IPsec VPN between ASA 5505 and Allied AR450s - bad pad length?

    Hello,

    I am trying to get an IPsec VPN built between a Cisco ASA 5505 and an Allied Telesis AR450s in my lab, but am encountering a strange issue.

    Layout

    [ASA5505]----[AR450s]

    If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.

    If I initiate the tunnel from the Cisco ASA side, the following occurs:
    - According to ASA, both isakmp and IPsec SAs are created (verified with show ipsec sa and show isakmp sa)
    - From AR450s side, isakmp SA is built, but there are no IPsec SAs. However, if I check the isakmp exchange state, it appears stuck on phase 2

    Debug:
    I ran debugs on each device:
    - Cisco ASA: no errors, I get a PHASE 2 COMPLETE message but after that the ASA keeps receiving some traffic from the AR450s causing a *duplicate phase 2 packet detected* error. This basically repeats forever until I stop trying to pass traffic and the SA is torn down.
    - AR450s: During the last exchange of Phase 2 (where the initiator (ASA5505) sends a final hash) the AR450s receives this message from the ASA but it reports a "bad pad length" error.

    What are some things I should be looking at?

    As for configurations, they are about as basic as I can get them. No NAT, no fancy access lists, etc.
    ----------------------
    ASA config:
    -----------------------
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 65.211.65.10 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1

    access-list 100 extended permit ip any any
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    arp timeout 14400
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 65.211.65.11 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 65.211.65.11
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400

    threat-detection basic-threat
    threat-detection statistics access-list
    tunnel-group 65.211.65.11 type ipsec-l2l
    tunnel-group 65.211.65.11 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context

    -------------------------------
    AR450s config:
    -------------------------------
    # User configuration
    set user=manager pass=3af00c6cad11f7ab5db4467b66ce503eff priv=manager lo=yes
    set user=manager telnet=yes desc="Manager Account"
    add user=secoff pass=5486b4af453c7830dcea12f347137b07ff priv=securityOfficer lo=yes
    set user=secoff telnet=no netmask=255.255.255.255

    # IP configuration
    enable ip
    add ip int=eth0 ip=65.211.65.11 mask=255.255.255.0
    add ip int=eth1 ip=192.168.200.1
    add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=0.0.0.0

    # IPSEC configuration
    create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
    create ipsec bund=1 key=isakmp string="1"
    create ipsec pol="office_vpn_isakmp" int=eth0 ac=permit
    set ipsec pol="office_vpn_isakmp" lp=500 rp=500
    create ipsec pol="office_vpn_ipsec" int=eth0 ac=ipsec key=isakmp bund=1 peer=65.211.65.10
    set ipsec pol="office_vpn_ipsec" lad=192.168.200.0 lma=255.255.255.0 rad=192.168.100.0 rma=255.255.255.0
    enable ipsec

    # ISAKMP configuration
    create isakmp pol="office_isakmp_policy" pe=65.211.65.10 key=1
    enable isakmp


    -----
    debug excerpts
    -----

    ASA
    ----
    Jul 06 19:38:20 [IKEv1]: IP = 65.211.65.11, IKE_DECODE SENDING Message (msgid=782ddb8a) with payloads : HDR + HASH ( + NONE (0) total length : 76

    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    7f 05 dd 1d 83 ef 9b 13 73 7c 2e 54 4d 3c c5 10 | .......s|.TM<..
    08 10 20 00 8a db 2d 78 1c 00 00 00 00 00 00 18 | .. ...-x........
    53 7d 3c 8c f7 c3 c5 f2 37 a5 6c e0 b7 0b 90 cf | S}<.....7.l.....
    d0 51 ad d7 00 00 00 00 00 00 00 00 00 00 00 00 | .Q..............
    00 00 00 00 00 00 00 00 00 00 00 00 | ............

    ISAKMP Header
    Initiator COOKIE: 7f 05 dd 1d 83 ef 9b 13
    Responder COOKIE: 73 7c 2e 54 4d 3c c5 10
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (none)
    MessageID: 8ADB2D78
    Length: 469762048
    Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
    53 7d 3c 8c f7 c3 c5 f2 37 a5 6c e0 b7 0b 90 cf
    d0 51 ad d7
    Jul 06 19:38:20 [IKEv1 DEBUG]: Group = 65.211.65.11, IP = 65.211.65.11, IKE got a KEY_ADD msg for SA: SPI = 0x90108def
    Jul 06 19:38:20 [IKEv1 DEBUG]: Group = 65.211.65.11, IP = 65.211.65.11, Pitcher: received KEY_UPDATE, spi 0x20d78031

    ISAKMP Header
    Initiator COOKIE: 7f 05 dd 1d 83 ef 9b 13
    Responder COOKIE: 73 7c 2e 54 4d 3c c5 10
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 782DDB8A
    Length: 76
    Jul 06 19:38:20 [IKEv1 DEBUG]: Group = 65.211.65.11, IP = 65.211.65.11, Starting P2 rekey timer: 24480 seconds.
    Jul 06 19:38:20 [IKEv1]: Group = 65.211.65.11, IP = 65.211.65.11, PHASE 2 COMPLETED (msgid=782ddb8a)

    --------------
    AR450s
    --------------
    ISAKMP Network Rx:
    remotePort=500 localPort=500
    7f 05 dd 1d 83 ef 9b 13 73 7c 2e 54 4d 3c c5 10 08 10 20 01
    78 2d db 8a 00 00 00 4c 24 e9 cd de 6b 42 71 e8 61 6b 72 d1
    c9 4a d9 44 24 09 5a 3c 7b c0 1f bf d0 fe a4 98 40 57 d7 04
    fe 57 ea 02 13 01 80 ec 93 8f 72 cc 01 89 ae f9
    ISAKMP Rx (decrypted)<---
    7f 05 dd 1d 83 ef 9b 13 73 7c 2e 54 4d 3c c5 10 08 10 20 01
    78 2d db 8a 00 00 00 4c 00 00 00 18 53 7d 3c 8c f7 c3 c5 f2
    37 a5 6c e0 b7 0b 90 cf d0 51 ad d7 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ISAKMP CORE: Rx decrypted: exchange 34: bad pad length: 24



    Three things that concern me about the debug logs:
    1. Why is the ASA padding the packet with all those 0s? When I view logs where I have initiated the tunnel from the AR450s side, this doesn't happen

    2. Shouldn't the received decrypted packet (on the AR450s side) match the Cisco packet before encryption?

    3. After decrypting the packet, I notice that the encryption flag is still on... I don't know if this has something to do with this issue.

  • #2
    Re: IPsec VPN between ASA 5505 and Allied AR450s - bad pad length?

    Issues like these I would work with vendors, but I would try 3DES/MD5 to see if there's an issue with the algorithms between vendors.



    • #3
      Re: IPsec VPN between ASA 5505 and Allied AR450s - bad pad length?

      Thank you Garen. I am currently dealing with one of the vendors now, but so far no progress.

      As for trying 3DES/MD5 the Allied device does not have a 3DES license installed, according to the error that shows up when I try to enable it.

      I think the key is that padding the ASA is adding to that final phase 2 packet. The extra 0s add up to 24 octets, which is the exact number from the error. I don't know what could be causing all that padding though, as I mentioned before when I build the tunnel from the Allied end, no such padding occurs and the VPN is up and running.

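To make the "24 octets" observation from the original question's AR450s excerpt and from reply #3 checkable, here is an added ISAKMP payload-chain walker (not code from the thread or either vendor). It takes the decrypted bytes exactly as the AR450s logged them, walks the header and generic payload headers, and reports how many bytes follow the last payload; the comparison against the 8-byte DES block is the bound that IKEv1 block-boundary padding implies, and whether that is precisely the check the AR450s enforces is an assumption.

```python
import struct

# Decrypted Quick Mode message as the AR450s logged it (bytes copied from the
# thread's "ISAKMP Rx (decrypted)" excerpt; this is the only input embedded).
AR450S_DECRYPTED_HEX = """
7f 05 dd 1d 83 ef 9b 13 73 7c 2e 54 4d 3c c5 10 08 10 20 01
78 2d db 8a 00 00 00 4c 00 00 00 18 53 7d 3c 8c f7 c3 c5 f2
37 a5 6c e0 b7 0b 90 cf d0 51 ad d7 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

ISAKMP_HDR_LEN = 28      # fixed ISAKMP header size (RFC 2408)
PAYLOAD_NONE = 0         # "next payload" value that ends the chain
DES_BLOCK = 8            # DES cipher block size; IKEv1 pads to a block boundary


def parse_isakmp(data: bytes) -> dict:
    """Walk the ISAKMP header and the generic payload chain.

    Returns the declared vs. actual length, where the last payload ends,
    and how many bytes trail it, so that run can be judged as padding."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _icky, _rcky, nxt, _ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    payloads, off = [], ISAKMP_HDR_LEN
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt_next, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((nxt, plen))     # (payload type, payload length)
        off, nxt = off + plen, nxt_next
    trailing = data[off:]
    return {
        "exchange": xchg,                           # 32 == Quick Mode
        "encrypted_flag": bool(flags & 0x01),
        "msgid": "%08x" % msgid,
        "declared_len": length,
        "actual_len": len(data),
        "payloads": payloads,
        "payload_end": off,
        "trailing": len(trailing),
        "trailing_zero": all(b == 0 for b in trailing),
        # block-boundary padding never needs more than one cipher block
        "pad_within_block": len(trailing) <= DES_BLOCK,
    }


def analyze(hexdump: str) -> dict:
    """Parse a whitespace-separated hex dump such as the one in the thread."""
    return parse_isakmp(bytes.fromhex(hexdump))
```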


      • #4
        Re: IPsec VPN between ASA 5505 and Allied AR450s - bad pad length?

        Did you ever get this resolved? We have the exact same issue here.
