

 authentication pre-share (uses the PSK configured further down)

 group 5 (secure channel for the key exchange via DH)

 lifetime 3600 (lifetime of the key derived from the PSK)

crypto isakmp key Cisco123 address 10.0.0.6 (the key and the remote end of the tunnel)

!

crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac (how the data is protected inside the VPN)

!

crypto map VPN 10 ipsec-isakmp (VPN phase II)

 set peer 10.0.0.6 (remote end of the tunnel)

 set transform-set ENCRIPTA (how the data is protected inside the VPN)

 set pfs group5

 match address 100 (ACL that selects the traffic sent through the VPN)

!

interface FastEthernet0/1

 description WAN

 ip address 10.0.0.1 255.255.255.252

 crypto map VPN (tunnel endpoint)

!

ip route 0.0.0.0 0.0.0.0 10.0.0.2 (the default route forces the traffic towards the VPN)

!

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255 (traffic to be sent through the VPN)

!

end

 

Rosario#

 

BsAs#sh runn (only the most relevant parts are shown)

Building configuration...

 

Current configuration : 1589 bytes

!

version 12.4

!

hostname BsAs

!

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 5

 lifetime 3600

crypto isakmp key Cisco123 address 10.0.0.1

!

crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac

!

crypto map VPN 10 ipsec-isakmp

 set peer 10.0.0.1

 set transform-set ENCRIPTA

 set pfs group5

 match address 100

!

interface FastEthernet0/1

 description WAN

 ip address 10.0.0.6 255.255.255.252

 crypto map VPN

!

ip route 0.0.0.0 0.0.0.0 10.0.0.5

!

end

 

BsAs#

 

Negotiation with several policies on one end:

 

 

!

crypto isakmp policy 10 (DES encryption, the default)

 authentication pre-share

 group 5

 lifetime 3600

!

crypto isakmp policy 20

 encr 3des (different)

 authentication pre-share

 group 2 (different)

 lifetime 3600

!

crypto isakmp policy 30

 encr 3des (different)

 authentication pre-share

 group 5

 lifetime 3600

!

crypto isakmp policy 40

 encr aes 256

 authentication pre-share

 group 5

 lifetime 28800 (different)

!

crypto isakmp policy 50 (matches BsAs)

 encr aes 256

 authentication pre-share

 group 5

 lifetime 3600

!

 

BsAs:

 

!

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 5

 lifetime 3600

!

 

Start of the negotiation:

 

 

 

Rosario#debug crypto isakmp

*Jul 22 18:38:22.474: ISAKMP:(0): SA request profile is (NULL)

*Jul 22 18:38:22.474: ISAKMP: Created a peer struct for 10.0.0.6, peer port 500

*Jul 22 18:38:22.474: ISAKMP: New peer created peer = 0x6724CCA8 peer_handle = 0x80000005

*Jul 22 18:38:22.478: ISAKMP: Locking peer struct 0x6724CCA8, refcount 1 for isakmp_initiator

*Jul 22 18:38:22.478: ISAKMP: local port 500, remote port 500

*Jul 22 18:38:22.478: ISAKMP: set new node 0 to QM_IDLE

*Jul 22 18:38:22.478: ISAKMP:(0):insert sa successfully sa = 664F5764

*Jul 22 18:38:22.478: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jul 22 18:38:22.478: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6

*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jul 22 18:38:22.478: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jul 22 18:38:22.478: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jul 22 18:38:22.478: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jul 22 18:38:22.478: ISAKMP:(0): beginning Main Mode exchange

*Jul 22 18:38:22.478: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_NO_STATE (1 in Wireshark)

*Jul 22 18:38:22.478: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 22 18:38:22.486: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_NO_STATE (2 in Wireshark)

*Jul 22 18:38:22.486: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:38:22.486: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jul 22 18:38:22.486: ISAKMP:(0): processing SA payload. message ID = 0

*Jul 22 18:38:22.486: ISAKMP:(0): processing vendor id payload

*Jul 22 18:38:22.486: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 22 18:38:22.486: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 22 18:38:22.486: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6

*Jul 22 18:38:22.486: ISAKMP:(0): local preshared key found

*Jul 22 18:38:22.486: ISAKMP : Scanning profiles for xauth ...

*Jul 22 18:38:22.486: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Jul 22 18:38:22.486: ISAKMP:      encryption AES-CBC

*Jul 22 18:38:22.490: ISAKMP:      keylength of 256

*Jul 22 18:38:22.490: ISAKMP:      hash SHA

*Jul 22 18:38:22.490: ISAKMP:      default group 5

*Jul 22 18:38:22.490: ISAKMP:      auth pre-share

*Jul 22 18:38:22.490: ISAKMP:      life type in seconds

*Jul 22 18:38:22.490: ISAKMP:      life duration (basic) of 28800

*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy

*Jul 22 18:38:22.490: ISAKMP:      encryption AES-CBC

*Jul 22 18:38:22.490: ISAKMP:      keylength of 256

*Jul 22 18:38:22.490: ISAKMP:      hash SHA

*Jul 22 18:38:22.490: ISAKMP:      default group 5

*Jul 22 18:38:22.490: ISAKMP:      auth pre-share

*Jul 22 18:38:22.490: ISAKMP:      life type in seconds

*Jul 22 18:38:22.490: ISAKMP:      life duration (basic) of 28800

*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy

*Jul 22 18:38:22.490: ISAKMP:      encryption AES-CBC

*Jul 22 18:38:22.490: ISAKMP:      keylength of 256

*Jul 22 18:38:22.490: ISAKMP:      hash SHA

*Jul 22 18:38:22.490: ISAKMP:      default group 5

*Jul 22 18:38:22.490: ISAKMP:      auth pre-share

*Jul 22 18:38:22.490: ISAKMP:      life type in seconds

*Jul 22 18:38:22.490: ISAKMP:      life duration (basic) of 28800

*Jul 22 18:38:22.490: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Jul 22 18:38:22.490: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Jul 22 18:38:22.490: ISAKMP:(0):Checking ISAKMP transform 1 against priority 40 policy

*Jul 22 18:38:22.490: ISAKMP:      encryption AES-CBC

*Jul 22 18:38:22.490: ISAKMP:      keylength of 256

*Jul 22 18:38:22.490: ISAKMP:      hash SHA

*Jul 22 18:38:22.490: ISAKMP:      default group 5

*Jul 22 18:38:22.490: ISAKMP:      auth pre-share

*Jul 22 18:38:22.490: ISAKMP:      life type in seconds

*Jul 22 18:38:22.490: ISAKMP:      life duration (basic) of 28800 (even though the lifetime on BsAs is 3600)

*Jul 22 18:38:22.490: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul 22 18:38:22.490: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul 22 18:38:22.490: ISAKMP:(0):Acceptable atts:life: 0

*Jul 22 18:38:22.490: ISAKMP:(0):Basic life_in_seconds:28800

*Jul 22 18:38:22.490: ISAKMP:(0):Returning Actual lifetime: 28800

*Jul 22 18:38:22.490: ISAKMP:(0)::Started lifetime timer: 28800.

*Jul 22 18:38:22.490: ISAKMP:(0): processing vendor id payload

*Jul 22 18:38:22.494: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 22 18:38:22.494: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 22 18:38:22.494: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:38:22.494: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul 22 18:38:22.494: ISAKMP:(0): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_SA_SETUP (3 in Wireshark)

*Jul 22 18:38:22.494: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 22 18:38:22.494: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:38:22.494: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jul 22 18:38:22.698: ISAKMP (0): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_SA_SETUP (4 in Wireshark)

*Jul 22 18:38:22.698: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:38:22.698: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jul 22 18:38:22.698: ISAKMP:(0): processing KE payload. message ID = 0

*Jul 22 18:38:22.902: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul 22 18:38:22.902: ISAKMP:(0):found peer pre-shared key matching 10.0.0.6

*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload

*Jul 22 18:38:22.902: ISAKMP:(1004): vendor ID is Unity

*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload

*Jul 22 18:38:22.902: ISAKMP:(1004): vendor ID is DPD

*Jul 22 18:38:22.902: ISAKMP:(1004): processing vendor id payload

*Jul 22 18:38:22.902: ISAKMP:(1004): speaking to another IOS box!

*Jul 22 18:38:22.902: ISAKMP:received payload type 20

*Jul 22 18:38:22.902: ISAKMP (1004): His hash no match - this node outside NAT

*Jul 22 18:38:22.902: ISAKMP:received payload type 20

*Jul 22 18:38:22.902: ISAKMP (1004): No NAT Found for self or peer

*Jul 22 18:38:22.902: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:38:22.902: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jul 22 18:38:22.906: ISAKMP:(1004):Send initial contact

*Jul 22 18:38:22.906: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jul 22 18:38:22.906: ISAKMP (1004): ID payload

        next-payload : 8

        type         : 1

        address      : 10.0.0.1

        protocol     : 17

        port         : 500

        length       : 12

*Jul 22 18:38:22.906: ISAKMP:(1004):Total payload length: 12

*Jul 22 18:38:22.906: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH (5 in Wireshark)

*Jul 22 18:38:22.906: ISAKMP:(1004):Sending an IKE IPv4 Packet.

*Jul 22 18:38:22.906: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:38:22.906: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jul 22 18:38:22.914: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH (6 in Wireshark)

*Jul 22 18:38:22.914: ISAKMP:(1004): processing ID payload. message ID = 0

*Jul 22 18:38:22.914: ISAKMP (1004): ID payload

        next-payload : 8

        type         : 1

        address      : 10.0.0.6

        protocol     : 17

        port         : 500

        length       : 12

*Jul 22 18:38:22.914: ISAKMP:(0):: peer matches *none* of the profiles

*Jul 22 18:38:22.914: ISAKMP:(1004): processing HASH payload. message ID = 0

*Jul 22 18:38:22.918: ISAKMP:(1004): processing NOTIFY RESPONDER_LIFETIME protocol 1

        spi 0, message ID = 0, sa = 664F5764

*Jul 22 18:38:22.918: ISAKMP:(1004):SA authentication status: authenticated

*Jul 22 18:38:22.918: ISAKMP:(1004): processing responder lifetime

*Jul 22 18:38:22.918: ISAKMP:(1004): start processing isakmp responder lifetime

*Jul 22 18:38:22.918: ISAKMP:(1004):Returning Actual lifetime: 28800

*Jul 22 18:38:22.918: ISAKMP:(1004): restart ike sa timer to 3600 secs (it adjusts to the peer's value without falling back to policy 50)

*Jul 22 18:38:22.918: ISAKMP:(1004):Started lifetime timer: 0.

*Jul 22 18:38:22.918: ISAKMP:(1004):SA authentication status: authenticated

*Jul 22 18:38:22.918: ISAKMP:(1004):SA has been authenticated with 10.0.0.6

*Jul 22 18:38:22.918: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.6/500/,  and inserted successfully 6724CCA8.

*Jul 22 18:38:22.918: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 22 18:38:22.918: ISAKMP:(1004):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jul 22 18:38:22.918: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 22 18:38:22.918: ISAKMP:(1004):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jul 22 18:38:22.922: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) MM_KEY_EXCH (7 in Wireshark)

*Jul 22 18:38:22.922: ISAKMP: set new node 1414558338 to QM_IDLE

*Jul 22 18:38:22.922: ISAKMP:(1004): processing HASH payload. message ID = 1414558338

*Jul 22 18:38:22.922: ISAKMP:(1004): processing DELETE payload. message ID = 1414558338

*Jul 22 18:38:22.922: ISAKMP:(1004):peer does not do paranoid keepalives.

*Jul 22 18:38:22.922: ISAKMP:(1004):deleting node 1414558338 error FALSE reason "Informational (in) state 1"

*Jul 22 18:38:22.922: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 22 18:38:22.922: ISAKMP:(1004):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

 

*Jul 22 18:38:22.922: ISAKMP:(1004):beginning Quick Mode exchange, M-ID of -1681231133

*Jul 22 18:38:23.078: ISAKMP:(1004):QM Initiator gets spi

*Jul 22 18:38:23.082: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE (8 in Wireshark)

*Jul 22 18:38:23.082: ISAKMP:(1004):Sending an IKE IPv4 Packet.

*Jul 22 18:38:23.082: ISAKMP:(1004):Node -1681231133, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jul 22 18:38:23.082: ISAKMP:(1004):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Jul 22 18:38:23.082: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jul 22 18:38:23.082: ISAKMP:(1004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

 

*Jul 22 18:38:23.450: ISAKMP (1004): received packet from 10.0.0.6 dport 500 sport 500 Global (I) QM_IDLE (9 in Wireshark)

*Jul 22 18:38:23.454: ISAKMP:(1004): processing HASH payload. message ID = -1681231133

*Jul 22 18:38:23.454: ISAKMP:(1004): processing SA payload. message ID = -1681231133

*Jul 22 18:38:23.454: ISAKMP:(1004):Checking IPSec proposal 1

*Jul 22 18:38:23.454: ISAKMP: transform 1, ESP_AES

*Jul 22 18:38:23.454: ISAKMP:   attributes in transform:

*Jul 22 18:38:23.454: ISAKMP:      encaps is 1 (Tunnel)

*Jul 22 18:38:23.454: ISAKMP:      SA life type in seconds

*Jul 22 18:38:23.454: ISAKMP:      SA life duration (basic) of 3600

*Jul 22 18:38:23.454: ISAKMP:      SA life type in kilobytes

*Jul 22 18:38:23.454: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Jul 22 18:38:23.454: ISAKMP:      authenticator is HMAC-SHA

*Jul 22 18:38:23.454: ISAKMP:      key length is 256

*Jul 22 18:38:23.454: ISAKMP:      group is 5

*Jul 22 18:38:23.454: ISAKMP:(1004):atts are acceptable.

*Jul 22 18:38:23.454: ISAKMP:(1004): processing NONCE payload. message ID = -1681231133

*Jul 22 18:38:23.454: ISAKMP:(1004): processing KE payload. message ID = -1681231133

*Jul 22 18:38:23.650: ISAKMP:(1004): processing ID payload. message ID = -1681231133

*Jul 22 18:38:23.650: ISAKMP:(1004): processing ID payload. message ID = -1681231133

*Jul 22 18:38:23.654: ISAKMP:(1004): Creating IPSec SAs

*Jul 22 18:38:23.654:         inbound SA from 10.0.0.6 to 10.0.0.1 (f/i)  0/ 0

        (proxy 192.168.4.0 to 192.168.3.0)

*Jul 22 18:38:23.654:         has spi 0x2F78766F and conn_id 0

*Jul 22 18:38:23.654:         lifetime of 3600 seconds

*Jul 22 18:38:23.654:         lifetime of 4608000 kilobytes

*Jul 22 18:38:23.654:         outbound SA from 10.0.0.1 to 10.0.0.6 (f/i) 0/0

        (proxy 192.168.3.0 to 192.168.4.0)

*Jul 22 18:38:23.654:         has spi  0xFFF83E23 and conn_id 0

*Jul 22 18:38:23.654:         lifetime of 3600 seconds

*Jul 22 18:38:23.654:         lifetime of 4608000 kilobytes

*Jul 22 18:38:23.654: ISAKMP:(1004): sending packet to 10.0.0.6 my_port 500 peer_port 500 (I) QM_IDLE (10 in Wireshark)

*Jul 22 18:38:23.654: ISAKMP:(1004):Sending an IKE IPv4 Packet.

*Jul 22 18:38:23.658: ISAKMP:(1004):deleting node -1681231133 error FALSE reason "No Error"

*Jul 22 18:38:23.658: ISAKMP:(1004):Node -1681231133, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul 22 18:38:23.658: ISAKMP:(1004):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

 

Rosario#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.6        10.0.0.1        QM_IDLE           1004 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

Rosario#

 

Details of the IKE negotiation with several policies:

 

 

Initiation from Rosario:

 

Frame 1: 338 bytes on wire (2704 bits), 338 bytes captured (2704 bits) on interface 0

Ethernet II, Src: Cisco_c9:0b:17 (00:1f:9e:c9:0b:17), Dst: Cisco_08:4b:4e (00:1d:e6:08:4b:4e)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.6 (10.0.0.6)

User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 123a0d790c4e9740

    Responder cookie: 0000000000000000

    Next payload: Security Association (1)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

    Message ID: 0x00000000

    Length: 296

    Type Payload: Security Association (1)

        Next payload: Vendor ID (13)

        Payload length: 188

        Domain of interpretation: IPSEC (1)

        Situation: 00000001

        Type Payload: Proposal (2) # 1

            Next payload: NONE / No Next Payload  (0)

            Payload length: 176

            Proposal number: 1

            Protocol ID: ISAKMP (1)

            SPI Size: 0

            Proposal transforms: 5

            Type Payload: Transform (3) # 1 (differs from BsAs, marked in bold)

                Next payload: Transform (3)

                Payload length: 32

                Transform number: 1

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : DES-CBC

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

            Type Payload: Transform (3) # 2 (differs from BsAs, marked in bold)

                Next payload: Transform (3)

                Payload length: 32

                Transform number: 2

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

            Type Payload: Transform (3) # 3 (differs from BsAs, marked in bold)

                Next payload: Transform (3)

                Payload length: 32

                Transform number: 3

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

            Type Payload: Transform (3) # 4 (differs from BsAs, marked in bold)

                Next payload: Transform (3)

                Payload length: 36

                Transform number: 4

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC

                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 28800

            Type Payload: Transform (3) # 5 (same as BsAs)

                Next payload: NONE / No Next Payload  (0)

                Payload length: 36

                Transform number: 5

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC

                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600

    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 4a131c81070358455c5728f20e95452f

        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-07

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 439b59f8ba676c4c7737ae22eab8f582

        Vendor ID: draft-ietf-ipsec-nat-t-ike-07

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03

        Next payload: Vendor ID (13)

        Payload length: 20

        Vendor ID: 7d9419a65310ca6f2c179d9215529d56

        Vendor ID: draft-ietf-ipsec-nat-t-ike-03

    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n

        Next payload: NONE / No Next Payload  (0)

        Payload length: 20

        Vendor ID: 90cb80913ebb696e086381b5ec427b1f

        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n

 

Reply from BsAs

 

Frame 2: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits) on interface 0

Ethernet II, Src: Cisco_08:4b:4e (00:1d:e6:08:4b:4e), Dst: Cisco_c9:0b:17 (00:1f:9e:c9:0b:17)

Internet Protocol Version 4, Src: 10.0.0.6 (10.0.0.6), Dst: 10.0.0.1 (10.0.0.1)

User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)

Internet Security Association and Key Management Protocol

    Initiator cookie: 123a0d790c4e9740

    Responder cookie: c79c237c78bcddc3

    Next payload: Security Association (1)

    Version: 1.0

    Exchange type: Identity Protection (Main Mode) (2)

    Flags: 0x00

    Message ID: 0x00000000

    Length: 104

    Type Payload: Security Association (1)

        Next payload: Vendor ID (13)

        Payload length: 56

        Domain of interpretation: IPSEC (1)

        Situation: 00000001

        Type Payload: Proposal (2) # 1

            Next payload: NONE / No Next Payload  (0)

            Payload length: 44

            Proposal number: 1

            Protocol ID: ISAKMP (1)

            SPI Size: 0

            Proposal transforms: 1

            Type Payload: Transform (3) # 1

                Next payload: NONE / No Next Payload  (0)

                Payload length: 36

                Transform number: 1

                Transform ID: KEY_IKE (1)

                Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC

                Transform IKE Attribute Type (t=14,l=2) Key-Length : 256

                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA

                Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group

                Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds

                Transform IKE Attribute Type (t=12,l=2) Life-Duration : 28800 (agreed instead of 3600)

    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE

        Next payload: NONE / No Next Payload  (0)

        Payload length: 20

        Vendor ID: 4a131c81070358455c5728f20e95452f

        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
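
The responder's choice of transform 4 (lifetime 28800) over transform 5, which carries the same algorithms, and the later restart of the IKE SA timer to 3600 both follow from Cisco's IKEv1 policy-matching rule: algorithms must be identical, the local lifetime must be less than or equal to the offered one, and the shorter value is what the RESPONDER_LIFETIME notify enforces. The Python model below is an added example, not part of the original analysis; it replays that rule over the policies quoted above, and the loop order (offered transforms outer, local priorities inner) and the Policy/Outcome names are assumptions of this example.

```python
"""IKEv1 Phase 1 policy matching as observed in the multi-policy capture.

Rule modelled (Cisco's documented behaviour for 'crypto isakmp policy'):
a transform matches a local policy when encryption, hash, authentication
and DH group are identical and the local policy's lifetime is less than
or equal to the lifetime the peer offered; when they differ, the shorter
lifetime is used and the responder announces it with RESPONDER_LIFETIME.
The loop order (offered transforms outer, local priorities inner) is an
assumption consistent with transform 4 being picked ahead of transform 5.
"""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class Policy:
    priority: int       # 'crypto isakmp policy <priority>'
    encr: str           # IOS default when 'encr' is omitted: des
    hash_alg: str       # IOS default: sha
    auth: str
    group: int
    lifetime: int       # seconds


class Outcome(NamedTuple):
    transform_number: int    # position in the initiator's SA payload (1-based)
    responder_policy: int    # priority the responder matched it against
    initiator_policy: int    # priority the initiator validated the reply against
    sa_lifetime: int         # Life-Duration carried back in the responder's reply
    effective_lifetime: int  # timer both sides end up with after RESPONDER_LIFETIME


def same_algorithms(a: Policy, b: Policy) -> bool:
    return (a.encr, a.hash_alg, a.auth, a.group) == (b.encr, b.hash_alg, b.auth, b.group)


def first_match(offered: Policy, local: List[Policy]) -> Optional[Policy]:
    """Walk local policies by priority (lowest number first) and return the
    first one the offered transform satisfies; this is what the debug shows as
    'Checking ISAKMP transform 1 against priority N policy'."""
    for p in sorted(local, key=lambda p: p.priority):
        if same_algorithms(offered, p) and p.lifetime <= offered.lifetime:
            return p
    return None


def negotiate(initiator: List[Policy], responder: List[Policy]) -> Optional[Outcome]:
    # The initiator's SA payload carries one transform per policy, in priority order.
    transforms = sorted(initiator, key=lambda p: p.priority)
    for number, t in enumerate(transforms, start=1):
        rp = first_match(t, responder)
        if rp is None:
            continue                     # 'atts are not acceptable' on the responder
        # The responder echoes the matched transform unchanged (Life-Duration as offered) ...
        reply = Policy(0, t.encr, t.hash_alg, t.auth, t.group, t.lifetime)
        ip = first_match(reply, initiator)
        if ip is None:
            return None                  # initiator rejects what came back: no SA
        # ... and then RESPONDER_LIFETIME pulls the timer down to the shortest value.
        return Outcome(number, rp.priority, ip.priority, t.lifetime,
                       min(t.lifetime, rp.lifetime, ip.lifetime))
    return None


# Policies quoted in the page: Rosario has five, BsAs one.
ROSARIO = [
    Policy(10, "des", "sha", "pre-share", 5, 3600),      # 'encr' omitted: DES by default
    Policy(20, "3des", "sha", "pre-share", 2, 3600),
    Policy(30, "3des", "sha", "pre-share", 5, 3600),
    Policy(40, "aes-256", "sha", "pre-share", 5, 28800),
    Policy(50, "aes-256", "sha", "pre-share", 5, 3600),
]
BSAS = [Policy(10, "aes-256", "sha", "pre-share", 5, 3600)]

if __name__ == "__main__":
    print(negotiate(ROSARIO, BSAS))   # Rosario initiates, as in the capture
    print(negotiate(BSAS, ROSARIO))   # BsAs initiates: Rosario's policy 50 is the one that matches
```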

 

(2014) Sensei, I can see light at the end of the tunnel!

Rosario, Argentina