
isakmpd help needed



I originally set up a manually keyed VPN between 2 OpenBSD 2.7
machines.  It works great, but I am trying to convert that system to
use the isakmpd key exchange daemon, and I am having trouble getting
the SAs set up.

Here is the isakmpd.conf file from one of the machines (the other is
similar).  It was modeled after the VPN-east.conf obtained from
cvsweb.  I have tried using both Suites in the Default-quick-mode.

I think that phase 1 goes ok, but phase 2 never completes.  I must be
making some kind of stupid mistake, but I am at a loss here.  Any help
would be appreciated.

Cam


Here is the daemon output with no debugging:
--------------------
073622.538176 Default check_policy: negotiated SA failed policy check
073622.538319 Default check_policy: negotiated SA failed policy check
073622.538359 Default message_negotiate_sa: no compatible proposal found
073622.538405 Default dropped message from 11.22.33.44 port 500 due to notification type NO_PROPOSAL_CHOSEN
073622.539045 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
073622.539100 Default dropped message from 11.22.33.44 port 500 due to notification type NO_PROPOSAL_CHOSEN
073622.539331 Default group_get: group ID (0) out of range
--------------------


Here is the relevant information of my setup.

isakmpd.conf
--------------------
[Phase 1]
11.22.33.44=	ISAKMP-peer-east

[Phase 2]
Connections=		IPsec-east-west

[ISAKMP-peer-east]
Phase=			1
Transport=		udp
Address=		11.22.33.44
Configuration=		Default-main-mode
Authentication=		mypassphrase

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-east
Configuration=		Default-quick-mode
Local-ID=		Net-west
Remote-ID=		Net-east

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.1.0
Netmask=		255.255.255.0

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-BLF-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE
#Suites=                 QM-ESP-AES-SHA-PFS-SUITE
--------------------

Here is my policy file (isakmpd.policy)
--------------------
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:mypassphrase"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "sha" -> "true";
--------------------

And here are the last few lines of debugging output from isakmpd
(/sbin/isakmpd -d -DA=99 -D1=70)
--------------------
062250.741114 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
062250.741144 Default dropped message from 11.22.33.44 port 500 due to notification type NO_PROPOSAL_CHOSEN
062250.741169 Misc 60 conf_get_str: [General]:Exchange-max-time->120
062250.741198 Timr 10 timer_add_event: event exchange_free_aux(0xf4d00) added before cookie_reset_event(0x0), expiration in 120s
062250.741228 Exch 10 exchange_establish_p2: 0xf4d00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
062250.741252 Exch 10 exchange_establish_p2: icookie c69acb02bbfa73f0 rcookie 21cf77e7e558a6ad
062250.741273 Exch 10 exchange_establish_p2: msgid 9819c306 sa_list 
[...]
062250.745102 Exch 80 exchange_free_aux: freeing exchange 0xf4b00
062250.745123 Mesg 20 message_free: freeing 0xf4c00
062250.745195 Exch 10 exchange_finalize: 0xf4d00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
062250.745973 Exch 10 exchange_finalize: icookie c69acb02bbfa73f0 rcookie 21cf77e7e558a6ad
062250.745995 Exch 10 exchange_finalize: msgid 9819c306 sa_list 
062250.746016 Timr 10 timer_remove_event: removing event exchange_free_aux(0xf4d00)
062250.746036 Exch 80 exchange_free_aux: freeing exchange 0xf4d00
062250.746057 Mesg 20 message_free: freeing 0xf4e00
062307.044864 Timr 10 timer_handle_expirations: event connection_checker(0xf1800)
062307.044968 Misc 60 conf_get_str: configuration value not found [General]:check-interval
062307.045001 Timr 10 timer_add_event: event connection_checker(0xf1800) added before exchange_free_aux(0xf4500), expiration in 60s
062307.045027 SA   90 sa_find: no SA matched query
062307.045046 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing
062307.045071 Misc 60 conf_get_str: [IPsec-east-west]:Phase->2
062307.045096 Exch 90 exchange_lookup_by_name: IPsec-east-west == <unnamed> && 2 == 2?
062307.045118 Exch 90 exchange_lookup_by_name: IPsec-east-west == IPsec-east-west && 2 == 2?
062307.045139 Exch 40 exchange_establish: IPsec-east-west exchange already exists as 0xf4000
--------------------


-- 
Cam Schaus
cam_(_at_)_cds_(_dot_)_realcase_(_dot_)_com
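An added example, not part of the original post or of isakmpd: a small checker that reads the Conditions clause of the policy file quoted above and reports which conditions an SA built from each configured suite would fail. The suite-to-attribute mapping (esp_enc_alg "blowfish", "3des", "aes" and esp_auth_alg "sha") is an assumption made for illustration; the exact attribute strings isakmpd passes to KeyNote are documented in isakmpd.policy(5).

```python
import re

# Constructed copy of the poster's isakmpd.policy; only the Conditions clause matters here.
POLICY = """KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:mypassphrase"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "sha" -> "true";
"""

# Assumed attribute sets for an ESP SA built from each suite in the poster's
# isakmpd.conf (plus the commented-out AES suite). The exact strings isakmpd
# hands to KeyNote are documented in isakmpd.policy(5); these are illustrative.
SUITES = {
    "QM-ESP-BLF-SHA-PFS-SUITE":  {"esp_enc_alg": "blowfish", "esp_auth_alg": "sha"},
    "QM-ESP-3DES-SHA-PFS-SUITE": {"esp_enc_alg": "3des", "esp_auth_alg": "sha"},
    "QM-ESP-AES-SHA-PFS-SUITE":  {"esp_enc_alg": "aes", "esp_auth_alg": "sha"},
}
COMMON = {"app_domain": "IPsec policy", "esp_present": "yes"}
TERM = re.compile(r'(\w+)\s*(==|!=)\s*"([^"]*)"')

def parse_conditions(policy):
    """Return the (attr, op, value) terms of an &&-joined Conditions clause."""
    m = re.search(r'Conditions:\s*(.*?)\s*->\s*"true"\s*;', policy, re.S)
    if not m:
        raise ValueError('no Conditions clause ending in -> "true"')
    return TERM.findall(m.group(1))

def failing_terms(policy, sa_attrs):
    """Conditions the SA would not satisfy; unset attributes compare as ""
    (KeyNote treats an undefined attribute as the empty string)."""
    failures = []
    for attr, op, want in parse_conditions(policy):
        have = sa_attrs.get(attr, "")
        ok = (have == want) if op == "==" else (have != want)
        if not ok:
            failures.append((attr, op, want, have))
    return failures

def check_suites(policy, suites):
    """Map each suite to its failing conditions; an empty list means it passes."""
    return {name: failing_terms(policy, {**COMMON, **attrs})
            for name, attrs in suites.items()}

if __name__ == "__main__":
    for name, fails in check_suites(POLICY, SUITES).items():
        print(name, "passes policy" if not fails else "failed policy check")
        for attr, op, want, have in fails:
            print(f'  {attr} {op} "{want}" but the SA has "{have}"')
```

Run against the quoted policy, only the AES suite satisfies `esp_enc_alg == "aes"`, which is consistent with the "negotiated SA failed policy check" lines in the daemon output for the two active suites.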