VPN <rsa-enc>

Security problems (VPN, firewall, IDS/IPS etc.)

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#1 Post by pawel1025 »

Have you maybe run into a similar problem? I'm configuring a simple site-to-site VPN with static IPs on both sides. With "pre-shared" keys it works, and it also works if I use "rsa-enc", but only when the RSA keys are generated without the "label" option.
If, however, I generate the RSA keys with a label on both routers (both "general" and "usage-keys"), ISAKMP (phase 1) does not come up.
I've looked through several docs and supposedly RSA keys generated with the "label" option should also work when the public key is copied manually between the routers. There is clearly some problem with the certificates generated with a label...
I tried with synchronized NTP, even though with manual copying of the RSA key that makes no difference; I set a larger key size of 1024, since according to Cisco certificates sometimes go haywire with a smaller key, also with no result. The basic RSA configuration is below, maybe I missed something?
I also tried the standard option without "named-key", with no result.

Code:

!
crypto key pubkey-chain rsa
 named-key VPN
  address 172.16.1.3
  key-string
   XXX (the other router's public key from sh crypto key mypubkey rsa)
  quit
!

EDIT: For configuration listings, show, debug, etc. use the Code tags :!:
Seba
Last edited 19 Sep 2010, 17:31 by pawel1025, edited 1 time in total.

dorvin (CCIE, 1688 posts, registered 21 Jan 2008, Wrocław)

#2 Post by dorvin »

The label shouldn't matter, unless it's some bug. What does the debug say?

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#3 Post by pawel1025 »

An excerpt of "debug crypto isakmp".
It accepts isakmp policy 10 and then retransmits..
The log of one of the peers additionally throws a decryption problem; I generated a complete set of keys for it once more, thinking that its private key had somehow been generated wrongly, but it didn't help.

Code:
%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 0) unable to decrypt (w/RSA private key) packetis

Code:
Sep 19 14:40:26.979: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
Sep 19 14:40:26.979: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:27.483: ISAKMP:(0): SA request profile is (NULL)
Sep 19 14:40:27.483: ISAKMP: Created a peer struct for 172.16.1.4, peer port 500
Sep 19 14:40:27.483: ISAKMP: New peer created peer = 0x829090DC peer_handle = 0x8000002C
Sep 19 14:40:27.483: ISAKMP: Locking peer struct 0x829090DC, refcount 1 for isakmp_initiator
Sep 19 14:40:27.483: ISAKMP: local port 500, remote port 500
Sep 19 14:40:27.483: ISAKMP: set new node 0 to QM_IDLE
Sep 19 14:40:27.483: insert sa successfully sa = 83D7D3BC
Sep 19 14:40:27.487: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 19 14:40:27.487: ISAKMP:(0):No pre-shared key with 172.16.1.4!
Sep 19 14:40:27.487: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 19 14:40:27.487: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 19 14:40:27.487: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 19 14:40:27.487: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 19 14:40:27.491: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 19 14:40:27.491: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 19 14:40:27.491: ISAKMP:(0): beginning Main Mode exchange
Sep 19 14:40:27.491: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 19 14:40:27.491: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:27.507: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_NO_STATE
Sep 19 14:40:27.507: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 14:40:27.507: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Sep 19 14:40:27.511: ISAKMP:(0): processing SA payload. message ID = 0
Sep 19 14:40:27.511: ISAKMP:(0): processing vendor id payload
Sep 19 14:40:27.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 14:40:27.511: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Sep 19 14:40:27.511: ISAKMP : Scanning profiles for xauth ...
Sep 19 14:40:27.511: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Sep 19 14:40:27.511: ISAKMP:      encryption 3DES-CBC
Sep 19 14:40:27.511: ISAKMP:      hash MD5
Sep 19 14:40:27.511: ISAKMP:      default group 1
Sep 19 14:40:27.511: ISAKMP:      auth RSA encr
Sep 19 14:40:27.515: ISAKMP:      life type in seconds
Sep 19 14:40:27.515: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Sep 19 14:40:27.515: ISAKMP:(0):atts are acceptable. Next payload is 0
Sep 19 14:40:27.515: ISAKMP:(0):Acceptable atts:actual life: 0
Sep 19 14:40:27.515: ISAKMP:(0):Acceptable atts:life: 0
Sep 19 14:40:27.515: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 19 14:40:27.515: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Sep 19 14:40:27.515: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 19 14:40:27.519: ISAKMP:(0)::Started lifetime timer: 86400.

Sep 19 14:40:27.519: ISAKMP:(0): processing vendor id payload
Sep 19 14:40:27.519: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 14:40:27.519: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Sep 19 14:40:27.519: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 14:40:27.519: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Sep 19 14:40:27.523: ISAKMP:(0):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Sep 19 14:40:27.523: ISAKMP:(0):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Sep 19 14:40:27.527: ISAKMP (0:0): ID payload
        next-payload : 10
        type         : 1
        address      : 172.16.1.3
        protocol     : 17
        port         : 500
        length       : 12
Sep 19 14:40:27.535: ISAKMP:(0):length after encryption 64
Sep 19 14:40:27.535: ISAKMP:(0):Total payload length: 68
Sep 19 14:40:27.547: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:27.547: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:27.547: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 14:40:27.547: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Sep 19 14:40:28.675: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:28.679: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:28.679: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:29.179: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:29.179: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 19 14:40:29.179: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:29.179: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:29.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:30.191: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:30.191: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:30.191: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:30.691: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:30.691: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 19 14:40:30.691: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:30.691: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:30.691: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:31.699: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:31.703: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:31.703: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:32.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:32.203: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 19 14:40:32.203: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:32.203: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:32.203: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:33.215: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:33.215: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:33.215: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:33.715: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:33.715: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 19 14:40:33.715: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:33.715: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:33.715: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:40:34.723: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:34.727: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:34.727: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:35.227: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:35.227: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 19 14:40:35.227: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:35.227: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:40:35.227: ISAKMP:(0):Sending an IKE IPv4 Packet.
.....
Success rate is 0 percent (0/5)
R3#
Sep 19 14:40:36.239: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:40:36.239: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:36.239: ISAKMP:(0): retransmitting due to retransmit phase 1
Sep 19 14:40:36.739: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:36.739: ISAKMP:(0):peer does not do paranoid keepalives.

Sep 19 14:40:36.739: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer 172.16.1.4)
Sep 19 14:40:36.743: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer 172.16.1.4)
Sep 19 14:40:36.743: ISAKMP: Unlocking peer struct 0x829090DC for isadb_mark_sa_deleted(), count 0
Sep 19 14:40:36.743: ISAKMP: Deleting peer node by peer_reap for 172.16.1.4: 829090DC
Sep 19 14:40:36.743: ISAKMP:(0):deleting node -89451784 error FALSE reason "IKE deleted"
Sep 19 14:40:36.743: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 19 14:40:36.743: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA

Sep 19 14:40:36.979: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Sep 19 14:40:36.979: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 19 14:40:36.979: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Sep 19 14:40:36.979: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
Sep 19 14:40:36.979: ISAKMP:(0):Sending an IKE IPv4 Packet.

Last edited 19 Sep 2010, 17:32 by pawel1025, edited 1 time in total.

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#4 Post by pawel1025 »

And with an RSA key generated without a label, i.e. created from the hostname and domain-name, it works "as designed"

Code:
Sep 19 14:56:46.667: ISAKMP:(0): SA request profile is (NULL)
Sep 19 14:56:46.671: ISAKMP: Created a peer struct for 172.16.1.4, peer port 500
Sep 19 14:56:46.671: ISAKMP: New peer created peer = 0x82908AA4 peer_handle = 0x80000033
Sep 19 14:56:46.671: ISAKMP: Locking peer struct 0x82908AA4, refcount 1 for isakmp_initiator
Sep 19 14:56:46.671: ISAKMP: local port 500, remote port 500
Sep 19 14:56:46.671: ISAKMP: set new node 0 to QM_IDLE
Sep 19 14:56:46.671: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8291AF80
Sep 19 14:56:46.671: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 19 14:56:46.675: ISAKMP:(0):No pre-shared key with 172.16.1.4!
Sep 19 14:56:46.675: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 19 14:56:46.675: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 19 14:56:46.675: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 19 14:56:46.675: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 19 14:56:46.675: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 19 14:56:46.679: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 19 14:56:46.679: ISAKMP:(0): beginning Main Mode exchange
Sep 19 14:56:46.679: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 19 14:56:46.679: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:56:46.691: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_NO_STATE
Sep 19 14:56:46.695: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 14:56:46.695: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Sep 19 14:56:46.695: ISAKMP:(0): processing SA payload. message ID = 0
Sep 19 14:56:46.695: ISAKMP:(0): processing vendor id payload
Sep 19 14:56:46.699: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 14:56:46.699: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
R3#
Sep 19 14:56:46.699: ISAKMP : Scanning profiles for xauth ...
Sep 19 14:56:46.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Sep 19 14:56:46.699: ISAKMP:      encryption 3DES-CBC
Sep 19 14:56:46.699: ISAKMP:      hash MD5
Sep 19 14:56:46.699: ISAKMP:      default group 1
Sep 19 14:56:46.699: ISAKMP:      auth RSA encr
Sep 19 14:56:46.699: ISAKMP:      life type in seconds
Sep 19 14:56:46.699: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Sep 19 14:56:46.703: ISAKMP:(0):atts are acceptable. Next payload is 0
Sep 19 14:56:46.703: ISAKMP:(0):Acceptable atts:actual life: 0
Sep 19 14:56:46.703: ISAKMP:(0):Acceptable atts:life: 0
Sep 19 14:56:46.703: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 19 14:56:46.703: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Sep 19 14:56:46.703: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 19 14:56:46.703: ISAKMP:(0)::Started lifetime timer: 86400.

Sep 19 14:56:46.707: ISAKMP:(0): processing vendor id payload
Sep 19 14:56:46.707: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Sep 19 14:56:46.707: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Sep 19 14:56:46.707: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 14:56:46.707: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Sep 19 14:56:46.711: ISAKMP:(0):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Sep 19 14:56:46.711: ISAKMP:(0):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Sep 19 14:56:46.711: ISAKMP (0:0): ID payload
        next-payload : 10
        type         : 1
        address      : 172.16.1.3
        protocol     : 17
        port         : 500
        length       : 12
Sep 19 14:56:46.723: ISAKMP:(0):length after encryption 64
Sep 19 14:56:46.723: ISAKMP:(0):Total payload length: 68
Sep 19 14:56:46.735: ISAKMP:(0): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
Sep 19 14:56:46.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 19 14:56:46.735: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 14:56:46.735: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Sep 19 14:56:46.995: ISAKMP (0:0): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP
Sep 19 14:56:46.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 14:56:46.995: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Sep 19 14:56:46.999: ISAKMP:(0): processing KE payload. message ID = 0
Sep 19 14:56:47.139: ISAKMP:(0): processing ID payload. message ID = 0
Sep 19 14:56:47.219: ISAKMP (0:0): ID payload
        next-payload : 10
        type         : 1
        address      : 172.16.1.4
        protocol     : 17
        port         : 500
        length       : 68
Sep 19 14:56:47.223: ISAKMP:(0):: peer matches *none* of the profiles
Sep 19 14:56:47.223: ISAKMP:(0): processing NONCE payload. message ID = 0
Sep 19 14:56:47.303: ISAKMP:(1031): processing vendor id payload
Sep 19 14:56:47.303: ISAKMP:(1031): vendor ID is Unity
Sep 19 14:56:47.307: ISAKMP:(1031): processing vendor id payload
Sep 19 14:56:47.307: ISAKMP:(1031): vendor ID is DPD
Sep 19 14:56:47.307: ISAKMP:(1031): processing vendor id payload
Sep 19 14:56:47.307: ISAKMP:(1031): speaking to another IOS box!
Sep 19 14:56:47.307: ISAKMP:received payload type 20
Sep 19 14:56:47.307: ISAKMP:received payload type 20
Sep 19 14:56:47.307: ISAKMP:(1031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 14:56:47.311: ISAKMP:(1031):Old State = IKE_I_MM4  New State = IKE_I_MM4

Sep 19 14:56:47.311: ISAKMP:(1031):Send initial contact
Sep 19 14:56:47.315: ISAKMP:(1031): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Sep 19 14:56:47.315: ISAKMP:(1031):Sending an IKE IPv4 Packet.
Sep 19 14:56:47.315: ISAKMP:(1031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 14:56:47.315: ISAKMP:(1031):Old State = IKE_I_MM4  New State = IKE_I_MM5

Sep 19 14:56:47.347: ISAKMP (0:1031): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_KEY_EXCH
Sep 19 14:56:47.351: ISAKMP:(1031): processing HASH payload. message ID = 0
Sep 19 14:56:47.351: ISAKMP:(1031):SA authentication status:
        authenticated
Sep 19 14:56:47.351: ISAKMP:(1031):SA has been authenticated with 172.16.1.4
Sep 19 14:56:47.351: ISAKMP: Trying to insert a peer 172.16.1.3/172.16.1.4/500/,  and inserted successfully 82908AA4.
Sep 19 14:56:47.351: ISAKMP:(1031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 19 14:56:47.355: ISAKMP:(1031):Old State = IKE_I_MM5  New State = IKE_I_MM6

Sep 19 14:56:47.355: ISAKMP:(1031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 19 14:56:47.359: ISAKMP:(1031):Old State = IKE_I_MM6  New State = IKE_I_MM6

Sep 19 14:56:47.359: ISAKMP (0:1031): received packet from 172.16.1.4 dport 500 sport 500 Global (I) MM_KEY_EXCH
Sep 19 14:56:47.363: ISAKMP: set new node 94601659 to QM_IDLE
Sep 19 14:56:47.363: ISAKMP:(1031): processing HASH payload. message ID = 94601659
Sep 19 14:56:47.363: ISAKMP:(1031): processing DELETE payload. message ID = 94601659
Sep 19 14:56:47.363: ISAKMP:(1031):peer does not do paranoid keepalives.

Sep 19 14:56:47.367: ISAKMP:(1031):deleting node 94601659 error FALSE reason "Informational (in) state 1"
Sep 19 14:56:47.367: ISAKMP:(1031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 19 14:56:47.367: ISAKMP:(1031):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Sep 19 14:56:47.371: ISAKMP:(1031):beginning Quick Mode exchange, M-ID of 1375985241
Sep 19 14:56:47.371: ISAKMP:(1031):QM Initiator gets spi
Sep 19 14:56:47.375: ISAKMP:(1031): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 14:56:47.375: ISAKMP:(1031):Sending an IKE IPv4 Packet.
Sep 19 14:56:47.375: ISAKMP:(1031):Node 1375985241, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Sep 19 14:56:47.379: ISAKMP:(1031):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Sep 19 14:56:47.379: ISAKMP:(1031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 19 14:56:47.379: ISAKMP:(1031):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 19 14:56:47.459: ISAKMP (0:1031): received packet from 172.16.1.4 dport 500 sport 500 Global (I) QM_IDLE
Sep 19 14:56:47.459: ISAKMP:(1031): processing HASH payload. message ID = 1375985241
Sep 19 14:56:47.459: ISAKMP:(1031): processing SA payload. message ID = 1375985241
Sep 19 14:56:47.463: ISAKMP:(1031):Checking IPSec proposal 1
Sep 19 14:56:47.463: ISAKMP: transform 1, ESP_3DES
Sep 19 14:56:47.463: ISAKMP:   attributes in transform:
Sep 19 14:56:47.463: ISAKMP:      encaps is 1 (Tunnel)
Sep 19 14:56:47.463: ISAKMP:      SA life type in seconds
Sep 19 14:56:47.463: ISAKMP:      SA life duration (basic) of 3600
Sep 19 14:56:47.463: ISAKMP:      SA life type in kilobytes
Sep 19 14:56:47.463: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Sep 19 14:56:47.463: ISAKMP:      authenticator is HMAC-MD5
Sep 19 14:56:47.467: ISAKMP:(1031):atts are acceptable.
Sep 19 14:56:47.467: ISAKMP:(1031): processing NONCE payload. message ID = 1375985241
Sep 19 14:56:47.467: ISAKMP:(1031): processing ID payload. message ID = 1375985241
Sep 19 14:56:47.467: ISAKMP:(1031): processing ID payload. message ID = 1375985241
Sep 19 14:56:47.471: ISAKMP:(1031): Creating IPSec SAs
Sep 19 14:56:47.471:         inbound SA from 172.16.1.4 to 172.16.1.3 (f/i)  0/ 0
        (proxy 20.20.20.4 to 20.20.20.3)
Sep 19 14:56:47.471:         has spi 0x1390FEA2 and conn_id 0
Sep 19 14:56:47.475:         lifetime of 3600 seconds
Sep 19 14:56:47.475:         lifetime of 4608000 kilobytes
Sep 19 14:56:47.475:         outbound SA from 172.16.1.3 to 172.16.1.4 (f/i) 0/0
        (proxy 20.20.20.3 to 20.20.20.4)
Sep 19 14:56:47.475:         has spi  0x2D955F7D and conn_id 0
Sep 19 14:56:47.475:         lifetime of 3600 seconds
Sep 19 14:56:47.475:         lifetime of 4608000 kilobytes
Sep 19 14:56:47.475: ISAKMP:(1031): sending packet to 172.16.1.4 my_port 500 peer_port 500 (I) QM_IDLE
Sep 19 14:56:47.479: ISAKMP:(1031):Sending an IKE IPv4 Packet.
Sep 19 14:56:47.479: ISAKMP:(1031):deleting node 1375985241 error FALSE reason "No Error"
Sep 19 14:56:47.479: ISAKMP:(1031):Node 1375985241, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 19 14:56:47.479: ISAKMP:(1031):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

Last edited 19 Sep 2010, 17:32 by pawel1025, edited 1 time in total.
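The two debug runs above differ in one observable way: with the labelled keys the initiator stops at IKE_I_MM3, keeps receiving "a duplicate of a previous packet" from the peer and dies by retransmission, while with the hostname-based key it walks through MM4..MM6 to IKE_P1_COMPLETE and then completes Quick Mode. As an added example (not code from the thread or from Cisco), the script below extracts exactly those facts from `debug crypto isakmp` output: the furthest Main Mode state reached, the retransmit counter, the SA delete reason and any IKMP_CRYPT_FAILURE syslog. The two sample logs are trimmed copies of the excerpts posted above; only the message formats IOS printed there are relied on.

```python
"""Summarize "debug crypto isakmp" output: furthest Main Mode state reached,
phase-1 retransmissions, SA delete reason and RSA decrypt failures.

Added example for this thread, not code from the original posts. The two
sample logs are trimmed copies of the debug excerpts quoted above."""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
MM_RE = re.compile(r"IKE_[IR]_MM(\d)")          # IKE_I_MM3, IKE_R_MM2, ...
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
DUP_MARK = "phase 1 packet is a duplicate of a previous packet"
CRYPT_FAIL_MARK = "IKMP_CRYPT_FAILURE"

# Constructed sample 1: labelled RSA keys, initiator side (trimmed), plus the
# one syslog line the other peer printed.
FAILING_RUN = """\
Sep 19 14:40:27.491: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Sep 19 14:40:27.507: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Sep 19 14:40:27.523: ISAKMP:(0):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Sep 19 14:40:27.547: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Sep 19 14:40:28.679: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:29.179: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 19 14:40:30.191: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Sep 19 14:40:30.691: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 19 14:40:35.227: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 19 14:40:36.739: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer 172.16.1.4)
Sep 19 14:40:36.743: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 0) unable to decrypt (w/RSA private key) packet
"""

# Constructed sample 2: hostname-based RSA key, the run that completes (trimmed).
WORKING_RUN = """\
Sep 19 14:56:46.679: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Sep 19 14:56:46.695: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Sep 19 14:56:46.735: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Sep 19 14:56:46.995: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Sep 19 14:56:47.315: ISAKMP:(1031):Old State = IKE_I_MM4  New State = IKE_I_MM5
Sep 19 14:56:47.351: ISAKMP:(1031):SA has been authenticated with 172.16.1.4
Sep 19 14:56:47.355: ISAKMP:(1031):Old State = IKE_I_MM5  New State = IKE_I_MM6
Sep 19 14:56:47.367: ISAKMP:(1031):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Sep 19 14:56:47.479: ISAKMP:(1031):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""


def summarize(lines):
    """Walk the debug lines once and collect what locates the point where phase 1 stops."""
    states, attempts, reasons = [], [], []
    duplicates = crypt_failures = 0
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2))
        m = RETRANS_RE.search(line)
        if m:
            attempts.append(int(m.group(1)))
        m = DELETE_RE.search(line)
        if m:
            reasons.append(m.group(1))
        duplicates += DUP_MARK in line
        crypt_failures += CRYPT_FAIL_MARK in line
    mm = [int(m.group(1)) for m in map(MM_RE.fullmatch, states) if m]
    return {
        "last_state": states[-1] if states else None,
        "furthest_mm": max(mm) if mm else 0,
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in states,
        "retransmits": max(attempts) if attempts else 0,
        "duplicates_from_peer": duplicates,
        "delete_reasons": sorted(set(reasons)),
        "crypt_failures": crypt_failures,
    }


def verdict(summary):
    """One-line reading of the summary; mechanical, it does not guess at causes."""
    if summary["phase2_complete"]:
        return "phase 1 and phase 2 complete"
    if summary["phase1_complete"]:
        return "phase 1 complete, phase 2 did not finish"
    text = f"phase 1 died after MM{summary['furthest_mm']}"
    if summary["delete_reasons"]:
        text += f" ({'; '.join(summary['delete_reasons'])})"
    if summary["crypt_failures"]:
        text += "; a peer reported an RSA private-key decrypt failure"
    return text


if __name__ == "__main__":
    for name, log in ("labelled keys", FAILING_RUN), ("hostname key", WORKING_RUN):
        s = summarize(log.splitlines())
        print(f"{name}: {verdict(s)} | last state {s['last_state']}, "
              f"{s['retransmits']} retransmits, {s['duplicates_from_peer']} duplicate packets from peer")
```

For the labelled-key run it reports phase 1 dying after MM3, i.e. right after the "SA is doing RSA encryption authentication" step, with the peer only repeating its previous packet; for the hostname-based key it reports both phases complete. That narrows the question to what the responder does with the initiator's third message, which is where the other peer's IKMP_CRYPT_FAILURE line points as well.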

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#5 Post by pawel1025 »

A comparison of the public keys generated with a label on both peers.
R4's public key entered on R3 and vice versa. They look OK, but it doesn't work.

Code:
R4#sh crypto key mypubkey rsa R4
% Key pair was generated at: 16:06:52 GMT Sep 19 2010
Key name: R4
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E84010 04DA24AD
  93E41335 23C5E9DC 58917168 4F93F170 EC66FEF5 DFD327B5 E0440543 F06C4D6E
  C82A8D23 FCE7DF4B 29E9893B B4FF9A75 985B2D9E 06E08802 7D020301 0001

R3#sh crypto key pubkey-chain rsa address 172.16.1.4
Key address:       172.16.1.4
 Usage: Encryption Key
 Source: Manually entered
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E84010 04DA24AD
  93E41335 23C5E9DC 58917168 4F93F170 EC66FEF5 DFD327B5 E0440543 F06C4D6E
  C82A8D23 FCE7DF4B 29E9893B B4FF9A75 985B2D9E 06E08802 7D020301 0001


R3#sh crypto key mypubkey rsa R3
% Key pair was generated at: 16:04:57 GMT Sep 19 2010
Key name: R3
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CFF55B 1774BCF4
  B6F4BD3B AAADA0C6 628168D4 129B09B7 C0C41575 C3CA1DFC BD5F5785 2825DDAB
  453F0651 02CBD55A 5C94253A EE61813D 95863A72 B337F1B6 7B020301 0001

R4#sh crypto key pubkey-chain rsa address 172.16.1.3
Key address:       172.16.1.3
 Usage: Encryption Key
 Source: Manually entered
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CFF55B 1774BCF4
  B6F4BD3B AAADA0C6 628168D4 129B09B7 C0C41575 C3CA1DFC BD5F5785 2825DDAB
  453F0651 02CBD55A 5C94253A EE61813D 95863A72 B337F1B6 7B020301 0001

Last edited 19 Sep 2010, 17:33 by pawel1025, edited 1 time in total.

dorvin (CCIE, 1688 posts, registered 21 Jan 2008, Wrocław)

#6 Post by dorvin »

Your keys don't match. I don't like

Code:

Key is not exportable.

Write down how you generate the keys with and without a label and how you transfer them. Try putting the "label" keyword in a different place in the command. I checked it on my side and it works without problems. Also post the software version.

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#7 Post by pawel1025 »

RSA keys without a label I generate with

Code:

crypto key generate rsa

RSA keys with a label

Code:

crypto key generate rsa label xxx

The public key is copy/pasted into the other router's configuration under "key-string", Enter, and "quit" after pasting the key.

I'm using the advsecurityk9-mz.124-15.T7 image (Cisco 1700)

dorvin (CCIE, 1688 posts, registered 21 Jan 2008, Wrocław)

#8 Post by dorvin »

It looks like you're doing everything correctly. Try upgrading the software to a newer release within 12.4.15T.

garfield (CCIE, 2882 posts, registered 25 Aug 2006, Gdynia)

#9 Post by garfield »

in my opinion you have an error

Code:

named-key xxx

change it to

Code:

addressed-key xxx

it should be the same as the address, like you have with a plain key without a label

so try

Code:

crypto key pubkey-chain rsa
 addressed-key 172.16.1.3
  address 172.16.1.3
  key-string
   XXX (the other router's public key from sh crypto key mypubkey rsa)
  quit

Remember that the lab is just looking for reachability and not "optimal reachability".

pawel1025 (wannabe, 63 posts, registered 23 Apr 2006, Olsztyn)

#10 Post by pawel1025 »

Code:

named-key xxx

is a name-to-IP mapping via ip host. The command won't be accepted if the router has no name mapping via ip host.
I also tried with

Code:

address-key xxx

and the same result.

Maybe I missed something in the config that needs to be added when the RSA keys have a label, but it's strange that with RSA keys without a label it's fine..

Code:

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication rsa-encr
!
crypto ipsec transform-set pawel esp-3des esp-md5-hmac
!
crypto map pawel 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set pawel
 match address pawel
!
crypto key pubkey-chain rsa
 addressed-key 172.16.1.1
  address 172.16.1.1
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 0092D48B FD1EB3B8
   0AAEC353 ABBD5F23 3193770C A4D7BA81 981F0683 33B88B3A 5D51CCF8 F5FC0395
   F7730705 4095F6B5 B5D52639 30B98EAD 2BF9DAB9 42E1AF7F DB020301 0001
  quit
!
ip access-list extended pawel
 permit ip host 10.10.10.2 host 10.10.10.1
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Serial1/0.3 point-to-point
 ip address 172.16.1.2 255.255.255.252
 frame-relay interface-dlci 201
 crypto map pawel
!
ip route 10.10.10.0 255.255.255.0 172.16.1.1
!
A mirror-image config on the other peer.
Maybe RSA keys with a "label" are not supported by rsa-encr, only by rsa-sig?
I set up a CA and IPsec based on rsa-sig, and RSA keys with a label work...

dorvin, do you maybe have your test config that worked for you with an RSA label?

I'm probably making some silly mistake, because I tested on the advsecurity, advipservices and adventerprise IOS images and it's the same....

garfield (CCIE, 2882 posts, registered 25 Aug 2006, Gdynia)

#11 Post by garfield »

R5(s3/1)-----(s3/0)R2(f1/0)-----(f2/0)R3(s3/0)-----(s3/1)R8

encrypts selected traffic between R2 and R3

R2

Code:

crypto key pubkey-chain rsa
  addressed-key 192.168.4.3
  address 192.168.4.3
  key-string
   30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C7209D
   977065FF DDC6285D B6B24FDB 844080BB 4823468A 57372CF8 97A579D6 545E063B
   A77D77F3 927028B3 DCCADEC5 7726745C F29CC312 5AC15D47 BE06C941 1DC0BEE7
   0FEC3557 E621EB27 04F9F1AC 2451AF57 47BBB71F AC0B9A46 BB6E1680 8FE0D1A2
   2065FD8A 2E696FFC C4A5CA6E 8F442596 B3300766 D397F3C9 84847F44 01020301 0001
  quit
crypto isakmp policy 10
 encr 3des
 authentication rsa-encr
 group 5
!
!
crypto ipsec transform-set pawel esp-3des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.4.3
 set transform-set pawel
 match address test

interface Loopback0
 ip address 2.2.2.2 255.255.255.0

interface FastEthernet1/0
 ip address 192.168.4.2 255.255.255.0
 duplex auto
 speed auto
 crypto map test

interface Serial3/0
 ip address 15.3.0.3 255.255.255.0
 serial restart-delay 0

ip access-list extended test
 permit ip host 5.5.5.5 host 8.8.8.8
R3:

Code:

crypto key pubkey-chain rsa
  addressed-key 192.168.4.2
  address 192.168.4.2
  key-string
   30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D6C6E8
   378D6181 C10AFC41 81D8B025 53A184D2 4B62ECA4 8BE1456E 316C31C8 53AD0B13
   3CD6F92E CDC547DE 42B049CE 81702781 AC86C148 FE7B6F5C 6626D847 D905A705
   37F61691 FBBB8CDD 41D0818C 94C24913 AAEFA1BA A96288D7 A02B783C 73A409FA
   688F8C2D 57B309C8 4EDB7FA3 02FD1547 EDD1073D 2CCDB332 2F69FF2D 4D020301 0001
  quit
crypto isakmp policy 10
 encr 3des
 authentication rsa-encr
 group 5
!
!
crypto ipsec transform-set pawel esp-3des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.4.2
 set transform-set pawel
 match address test

interface Loopback0
 ip address 3.3.3.3 255.255.255.0

interface FastEthernet2/0
 ip address 192.168.4.3 255.255.255.0
 duplex auto
 speed auto
 crypto map test

interface Serial3/0
 ip address 15.4.0.3 255.255.255.0
 serial restart-delay 0

ip access-list extended test
 permit ip host 8.8.8.8 host 5.5.5.5
on both routers I generate the key with

Code:

R3(config)#crypto key generate rsa general-keys label testt modulus 1024

it encrypts traffic between the R5 and R8 loopbacks
result

Code:
R8#ping 5.5.5.5 source 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/38/96 ms
R8#
Remember that the lab is just looking for reachability and not “optimal reachability”.
