
isakmp key exchange failure with befsx41 behind 1 to 1 nat


jstevens

Greetings,

I have spent a couple of days on support with this issue and it's turning out to be quite difficult. First question is, has anyone successfully set up SonicWall-to-Linksys IPsec with the Linksys being behind a 1-to-1 NAT?

Three sites: A, B, C.
A = SonicWall TZ170 (public static IP)
B = Linksys BEFSX41 (public static IP)
C = Linksys BEFSX41 (1-to-1 NAT, private IP)

I have been able to establish an IPsec tunnel between A and B, and between B and C, but I am not able to establish a tunnel between A and C. You may ask why I do not just set up static routes. It's because this low-end Linksys does not support cross-tunnel communication. I wasted hours on the phone for that as well.

I also spent hours verifying the Phase 1 policy settings and have tried every conceivable combination. I am having a lower-level protocol issue with ISAKMP/IKE. Phase 1 never completes.

Through hours of protocol capture and decode I have found two possible issues, but I have to admit it's a bit beyond my current knowledge.

The first is the packet exchange between A and B: on many of the ISAKMP packets returning from B, the IP packet's Type of Service precedence is set to Immediate. This never happens on any of the packets from A to C; their packet priorities are always Routine (normal). This may be related to the SonicWall log errors that will be listed later on.

Secondly, I have discovered an error occurring during the packet exchange between A and C. I will include the full protocol decode at the end of this post.

00C0 36 25 4F B8 FF EA 14 8C 00 04 00 18 00 00 00 54 6%O¸ÿê.Œ.......T
00D0 68 65 20 63 6F 6F 6B 69 65 20 69 73 20 69 6E 76 he cookie is inv

The cookie is invalid. The following is the packet sequence.

Exchange should be:

Payload Type 1 = Security Association
|
Payload Type 4 = Key Exchange
|
Payload Type 5 = Identification
|
Payload Type 8 = Hash
|
Payload Type 4 = Key Exchange


Now what is happening in the failure is:

Payload Type 1 = Security Association
|
Payload Type 4 = Key Exchange
|
Payload Type 11 = Notification (The cookie is invalid) sent from Sonicwall to Linksys

and then the process repeats. Seems like the hash is not getting sent. The security association proposal payload does seem to be getting accepted.


Here is the repeating error in the log. Normally a basic configuration error will be displayed in red (check your blah blah settings) and it is not. IPs changed.

Site A public IP = 10.10.10.10
Site C public NAT IP = 20.20.20.20

2006-02-02 14:29:38 IKE[2] Tx >> MM_I1 : 10.10.10.10 SA
2006-02-02 14:29:39 IKE[2] Rx << MM_R1 : 10.10.10.10 SA
2006-02-02 14:29:39 IKE[2] ISAKMP SA CKI=[dfc7e9f3 fe4e652c] CKR=[fdbb66b 727f06dc]
2006-02-02 14:29:39 IKE[2] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 28800 sec (*28800 sec)
2006-02-02 14:29:39 IKE[2] Tx >> MM_I2 : 10.10.10.10 KE, NONCE
2006-02-02 14:29:42 IKE[2] Rx << MM_R2 : 10.10.10.10 KE, NONCE, VID, VID
2006-02-02 14:29:42 IKE[2] Tx >> MM_I3 : 10.10.10.10 ID, HASH
2006-02-02 14:29:44 IKE[8] Rx << MM_R2 : 10.10.10.10 KE, NONCE, VID, VID
2006-02-02 14:29:44 IKE[8] Tx >> MM_I3 : 10.10.10.10 ID, HASH
2006-02-02 14:29:45 IKE[2] Rx << MM_R2 : 10.10.10.10 KE, NONCE, VID, VID
2006-02-02 14:29:45 IKE[2] Tx >> MM_I3 : 10.10.10.10 ID, HASH
2006-02-02 14:29:54 IKE[2] Rx << MM_R2 : 10.10.10.10 KE, NONCE, VID, VID
2006-02-02 14:29:54 IKE[2] Tx >> MM_I3 : 10.10.10.10 ID, HASH



Here are the entries from the SonicWall log. This is going to be messy.



02/03/2006 18:38:15.768 - Warning - Received packet retransmission. Drop duplicate packet - 20.20.20.20 - 0.0.0.0 -
02/03/2006 18:38:27.640 - Info - IKE Responder: Received Main Mode request (Phase 1) - 20.20.20.20 - 10.10.10.10 -
02/03/2006 18:38:34.944 - Info - IKE Responder: No response - remote party timeout - 10.10.10.10, 500 - 20.20.20.20, 500 -
02/03/2006 18:38:34.944 - Info - IKE Responder: No response - remote party timeout - 10.10.10.10, 500 - 20.20.20.20, 500 -
02/03/2006 18:38:36.864 - Warning - Received packet retransmission. Drop duplicate packet - 20.20.20.20 - 0.0.0.0 -
02/03/2006 18:38:40.944 - Info - IKE negotiation aborted due to timeout - 10.10.10.10 - 20.20.20.20 -
02/03/2006 18:38:45.944 - Info - IKE Responder: No response - remote party timeout - 10.10.10.10, 500 - 20.20.20.20, 500 -
02/03/2006 18:38:46.736 - Warning - Received packet retransmission. Drop duplicate packet - 20.20.20.20 - 0.0.0.0 -
02/03/2006 18:38:57.576 - Info - IKE Responder: Received Main Mode request (Phase 1) - 20.20.20.20 - 10.10.10.10 -
02/03/2006 18:39:02.944 - Info - IKE Responder: No response - remote party timeout - 10.10.10.10, 500 - 20.20.20.20, 500 -


Here is the capture and decode of the failure between A and C. I hope this comes out readable.




Packet 14: 10.10.10.10.sitea.isp.net 10.10.10.10 00:06:B1:0A:C0:C1 -> 20.20.20.20.siteb-isp.com 20.20.20.20 00:09:43:5F:A7:0C
Network: Ethernet, Frame type: ETHERTYPE
Frame network size: 126 (including 4 bytes CRC)
Time: Feb 3, 2006 13h:43m:48.609 504s
Differential time: 7.194 921 (since previous packet)
Destination Address: 00:09:43:5F:A7:0C
Source Address: 00:06:B1:0A:C0:C1
Protocol: [0x0800]=IP
IP: 10.10.10.10 -> 20.20.20.20
Status: Version = 4, IP Header Length = 20 Bytes
0100....: Version = 4
....0101: IP Header Length = [5] 32 Bit Words = 20 Bytes
Type of Service:
000.....: Precedence = Routine
...0....: Delay = Normal
....0...: Throughput = Normal
.....0..: Reliability = Normal
......0.: Cost = Normal
.......0: Reserved
Total IP length: 108
ID: 0x1DC1 (7617)
Fragment:
0....... ........: Reserved
.0...... ........: Do Not Fragment = False
..0..... ........: More Fragments = False
...00000 00000000: Fragment Offset [0] * 8 = 0 Bytes
Time to live: 255
Protocol: 17 = UDP
Header checksum: 0x6132 (Good)
IP Addresses: Source = 10.10.10.10, Destination = 20.20.20.20
Source: 10.10.10.10
Destination: 20.20.20.20
UDP, [500] isakmp -> [500] isakmp
Source port: [500] isakmp
Destination port: [500] isakmp
UDP length: 88
Checksum: 0x08B7 (Good)
ISAKMP:
Initiator Cookie: 0x0C37AFB759BEEABB
Responder Cookie: 0x7117B27598DC82AF
First Payload Type: [1] = Security Association
Version:
0001....: Major Version 1
....0000: Minor Version 0
Exchange Type: [2] = Identity Protection
Encryption Flags:
.......0: Payload = False
......0.: Commit = False
.....0..: Authentication = False
00000... = Reserved
Message ID: 0x00000000
Total Length: 80
Security Association Payload:
Next Payload Type: [0] = None
Reserved: 0x00
Payload Length: 52
Domain of Interpretation: [1] = IPsec
Situation:
00000000 00000000 00000000 00000...: Reserved
........ ........ ........ .....0..: Integrity = False
........ ........ ........ ......0.: Secrecy = False
........ ........ ........ .......1: Identity Only = True
Proposal Payload:
Next Payload Type: [0] = None
Reserved: 0x00
Payload Length: 40
Proposal Number: 1
Protocol ID: 1
SPI Size: 0
Number of Transforms: 1
Transform Payload:
Next Payload Type: 0 = None
Reserved: 0x00
Payload Length: 32
Transform Number: 1
Transform ID: [1] = KEY_IKE
Reserved: 0x0000
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00000001: Type [1] = Encryption Algorithm
Attribute Value: [5] = 3DES-CBC
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00000010: Type [2] = Hash Algorithm
Attribute Value: [1] = MD5
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00000100: Type [4] = Group Description
Attribute Value: [2] = Alternate 1024-bit MODP
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00000011: Type [3] = Authentication Method
Attribute Value: [1] = Pre-Shared Key
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00001011: Type [11] = Life Type
Attribute Value: [1] = Seconds
Attribute:
Attribute Type:
1....... ........: TV/TLV Flag = TV
.0000000 00001100: Type [12] = Life Duration
Attribute Value: 28800
---------------------------------------------------------------

Packet 15: 10.10.10.10.sitea.isp.net 10.10.10.10 00:06:B1:0A:C0:C1 -> 20.20.20.20.siteb-isp.com 20.20.20.20 00:09:43:5F:A7:0C
Network: Ethernet, Frame type: ETHERTYPE
Frame network size: 286 (including 4 bytes CRC)
Time: Feb 3, 2006 13h:43m:50.605 130s
Differential time: 1.995 626 (since previous packet)
Destination Address: 00:09:43:5F:A7:0C
Source Address: 00:06:B1:0A:C0:C1
Protocol: [0x0800]=IP
IP: 10.10.10.10 -> 20.20.20.20
Status: Version = 4, IP Header Length = 20 Bytes
0100....: Version = 4
....0101: IP Header Length = [5] 32 Bit Words = 20 Bytes
Type of Service:
000.....: Precedence = Routine
...0....: Delay = Normal
....0...: Throughput = Normal
.....0..: Reliability = Normal
......0.: Cost = Normal
.......0: Reserved
Total IP length: 268
ID: 0x5A89 (23177)
Fragment:
0....... ........: Reserved
.0...... ........: Do Not Fragment = False
..0..... ........: More Fragments = False
...00000 00000000: Fragment Offset [0] * 8 = 0 Bytes
Time to live: 255
Protocol: 17 = UDP
Header checksum: 0x23CA (Good)
IP Addresses: Source = 10.10.10.10, Destination = 20.20.20.20
Source: 10.10.10.10
Destination: 20.20.20.20
UDP, [500] isakmp -> [500] isakmp
Source port: [500] isakmp
Destination port: [500] isakmp
UDP length: 248
Checksum: 0x1A63 (Good)
ISAKMP:
Initiator Cookie: 0xDB3479990D11E64E
Responder Cookie: 0xC672625369738AB7
First Payload Type: [4] = Key Exchange
Version:
0001....: Major Version 1
....0000: Minor Version 0
Exchange Type: [2] = Identity Protection
Encryption Flags:
.......0: Payload = False
......0.: Commit = False
.....0..: Authentication = False
00000... = Reserved
Message ID: 0x00000000
Total Length: 240
Key Exchange Payload
Next Payload Type: [10] = Nonce
Reserved: 0x00
Payload Length: 132
Payload
0000 89 3C F9 CC F6 60 65 14 A5 B0 7A 9D 01 DE 78 E3 ‰<ùÌö`e.¥°z?.Þxã
0010 11 D4 F2 03 49 78 AB DE B3 BB 66 B1 73 F0 71 C0 .Ôò.Ix«Þ³»f±sðqÀ
0020 7B 7C 9C A3 F7 51 A3 2F CA 31 49 24 33 E0 63 32 {|œ£÷Q£/Ê1I$3àc2
0030 6D 5D 01 A0 3E C9 1F F8 C5 F8 43 F2 73 A8 AB 51 m]. >É.øÅøCòs¨«Q
0040 B4 C7 FF 1E 2C 50 12 F7 E4 43 C0 DD 0F BF BB F4 ´Çÿ.,P.÷äCÀÝ.¿»ô
0050 8B 1A 03 34 09 DC 63 48 3E 8D 35 21 36 DC AA 61 ‹..4.ÜcH>?5!6ܪa
0060 5D E4 3F 25 2F C1 E2 4A B6 73 55 89 34 A3 D5 0D ]ä?%/ÁâJ¶sU‰4£Õ.
0070 10 BC E3 C5 86 85 DA A6 0A AF 0A A7 F0 45 E1 A6 .¼ãņ…Ú¦.¯.§ðEá¦
Nonce Payload
Next Payload Type: [132] =
Reserved: 0x00
Payload Length: 24
Payload
0000 20 1A D4 BD DE 53 0D 65 5E 5A 2B 95 90 92 86 02 .Ô½ÞS.e^Z+•?’†.
0010 6D FB 51 37 mûQ7
Vendor Payload
Next Payload Type: [24] =
Reserved: 0x00
Payload Length: 12
Payload
0000 40 4B F4 39 52 2C A3 F6 @Kô9R,£ö
Vendor Payload
Next Payload Type: [12] = Delete
Reserved: 0x00
Payload Length: 12
Payload
0000 09 00 26 89 DF D6 B7 12 ..&‰ßÖ·.
Vendor Payload
Next Payload Type: [12] = Delete
Reserved: 0x00
Payload Length: 12
Payload
0000 DA 8E 93 78 80 01 00 00 ÚŽ“x€...
Vendor Payload
Next Payload Type: [12] = Delete
Reserved: 0x00
Payload Length: 20
Payload
0000 AF CA D7 13 68 A1 F1 C9 6B 86 96 FC 77 57 01 00 ¯Ê×.h¡ñÉk†–üwW..
---------------------------------------------------------------

Packet 16: 20.20.20.20.siteb-isp.com 20.20.20.20 00:09:43:5F:A7:0C -> 10.10.10.10.sitea.isp.net 10.10.10.10 00:06:B1:0A:C0:C1
Network: Ethernet, Frame type: ETHERTYPE
Frame network size: 230 (including 4 bytes CRC)
Time: Feb 3, 2006 13h:43m:52.453 462s
Differential time: 1.848 332 (since previous packet)
Destination Address: 00:06:B1:0A:C0:C1
Source Address: 00:09:43:5F:A7:0C
Protocol: [0x0800]=IP
IP: 20.20.20.20 -> 10.10.10.10
Status: Version = 4, IP Header Length = 20 Bytes
0100....: Version = 4
....0101: IP Header Length = [5] 32 Bit Words = 20 Bytes
Type of Service:
000.....: Precedence = Routine
...0....: Delay = Normal
....0...: Throughput = Normal
.....0..: Reliability = Normal
......0.: Cost = Normal
.......0: Reserved
Total IP length: 212
ID: 0xC530 (50480)
Fragment:
0....... ........: Reserved
.0...... ........: Do Not Fragment = False
..0..... ........: More Fragments = False
...00000 00000000: Fragment Offset [0] * 8 = 0 Bytes
Time to live: 129
Protocol: 17 = UDP
Header checksum: 0x375B (Good)
IP Addresses: Source = 20.20.20.20, Destination = 10.10.10.10
Source: 20.20.20.20
Destination: 10.10.10.10
UDP, [500] isakmp -> [500] isakmp
Source port: [500] isakmp
Destination port: [500] isakmp
UDP length: 192
Checksum: 0x7AA3 (Good)
ISAKMP:
Initiator Cookie: 0xDB3479990D11E64E
Responder Cookie: 0xC672625369738AB7
First Payload Type: [4] = Key Exchange
Version:
0001....: Major Version 1
....0000: Minor Version 0
Exchange Type: [2] = Identity Protection
Encryption Flags:
.......0: Payload = False
......0.: Commit = False
.....0..: Authentication = False
00000... = Reserved
Message ID: 0x00000000
Total Length: 184
Key Exchange Payload
Next Payload Type: [10] = Nonce
Reserved: 0x00
Payload Length: 132
Payload
0000 6B 2D FE 2B 44 9E 31 02 37 86 5A A1 ED 26 56 47 k-þ+Dž1.7†Z¡í&VG
0010 A8 9A 60 C7 8B 83 8A A2 52 C0 10 51 6F A0 9E 9A ¨š`Ç‹ƒŠ¢RÀ.Qo žš
0020 AC FA 80 2A 4D 60 A3 D1 81 FD 29 98 0B 44 3C 5F ¬ú€*M`£Ñ?ý)˜.D<_
0030 DB E0 4D 88 01 88 22 29 A6 A0 D0 A7 B5 69 80 E6 ÛàMˆ.ˆ")¦ Чµi€æ
0040 37 2E 59 04 E1 5D 8D 1E F8 6A 3C 46 D6 81 CD C5 7.Y.á]?.øj<FÖ?ÍÅ
0050 72 EE 8F 9B F0 EA AA 25 28 19 91 4C C4 5D BA 6A rî?›ðêª%(.‘LÄ]ºj
0060 57 4D 03 14 B3 FC D3 AC CC ED 54 C2 61 1C 28 AC WM..³üÓ¬ÌíTÂa.(¬
0070 9B C3 7A 88 80 EA 97 29 90 23 3E 54 FB 00 4E F7 ›Ãzˆ€ê—)?#>Tû.N÷
Nonce Payload
Next Payload Type: [132] =
Reserved: 0x00
Payload Length: 24
Payload
0000 8A 3A 7B AD 8A 68 3E 7A 5E 41 32 05 36 25 4F B8 Š:{­Šh>z^A2.6%O¸
0010 FF EA 14 8C ÿê.Œ
---------------------------------------------------------------

Packet 17: 10.10.10.10.sitea.isp.net 10.10.10.10 00:06:B1:0A:C0:C1 -> 20.20.20.20.siteb-isp.com 20.20.20.20 00:09:43:5F:A7:0C
Network: Ethernet, Frame type: ETHERTYPE
Frame network size: 326 (including 4 bytes CRC)
Time: Feb 3, 2006 13h:43m:52.454 997s
Differential time: 0.001 535 (since previous packet)
Destination Address: 00:09:43:5F:A7:0C
Source Address: 00:06:B1:0A:C0:C1
Protocol: [0x0800]=IP
IP: 10.10.10.10 -> 20.20.20.20
Status: Version = 4, IP Header Length = 20 Bytes
0100....: Version = 4
....0101: IP Header Length = [5] 32 Bit Words = 20 Bytes
Type of Service:
000.....: Precedence = Routine
...0....: Delay = Normal
....0...: Throughput = Normal
.....0..: Reliability = Normal
......0.: Cost = Normal
.......0: Reserved
Total IP length: 308
ID: 0x8783 (34691)
Fragment:
0....... ........: Reserved
.0...... ........: Do Not Fragment = False
..0..... ........: More Fragments = False
...00000 00000000: Fragment Offset [0] * 8 = 0 Bytes
Time to live: 255
Protocol: 17 = UDP
Header checksum: 0xF6A7 (Good)
IP Addresses: Source = 10.10.10.10, Destination = 20.20.20.20
Source: 10.10.10.10
Destination: 20.20.20.20
UDP, [500] isakmp -> [500] isakmp
Source port: [500] isakmp
Destination port: [500] isakmp
UDP length: 288
Checksum: 0xAC48 (Good)
ISAKMP:
Initiator Cookie: 0xDB3479990D11E64E
Responder Cookie: 0xC672625369738AB7
First Payload Type: [11] = Notification
Version:
0001....: Major Version 1
....0000: Minor Version 0
Exchange Type: [5] = Informational
Encryption Flags:
.......0: Payload = False
......0.: Commit = False
.....0..: Authentication = False
00000... = Reserved
Message ID: 0xEB1C1F46
Total Length: 280
Notification Payload
Next Payload Type: [0] = None
Reserved: 0x00
Payload Length: 252
DOI:
Protocol ID: 0
SPI Size: 16
Notify Message Type: [0] = Reserved
SPI
0000 01 10 00 04 DB 34 79 99 0D 11 E6 4E C6 72 62 53 ....Û4y™..æNÆrbS
Payload
0000 69 73 8A B7 00 06 00 04 00 00 00 00 00 02 00 B8 isŠ·...........¸
0010 DB 34 79 99 0D 11 E6 4E C6 72 62 53 69 73 8A B7 Û4y™..æNÆrbSisŠ·
0020 04 10 02 00 00 00 00 00 00 00 00 B8 0A 00 00 84 ...........¸...„
0030 6B 2D FE 2B 44 9E 31 02 37 86 5A A1 ED 26 56 47 k-þ+Dž1.7†Z¡í&VG
0040 A8 9A 60 C7 8B 83 8A A2 52 C0 10 51 6F A0 9E 9A ¨š`Ç‹ƒŠ¢RÀ.Qo žš
0050 AC FA 80 2A 4D 60 A3 D1 81 FD 29 98 0B 44 3C 5F ¬ú€*M`£Ñ?ý)˜.D<_
0060 DB E0 4D 88 01 88 22 29 A6 A0 D0 A7 B5 69 80 E6 ÛàMˆ.ˆ")¦ Чµi€æ
0070 37 2E 59 04 E1 5D 8D 1E F8 6A 3C 46 D6 81 CD C5 7.Y.á]?.øj<FÖ?ÍÅ
0080 72 EE 8F 9B F0 EA AA 25 28 19 91 4C C4 5D BA 6A rî?›ðêª%(.‘LÄ]ºj
0090 57 4D 03 14 B3 FC D3 AC CC ED 54 C2 61 1C 28 AC WM..³üÓ¬ÌíTÂa.(¬
00A0 9B C3 7A 88 80 EA 97 29 90 23 3E 54 FB 00 4E F7 ›Ãzˆ€ê—)?#>Tû.N÷
00B0 00 00 00 18 8A 3A 7B AD 8A 68 3E 7A 5E 41 32 05 ....Š:{­Šh>z^A2.
00C0 36 25 4F B8 FF EA 14 8C 00 04 00 18 00 00 00 54 6%O¸ÿê.Œ.......T
00D0 68 65 20 63 6F 6F 6B 69 65 20 69 73 20 69 6E 76 he cookie is inv



If anyone has seen this issue or has any experience with ISAKMP at the protocol level, I sure could use some guidance.

Another note: the SonicWall supports VPN NAT traversal, however the Linksys does not. Not sure if that would resolve the issue.


Thanks in advance.

Jason
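An added example, not from the post or from SonicWall or Linksys: a small RFC 2408 ISAKMP parser run over a sample built from the Packet 17 decode above. Read with the RFC layout, the first four bytes the decoder printed under "SPI" are protocol ID 1, SPI size 16 and notify type 4 (INVALID-COOKIE), the 16-byte SPI is exactly the two cookies, and the notification data carries a copy of the Packet 16 message. The DOI value and the 12-byte framing offset before the echoed message are assumptions read from the dump, and the echoed message is shortened to its header in the sample.

```python
import struct
# Added example (not from the post or either vendor): a minimal RFC 2408 ISAKMP
# parser, used to read the INVALID-COOKIE notification in Packet 17 of the post.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}
NOTIFY_NAMES = {4: "INVALID-COOKIE", 14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}

def parse_header(buf, off=0):
    """Parse the fixed 28-byte ISAKMP header at buf[off:]."""
    ic, rc, first, ver, ex, flags, mid, length = struct.unpack_from("!8s8sBBBBII", buf, off)
    return {"icookie": ic, "rcookie": rc, "first_payload": first, "version": (ver >> 4, ver & 15),
            "exchange": ex, "flags": flags, "message_id": mid, "length": length}

def parse_payloads(buf, first_type, off=28):
    """Walk the generic-payload chain after the header; returns [(type, body), ...]."""
    out, ptype = [], first_type
    while ptype != 0:
        nxt, _reserved, plen = struct.unpack_from("!BBH", buf, off)
        if plen < 4 or off + plen > len(buf):  # a bad length must not run off the message
            raise ValueError("payload length %d at offset %d exceeds message" % (plen, off))
        out.append((ptype, buf[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return out

def parse_notification(body):
    """Notification body: DOI(4) protocol(1) SPI size(1) notify type(2) SPI data."""
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    return {"doi": doi, "protocol": proto, "type": ntype, "spi": body[8:8 + spi_size],
            "name": NOTIFY_NAMES.get(ntype, "type %d" % ntype), "data": body[8 + spi_size:]}

# Sample built from the Packet 17 decode: header fields, the bytes printed as "SPI", the first 12
# data bytes and the echoed Packet 16 header (cut from 184 bytes). DOI = 1 is an assumption.
ICOOKIE, RCOOKIE = bytes.fromhex("DB3479990D11E64E"), bytes.fromhex("C672625369738AB7")
ECHOED_HDR = ICOOKIE + RCOOKIE + bytes.fromhex("04100200" "00000000" "000000B8")
NOTIFY_BODY = (struct.pack("!IBBH", 1, 1, 16, 4) + ICOOKIE + RCOOKIE
               + bytes.fromhex("00060004" "00000000" "000200B8") + ECHOED_HDR)
NOTIFY_PAYLOAD = struct.pack("!BBH", 0, 0, 4 + len(NOTIFY_BODY)) + NOTIFY_BODY
PACKET17 = ICOOKIE + RCOOKIE + struct.pack("!BBBBII", 11, 0x10, 5, 0, 0xEB1C1F46,
                                            28 + len(NOTIFY_PAYLOAD)) + NOTIFY_PAYLOAD

def explain_notification(buf):
    """Decode an Informational exchange whose first payload is a Notification."""
    hdr = parse_header(buf)
    ptype, body = parse_payloads(buf, hdr["first_payload"])[0]
    if ptype != 11:
        raise ValueError("first payload is %s, not N" % PAYLOAD_NAMES.get(ptype, ptype))
    n = parse_notification(body)
    echoed = parse_header(n["data"], 12)  # 12 bytes of vendor framing first (seen in the dump, not RFC)
    return {"notify": n["name"], "spi_is_cookies": n["spi"] == hdr["icookie"] + hdr["rcookie"],
            "echoed_same_sa": echoed["icookie"] + echoed["rcookie"] == hdr["icookie"] + hdr["rcookie"],
            "echoed_first_payload": PAYLOAD_NAMES.get(echoed["first_payload"]), "echoed_length": echoed["length"]}
```

On the sample this reports INVALID-COOKIE with the SPI equal to the two cookies and an echoed Main Mode message whose first payload is KE and whose length is 184, the size of Packet 16's ISAKMP message.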