Help needed in configuring group-VPN server



  • Hi

    I am not able to interoperate a Juniper group-VPN server with a Cisco group member. Cisco establishes the phase 1 SA, but it fails while processing the 2nd packet of the pull exchange (see the IKMP_BAD_MESSAGE / PAYLOAD_MALFORMED lines in the Cisco logs below).

    Does this scenario (Juniper group server and Cisco group member) work? If yes, kindly verify my configuration.

    Please find the topology and configuration below.

    Cisco (GM) ---------- Juniper (group server)
                50.50.50.2      50.50.50.1

    Juniper config

    Last changed: 2011-06-20 18:16:13 UTC

    version 10.4R3.4;
    groups {
        global {
            security {
                policies {
                    default-policy {
                        permit-all;
                    }
                }
                forwarding-options {
                    family {
                        inet6 {
                            mode flow-based;
                        }
                    }
                }
            }
        }
    }
    system {
        host-name SRX100;
        root-authentication {
            encrypted-password "$1$22LwHWA5$ImcB/L5Nm3B5TWK3rIXzr/"; ## SECRET-DATA
        }
        login {
            user oauser1 {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$FMlM0/MO$5i9CPIuiPfRQc2OOJMGjn0"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {             
                    address 10.4.32.52/20;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 50.50.50.1/24;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family inet {
                    address 4.4.4.1/24;
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.1.2/24;
                }                         
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.4.32.100;
            route 10.4.16.0/20 next-hop [ 10.4.32.0 10.4.32.100 ];
            route 5.5.5.0/24 next-hop 50.50.50.2;
            route 172.168.1.0/24 next-hop 4.4.4.2;
            route 192.168.1.0/32 next-hop st0.0;
            route 7.7.7.0/24 next-hop 50.50.50.2;
            route 6.6.6.0/24 next-hop 50.50.50.2;
        }
    }
    security {
        ike {
            traceoptions {
                file sec1 size 107374182; 
                flag ike;
                flag policy-manager;
                flag parse;
                flag general;
                flag all;
            }
        }
        group-vpn {
            server {
                traceoptions {
                    file gks size 107374182;
                    flag all;
                }
                ike {
                    proposal ike_proposal {
                        authentication-method pre-shared-keys;
                        dh-group group1;
                        authentication-algorithm md5;
                        encryption-algorithm aes-256-cbc;
                    }
                    policy ike_policy {
                        mode main;
                        proposals ike_proposal;
                        pre-shared-key ascii-text "$9$uZKZ0EyMWxbs4WL"; ## SECRET-DATA
                    }
                    gateway GM1 {
                        ike-policy ike_policy;
                        address 50.50.50.2;
                    }
                    gateway GM2 {
                        ike-policy ike_policy;
                        address 6.6.6.1;
                    }
                }
                ipsec {
                    proposal sa_prop {
                        authentication-algorithm hmac-md5-96;
                        encryption-algorithm 3des-cbc;
                        lifetime-seconds 1000;
                    }
                }
                group Juniper_group {
                    group-id 12345;
                    ike-gateway GM1;
                    ike-gateway GM2;       
                    anti-replay-time-window 100;
                    server-address 50.50.50.1;
                    ipsec-sa ipsec_sa {
                        proposal sa_prop;
                        match-policy getacl {
                            source 0.0.0.0/0;
                            destination 0.0.0.0/0;
                            source-port 0;
                            destination-port 0;
                            protocol 0;
                        }
                    }
                }
            }
        }
        zones {
            security-zone TRUST {
                interfaces {
                    fe-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ike;       
                                http;
                                telnet;
                            }
                        }
                    }
                    fe-0/0/0.0;
                }
            }
        }
        traceoptions {
            file sec;
            flag all;
        }
    }

    [edit]
    oauser1@SRX100#

    Cisco config

    fahad#show run
    fahad#show running-config
    Building configuration…

    Current configuration : 1823 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname fahad
    !
    boot-start-marker
    boot-end-marker
    !
    !card type command needed for slot 1
    logging message-counter syslog
    no logging console
    !
    no aaa new-model
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ipv6 cef
    ntp server 120.88.46.10
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    voice-card 0
    !
    !
    !
    !
    !
    username oauser password 0 oauser
    archive
    log config
      hidekeys
    !
    !
    crypto isakmp policy 1
    encr aes 256
    hash md5
    authentication pre-share
    crypto isakmp key temp address 50.50.50.1
    !
    !
    crypto gdoi group gdoigroup
    identity number 12345
    server address ipv4 50.50.50.1
    !
    !
    crypto map CMAP2 1 gdoi
    set group gdoigroup
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.4.32.51 255.255.240.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 50.50.50.2 255.255.255.0
    duplex auto
    speed auto
    crypto map CMAP2
    !
    interface FastEthernet0/1.14
    shutdown
    !
    interface FastEthernet0/1.15
    shutdown
    !
    interface BRI0/0/0
    no ip address
    encapsulation hdlc
    shutdown
    !
    ip forward-protocol nd
    ip route 1.1.1.0 255.255.255.0 5.5.5.2
    ip route 2.2.2.0 255.255.255.0 5.5.5.2
    ip route 7.7.7.0 255.255.255.0 5.5.5.2
    ip route 8.8.8.0 255.255.255.0 5.5.5.2
    ip route 10.4.16.0 255.255.255.0 10.4.32.100
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    mgcp fax t38 ecm
    mgcp behavior g729-variants static-pt
    !
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    length 0
    line aux 0
    line vty 0 4
    exec-timeout 30000 0
    privilege level 15
    password oauser
    login
    length 0
    transport input telnet
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    fahad#

    oauser1@SRX100# run show version
    Hostname: SRX100
    Model: srx100h
    JUNOS Software Release [10.4R3.4]

    [edit]
    oauser1@SRX100#

    Cisco Logs

    fahad#clear crypto gdoi
    % The Key Server and Group Member will destroy created and downloaded policies.
    % All Group Members are required to re-register.

    Are you sure you want to proceed ? [yes/no]: yes
    fahad#
    *Jun 21 06:43:19.219: GDOI:REPLAY:(gdoigroup:0):gdoi_ks_start_stop_sync_timer: Invalid local server
    *Jun 21 06:43:19.219: del_node src 50.50.50.2:848 dst 50.50.50.1:848 fvrf 0x0, ivrf 0x0
    *Jun 21 06:43:19.219: ISAKMP:(1007):peer does not do paranoid keepalives.

    *Jun 21 06:43:19.223: GDOI:INFRA:(0):rekey SA not found for group gdoigroup
    *Jun 21 06:43:19.223: del_node src 50.50.50.2:848 dst 50.50.50.1:848 fvrf 0x0, ivrf 0x0
    *Jun 21 06:43:19.223: ISAKMP:(1007):peer does not do paranoid keepalives.

    *Jun 21 06:43:19.223: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group gdoigroup may have expired/been cleared, or didn’t go through. Re-register to KS.
    *Jun 21 06:43:19.223: %CRYPTO-5-GM_REGSTER: Start registration to KS 50.50.50.1 for group gdoigroup using address 50.50.50.2
    *Jun 21 06:43:19.223: GDOI:COOP:(gdoigroup:0):clear coop ks: Success for group gdoigroup

    *Jun 21 06:43:19.223: ISAKMP:(0): SA request profile is (NULL)
    *Jun 21 06:43:19.223: ISAKMP: Created a peer struct for 50.50.50.1, peer port 848
    *Jun 21 06:43:19.223: ISAKMP: New peer created peer = 0x493564E0 peer_handle = 0x8000000A
    *Jun 21 06:43:19.227: ISAKMP: Locking peer struct 0x493564E0, refcount 1 for isakmp_initiator
    *Jun 21 06:43:19.227: ISAKMP: local port 848, remote port 848
    *Jun 21 06:43:19.227: ISAKMP: set new node 0 to QM_IDLE     
    *Jun 21 06:43:19.227: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4910AFA0
    *Jun 21 06:43:19.227: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jun 21 06:43:19.227: ISAKMP:(0):found peer pre-shared key matching 50.50.50.1
    *Jun 21 06:43:19.227: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jun 21 06:43:19.227: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jun 21 06:43:19.227: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jun 21 06:43:19.227: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jun 21 06:43:19.227: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jun 21 06:43:19.227: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Jun 21 06:43:19.227: ISAKMP:(0): beginning Main Mode exchange
    *Jun 21 06:43:19.227: ISAKMP:(0): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) MM_NO_STATE
    *Jun 21 06:43:19.227: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:19.243: ISAKMP (0): received packet from 50.50.50.1 dport 848 sport 848 Global (I) MM_NO_STATE
    *Jun 21 06:43:19.247: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 21 06:43:19.247: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Jun 21 06:43:19.247: ISAKMP:(0): processing SA payload. message ID = 0
    *Jun 21 06:43:19.247: ISAKMP:(0): processing vendor id payload
    *Jun 21 06:43:19.247: ISAKMP:(0): vendor ID is DPD
    *Jun 21 06:43:19.247: ISAKMP:(0): processing vendor id payload
    *Jun 21 06:43:19.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
    *Jun 21 06:43:19.247: ISAKMP:(0):found peer pre-shared key matching 50.50.50.1
    *Jun 21 06:43:19.247: ISAKMP:(0): local preshared key found
    *Jun 21 06:43:19.247: ISAKMP : Scanning profiles for xauth …
    *Jun 21 06:43:19.247: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Jun 21 06:43:19.247: ISAKMP:      encryption AES-CBC
    *Jun 21 06:43:19.247: ISAKMP:      keylength of 256
    *Jun 21 06:43:19.247: ISAKMP:      hash MD5
    *Jun 21 06:43:19.247: ISAKMP:      default group 1
    *Jun 21 06:43:19.247: ISAKMP:      auth pre-share
    *Jun 21 06:43:19.247: ISAKMP:      life type in seconds
    *Jun 21 06:43:19.247: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Jun 21 06:43:19.247: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jun 21 06:43:19.247: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jun 21 06:43:19.247: ISAKMP:(0):Acceptable atts:life: 0
    *Jun 21 06:43:19.247: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Jun 21 06:43:19.247: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Jun 21 06:43:19.247: ISAKMP:(0):Returning Actual lifetime: 86400
    *Jun 21 06:43:19.247: ISAKMP:(0)::Started lifetime timer: 86400.

    *Jun 21 06:43:19.247: ISAKMP:(0): processing vendor id payload
    *Jun 21 06:43:19.247: ISAKMP:(0): vendor ID is DPD
    *Jun 21 06:43:19.247: ISAKMP:(0): processing vendor id payload
    *Jun 21 06:43:19.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
    *Jun 21 06:43:19.251: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 21 06:43:19.251: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Jun 21 06:43:19.251: ISAKMP:(0): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) MM_SA_SETUP
    *Jun 21 06:43:19.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:19.251: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 21 06:43:19.251: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Jun 21 06:43:19.315: ISAKMP (0): received packet from 50.50.50.1 dport 848 sport 848 Global (I) MM_SA_SETUP
    *Jun 21 06:43:19.315: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 21 06:43:19.315: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Jun 21 06:43:19.315: ISAKMP:(0): processing KE payload. message ID = 0
    *Jun 21 06:43:19.343: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jun 21 06:43:19.343: ISAKMP:(0):found peer pre-shared key matching 50.50.50.1
    *Jun 21 06:43:19.343: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 21 06:43:19.343: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Jun 21 06:43:19.347: ISAKMP:(1008):Send initial contact
    *Jun 21 06:43:19.347: ISAKMP:(1008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jun 21 06:43:19.347: ISAKMP (1008): ID payload
            next-payload : 8
            type        : 1
            address      : 50.50.50.2
            protocol    : 17
            port        : 848
            length      : 12
    *Jun 21 06:43:19.347: ISAKMP:(1008):Total payload length: 12
    *Jun 21 06:43:19.347: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) MM_KEY_EXCH
    *Jun 21 06:43:19.347: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:19.347: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 21 06:43:19.347: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5

    *Jun 21 06:43:19.363: ISAKMP (1008): received packet from 50.50.50.1 dport 848 sport 848 Global (I) MM_KEY_EXCH
    *Jun 21 06:43:19.363: ISAKMP:(1008): processing ID payload. message ID = 0
    *Jun 21 06:43:19.363: ISAKMP (1008): ID payload
            next-payload : 8
            type        : 1
            address      : 50.50.50.1
            protocol    : 0
            port        : 0
            length      : 12
    *Jun 21 06:43:19.363: ISAKMP:(0):: peer matches none of the profiles
    *Jun 21 06:43:19.363: ISAKMP:(1008): processing HASH payload. message ID = 0
    *Jun 21 06:43:19.363: ISAKMP:(1008):SA authentication status:
            authenticated
    *Jun 21 06:43:19.363: ISAKMP:(1008):SA has been authenticated with 50.50.50.1
    *Jun 21 06:43:19.363: ISAKMP: Trying to insert a peer 50.50.50.2/50.50.50.1/848/,  and inserted successfully 493564E0.
    *Jun 21 06:43:19.363: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 21 06:43:19.363: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6

    *Jun 21 06:43:19.367: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 21 06:43:19.367: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6

    *Jun 21 06:43:19.367: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 21 06:43:19.367: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

    *Jun 21 06:43:19.367: GDOI:INFRA:(1008:12345):beginning GDOI exchange, M-ID of 2086604029
    *Jun 21 06:43:19.367: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) GDOI_IDLE     
    *Jun 21 06:43:19.367: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:19.371: GDOI:INFRA:(1008:12345):GDOI: GDOI ID sent successfully
    *Jun 21 06:43:19.371: ISAKMP:(1008):Node 2086604029, Input = IKE_MESG_INTERNAL, IKE_INIT_GDOI
    *Jun 21 06:43:19.371: ISAKMP:(1008):Old State = GDOI_GM_AWAIT_SA  New State = GDOI_GM_AWAIT_SA
    *Jun 21 06:43:19.371: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Jun 21 06:43:19.371: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 21 06:43:19.387: ISAKMP (1008): received packet from 50.50.50.1 dport 848 sport 848 Global (I) GDOI_IDLE     
    *Jun 21 06:43:19.387: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 50.50.50.1 failed its sanity check or is malformed
    *Jun 21 06:43:19.387: ISAKMP: set new node -1327040633 to GDOI_IDLE     
    *Jun 21 06:43:19.387: ISAKMP:(1008):Sending NOTIFY PAYLOAD_MALFORMED protocol 1
            spi 0, message ID = -1327040633
    *Jun 21 06:43:19.387: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) GDOI_IDLE     
    *Jun 21 06:43:19.391: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:19.391: ISAKMP:(1008):purging node -1327040633
    *Jun 21 06:43:19.391: ISAKMP:(1008):cleaning up GDOI node -1327040633
    *Jun 21 06:43:19.391: ISAKMP (1008): incrementing error counter on node, attempt 1 of 3: reset_retransmission
    *Jun 21 06:43:20.391: ISAKMP:(1008): retransmitting phase 2 GDOI_IDLE      2086604029 …
    *Jun 21 06:43:20.391: ISAKMP (1008): incrementing error counter on node, attempt 2 of 3: retransmit phase 2
    *Jun 21 06:43:20.391: ISAKMP (1008): incrementing error counter on sa, attempt 1 of 3: retransmit phase 2
    *Jun 21 06:43:20.391: ISAKMP:(1008): retransmitting phase 2 2086604029 GDOI_IDLE     
    *Jun 21 06:43:20.391: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) GDOI_IDLE     
    *Jun 21 06:43:20.391: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:20.735: ISAKMP:(1007):purging node -330944488
    *Jun 21 06:43:20.735: ISAKMP:(1007):cleaning up GDOI node -330944488
    *Jun 21 06:43:30.391: ISAKMP:(1008): retransmitting phase 2 GDOI_IDLE      2086604029 …
    *Jun 21 06:43:30.391: ISAKMP (1008): incrementing error counter on node, attempt 3 of 3: retransmit phase 2
    *Jun 21 06:43:30.391: ISAKMP (1008): incrementing error counter on sa, attempt 2 of 3: retransmit phase 2
    *Jun 21 06:43:30.391: ISAKMP:(1008): retransmitting phase 2 2086604029 GDOI_IDLE     
    *Jun 21 06:43:30.391: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) GDOI_IDLE     
    *Jun 21 06:43:30.391: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    *Jun 21 06:43:30.735: ISAKMP:(1007):purging SA., sa=49F33170, delme=49F33170
    *Jun 21 06:43:40.391: ISAKMP:(1008): retransmitting phase 2 GDOI_IDLE      2086604029 …
    *Jun 21 06:43:40.391: ISAKMP (1008): incrementing error counter on node, attempt 4 of 3: retransmit phase 2
    *Jun 21 06:43:40.391: ISAKMP (1008): incrementing error counter on sa, attempt 3 of 3: retransmit phase 2
    *Jun 21 06:43:40.391: ISAKMP:(1008): retransmitting phase 2 2086604029 GDOI_IDLE     
    *Jun 21 06:43:40.391: ISAKMP:(1008): sending packet to 50.50.50.1 my_port 848 peer_port 848 (I) GDOI_IDLE     
    *Jun 21 06:43:40.391: ISAKMP:(1008):Sending an IKE IPv4 Packet.

