IPsec "received FRAGMENTATION vendor ID" after upgrade



  • My IPsec tunnel to a Cisco ASA is failing to come up after upgrading from 2.1.5 to 2.2-RC. I'm seeing "received FRAGMENTATION vendor ID" and "received INVALID_IKE_SPI error notify". Does anyone know how to fix it?

    charon: 14[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {1}
    charon: 14[IKE] <con1|1>initiating Main Mode IKE_SA con1[1] to y.y.y.y
    charon: 14[IKE] initiating Main Mode IKE_SA con1[1] to y.y.y.y
    charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
    charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (196 bytes)
    charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (116 bytes)
    charon: 14[ENC] parsed ID_PROT response 0 [ SA V V ]
    charon: 14[IKE] <con1|1>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    charon: 14[IKE] <con1|1>received FRAGMENTATION vendor ID
    charon: 14[IKE] received FRAGMENTATION vendor ID

    charon: 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (236 bytes)
    Dec 14 11:57:48 pfsense charon: 14[IKE] <con1|1>sending retransmit 1 of request message ID 0, seq 2
    Dec 14 11:57:48 pfsense charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 2
    Dec 14 11:57:48 pfsense charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (236 bytes)
    Dec 14 11:57:48 pfsense charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (68 bytes)
    Dec 14 11:57:48 pfsense charon: 14[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_IKE_SPI) ]
    Dec 14 11:57:48 pfsense charon: 14[IKE] <con1|1>received INVALID_IKE_SPI error notify
    Dec 14 11:57:48 pfsense charon: 14[IKE] received INVALID_IKE_SPI error notify

    ---------------logs from Cisco side--------------------------------------------------------------------

    [IKEv1]: Group = tunnel.acme.com, IP = x.x.x.x, Removing peer from peer table failed, no match!
    [IKEv1]: Group = tunnel.acme.com, IP = x.x.x.x, Error: Unable to remove PeerTblEntry



  • What do the ASA logs show?



  • Here is what I see on the ASA. I can get phase 1 to complete if I change "crypto isakmp identity hostname" to "crypto isakmp identity address" on the ASA; not sure why, but this is what I found after digging on Cisco's site. However, phase 2 never completes.

    [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 196
    [IKEv1 DEBUG]: IP = x.x.x.x, processing SA payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Oakley proposal is acceptable
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received xauth V6 VID
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received DPD VID
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received Cisco Unity client VID
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received Fragmentation VID
    [IKEv1 DEBUG]: IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received NAT-Traversal RFC VID
    [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
    [IKEv1 DEBUG]: IP = x.x.x.x, processing IKE SA payload
    [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
    [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
    [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 236
    [IKEv1 DEBUG]: IP = x.x.x.x, processing ke payload
    [IKEv1 DEBUG]: IP = x.x.x.x, processing ISA_KE payload
    [IKEv1 DEBUG]: IP = x.x.x.x, processing nonce payload
    [IKEv1 DEBUG]: IP = x.x.x.x, processing NAT-Discovery payload
    [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
    [IKEv1 DEBUG]: IP = x.x.x.x, processing NAT-Discovery payload
    [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Send IOS VID
    [IKEv1 DEBUG]: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing VID payload
    [IKEv1 DEBUG]: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Discovery payload
    [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
    [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Discovery payload
    [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
    [IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder…
    [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
    [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 74
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
    [IKEv1 DECODE]: Group = x.x.x.x, IP = x.x.x.x, ID_FQDN ID received, len 18
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device    This  end is NOT behind a NAT device
    [IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
    [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 99
    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
    [IKEv1]: IP = x.x.x.x, Keep-alive type for this connection: DPD
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 82080 seconds.
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending notify message
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
    [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=b16dcde0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Restarting P1 rekey timer: 82080 seconds.
    [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=39d932f1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing delete
    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
    [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:d4086445 terminating:  flags 0x0100c802, refcnt 0, tuncnt 0
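As an added triage example (not code from this thread, pfSense, strongSwan or Cisco), the following Python reads the charon and ASA lines quoted above and separates the informational lines from the actual failure: the vendor ID lines are capability advertisements (NAT-T, IKE fragmentation), while the INVALID_IKE_SPI notify that arrives after a retransmit is what actually stalls main mode on the pfSense side; on the ASA side it records the peer identity type, the tunnel-group match, whether phase 1 completed and why the SA was torn down. The sample lines are copied from the thread; the regular expressions, function names and the wording of the findings are assumptions of this example.

```python
"""Triage of an IKEv1 main-mode failure from strongSwan (charon) and
Cisco ASA debug output. Added example for this thread; not pfSense,
strongSwan or Cisco code. Regexes and finding wording are assumptions."""
import re

# Sample lines copied from the thread above (x.x.x.x / y.y.y.y as posted).
CHARON_LOG = """\
charon: 14[IKE] <con1|1>initiating Main Mode IKE_SA con1[1] to y.y.y.y
charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
charon: 14[ENC] parsed ID_PROT response 0 [ SA V V ]
charon: 14[IKE] <con1|1>received draft-ietf-ipsec-nat-t-ike-02\\n vendor ID
charon: 14[IKE] <con1|1>received FRAGMENTATION vendor ID
charon: 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 14[IKE] <con1|1>sending retransmit 1 of request message ID 0, seq 2
charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (68 bytes)
charon: 14[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_IKE_SPI) ]
charon: 14[IKE] <con1|1>received INVALID_IKE_SPI error notify
"""
ASA_LOG = """\
[IKEv1 DEBUG]: IP = x.x.x.x, Received xauth V6 VID
[IKEv1 DEBUG]: IP = x.x.x.x, Received Fragmentation VID
[IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
[IKEv1 DECODE]: Group = x.x.x.x, IP = x.x.x.x, ID_FQDN ID received, len 18
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
[IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=39d932f1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
"""

EXCHANGE_RE = re.compile(r"(generating|parsed) (\S+) (request|response) \d+ \[ (.*?) \]")
VID_RE = re.compile(r"received (.+?) vendor ID$")
NOTIFY_RE = re.compile(r"received (\S+) error notify")
RETRANS_RE = re.compile(r"sending retransmit \d+ of request message ID \d+")
ASA_VID_RE = re.compile(r"Received (.+?) VID$")
ASA_ID_RE = re.compile(r"(ID_\w+) ID received")
ASA_GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
ASA_TERM_RE = re.compile(r"Connection terminated for peer \S+\.\s+Reason: (.+?)\s{2,}")


def triage_charon(text):
    """Report vendor IDs, error notifies, retransmits and the last outbound
    request that never got a response (the point where main mode stalled)."""
    s = {"vendor_ids": [], "notifies": [], "retransmits": 0, "stalled_on": None}
    for line in text.splitlines():
        if m := EXCHANGE_RE.search(line):
            direction, _exch, kind, payloads = m.groups()
            if direction == "generating" and kind == "request":
                s["stalled_on"] = payloads.split()  # our request, awaiting a reply
            elif direction == "parsed" and kind == "response":
                s["stalled_on"] = None              # reply arrived, not stalled here
        elif m := VID_RE.search(line):
            if m.group(1) not in s["vendor_ids"]:   # charon logs each line twice
                s["vendor_ids"].append(m.group(1))
        elif m := NOTIFY_RE.search(line):
            s["notifies"].append(m.group(1))
        elif RETRANS_RE.search(line):
            s["retransmits"] += 1
    return s


def triage_asa(text):
    """Report what the responder saw: peer vendor IDs, peer identity type,
    tunnel-group match, phase 1 completion and why the SA went away."""
    s = {"vendor_ids": [], "peer_id_type": None, "tunnel_group": None,
         "phase1_completed": False, "peer_sent_delete": False, "terminate_reason": None}
    for line in text.splitlines():
        if m := ASA_VID_RE.search(line):
            s["vendor_ids"].append(m.group(1))
        elif m := ASA_ID_RE.search(line):
            s["peer_id_type"] = m.group(1)
        elif m := ASA_GROUP_RE.search(line):
            s["tunnel_group"] = m.group(1)
        elif "PHASE 1 COMPLETED" in line:
            s["phase1_completed"] = True
        elif "RECEIVED" in line and "DELETE (12)" in line:
            s["peer_sent_delete"] = True
        elif m := ASA_TERM_RE.search(line):
            s["terminate_reason"] = m.group(1)
    return s


def findings(charon, asa):
    """Plain-language triage lines combining both sides of the negotiation."""
    out = []
    if charon["vendor_ids"]:
        out.append("vendor IDs %s are capability advertisements, not errors"
                   % ", ".join(charon["vendor_ids"]))
    if "INVALID_IKE_SPI" in charon["notifies"] and charon["stalled_on"]:
        out.append("peer answered our [%s] request (after %d retransmit(s)) with "
                   "INVALID_IKE_SPI: it holds no IKE SA for our cookie, so phase 1 "
                   "never reached the ID/HASH exchange"
                   % (" ".join(charon["stalled_on"]), charon["retransmits"]))
    if asa["peer_id_type"]:
        out.append("ASA saw peer identity type %s and matched tunnel-group %s"
                   % (asa["peer_id_type"], asa["tunnel_group"]))
    if asa["phase1_completed"] and asa["peer_sent_delete"]:
        out.append("phase 1 completed, then the peer deleted the SA (%s): "
                   "authentication is fine, look at phase 2 proposals/selectors next"
                   % asa["terminate_reason"])
    return out


if __name__ == "__main__":
    for f in findings(triage_charon(CHARON_LOG), triage_asa(ASA_LOG)):
        print("-", f)
```

Run against real logs by reading `/var/log/ipsec.log` on the pfSense side and the `debug crypto isakmp` output on the ASA; the "stalled_on" payload list tells you which main-mode message the peer stopped answering, which is more useful than the vendor ID lines the thread title points at.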



  • Can you please describe your setup?
    IKEv1?
    How many subnets in phase 2?



  • sure

    Phase 1
    ---------------

    ike v1
    PSK
    3DES
    MD5
    DH group2
    DPD enabled
    NAT Auto
    Lifetime 28800

    Phase 2

    3DES/MD5
    Lifetime 28800
    3 subnets



  • update

    configuring 1 subnet out of 3 in phase 2 works, any idea how to have reachability to all 3 subnets behind the firewall?



  • Known issue we're looking into. https://redmine.pfsense.org/issues/4129



  • Thank you! Looking forward to the fix.

