Random notes & other stuff... » vpn http://leucos.lstilde.org/wp ...about Linux, electronics, digital photography, whatever... Wed, 16 Dec 2009 00:29:27 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 Fixing ‘IPSEC(initialize_sas): Invalid Proxy IDs’ with dynamic VPNs http://leucos.lstilde.org/wp/2008/12/fixing-ipsecinitialize_sas-invalid-proxy-ids-with-dynamic-vpns/ http://leucos.lstilde.org/wp/2008/12/fixing-ipsecinitialize_sas-invalid-proxy-ids-with-dynamic-vpns/#comments Mon, 08 Dec 2008 23:49:23 +0000 leucos http://leucos.lstilde.org/wp/?p=176 Dynamic VPNs is a Cisco feature that makes a central router accept VPN establishment without specifying a peer or an ACL for the SA.

The configuration is very simple (even simpler than normal, statically specified tunnels) so when the tunnel doesn’t come up, it is quite frustrating.

And when you get ‘IPSEC(initialize_sas): Invalid Proxy IDs’, meaning SA ACL doesn’t match on both sides, you start to pull your hairs out : how can’t they match when they are not needer on the headend side ??

Well, it seems that the headend is checking the remote SA specification (Proxy ID) anyway, and bails out from isakmp when things go wrong.

Consider this log, saw on a router sitting at 172.22.1.130/27 with

 debug crypto ipsec

and

debug crypto isakmp
*Mar  1 00:45:39.227: ISAKMP: set new node 909606036 to QM_IDLE
*Mar  1 00:45:39.227: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 909606036
*Mar  1 00:45:39.227: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 909606036
*Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 00:45:39.231: ISAKMP: transform 1, ESP_3DES
*Mar  1 00:45:39.231: ISAKMP:   attributes in transform:
*Mar  1 00:45:39.231: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 00:45:39.231: ISAKMP:      SA life type in seconds
*Mar  1 00:45:39.231: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 00:45:39.231: ISAKMP:      SA life type in kilobytes
*Mar  1 00:45:39.231: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 00:45:39.231: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 00:45:39.231: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.22.1.130, remote= 172.22.80.129,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 00:45:39.231: IPSEC(initialize_sas): invalid proxy IDs
*Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.22.1.130 remote 172.22.80.129)

See it ?

remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),

the subnet mask 255.255.255.193 comes from a wrong ACL specification :

permit ip 172.22.80.128 0.0.0.62 192.168.1.0 0.0.0.255

instead of

permit ip 172.22.80.128 0.0.0.63 192.168.1.0 0.0.0.255

So 255.255.255.193 last byte yields a discontinuous mask (11000001) which is not so commonly used :)
That’s why the tunnel is not coming up, and how you lost the last hour.

]]> http://leucos.lstilde.org/wp/2008/12/fixing-ipsecinitialize_sas-invalid-proxy-ids-with-dynamic-vpns/feed/ 0