Strange IPSEC error

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by compwhiz, Oct 12, 2006.

  1. compwhiz

    compwhiz Network Guru Member

    I am trying to establish a tunnel between RV042 and Netopia 3300 ADSL router. I configured both RV042 and Netopia based on whatever documentation I could find. However, I cannot get the tunnel to come up.

    In the VPN Log on the RV042, I get the following

    Protocol in Phase 1 ID Payload must be 0 or 17 ,Port number must be 0 or 500 but now are 17/62465 (Protocol/Port)

    That's after it receives 6th packet.

    I did some searches, but could not find any relevant info. Why would the tunnel not come up?
  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    " Protocol in Phase 1 ID Payload must be 0 or 17".
    Phase I uses UDP (User Datagram Protocol) which is encapsulated in IP Packets as protocol # 17

    " Port number must be 0 or 500 but now are 17/62465"
    Phase I is supposed to use UDP port 500, but according to the log there is UDP (remember protocol 17) port 62465 traffic in the Phase I setup.

    Someone's not playing by the rules! Does the Netopia have some proprietary thing that it does in Phase I? I know from experience that the RV042 is protocol/RFC-compliant.

  3. HughR

    HughR LI Guru Member

    Eric is right.

    The copy of the FreeS/WAN source I'm looking at (2.06) has a little different message. I don't have access to the CVS so I don't remember when it changed. The comments in the code may be helpful:

    /* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
     * It talks about the protocol ID and Port fields of the ID
     * Payload, but they don't exist as such in Phase 1.
     * We use more appropriate names.
     * isaid_doi_specific_a is in place of Protocol ID.
     * isaid_doi_specific_b is in place of Port.
     * Besides, there is no good reason for allowing these to be
     * other than 0 in Phase 1.
     * Restated:
     * The Phase I ID payload layout should be defined in a
     * DOI-independent way. Protocol and Port are IPsec-specific rather
     * than being generic to IKE. Furthermore, there is no information
     * being conveyed in these fields in Phase I.
     * This section of the RFC requires 0/0 (sensible) or 17/500 (silly)
     * and does not allow any other combination. It says that any other
     * combination MUST be treated as an error and that the
     * security association setup MUST be aborted.
     */

    Anyway, this means that the Netopia isn't conformant to strict IPSec. Perhaps this is something to do with NAT (not supported by strict IPSec).
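To make the check that Eric describes and that the FreeS/WAN comment quotes concrete, here is an added example (not code from this thread, the RV042 firmware, or FreeS/WAN) that parses an ISAKMP Identification payload as laid out in RFC 2408 section 3.2 (generic header) and RFC 2407 section 4.6.2 (ID type, Protocol ID, Port, identification data) and applies the Phase 1 rule: Protocol ID must be 0 or 17 and Port must be 0 or 500, anything else aborts the exchange. The three sample payloads are constructed for this example; the function and constant names are my own, and the rejection string is written to mirror the RV042 log line quoted above so the two can be compared side by side.

```python
import ipaddress
import struct
from typing import Dict, NamedTuple, Optional

# RFC 2407 4.6.2 identification types (only the ones used here)
ID_IPV4_ADDR = 1
ID_FQDN = 2


class Phase1Id(NamedTuple):
    next_payload: int
    id_type: int
    protocol_id: int   # RFC 2407 calls this "Protocol ID"; FreeS/WAN calls it isaid_doi_specific_a
    port: int          # RFC 2407 calls this "Port";        FreeS/WAN calls it isaid_doi_specific_b
    data: bytes        # identification data (address, FQDN, ...)


def parse_id_payload(raw: bytes) -> Phase1Id:
    """Parse one Identification payload: 4-byte generic header + 4-byte DOI-specific part + data."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length, id_type, protocol_id, port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError(f"payload length field {length} does not match {len(raw)} bytes supplied")
    return Phase1Id(next_payload, id_type, protocol_id, port, raw[8:length])


def check_phase1_id(pid: Phase1Id) -> Optional[str]:
    """Return None when the payload is acceptable in Phase 1, else the reason the SA setup must abort.

    RFC 2407 4.6.2 permits only Protocol/Port = 0/0 or 17/500 here; any other
    combination MUST be treated as an error (this is the rule behind the RV042 log line).
    """
    if pid.protocol_id not in (0, 17) or pid.port not in (0, 500):
        return (
            "Protocol in Phase 1 ID Payload must be 0 or 17, Port number must be 0 or 500 "
            f"but now are {pid.protocol_id}/{pid.port} (Protocol/Port)"
        )
    return None


def build_id_payload(id_type: int, protocol_id: int, port: int, data: bytes, next_payload: int = 0) -> bytes:
    """Assemble an Identification payload (used here only to construct sample input)."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, protocol_id, port) + data


# Constructed samples: a strict 0/0 peer, a 17/500 peer, and a peer that fills in its
# actual UDP source port the way the thread's Netopia appears to (hypothetical values).
_ADDR = ipaddress.IPv4Address("192.0.2.10").packed
SAMPLES: Dict[str, bytes] = {
    "strict 0/0": build_id_payload(ID_IPV4_ADDR, 0, 0, _ADDR),
    "rfc 17/500": build_id_payload(ID_IPV4_ADDR, 17, 500, _ADDR),
    "netopia-like 17/62465": build_id_payload(ID_FQDN, 17, 62465, b"vpn.example.invalid"),
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Optional[str]]:
    """Run the Phase 1 check over each sample; None means accepted."""
    return {name: check_phase1_id(parse_id_payload(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {'accepted' if result is None else result}")
```

When run, the first two samples are accepted and the third produces the same Protocol/Port pair the RV042 logged, which is the point of the exercise: the values in that log line are the peer's own Identification payload fields, so reading them off the sixth Main Mode packet tells you whether the far end is filling in its real (possibly NAT-rewritten) source port instead of the 0 or 500 the DOI requires.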