    IPsec "received FRAGMENTATION vendor ID" after upgrade

    2.2 Snapshot Feedback and Problems - RETIRED
      samham last edited by

      My IPsec tunnel to a Cisco ASA is failing to come up after upgrading from 2.1.5 to 2.2-RC. I'm seeing "received FRAGMENTATION vendor ID" and "received INVALID_IKE_SPI error notify". Does anyone know how to fix it?

      charon: 14[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {1}
      charon: 14[IKE] <con1|1>initiating Main Mode IKE_SA con1[1] to y.y.y.y
      charon: 14[IKE] initiating Main Mode IKE_SA con1[1] to y.y.y.y
      charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
      charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (196 bytes)
      charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (116 bytes)
      charon: 14[ENC] parsed ID_PROT response 0 [ SA V V ]
      charon: 14[IKE] <con1|1>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 14[IKE] <con1|1>received FRAGMENTATION vendor ID
      charon: 14[IKE] received FRAGMENTATION vendor ID

      charon: 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (236 bytes)
      Dec 14 11:57:48 pfsense charon: 14[IKE] <con1|1>sending retransmit 1 of request message ID 0, seq 2
      Dec 14 11:57:48 pfsense charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 2
      Dec 14 11:57:48 pfsense charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (236 bytes)
      Dec 14 11:57:48 pfsense charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (68 bytes)
      Dec 14 11:57:48 pfsense charon: 14[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_IKE_SPI) ]
      Dec 14 11:57:48 pfsense charon: 14[IKE] <con1|1>received INVALID_IKE_SPI error notify
      Dec 14 11:57:48 pfsense charon: 14[IKE] received INVALID_IKE_SPI error notify

      ---------------- logs from Cisco side ----------------

      [IKEv1]: Group = tunnel.acme.com, IP = x.x.x.x, Removing peer from peer table failed, no match!
      [IKEv1]: Group = tunnel.acme.com, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

        cmb last edited by

        What do the ASA logs show?

          samham last edited by

          Here is what I see on the ASA. I can get phase 1 to complete if I change "crypto isakmp identity hostname" to "crypto isakmp identity address" on the ASA; not sure why, but this is what I found after digging on Cisco's site. However, phase 2 never completes.

          [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 196
          [IKEv1 DEBUG]: IP = x.x.x.x, processing SA payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Oakley proposal is acceptable
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received xauth V6 VID
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received DPD VID
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received Cisco Unity client VID
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received Fragmentation VID
          [IKEv1 DEBUG]: IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received NAT-Traversal RFC VID
          [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
          [IKEv1 DEBUG]: IP = x.x.x.x, processing IKE SA payload
          [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
          [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
          [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 236
          [IKEv1 DEBUG]: IP = x.x.x.x, processing ke payload
          [IKEv1 DEBUG]: IP = x.x.x.x, processing ISA_KE payload
          [IKEv1 DEBUG]: IP = x.x.x.x, processing nonce payload
          [IKEv1 DEBUG]: IP = x.x.x.x, processing NAT-Discovery payload
          [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
          [IKEv1 DEBUG]: IP = x.x.x.x, processing NAT-Discovery payload
          [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Send IOS VID
          [IKEv1 DEBUG]: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing VID payload
          [IKEv1 DEBUG]: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Discovery payload
          [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
          [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Discovery payload
          [IKEv1 DEBUG]: IP = x.x.x.x, computing NAT Discovery hash
          [IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder…
          [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
          [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 74
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
          [IKEv1 DECODE]: Group = x.x.x.x, IP = x.x.x.x, ID_FQDN ID received, len 18
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
          [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device    This  end is NOT behind a NAT device
          [IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
          [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
          [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 99
          [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
          [IKEv1]: IP = x.x.x.x, Keep-alive type for this connection: DPD
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 82080 seconds.
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending notify message
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
          [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=b16dcde0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, Restarting P1 rekey timer: 82080 seconds.
          [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=39d932f1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing delete
          [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
          [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:d4086445 terminating:  flags 0x0100c802, refcnt 0, tuncnt 0

            eri-- last edited by
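Reading the two log excerpts side by side (the charon lines in the first post, the ASA debug lines just above) is the whole diagnosis: strongSwan never gets past the second Main Mode message because the ASA answers with INVALID_IKE_SPI, and once the identity type is changed the ASA reaches PHASE 1 COMPLETED but then receives a DELETE before any phase 2 SA exists. The following script is an added example, not code from the thread or from pfSense/strongSwan; it triages both log dialects into a short status so the failure stage is visible without reading every line. The sample lines are constructed to mirror the quoted output (x.x.x.x / y.y.y.y placeholders kept); the strongSwan "established" and DELETE wordings and the ASA "Error:" pattern are not on this page and are assumed from those products' usual messages.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input modelled on the charon lines quoted in the first post.
CHARON_LINES = [
    "charon: 14[IKE] <con1|1> initiating Main Mode IKE_SA con1[1] to y.y.y.y",
    "charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]",
    "charon: 14[IKE] <con1|1> received draft-ietf-ipsec-nat-t-ike-02\\n vendor ID",
    "charon: 14[IKE] <con1|1> received FRAGMENTATION vendor ID",
    "charon: 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]",
    "charon: 14[IKE] <con1|1> sending retransmit 1 of request message ID 0, seq 2",
    "charon: 14[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_IKE_SPI) ]",
    "charon: 14[IKE] <con1|1> received INVALID_IKE_SPI error notify",
]

# Constructed sample input modelled on the ASA debug lines in the post above.
ASA_LINES = [
    "[IKEv1 DEBUG]: IP = x.x.x.x, Received Fragmentation VID",
    "[IKEv1 DEBUG]: IP = x.x.x.x, Received NAT-Traversal ver 02 VID",
    "[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED",
    "[IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=39d932f1) with payloads : "
    "HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76",
    "[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.  "
    "Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A",
]

# ISAKMP error notifies that end a phase 1 attempt outright.
FATAL_NOTIFIES = {"INVALID_IKE_SPI", "NO_PROPOSAL_CHOSEN", "INVALID_ID_INFORMATION",
                  "AUTHENTICATION_FAILED", "PAYLOAD_MALFORMED"}

# (event kind, regex) tables for each log dialect.  The "phase1"/"phase2"/"delete"
# wordings for charon and the ASA "Error:" pattern are assumptions (not quoted here).
CHARON_PATTERNS = [
    ("vendor", re.compile(r"received (.+?) vendor ID")),
    ("retransmit", re.compile(r"sending retransmit (\d+) of request")),
    ("notify", re.compile(r"received (\S+) error notify")),
    ("phase1", re.compile(r"IKE_SA \S+ established")),
    ("phase2", re.compile(r"CHILD_SA \S+ established")),
    ("delete", re.compile(r"received DELETE for IKE_SA|deleting IKE_SA")),
]
ASA_PATTERNS = [
    ("vendor", re.compile(r"Received (.+?) VID")),
    ("phase1", re.compile(r"PHASE 1 COMPLETED")),
    ("phase2", re.compile(r"PHASE 2 COMPLETED")),
    ("delete", re.compile(r"\+ DELETE \(12\)")),
    ("reason", re.compile(r"Reason: (.+?)(?:\s{2,}|$)")),
    ("notify", re.compile(r"Error: (.+)$")),
]


@dataclass
class IkeSummary:
    vendor_ids: List[str] = field(default_factory=list)
    retransmits: int = 0
    notifies: List[str] = field(default_factory=list)
    phase1_completed: bool = False
    phase2_completed: bool = False
    deleted: bool = False
    termination_reason: Optional[str] = None


def parse(lines: List[str], patterns) -> IkeSummary:
    """Fold log lines into an IkeSummary using the given pattern table."""
    s = IkeSummary()
    for line in lines:
        for kind, rx in patterns:
            m = rx.search(line)
            if not m:
                continue
            if kind == "vendor" and m.group(1) not in s.vendor_ids:
                s.vendor_ids.append(m.group(1))      # duplicates (pfSense logs twice) collapse
            elif kind == "retransmit":
                s.retransmits = max(s.retransmits, int(m.group(1)))
            elif kind == "notify":
                s.notifies.append(m.group(1))
            elif kind == "phase1":
                s.phase1_completed = True
            elif kind == "phase2":
                s.phase2_completed = True
            elif kind == "delete":
                s.deleted = True
            elif kind == "reason":
                s.termination_reason = m.group(1)
    return s


def diagnose(s: IkeSummary) -> Tuple[str, str]:
    """Map a summary to (status code, one-line explanation)."""
    fatal = [n for n in s.notifies if n in FATAL_NOTIFIES]
    if not s.phase1_completed and fatal:
        return ("phase1_failed", f"peer rejected the exchange with {fatal[0]}; "
                "check that both ends agree on the IKE identity type and proposals")
    if s.phase1_completed and s.phase2_completed:
        return ("tunnel_up", "phase 1 and phase 2 completed")
    if s.phase1_completed and s.deleted:
        return ("phase2_failed", "phase 1 completed but the IKE SA was deleted before a "
                f"phase 2 SA ({s.termination_reason or 'no reason logged'}); compare the "
                "phase 2 subnets/traffic selectors on both ends")
    if s.phase1_completed:
        return ("phase2_pending", "phase 1 completed, no phase 2 result seen yet")
    if s.retransmits:
        return ("phase1_no_response", f"{s.retransmits} retransmit(s) without a usable reply")
    return ("inconclusive", "no decisive events in the supplied lines")


if __name__ == "__main__":
    for name, lines, pats in (("strongSwan", CHARON_LINES, CHARON_PATTERNS),
                              ("ASA", ASA_LINES, ASA_PATTERNS)):
        print(name, diagnose(parse(lines, pats)))
```

Feed it the real log files line by line (`parse(open(path), CHARON_PATTERNS)`) and the two sides should agree on the stage at which the negotiation stops; if they disagree, one side is logging an event the other never received, which points at packet loss or an intermediate device rather than at the configuration.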

            Can you please describe your setup.
            IKEv1?
            how many subnets in phase2?

              samham last edited by

              sure

              Phase 1
              --------------

              ike v1
              PSK
              3DES
              MD5
              DH group2
              DPD enabled
              NAT Auto
              Lifetime 28800

              Phase 2

              3DES/MD5
              Lifetime 28800
              3 subnets

                samham last edited by

                update

                Configuring 1 subnet out of 3 in phase 2 works. Any idea how to get reachability to all 3 subnets behind the firewall?

                  cmb last edited by

                  Known issue we're looking into. https://redmine.pfsense.org/issues/4129

                    samham last edited by

                    Thank you! Looking forward to the fix.
