
something broken in isakmpd since 3.5



Hi,

I have got the same ipsec config running on a 3.4 and a 3.5 box. It works
fine with 3.4 but fails with 3.5. I also tried -current, it does not work
either.

The config allows some routers with dynamic IP to create a tunnel using
aggressive mode. Each router has a different shared key.

What do you suggest to troubleshoot this further?

config and logs:

[General]
Listen-on=      x.x.x.x

[Phase 1]
Default=                ISAKMP-dynamic-ip

[Phase 2]
Passive-connections=    IPSEC-dynamic-ip

[ISAKMP-dynamic-ip]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode

[IPSEC-dynamic-ip]
Phase=                  2
ISAKMP-peer=            ISAKMP-dynamic-ip
Configuration=          Default-quick-mode
Local-ID=               Net-local
Remote-ID=              Net-any

[Net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.x.0
Netmask=                255.255.255.0

[Net-any]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[test@test.com]
Phase=  1
Transport=      udp
Configuration=  Default-aggressive-mode
Authentication= test

[Default-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE



165138.187499 Exch 10 exchange_setup_p1: 0x3c066800 ISAKMP-dynamic-ip Default-aggressive-mode policy responder phase 1 doi 1 exchange 4 step 0
165138.187904 Exch 10 exchange_setup_p1: icookie cd42b576277e0599 rcookie 4cf540e78e36b3f0
165138.188404 Exch 10 exchange_setup_p1: msgid 00000000
165138.188853 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
165138.189278 Mesg 50 message_parse_payloads: offset 48 payload TRANSFORM
165138.189688 Mesg 50 Transform 1's attributes
165138.190157 Mesg 50 Attribute LIFE_TYPE value 1
165138.190589 Mesg 50 Attribute LIFE_DURATION value 300
165138.191009 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
165138.191423 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
165138.191848 Mesg 50 Attribute HASH_ALGORITHM value 2
165138.192259 Mesg 50 Attribute GROUP_DESCRIPTION value 2
165138.192717 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 3
165138.193165 Misc 30 ipsec_responder: phase 1 exchange 4 step 0
165138.193636 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
165138.194279 Negt 20 ike_phase_1_validate_prop: success
165138.194711 Negt 30 message_negotiate_sa: proposal 1 succeeded
165138.195141 Misc 20 ipsec_decode_transform: transform 1 chosen
165138.195587 Negt 40 ike_phase_1_recv_ID: USER_FQDN:
165138.196047 Negt 40 74657374 616c6578 4070726f 67692e6c 616d
165138.196491 Exch 40 exchange_run: exchange 0x3c066800 finished step 0, advancing...
165138.196951 Misc 30 ipsec_responder: phase 1 exchange 4 step 1
165138.281609 Cryp 40 crypto_init: key:
165138.282059 Cryp 40 11fd29f0 3fcad779 7789613e 8891b113 f6fdf792 24442ef3
165138.282682 Cryp 50 crypto_init_iv: initialized IV:
165138.283106 Cryp 50 071c2744 d399c681
165138.283607 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
165138.284022 Negt 40 c233a43c
165138.285024 Exch 40 exchange_run: exchange 0x3c066800 finished step 1, advancing...
165138.285575 Trpt 30 transport_send_messages: message 0x3c066b00 scheduled for retransmission 1 in 7 secs
165138.286055 Timr 10 timer_add_event: event message_send_expire(0x3c066b00) added before exchange_free_aux(0x3c066800), expiration in 7s
165138.874071 Mesg 20 message_free: freeing 0x3c066b00
165138.874474 Timr 10 timer_remove_event: removing event message_send_expire(0x3c066b00)
165138.874995 Mesg 50 message_parse_payloads: offset 28 payload HASH

165138.875443 Default message_recv: cleartext phase 1 message
165138.875880 Default dropped message from x.x.x.x port 500 due to notification type INVALID_FLAGS

165138.876377 Timr 10 timer_add_event: event exchange_free_aux(0x3c066b00) added last, expiration in 120s
165138.876865 Exch 10 exchange_establish_p1: 0x3c066b00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
165138.877332 Exch 10 exchange_establish_p1: icookie ef736b0f61c2c7c9 rcookie 0000000000000000
165138.877792 Exch 10 exchange_establish_p1: msgid 00000000
165138.878333 Exch 40 exchange_run: exchange 0x3c066b00 finished step 0, advancing...
165138.878765 Mesg 20 message_free: freeing 0x3c066d00
165138.879283 Exch 10 exchange_finalize: 0x3c066b00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
165138.879770 Exch 10 exchange_finalize: icookie ef736b0f61c2c7c9 rcookie 0000000000000000
165138.880208 Exch 10 exchange_finalize: msgid 00000000
165138.880620 Timr 10 timer_remove_event: removing event exchange_free_aux(0x3c066b00)
165138.881076 Mesg 20 message_free: freeing 0x3c066c00
165138.883185 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x3c066900
165138.883581 Mesg 20 message_free: freeing 0x3c066b00

Regards,
Alexandre
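
Added example, not part of the original post and not isakmpd code: a small triage script for debug logs in the layout shown above. It rejoins mail-wrapped entries, maps the numeric phase 1 attributes to their RFC 2409 names, decodes the ID payload hex dumps, and lists dropped messages with their notification type. The function names `entries` and `triage` and every value in `SAMPLE` are constructed for illustration.

```python
import re
import socket

# IKEv1 phase 1 attribute values from RFC 2409, Appendix A (subset).
ATTRS = {
    "ENCRYPTION_ALGORITHM": {1: "DES-CBC", 5: "3DES-CBC"},
    "HASH_ALGORITHM": {1: "MD5", 2: "SHA"},
    "AUTHENTICATION_METHOD": {1: "pre-shared key", 3: "RSA signatures"},
}

# Constructed sample in the post's log layout; the last entry is mail-wrapped.
SAMPLE = """\
120000.000001 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
120000.000002 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
120000.000003 Negt 40 ike_phase_1_recv_ID: USER_FQDN:
120000.000004 Negt 40 726f7574 65723140 6578616d 706c652e 6e6574
120000.000005 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
120000.000006 Negt 40 c000020a
120000.000007 Default dropped message from 198.51.100.7 port 500 due to
notification type INVALID_FLAGS
"""

def entries(text):
    """Rejoin mail-wrapped lines and return each entry's message text."""
    out = []
    for line in text.splitlines():
        # Layout: HHMMSS.usec, class, optional debug level, message.
        if m := re.match(r"\d{6}\.\d{6} \w+(?: \d+)? (.*)$", line):
            out.append(m.group(1))
        elif line.strip() and out:
            out[-1] += " " + line.strip()  # continuation of a wrapped entry
    return out

def triage(text):
    """Decode negotiated attributes and ID payloads; list dropped messages."""
    report, pending = {"transform": {}, "ids": [], "drops": []}, None
    for msg in entries(text):
        if m := re.match(r"Attribute (\w+) value (\d+)", msg):
            name, val = m.group(1), int(m.group(2))
            report["transform"][name] = ATTRS.get(name, {}).get(val, val)
        elif m := re.match(r"ike_phase_1_(recv|send)_ID: (\w+):", msg):
            pending = m.groups()  # the payload hex dump is the next entry
        elif pending and re.fullmatch(r"[0-9a-f ]+", msg):
            kind, raw = pending[1], bytes.fromhex(msg.replace(" ", ""))
            val = socket.inet_ntoa(raw) if kind == "IPV4_ADDR" else raw.decode("ascii", "replace")
            report["ids"].append((*pending, val))
            pending = None
        elif m := re.search(r"dropped message from (\S+) .* type (\w+)", msg):
            report["drops"].append(m.groups())
    return report
```

The decoded USER_FQDN is the identity the peer presented in phase 1, and the decoded attributes are the transform it proposed, so both can be compared against the corresponding sections of the responder's configuration.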