Re: FreeS/WAN - isakmpd
Uh, strange. If FreeS/WAN is running, it shouldn't be sending back UDP
port unreachable messages. What happens if You try making FreeS/WAN
active and OpenBSD passive?
-&
goony wrote:
>>Okay, it looks like it may be breaking down in phase 1, but i'm not all
>>that familiar with OpenBSD isakmpd log messages. A tcpdump trace would
>>help, as would debug messages from FreeS/WAN. Set plutodebug=all and/or
>>klipsdebug=all on the Linux side and look in Your log file. Perhaps we
>>should continue this off-list, as log files can be really big
>>(especially from FreeS/WAN).
>
>
> Ok, this after "service ipsec restart":
>
> root@test ~# tail -f /var/log/messages
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_safe_build: error=0
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_safe_build:success.
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_safe_build: error=0
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_safe_build:success.
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_msg_build: pfkey_msg=c6782840 allocated 32 bytes, &(extensions[0])=c74bde04
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_msg_build: copying 16 bytes from extensions[15]=c67828a0 to=c6782850
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_msg_build: extensions permitted=0000c001, seen=00008001, required=00000001.
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_upmsg: allocating 32 bytes...
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_upmsg: ...allocated at c69da660.
> Dec 6 16:05:38 test kernel: klips_debug:pfkey_register_parse: sending up register reply message for satype=9(IPIP) to socket=c6f8dcc0 succeeded.
>
> from tcpdump of third machine...
>
>
> 17:04:15.754681 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=isakmp transform=1
> (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
> 17:04:15.754884 arp who-has hate.intranet tell 192.168.11.192
> 17:04:15.754983 arp reply hate.intranet is-at 0:0:86:44:9f:92
> 17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0]
> 17:04:24.767294 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=isakmp transform=1
> (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
> 17:04:35.783648 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=isakmp transform=1
> (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
>
> Note this line from log
> 17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0]
>
> 192.168.11.192 is Trustix machine
> 192.168.11.127 (hate) OpenBSD
>
>
> - From OpenBSD box: :(((
>
> 16:11:42 ~ # netstat -na | grep 500
> udp 0 0 *.500 *.*
> udp 0 0 192.168.11.127.500 *.*
> udp6 0 0 *.500 *.*
> 0xd0a4a974 stream 0 0 0x0 0xd0a99500 0x0 0x0
>
>
> 16:11:13 ~ # netstat -rn -f encap
> Routing tables
>
> Encap:
> Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
>
>
> - From Linux box:
>
> root@test ~# netstat -punta
> udp 0 0 192.168.11.192:500 0.0.0.0:* 9700/pluto
>
--
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
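An added example, not part of this thread, that automates what goony did by hand: it parses tcpdump lines of the shape quoted above and reports, for each IKE phase 1 attempt, whether the peer answered with an ISAKMP message, with ICMP port unreachable, or not at all. The trace is constructed from the lines in the mail; the hostnames and addresses are the thread's own.

```python
import re

# Constructed sample, reduced from the tcpdump trace quoted in the mail
# (the nested proposal lines are omitted; only the first line of each packet matters here).
TRACE = """\
17:04:15.754681 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
17:04:15.754884 arp who-has hate.intranet tell 192.168.11.192
17:04:15.754983 arp reply hate.intranet is-at 0:0:86:44:9f:92
17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0]
17:04:24.767294 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
17:04:35.783648 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
"""

# "I" marks the initiator side of phase 1; a responder would show "R".
ISAKMP_INIT_RE = re.compile(r"^(\S+) (\S+)\.500 > (\S+)\.500: isakmp: phase 1 I ")
ISAKMP_RESP_RE = re.compile(r"^(\S+) (\S+)\.500 > (\S+)\.500: isakmp: phase 1 R ")
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: \S+ udp port 500 unreachable")

def analyze(trace):
    """Return (timestamp, initiator, responder, outcome) for every phase 1 attempt."""
    attempts = []
    for line in trace.splitlines():
        m = ISAKMP_INIT_RE.match(line)
        if m:
            ts, src, dst = m.groups()
            attempts.append([ts, src, dst, "no reply"])
            continue
        if not attempts or attempts[-1][3] != "no reply":
            continue
        last = attempts[-1]
        m = ISAKMP_RESP_RE.match(line)
        if m and m.group(2) == last[2] and m.group(3) == last[1]:
            last[3] = "responder replied"
            continue
        m = ICMP_RE.match(line)
        # The ICMP must come from the responder back to the initiator to count.
        if m and m.group(2) == last[2] and m.group(3) == last[1]:
            last[3] = "port unreachable"
    return [tuple(a) for a in attempts]

def diagnose(attempts):
    """One-line reading of the attempt list, as a human would write it in a reply."""
    if not attempts:
        return "no IKE phase 1 traffic seen"
    unreachable = sum(1 for a in attempts if a[3] == "port unreachable")
    if unreachable:
        return ("%d/%d phase 1 attempts answered with ICMP port unreachable: the packet "
                "reached %s but was not delivered to a socket on UDP 500 (no listener "
                "for that address, or a host filter rejecting it)"
                % (unreachable, len(attempts), attempts[0][2]))
    return "%d phase 1 attempts, none answered: check filtering on the path" % len(attempts)
```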