
Re: Can't get isakmpd working



Justin Krejci wrote:
> Try pasting the text into the e-mail instead of sending as attachments.
Oh, I didn't realise the list stripped attachments. They're at the 
bottom of this email.

> Did you try the troubleshooting section in the FAQ? If so, what are the 
> results?
Yes:
"netstat -rn -f encap" on vpn-ee-obsd gives
Routing tables

Encap:
Source	   Port Destination Port Proto SA(Address/Proto/Type/Direction)
0.0.0.0/32 0    0/0         0    0     10.0.2.5/50/use/in
0/0        0    0.0.0.0/32  0    0     10.0.2.5/50/require/out

and on vpn-cj-obsd gives
0/0        0    0.0.0.0/32  0    0     10.0.2.2/50/use/in
0.0.0.0/32 0    0/0         0    0     10.0.2.2/50/require/out


"cat /kern/ipsec" on vpn-ee-obsd gives
Hashmask: 31, policy entries: 2
SPI = 383ceefb, Destination = 10.0.2.5, Sproto = 50
         Established 2 seconds ago
         Source = 10.0.2.2
         Remote credential type 2
         Remote auth type 2
         Flags (00001082) = <tunneling>
         Crypto ID: 1
         xform = <IPsec ESP>
                 Encryption = <3DES>
                 Authentication = <HMAC-MD5>
         0 bytes processed by this SA
         Expirations:
                 Hard expiration(1) in 58 seconds
                 Soft expiration(1) in 52 seconds

SPI = 33e2cba3, Destination = 10.0.2.2, Sproto = 50
         Established 2 seconds ago
         Source = 10.0.2.5
         Remote credential type 2
         Remote auth type 2
         Flags (00001082) = <tunneling>
         Crypto ID: 2
         xform = <IPsec ESP>
                 Encryption = <3DES>
                 Authentication = <HMAC-MD5>
         0 bytes processed by this SA
         Expirations:
                 Hard expiration(1) in 58 seconds
                 Soft expiration(1) in 52 seconds

These outputs puzzle me in themselves because I didn't get anything last 
time I tried. So now it would seem there is some connectivity going on, 
however when I try to ping the 192.168.189.0/24 network (the network 
behind vpn-ee-obsd) from vpn-cj-obsd, there's no response (and tcpdump 
shows nothing going between the hosts). And if I ping vpn-ee-obsd, 
tcpdump shows the packets going out in the clear.
So what's the stupid mistake I've made?

isakmpd.conf for vpn-ee-obsd:
# Global options
[General]
Retransmits=            5
Exchange-max-time=      120
Check-interval=         60
Listen-on=              10.0.2.2

# X.509 certificate locations
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# IKE Phase 1 & 2
[Phase 1]
Default=                Client-phase1

[Phase 2]
Passive-Connections=    Client-phase2

# Clients, phase 1 and 2
[Client-phase1]
Phase=                  1
Transport=              udp
Local-address=          10.0.2.2
Configuration=          Client-main-mode
ID=                     My-ID

[My-ID]
ID-type=                USER_FQDN
Name=                   ee@vpntest

[Client-phase2]
Phase=                  2
Configuration=          Client-quick-mode
Local-ID=               All-networks
Remote-ID=              Unknown-address

# Network details
[All-networks]
ID-Type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0
[Unknown-address]
ID-Type=                IPV4_ADDR
Address=                0.0.0.0

# Main -and quick mode transforms
[Client-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5-Client

[Client-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE

# Encryption/Authentication suite definitions

[3DES-MD5-Client]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1536
Life=                   LIFE_9000_SECS

[QM-ESP-3DES-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5

[QM-ESP-3DES-MD5]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

# Lifetime definitions
[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200
[LIFE_9000_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          9000,4500:18000

isakmpd.conf for vpn-cj-obsd:
[General]
Policy-File=            /etc/isakmpd/policy
Retransmits=            5
Exchange-max-time=      120

[Phase 1]
10.0.2.2=               work-gw

[Phase 2]
Connections=            work-gw-home-gw

[work-gw]
Phase=                  1
Transport=              udp
Address=                10.0.2.2                # Peer address
ID=                     home-ID
Configuration=          Default-main-mode

[home-ID]
ID-type=                USER_FQDN
Name=                   cj@vpntest

[work-gw-home-gw]
Phase=                  2
ISAKMP-peer=            work-gw
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

[Net-west]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1536
Life=                   LIFE_9000_SECS

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE


[QM-ESP-3DES-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5

# 3DES

[QM-ESP-3DES-MD5]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS


[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          60,45:72

[LIFE_9000_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          9000,4500:18000

Both hosts' policy file is simply
authorizer: "POLICY"

The output from /sbin/isakmpd -d -DA=90 for vpn-ee-obsd:
073804.050491 Default log_debug_cmd: log level changed from 0 to 90 for 
class 0
<snip>
073804.101697 Default log_debug_cmd: log level changed from 0 to 90 for 
class 9
073804.831091 Misc 90 conf_load_defaults : main mode DES-MD5-GRP1
<snip>
073804.850762 Misc 90 conf_load_defaults : main mode CAST-SHA-RSA_SIG
073804.851183 Misc 90 conf_load_defaults : quick mode 
QM-ESP-DES-MD5-GRP1-SUITE
<snip>
073804.990633 Misc 90 conf_load_defaults : quick mode 
QM-AH-TRP-AES-RIPEMD-PFS-SUITE
073805.123173 Misc 60 connection_record_passive: passive connection 
"Client-phase2" added
073805.133413 Plcy 30 policy_init: initializing
073805.195639 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/ca/
073805.240491 Cryp 60 x509_read_from_dir: reading certificate ca.crt
073805.333614 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/certs/
073805.360337 Cryp 60 x509_read_from_dir: reading certificate ee.crt
073805.383529 Cryp 70 x509_hash_enter: cert 0x116680 added to bucket 39
073805.383636 Cryp 70 x509_hash_enter: cert 0x116680 added to bucket 54
073805.383817 Cryp 40 x509_read_crls_from_dir: reading CRLs from 
/etc/isakmpd/crls/
073805.413839 Trpt 70 transport_add: adding 0x117180
073805.414985 Trpt 70 transport_add: adding 0x117240

Output on vpn-cj-obsd:
073804.050491 Default log_debug_cmd: log level changed from 0 to 90 for 
class 0
<snip>
073804.101697 Default log_debug_cmd: log level changed from 0 to 90 for 
class 9
073804.831091 Misc 90 conf_load_defaults : main mode DES-MD5-GRP1
<snip>
073804.850762 Misc 90 conf_load_defaults : main mode CAST-SHA-RSA_SIG
073804.851183 Misc 90 conf_load_defaults : quick mode 
QM-ESP-DES-MD5-GRP1-SUITE
<snip>
073804.990633 Misc 90 conf_load_defaults : quick mode 
QM-AH-TRP-AES-RIPEMD-PFS-SUITE
073805.123173 Misc 60 connection_record_passive: passive connection 
"Client-phase2" added
073805.133413 Plcy 30 policy_init: initializing
073805.195639 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/ca/
073805.240491 Cryp 60 x509_read_from_dir: reading certificate ca.crt
073805.333614 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/certs/
073805.360337 Cryp 60 x509_read_from_dir: reading certificate ee.crt
073805.383529 Cryp 70 x509_hash_enter: cert 0x116680 added to bucket 39
073805.383636 Cryp 70 x509_hash_enter: cert 0x116680 added to bucket 54
073805.383817 Cryp 40 x509_read_crls_from_dir: reading CRLs from 
/etc/isakmpd/crls/
073805.413839 Trpt 70 transport_add: adding 0x117180
073805.414985 Trpt 70 transport_add: adding 0x117240

-- 
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au

Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall:       1-800-025 270      International: +61-2-4923 8222
Fax:            (02) 4942 1991     International: +61-2-4942 1991

Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------
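As an added example (not from the post, and not isakmpd's own code), a small Python checker for an isakmpd.conf of the shape quoted above. It flags tags that name a section the file never defines (isakmpd then silently uses a built-in default of the same name, if one exists, as the conf_load_defaults lines in the log show) and IPV4_ADDR IDs of 0.0.0.0, which are what produce the 0.0.0.0/32 flows in the encap routing table above. The REF_TAGS list and the trimmed sample are my own; the parser assumes isakmpd matches tag names case-insensitively.

```python
# Tags whose value names another section (comma lists allowed); every tag in
# [Phase 1] ("Default=" or "<peer-ip>=") is such a reference as well.
REF_TAGS = {"configuration", "suites", "protocols", "transforms", "life", "id",
            "local-id", "remote-id", "isakmp-peer", "connections",
            "passive-connections", "default"}

# Phase 2 chain of the vpn-cj-obsd isakmpd.conf from the post, trimmed to the
# tags that matter here (constructed sample; section names are as posted).
SAMPLE = """\
[work-gw-home-gw]
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east
[Net-west]
ID-type=                IPV4_ADDR
Address=                0.0.0.0
[Net-east]
ID-type=                IPV4_ADDR_SUBNET
[Default-quick-mode]
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5
[QM-ESP-3DES-MD5]
Transforms=             QM-ESP-3DES-MD5-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID=           3DES
"""

def parse(text):
    """Return {section: {tag: value}}; '#' starts a comment, tags lowercased."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line[:1] == "[":
            cur = conf.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            tag, val = (s.strip() for s in line.split("=", 1))
            cur[tag.lower()] = val
    return conf

def check(conf):
    """Report references to undefined sections and 0.0.0.0 IPV4_ADDR IDs."""
    problems = []
    for sec, kv in conf.items():
        for tag, val in kv.items():
            if tag in REF_TAGS or sec == "Phase 1":
                for name in (s.strip() for s in val.split(",")):
                    if name not in conf:
                        problems.append(f"[{sec}] {tag}={name}: section not defined")
        if kv.get("id-type") == "IPV4_ADDR" and kv.get("address") == "0.0.0.0":
            problems.append(f"[{sec}]: IPV4_ADDR 0.0.0.0 yields a 0.0.0.0/32 flow")
    return problems
```

Running check(parse(SAMPLE)) reports the Net-west wildcard plus the two dangling names (QM-ESP-3DES-MD5-PFS-SUITE and QM-ESP-3DES-MD5-XF); run it against the real file and compare with netstat -rn -f encap.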