Hello, all,
I can ping the peer host, but I see no ESP packets in tcpdump.
Could you help me check where the problem is?
Thanks
jiabo
I configured Openswan on the host; see the following info:
vi ipsec.conf
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        #nat_traversal=yes
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
conn test
        type=tunnel
        left=3ffe:501:ffff:103:20a:ebff:fe85:9e56
        right=3ffe:501:ffff:104::2
        ikev2=insist
        esp=3des-sha1
        #ah=hmac-sha1
        ike=3des-sha1-modp1024
        #aggrmode=yes
        ikelifetime=1h
        #dpddelay=3600
        keyexchange=ike
        pfs=no
        auto=start
        authby=secret
I configured the Cisco router:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key redhat address ipv6
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56/64
!
!
crypto ipsec transform-set myset0 ah-sha-hmac esp-3des
!
crypto ipsec profile profile0
set transform-set myset0
!
!
interface Tunnel1
no ip address
ipv6 enable
tunnel source FastEthernet0/0
tunnel destination 3FFE:501:FFFF:103:20A:EBFF:FE85:9E56
tunnel mode ipsec ipv6
tunnel protection ipsec profile profile0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 3FFE:501:FFFF:104::2/64
!
I got the ISAKMP debug info:
*Dec 15 10:34:36.281: IKE Dispatcher: IKEv2
version 2 detected, Dropping packet!
*Dec 15 10:34:44.169: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 15 10:34:44.169: ISAKMP (0:0): incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
*Dec 15 10:34:44.169: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 15 10:34:44.169: ISAKMP:(0): sending packet to
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 my_port 500 peer_port 500 (I)
MM_NO_STATE
*Dec 15 10:34:44.169: ISAKMP:(0):Sending an IKE IPv6 Packet.
*Dec 15 10:34:44.229: ISAKMP (0:0): received packet from
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 dport 500 sport 500 Global (I)
MM_NO_STATE
*Dec 15 10:34:44.229: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 15 10:34:44.229: ISAKMP:(0):Old State = IKE_I_MM1 New State =
IKE_I_MM2
*Dec 15 10:34:44.229: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 15 10:34:44.229: ISAKMP:(0): processing vendor id payload
*Dec 15 10:34:44.229: ISAKMP:(0): vendor ID seems Unity/DPD but major 0
mismatch
*Dec 15 10:34:44.229: ISAKMP:(0): processing vendor id payload
*Dec 15 10:34:44.229: ISAKMP:(0): vendor ID is DPD
*Dec 15 10:34:44.229: ISAKMP:(0):found peer pre-shared key matching
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56
*Dec 15 10:34:44.229: ISAKMP:(0): local preshared key found
*Dec 15 10:34:44.229: ISAKMP : Scanning profiles for xauth ...
*Dec 15 10:34:44.229: ISAKMP:(0):Checking ISAKMP transform 1 against
priority 1 policy
*Dec 15 10:34:44.229: ISAKMP: encryption 3DES-CBC
*Dec 15 10:34:44.229: ISAKMP: hash SHA
*Dec 15 10:34:44.229: ISAKMP: default group 2
*Dec 15 10:34:44.229: ISAKMP: auth pre-share
*Dec 15 10:34:44.229: ISAKMP: life type in seconds
*Dec 15 10:34:44.233: ISAKMP: life duration (basic) of 3600
*Dec 15 10:34:44.233: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 15 10:34:44.233: ISAKMP:(0):Acceptable atts:actual life: 0
*Dec 15 10:34:44.233: ISAKMP:(0):Acceptable atts:life: 0
*Dec 15 10:34:44.233: ISAKMP:(0):Basic life_in_seconds:3600
*Dec 15 10:34:44.233: ISAKMP:(0):Returning Actual lifetime: 3600
*Dec 15 10:34:44.233: ISAKMP:(0)::Started lifetime timer: 3600.
*Dec 15 10:34:44.233: ISAKMP:(0): processing vendor id payload
*Dec 15 10:34:44.233: ISAKMP:(0): vendor ID seems Unity/DPD but major 0
mismatch
*Dec 15 10:34:44.233: ISAKMP:(0): processing vendor id payload
*Dec 15 10:34:44.233: ISAKMP:(0): vendor ID is DPD
*Dec 15 10:34:44.233: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Dec 15 10:34:44.233: ISAKMP:(0):Old State = IKE_I_MM2 New State =
IKE_I_MM2
*Dec 15 10:34:44.233: ISAKMP:(0): sending packet to
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 my_port 500 peer_port 500 (I)
MM_SA_SETUP
*Dec 15 10:34:44.233: ISAKMP:(0):Sending an IKE IPv6 Packet.
*Dec 15 10:34:44.233: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Dec 15 10:34:44.233: ISAKMP:(0):Old State = IKE_I_MM2 New State =
IKE_I_MM3
*Dec 15 10:34:44.329: ISAKMP (0:0): received packet from
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 dport 500 sport 500 Global (I)
MM_SA_SETUP
*Dec 15 10:34:44.329: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 15 10:34:44.329: ISAKMP:(0):Old State = IKE_I_MM3 New State =
IKE_I_MM4
*Dec 15 10:34:44.329: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 15 10:34:44.377: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 15 10:34:44.377: ISAKMP:(0):found peer pre-shared key matching
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56
*Dec 15 10:34:44.377: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Dec 15 10:34:44.377: ISAKMP:(1040):Old State = IKE_I_MM4 New State =
IKE_I_MM4
*Dec 15 10:34:44.381: ISAKMP:(1040):Send initial contact
*Dec 15 10:34:44.381: ISAKMP:(1040):SA is doing pre-shared key
authentication using id type ID_IPV6_ADDR
*Dec 15 10:34:44.381: ISAKMP (0:1040): ID payload
next-payload : 8
type : 5
address : 3FFE:501:FFFF:104::2
protocol : 17
port : 500
length : 24
*Dec 15 10:34:44.381: ISAKMP:(1040):Total payload length: 24
*Dec 15 10:34:44.381: ISAKMP:(1040): sending packet to
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 my_port 500 peer_port 500 (I)
MM_KEY_EXCH
*Dec 15 10:34:44.381: ISAKMP:(1040):Sending an IKE IPv6 Packet.
*Dec 15 10:34:44.381: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Dec 15 10:34:44.381: ISAKMP:(1040):Old State = IKE_I_MM4 New State =
IKE_I_MM5
*Dec 15 10:34:44.449: ISAKMP (0:1040): received packet from
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 dport 500 sport 500 Global (I)
MM_KEY_EXCH
*Dec 15 10:34:44.449: ISAKMP:(1040): processing ID payload. message ID = 0
*Dec 15 10:34:44.449: ISAKMP (0:1040): ID payload
next-payload : 8
type : 5
address : 3FFE:501:FFFF:103:20A:EBFF:FE85:9E56
protocol : 0
port : 0
length : 24
*Dec 15 10:34:44.449: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 15 10:34:44.449: ISAKMP:(1040): processing HASH payload. message ID = 0
*Dec 15 10:34:44.453: ISAKMP:(1040): processing vendor id payload
*Dec 15 10:34:44.453: ISAKMP:(1040): vendor ID seems Unity/DPD but major
2 mismatch
*Dec 15 10:34:44.453: ISAKMP:(1040):SA authentication status:
authenticated
*Dec 15 10:34:44.453: ISAKMP:(1040):SA has been authenticated with
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56
*Dec 15 10:34:44.453: ISAKMP: Trying to insert a peer
3FFE:501:FFFF:104::2/3FFE:501:FFFF:103:20A:EBFF:FE85:9E56/500/, and
inserted successfully 4805.
*Dec 15 10:34:44.453: ISAKMP:(1040):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 15 10:34:44.453: ISAKMP:(1040):Old State = IKE_I_MM5 New State =
IKE_I_MM6
*Dec 15 10:34:44.453: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Dec 15 10:34:44.453: ISAKMP:(1040):Old State = IKE_I_MM6 New State =
IKE_I_MM6
*Dec 15 10:34:44.453: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Dec 15 10:34:44.453: ISAKMP:(1040):Old State = IKE_I_MM6 New State =
IKE_P1_COMPLETE
*Dec 15 10:34:44.457: ISAKMP:(1040):beginning Quick Mode exchange, M-ID
of -1342208034
*Dec 15 10:34:44.457: ISAKMP:(1040):QM Initiator gets spi
*Dec 15 10:34:44.457: ISAKMP:(1040): sending packet to
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 my_port 500 peer_port 500 (I)
QM_IDLE
*Dec 15 10:34:44.457: ISAKMP:(1040):Sending an IKE IPv6 Packet.
*Dec 15 10:34:44.457: ISAKMP:(1040):Node -1342208034, Input =
IKE_MESG_INTERNAL, IKE_INIT_QM
*Dec 15 10:34:44.457: ISAKMP:(1040):Old State = IKE_QM_READY New State
= IKE_QM_I_QM1
*Dec 15 10:34:44.457: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Dec 15 10:34:44.457: ISAKMP:(1040):Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
*Dec 15 10:34:44.537: ISAKMP (0:1040): received packet from
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 dport 500 sport 500 Global (I)
QM_IDLE
*Dec 15 10:34:44.537: ISAKMP: set new node 39006246 to QM_IDLE
*Dec 15 10:34:44.537: ISAKMP:(1040): processing HASH payload. message ID
= 39006246
*Dec 15 10:34:44.537: ISAKMP:(1040): processing NOTIFY INVALID_ID_INFO
protocol 1
spi 0, message ID = 39006246, sa = 47808980
*Dec 15 10:34:44.537: ISAKMP:(1040):peer does not do paranoid keepalives.
*Dec 15 10:34:44.537: ISAKMP:(1040):deleting SA reason "Recevied fatal
informational" state (I) QM_IDLE (peer
3FFE:501:FFFF:103:20A:EBFF:FE85:9)
*Dec 15 10:34:44.537: ISAKMP:(1040):deleting node 39006246 error FALSE
reason "Informational (in) state 1"
*Dec 15 10:34:44.537: ISAKMP:(1040):Input = IKE_MESG_FROM_PEER,
IKE_INFO_NOTIFY
*Dec 15 10:34:44.537: ISAKMP:(1040):Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
*Dec 15 10:34:44.537: ISAKMP: set new node -989577333 to QM_IDLE
*Dec 15 10:34:44.541: ISAKMP:(1040): sending packet to
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 my_port 500 peer_port 500 (I)
QM_IDLE
*Dec 15 10:34:44.541: ISAKMP:(1040):Sending an IKE IPv6 Packet.
*Dec 15 10:34:44.541: ISAKMP:(1040):purging node -989577333
*Dec 15 10:34:44.541: ISAKMP:(1040):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*Dec 15 10:34:44.541: ISAKMP:(1040):Old State = IKE_P1_COMPLETE New
State = IKE_DEST_SA
*Dec 15 10:34:44.541: ISAKMP:(1040):deleting SA reason "Recevied fatal
informational" state (I) QM_IDLE (peer
3FFE:501:FFFF:103:20A:EBFF:FE85:9
*Dec 15 10:34:44.541: ISAKMP:(0):Can't decrement IKE Call Admission
Control stat outgoing_active since it's already 0.
*Dec 15 10:34:44.541: ISAKMP: Unlocking peer struct 0x4805A380 for
isadb_mark_sa_deleted(), count 0
*Dec 15 10:34:44.541: ISAKMP: Deleting peer node by peer_reap for
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56: 4805A380
*Dec 15 10:34:44.541: ISAKMP:(1040):deleting node -1342208034 error
FALSE reason "IKE deleted"
*Dec 15 10:34:44.541: ISAKMP:(1040):deleting node 39006246 error FALSE
reason "IKE deleted"
*Dec 15 10:34:44.545: ISAKMP:(1040):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 15 10:34:44.545: ISAKMP:(1040):Old State = IKE_DEST_SA New State =
IKE_DEST_SA
*Dec 15 10:34:44.593: ISAKMP (0:1040): received packet from
3FFE:501:FFFF:103:20A:EBFF:FE85:9E56 dport 500 sport 500 Global (I)
MM_NO_STATE
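The IOS debug quoted above is long and mail-wrapped, and the lines a responder pulls out first are the IKEv2-detected/dropped line at the start, the Quick Mode NOTIFY INVALID_ID_INFO, and the state transitions that end in IKE_DEST_SA. As an added example, not part of the original post and not Openswan or IOS code, the following Python script re-joins wrapped debug lines and summarises a capture; the sample log is constructed in the format of the post's output, and the FATAL_MARKERS wording is this script's own interpretation of those lines.

```python
import re

# Constructed sample in the format of the IOS "debug crypto isakmp" output quoted above.
SAMPLE_LOG = """\
*Dec 15 10:34:36.281: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Dec 15 10:34:44.229: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Dec 15 10:34:44.449: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 15 10:34:44.453: ISAKMP:(1040):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Dec 15 10:34:44.537: ISAKMP:(1040): processing NOTIFY INVALID_ID_INFO protocol 1
*Dec 15 10:34:44.537: ISAKMP:(1040):deleting SA reason "Recevied fatal
informational" state (I) QM_IDLE (peer 3FFE:501:FFFF:103:20A:EBFF:FE85:9E56)
*Dec 15 10:34:44.541: ISAKMP:(1040):Old State = IKE_P1_COMPLETE New
State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+)")
# Substrings that, in this debug format, mean the tunnel cannot come up as configured.
# "Recevied" is IOS's own spelling in the post and must be matched verbatim.
FATAL_MARKERS = {
    "IKEv2 version 2 detected": "peer initiated IKEv2; the IOS ISAKMP (IKEv1) dispatcher dropped it",
    "peer matches *none* of the profiles": "no ISAKMP profile matched the peer identity",
    "Recevied fatal informational": "peer sent a fatal notify and the SA was deleted",
}

def unwrap(text):
    """Re-join mail-wrapped lines: a line not starting with '*' continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("*") or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.strip()
    return lines

def triage(log_text):
    """Summarise one ISAKMP debug capture: state transitions, notifies, fatal markers."""
    transitions, notifies, fatal = [], [], []
    for line in unwrap(log_text):
        if m := STATE_RE.search(line):
            transitions.append((m.group(1), m.group(2)))
        if m := NOTIFY_RE.search(line):
            notifies.append(m.group(1))
        fatal.extend(why for marker, why in FATAL_MARKERS.items() if marker in line)
    return {
        "transitions": transitions,
        "phase1_complete": any(new == "IKE_P1_COMPLETE" for _, new in transitions),
        "sa_deleted": any(new == "IKE_DEST_SA" for _, new in transitions),
        "notifies": notifies,
        "fatal": fatal,
    }
```

Run `triage(open("isakmp-debug.txt").read())` on a saved capture; `phase1_complete` true together with `sa_deleted` true and a notify listed points at the phase 2 exchange rather than at the ISAKMP policy.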