From: Matthew G. <mga...@re...> - 2009-01-27 19:35:05
I've been spending some time yak shaving racoon, trying to get it to connect to a cluster of Cisco ASA5520 security devices. I'm at an impasse now and I'm wondering if anyone on the list has encountered/dealt with the ERROR message below:

Jan 27 13:28:31 localhost racoon: INFO: @(#)ipsec-tools 0.8-alpha20090126 (http://ipsec-tools.sourceforge.net)
Jan 27 13:28:31 localhost racoon: INFO: @(#)This product linked OpenSSL 0.9.8j-fips 07 Jan 2009 (http://www.openssl.org/)
Jan 27 13:28:31 localhost racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jan 27 13:28:31 localhost racoon: INFO: 127.0.0.1[500] used for NAT-T
Jan 27 13:28:31 localhost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Jan 27 13:28:31 localhost racoon: INFO: 127.0.0.1[4500] used for NAT-T
Jan 27 13:28:31 localhost racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Jan 27 13:28:31 localhost racoon: INFO: aa.bb.cc.dd[500] used for NAT-T
Jan 27 13:28:31 localhost racoon: INFO: aa.bb.cc.dd[500] used as isakmp port (fd=10)
Jan 27 13:28:31 localhost racoon: INFO: aa.bb.cc.dd[4500] used for NAT-T
Jan 27 13:28:31 localhost racoon: INFO: aa.bb.cc.dd[4500] used as isakmp port (fd=11)
Jan 27 13:28:31 localhost racoon: INFO: ::1[500] used as isakmp port (fd=12)
Jan 27 13:28:31 localhost racoon: INFO: ::1[4500] used as isakmp port (fd=13)
Jan 27 13:29:01 localhost racoon: INFO: accept a request to establish IKE-SA: xx.yy.zz.pp
Jan 27 13:29:01 localhost racoon: INFO: initiate new phase 1 negotiation: aa.bb.cc.dd[500]<=>xx.yy.zz.pp[500]
Jan 27 13:29:01 localhost racoon: INFO: begin Aggressive mode.
Jan 27 13:29:02 localhost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 27 13:29:02 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 27 13:29:02 localhost racoon: INFO: received Vendor ID: DPD
Jan 27 13:29:02 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Jan 27 13:29:02 localhost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 27 13:29:02 localhost racoon: WARNING: port 500 expected, but 0
Jan 27 13:29:02 localhost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
Jan 27 13:29:02 localhost racoon: INFO: NAT-D payload #-1 doesn't match
Jan 27 13:29:02 localhost racoon: INFO: NAT-D payload #0 doesn't match
Jan 27 13:29:02 localhost racoon: INFO: NAT detected: ME PEER
Jan 27 13:29:02 localhost racoon: INFO: KA list add: aa.bb.cc.dd[4500]->xx.yy.zz.pp[4500]
Jan 27 13:29:02 localhost racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 27 13:29:02 localhost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 27 13:29:02 localhost racoon: INFO: Hashing xx.yy.zz.pp[4500] with algo #2 (NAT-T forced)
Jan 27 13:29:02 localhost racoon: INFO: Hashing aa.bb.cc.dd[4500] with algo #2 (NAT-T forced)
Jan 27 13:29:02 localhost racoon: INFO: ISAKMP-SA established aa.bb.cc.dd[4500]-xx.yy.zz.pp[4500] spi:987654321abcdef0:abcdef1234567890
Jan 27 13:29:02 localhost racoon: ERROR: notification 40501 received in informational exchange.
Jan 27 13:29:02 localhost racoon: ERROR: notification payload: 42bbe936.

notification 40501 seems to be a Cisco-specific message related to load balancing. Googling around, it seems to be defined on line 331 here:

http://ike.sourcearchive.com/documentation/2.1.4plus-pdfsg/ike_8h-source.html

It makes sense because the endpoint racoon is connecting to is a cluster of Cisco ASA5520 security appliances.

Are there any patches for supporting IKE message 40501 floating about that could use some testing?

Thanks,

Matt

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
From: Matthew G. <mg...@sh...> - 2009-01-28 05:34:33
Matthew Galgoci wrote:
> I've been spending some time yak shaving racoon, trying to get it to
> connect to a cluster of Cisco ASA5520 security devices. I'm at an impasse
> now and I'm wondering if anyone on the list has encountered/dealt with
> the ERROR message below:
> ...
>
> notification 40501 seems to be a Cisco-specific message related to load
> balancing. Googling around, it seems to be defined on line 331 here:
>
> http://ike.sourcearchive.com/documentation/2.1.4plus-pdfsg/ike_8h-source.html
>
> It makes sense because the endpoint racoon is connecting to is a cluster
> of Cisco ASA5520 security appliances.
>
> Are there any patches for supporting IKE message 40501 floating about
> that could use some testing?

Hi Matthew,

We don't support this currently. I did happen to add support for this recently in the 2.1.4 Shrew Soft IKE daemon, so I know a few details on how it's supposed to work.

http://www.shrew.net/support/changeset?new=579%40ike%2Fbranch-2.1%2Fsource%2Fiked%2Fike.exch.inform.cpp&old=536%40ike%2Fbranch-2.1%2Fsource%2Fiked%2Fike.exch.inform.cpp

The notification is basically just four bytes which encode the address of the preferred server that the ASAs would like the client to connect to. Not sure how hard this would be to implement with racoon.

What you could try is connecting to the ASA cluster using software that handles the notification and determining one of the unique ASA cluster addresses that the client gets directed to. If you use that address, you will bypass the notification message and establish the connection.

Hope this helps,

-Matthew
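As an added illustration (not code from racoon or from the Shrew Soft daemon), here is a small parser for the ISAKMP Notification payload (RFC 2408 section 3.14) that recognises notify type 40501 and decodes its four data bytes as the redirect address, as described in the reply above. It assumes the value racoon printed as "notification payload" is the 4-byte notification data; the DOI, protocol ID and SPI in the constructed sample are placeholders, since the log does not show them.

```python
import socket
import struct

# Cisco's load-balancer redirect notify type seen in the racoon log above.
# 40501 lies in the ISAKMP private-use range of notify message types.
NOTIFY_CISCO_LOAD_BALANCE = 40501

# RFC 2408 section 3.14 Notification payload: generic header (next payload,
# reserved, length), then DOI(4), Protocol-ID(1), SPI size(1), Notify type(2),
# followed by the SPI and the notification data.
_HDR = struct.Struct("!BBHIBBH")


def build_notify(ntype, data, spi=b"", doi=1, proto=1, next_payload=0):
    """Build one notification payload; used here only to construct input."""
    length = _HDR.size + len(spi) + len(data)
    return _HDR.pack(next_payload, 0, length, doi, proto, len(spi), ntype) + spi + data


def parse_notify(buf):
    """Parse one notification payload into a dict of its fields.
    Raises ValueError on a truncated buffer or an inconsistent length."""
    if len(buf) < _HDR.size:
        raise ValueError("payload shorter than fixed header")
    nxt, _res, length, doi, proto, spi_size, ntype = _HDR.unpack_from(buf)
    if length < _HDR.size + spi_size or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    spi = buf[_HDR.size:_HDR.size + spi_size]
    data = buf[_HDR.size + spi_size:length]
    return {"next": nxt, "doi": doi, "proto": proto, "spi": spi,
            "type": ntype, "data": data}


def redirect_target(notify):
    """For a 40501 notification, decode the four data bytes as the IPv4
    address of the cluster member the client is told to use. Returns None
    for any other notify type or when the data is not exactly 4 bytes."""
    if notify["type"] != NOTIFY_CISCO_LOAD_BALANCE or len(notify["data"]) != 4:
        return None
    return socket.inet_ntoa(notify["data"])


# Constructed sample: the data bytes are the value racoon logged above;
# a 16-byte zero SPI stands in for the two ISAKMP cookies (placeholder).
SAMPLE = build_notify(NOTIFY_CISCO_LOAD_BALANCE, bytes.fromhex("42bbe936"),
                      spi=bytes(16))

if __name__ == "__main__":
    n = parse_notify(SAMPLE)
    print("notify type %d, redirect to %s" % (n["type"], redirect_target(n)))
```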
From: Timo T. <tim...@ik...> - 2009-01-28 12:39:18
Matthew Galgoci wrote:
> I've been spending some time yak shaving racoon, trying to get it to
> connect to a cluster of Cisco ASA5520 security devices. I'm at an impasse
> now and I'm wondering if anyone on the list has encountered/dealt with
> the ERROR message below:
>
> Jan 27 13:29:02 localhost racoon: WARNING: port 500 expected, but 0

This looks a bit suspicious too.

> Jan 27 13:29:02 localhost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
> Jan 27 13:29:02 localhost racoon: INFO: NAT-D payload #-1 doesn't match
> Jan 27 13:29:02 localhost racoon: INFO: NAT-D payload #0 doesn't match
> Jan 27 13:29:02 localhost racoon: INFO: NAT detected: ME PEER
> Jan 27 13:29:02 localhost racoon: INFO: KA list add: aa.bb.cc.dd[4500]->xx.yy.zz.pp[4500]
> Jan 27 13:29:02 localhost racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Jan 27 13:29:02 localhost racoon: INFO: Adding remote and local NAT-D payloads.
> Jan 27 13:29:02 localhost racoon: INFO: Hashing xx.yy.zz.pp[4500] with algo #2 (NAT-T forced)
> Jan 27 13:29:02 localhost racoon: INFO: Hashing aa.bb.cc.dd[4500] with algo #2 (NAT-T forced)
> Jan 27 13:29:02 localhost racoon: INFO: ISAKMP-SA established aa.bb.cc.dd[4500]-xx.yy.zz.pp[4500] spi:987654321abcdef0:abcdef1234567890

This says that your connection should be working nevertheless.

> Jan 27 13:29:02 localhost racoon: ERROR: notification 40501 received in informational exchange.
> Jan 27 13:29:02 localhost racoon: ERROR: notification payload: 42bbe936.

And even though this is printed as an error, the notification should be ignored and your connection working.

> It makes sense because the endpoint racoon is connecting to is a cluster
> of Cisco ASA5520 security appliances.
>
> Are there any patches for supporting IKE message 40501 floating about
> that could use some testing?

No. But I can add it as recognized and not print any warnings/errors if it's received.

Just as clarification, does the connection work even though the ERROR message is printed?

- Timo