Re: [opennhrp-devel] ISAKMP Dead Peer Detection with Cisco only funtions if a static peer mapping i
Brought to you by:
fabled80
Menu
▾
▴
Re: [opennhrp-devel] ISAKMP Dead Peer Detection with Cisco only funtions if a static peer mapping is defined
|
From: Jean-Francois D. <jf...@gm...> - 2011-12-13 22:05:39
|
Cool, one more bug squashed ;)
On Tue, Dec 13, 2011 at 9:58 PM, Frank Renwick <fre...@ce...> wrote:
> Jean,
>
> I apologize for the delay. The suggested fix, which was to make a change in
> the function 'intident_r1send' in src/racoon/isakmp_ident.c, worked well.
> The change you suggested reverts back to ipsec-tools 0.7.0 behavior as you
> mentioned, and in 0.7.0 ipsec-tools sends the DPD vendor ID based on the
> racoon.conf configuration file, not based on an event driven scenario. As
> you showed us, the Cisco Initiator is sending the DPD Vendor ID in MM3,
> which was not "acceptable" to ipsec-tools 0.8.0.
>
> I contacted the DPD developer, Yvan Vanhullebus, and let him know that this
> forum provided assistance, and what the assistance was. He agreed to push
> the required change into future versions. He mentioned that strictly
> speaking, Cisco's behavior in this matter does not break RFC compliance. He
> mentioned that the Cisco could send the Vendor ID in the first exchange, but
> RFC 3706 has no 'MUST' or even 'SHOULD' for this.
>
> Finally:
>
> I ran through a test trial once the change was made and posted the results
> to the same ftp site:
>
> ftp://64.160.64.46/ (username: temp, password: temp). The new log files and
> trace file are in the directory titled
> 'trial2-with-modifiec-ipsec-tools-0.8.0'
>
> The events in this trial are:
> 20:26:00 -- racoon and opennhrp started (The cisco hub and spoke
> were started several minutes before this)
>
> 20:26:30 -- opennhrp node initiates a spoke-to-spoke connection with the
> cisco spoke by
> issuing a ping on the opennhrp spoke (specifically, ping 10.0.2.1)
> 20:27:30 -- disconnect the link between N1 and the opennhrp host
> 20:29:00 -- reconnect the link
>
> Thanks very much for all the support with this issue.
>
> frank
>
> end test after ISAKMP re-negotiation and pin resumes. I verified that ESP
> traffic
> resumed between the N1 Cisco Spoke and the opennhrp spoke.
>
>> 1) (0.8 specific):
>> ===
>> -> add the vendor ID in MM2 as responder even if we didnt got it in MM1:
>>
>> file: src/racoon/isakmp_ident.c, patch the following (line 1030 in my
>> file)
>> function: intident_r1send(iph1, msg)
>>
>> #ifdef ENABLE_DPD
>> if (iph1->dpd_support) {
>>
>> by
>>
>> #ifdef ENABLE_DPD
>> (iph1->rmconf == NULL || iph1->rmconf->dpd) {
>
> -----Original Message-----
> From: Jean-Francois Dive [mailto:jf...@gm...]
> Sent: Tuesday, December 06, 2011 14:27
> To: Frank Renwick
> Cc: Artem Makhutov; ope...@li...
> Subject: Re: [opennhrp-devel] ISAKMP Dead Peer Detection with Cisco only
> funtions if a static peer mapping is defined
>
> After compiling it, i realize the second part is not needed, it is handled
> already (the one in int ident_r2recv)
>
> J.
>
> On Tue, Dec 6, 2011 at 10:56 PM, Jean-Francois Dive <jf...@gm...>
> wrote:
>> Well Frank,
>>
>> I jumped too fast to conclusion: i looked at the fedora to hub packet
>> traces, mixed up the ip addresses of which is which ... and went the
>> wrong way. more later on the vendor id payload in which main mode
>> packet story.
>>
>> Back to the real connection: in the pcap traces:
>>
>> frame 53: ios spoke (10.0.0.6) initiate towards fedora (10.0.0.26), no
>> DPD vendor ID payload
>> frame 54: fedora replies, no vendor ID either.
>> frame 55: ios send MM3 and adds more vendor ID payloads, DPD included.
>>
>> This last point didnt made sense and didnt matched what i read in the
>> source of ipsec-tools 0.7. I downloaded 0.8 and .. well the logic in
>> the code changed:
>>
>> -> in 0.7, the decision to add or not the vendor ID is MM2 based on a
>> flag being on off, driven by the remoteconf configuration (the remote
>> peer cfg file construct).
>> -> in 0.8, the same decision is based on the fact that we got before
>> the DPD vendor id in MM1 (and if we are configured too).
>>
>> What i thought confused IOS actually confused racoon and I am confused
>> on why IOS sends this serie of vendor ID later.
>>
>> The issue remains the same: racoon sends DPD's that IOS ignores
>> because it didnt received the DPD vendor ID from fedora.
>>
>> Now the fix. I have not tested this as i dont have an easy 12.4.15T to
>> test with from where i am.
>>
>> racoon, whatever version, does not handle this case properly: it will
>> ignore the vendor ID's received in MM3 when responder.
>>
>> the fix is in 2 places in the code
>>
>> 1) (0.8 specific):
>> ===
>> -> add the vendor ID in MM2 as responder even if we didnt got it in MM1:
>>
>> file: src/racoon/isakmp_ident.c, patch the following (line 1030 in my
>> file)
>> function: intident_r1send(iph1, msg)
>>
>> #ifdef ENABLE_DPD
>> if (iph1->dpd_support) {
>>
>> by
>>
>> #ifdef ENABLE_DPD
>> (iph1->rmconf == NULL || iph1->rmconf->dpd) {
>>
>>
>> 2) handle the vendor ID in MM3:
>> ===
>> file: src/racoon/isakmp_ident.c, patch the following (line 1191 in my
>> file)
>> function: intident_r2recv(iph1, msg)
>>
>> /* passthrough to default... */ #endif
>> default:
>>
>> by:
>>
>> /* passthrough to default... */ #endif
>> case ISAKMP_NPTYPE_VID:
>> int vid_numeric = check_vendorid(pa->ptr);
>> if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
>> iph1->dpd_support=1;
>>
>> default:
>>
>>
>> I think that will fix your problem (untested)
>>
>> now, on the IOS side, this behavior might have a good reason which are
>> probably linked to the way the configuration is looked up within the
>> IKE implementation.
>>
>> Tell me how it goes.
>>
>> J.
>>
>> On Sun, Dec 4, 2011 at 7:18 PM, Frank Renwick <fre...@ce...> wrote:
>>> Thanks for taking such a close look at this. The log files you asked
>>> for are attached. I'll state again that if this is not the right
>>> forum for this question please feel free to ask me to stop.
>>>
>>> The description of the problem: When DPD is configured on the
>>> opennhrp spoke, dynamic spoke-to-spoke tunneling with a cisco spoke
>>> initiates but then times out after 45 seconds. (If DPD is disabled
>>> on the opennhrp spoke, the dynamic spoke-to-spoke tunnel works
>>> without any issues discovered to
>>> date.)
>>>
>>> Observation: In the spoke-to-spoke dynamic tunnel setup, in my test
>>> lab, I am using ping from the opennhrp spoke to initiate the
>>> spoke-to-spoke tunnel with the cisco spoke. In every test I've run,
>>> the first ISAKMP packet seen on the wire between the two spokes is
>>> from the Cisco spoke to the opennhrp spoke. As such, it appears that
>>> the failed DPD negotiation may be related to the Cisco being the
>>> initiator. I'm not sure about this, but when the opennhrp spoke
>>> initiated the IKE exhange with the Cisco hub, DPD negotiation is
> successful.
>>>
>>> The attached files are:
>>>
>>> Network.pdf: physical and logical topology views of the test network
>>> Hub-configs.txt: cisco hub 'sh run', 'sh ver' and 'sh dmvpn detail'
>>> N1-configs.txt: cisco spoke 'sh run', 'sh ver' and 'sh dmvpn detail'
>>> Opennhrp.conf,racoon.conf: opennhrp spoke configs
>>>
>>> Log files:
>>> Trace.pcap: sniffer trace captured on the opennhrp spoke
>>> Logfile: racoon log file capture on the opennhrp spoke
>>> Hub-debug-crypto-isakmp.txt: isakmp debugging on the cisco hub
>>> N1-debug-crypto-isakmp.txt: isakmp debuggin on the cisco spoke
>>>
>>> When looking through the log files, which have time synchronization,
>>> the following times are relevant:
>>>
>>> 17:49:00 -- racoon and opennhrp started (The cisco hub and spoke
>>> were started several minutes before this) 17:50:00 -- opennhrp node
>>> initiates a spoke-to-spoke connection with the cisco spoke by issuing
>>> a ping on the opennhrp spoke (specifically, ping
>>> 10.0.2.1)
>>> 17:50:45 -- the ping to the cisco spoke begins to timeout 17:51:00 --
>>> end test
>>>
>>> frank
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Jean-Francois Dive [mailto:jf...@gm...]
>>> Sent: Sunday, December 04, 2011 01:08
>>> To: Frank Renwick
>>> Cc: Artem Makhutov; ope...@li...
>>> Subject: Re: [opennhrp-devel] ISAKMP Dead Peer Detection with Cisco
>>> only funtions if a static peer mapping is defined
>>>
>>> hello Frank,
>>>
>>> The log message you point in the IOS logs are not relevant. There are
>>> 2 key differences here between the 2 logs you showed:
>>>
>>> -> In the failing state, IOS is the initiator In the failing states,
>>> -> there are 2 phase 1 negotiated between the 2
>>> devices, the initial contact notify payload should drive the delete
>>> of the old one but it seems we are still using it on the racoon side
>>> (seems, hard to make a 100% call from the data we have).
>>>
>>> It is somehow classical that an ike negotiation works ok when
>>> initiated from one side and could fail when initiated from the other.
>>>
>>> it would be good to have a little more data about the 3 devices we
>>> see: 10.0.0.6 (cisco IOS, hub i guess?), 10.0.0.26 and 10.0.0.2., and
>>> the dmvpn configuration:
>>>
>>> on IOS, please collect:
>>>
>>> show version
>>> show dmvpn
>>> show run (interface tunnel X), isakmp and ipsec profile are ok
>>> otherwise you would have a different type of errors.
>>>
>>> and a description of exactly who is initiating/responding to who:
>>> this depends on the dmvpn phase you are using (phase 2 or phase 3)
>>> and therefore the nhrp config + routes distribution of the subnets
>>> behind the spoke (do your spokes are a summary route pointing to the
>>> hub and use nhrp redirect or do you have each routes pointing to each
> spoke's tunnel addresses) ?
>>>
>>> to troubleshoot this, it is important to start with a known state adn
>>> then trigger the problem, collecting precisely the debugs and capture
>>> (sniffer trace could help between IOS and failing openhrp device),
>>> with all the devices time sync'ed to correlate the logs (seems to be
>>> off in the logs you showed).
>>>
>>> Hope this help.
>>>
>>> J.
>>>
>>> PS: my guts feeling tells me racoon does not purge the old phase 1,
>>> IOS uses the new one and purged the old, racoon send DPD on the old,
>>> does not get responses, flushes the entire session.
>>>
>>> On Sat, Dec 3, 2011 at 8:40 PM, Frank Renwick <fre...@ce...>
> wrote:
>>>>
>>>> Sorry, I forgot to attach the capture files.
>>>>
>>>> Frank
>>>>
>>>> -----Original Message-----
>>>> From: Artem Makhutov [mailto:ar...@ma...]
>>>> Sent: Saturday, December 03, 2011 03:05
>>>> To: ope...@li...
>>>> Subject: Re: [opennhrp-devel] ISAKMP Dead Peer Detection with Cisco
>>>> only funtions if a static peer mapping is defined
>>>>
>>>> Hello Frank,
>>>>
>>>> Frank Renwick schrieb:
>>>>> Hello,
>>>>> I'm not sure if this is the proper forum for this question as it
>>>>> may be an
>>>> ipsec-tools related matter.
>>>>> I have a network with a Cisco DMVPN Hub, several Cisco DMVPN
>>>>> spokes, and
>>>> one (at present) opennhrp spoke. As long as Dead Peer Detection
>>>> (DPD) is disabled in racoon.conf, everything is functional,
>>>> including spoke-to-spoke GRE and IPSec tunnels.
>>>>> I am using DPD in the racoon.conf file and on the Cisco routers to
>>>>> assist
>>>> with periodic network outages that occur in the network environment
>>>> I am working in. Without DPD, network outages and/or router reboots
>>>> can result in mis-matched SAs after network communications are
> re-established.
>>>>> The issue is that when using DPD, a Cisco router only properly
>>>>> negotiate
>>>> the DPD capability with the opennhrp node IF the opennhrp node uses
>>>> a static peer mapping for the Cisco. As such, I am forced to place
>>>> static peer mappings for all Cisco nodes in the opennhrp.conf file
>>>> in order to get DPD working as desired. Note that I do NOT need to
>>>> define static mappings on the Cisco spokes, only on the opennhrp spoke.
>>>>> The DPD related configurations I am using are:
>>>>> In racoon.conf:
>>>>> remote anonymous {
>>>>> dpd_delay 20;
>>>>> dpd_retry 5;
>>>>> }
>>>>> On the Cisco routers:
>>>>> crypto isakmp keepalive 20 5 periodic Any ideas related to this
>>>>> issue would be greatly appreciated. If
>>>> additional configuration snippets or packet captures would be
>>>> useful, don't hesitate to ask.
>>>>> frank
>>>>
>>>> I had also DPD and reconnection problems initially.
>>>>
>>>> They were caused that I have created the gre1 interface by device
>>>> name and not by IP adress:
>>>>
>>>> ip tunnel add mode gre key 1234 ttl 64 dev eth0
>>>>
>>>> When you do this that way you need to change racoon-ph1dead.sh from
>>>>
>>>> opennhrpctl cache lowerdown nbma $REMOTE_ADDR local-nbma $LOCAL_ADDR
>>>>
>>>> to
>>>>
>>>> opennhrpctl cache lowerdown nbma $REMOTE_ADDR dev gre1
>>>>
>>>> This solved all my issues.
>>>>
>>>> Regards, Artem
>>>>
>>>>
>>>> --------------------------------------------------------------------
>>>> --
>>>> -------- All the data continuously generated in your IT
>>>> infrastructure contains a definitive record of customers,
>>>> application performance, security threats, fraudulent activity, and
>>>> more. Splunk takes this data and makes sense of it. IT sense. And common
> sense.
>>>> http://p.sf.net/sfu/splunk-novd2d
>>>> _______________________________________________
>>>> opennhrp-devel mailing list
>>>> ope...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
>>>>
>
>
|