
Re: Help with isakmpd ( Is there a problem between 2.9 and 3.0 isakmpd)?



I am rebuilding the 2.9 box into a 3.0 box, since the 2.9 seems to be the one that is not communicating.


At 10:12 AM 12/18/2001 -0600, you wrote:
I am trying to set up a very simple VPN between two machines on the same test subnet (192.168.35.0/24). I can ping the boxes from each other, and I can also use ipsecadm to set up a VPN between the two.

Here are the specs:

credence 192.168.35.8
chinook   192.168.35.100

*ipsecadm information on credence
/sbin/ipsecadm new esp -src 192.168.35.8 -dst 192.168.35.100 -forcetunnel -spi 1002 -enc blf -auth sha1 -key 2ea140ac3911cb272ea140ac3911cb272ea140ac -authkey 176cc284bc1631afbd1468fbe976fa729fcb4321
/sbin/ipsecadm new esp -src 192.168.35.100 -dst 192.168.35.8 -forcetunnel -spi 2001 -enc blf -auth sha1 -key 2ea140ac3911cb272ea140ac3911cb272ea140ac -authkey 176cc284bc1631afbd1468fbe976fa729fcb4321
/sbin/ipsecadm flow -proto esp -dst 192.168.35.100 -addr 192.168.35.8 255.255.255.255 192.168.35.100 255.255.255.255


*ipsecadm information on chinook

/sbin/ipsecadm new esp -src 192.168.35.100 -dst 192.168.35.8 -forcetunnel -spi 2001 -enc blf -auth sha1 -key 2ea140ac3911cb272ea140ac3911cb272ea140ac -authkey 176cc284bc1631afbd1468fbe976fa729fcb4321
/sbin/ipsecadm new esp -src 192.168.35.8 -dst 192.168.35.100 -forcetunnel -spi 1002 -enc blf -auth sha1 -key 2ea140ac3911cb272ea140ac3911cb272ea140ac -authkey 176cc284bc1631afbd1468fbe976fa729fcb4321
/sbin/ipsecadm flow -proto esp -dst 192.168.35.8 -addr 192.168.35.100 255.255.255.255 192.168.35.8 255.255.255.255


Like I said, the above works.

So I fill in the blanks for isakmpd, which gives me:

*isakmpd.conf for credence.

[General]
Retransmits=5
Exchange-max-time=120
Listen-on=192.168.35.8

[Phase 1]
192.168.35.100=Chinook

[Phase 2]
Connections=Chinook-Credence

[Chinook]
Phase=1
Transport=udp
Local-Address=192.168.35.8
Address=192.168.35.100
Configuration=Default-main-mode
Authentication=mekmitasdigoat

[Chinook-Credence]
Phase=2
ISAKMP-peer=Chinook
Configuration=Default-quick-mode

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-SHA-PFS-SUITE

*isakmpd.conf for chinook.

[General]
Retransmits=5
Exchange-max-time=120
Listen-on=192.168.35.100

[Phase 1]
192.168.35.8=Credence

[Phase 2]
Connections=Credence-Chinook

[Credence]
Phase=1
Transport=udp
Local-Address=192.168.35.100
Address=192.168.35.8
Configuration=Default-main-mode
Authentication=mekmitasdigoat

[Credence-Chinook]
Phase=2
ISAKMP-peer=Credence
Configuration=Default-quick-mode

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-SHA-PFS-SUITE

*This is what I have in both of the isakmpd.policy files

KeyNote-Version: 2
Authorizer: "POLICY"

When I start isakmpd -d -DA=99 on credence, I get a lot of stuff that scrolls off the screen and past the buffer (which I can't adjust, unfortunately). What it ends up with is:

020209.599324 Trpt 90 transport_reference: transport 0x10f400 now has 2 references
020209.599933 Trpt 90 transport_reference: transport 0x10f380 now has 2 references
020209.600678 Trpt 90 transport_reference: transport 0x10f300 now has 2 references
020209.601600 Misc 60 conf_get_str: [General]:retransmits->5
020209.602180 Default transport_send_messages: giving up on message 0x10da00
020209.602755 Mesg 20 message_free: freeing 0x10da00
020209.603400 Trpt 90 transport_release: transport 0x10f400 had 2 references
020209.603984 SA 80 sa_release: SA 0x10db00 had 3 references
020209.604648 Trpt 90 transport_release: transport 0x10f400 had 1 references
020209.605226 Trpt 70 transport_release: freeing 0x10f400
020209.605915 Trpt 90 transport_release: transport 0x10f380 had 2 references
020209.607242 Trpt 90 transport_release: transport 0x10f300 had 2 references
020214.190078 Timr 10 timer_handle_expirations: event connection_checker(0x134d90)
020214.190980 Misc 60 conf_get_str: configuration value not found [General]:check-interval
020214.191671 Timr 10 timer_add_event: event connection_checker(0x134d90) added before cookie_reset_event(0x0), expiration in 60s
020214.192548 SA 90 sa_find: no SA matched query
020214.193079 Sdep 70 pf_key_v2_connection_check: SA for Chinook-Credence missing
020214.193790 Misc 60 conf_get_str: [Chinook-Credence]:Phase->2
020214.194375 Exch 90 exchange_lookup_by_name: Chinook-Credence == Chinook && 2 == 1?
020214.195103 Misc 60 conf_get_str: [Chinook-Credence]:ISAKMP-peer->Chinook
020214.195682 SA 90 sa_find: no SA matched query
020214.196326 Misc 60 conf_get_str: [Chinook]:Phase->1
020214.196887 Misc 60 conf_get_str: [Chinook]:Phase->1
020214.197541 Exch 90 exchange_lookup_by_name: Chinook == Chinook && 1 == 1?
020214.198126 Exch 40 exchange_establish: Chinook exchange already exists as 0x10d900


A tcpdump -i fxp0 proto 500 gives this:

credence# tcpdump -i fxp1 port 500
tcpdump: listening on fxp1
02:04:14.202511 credence.graysdepot.org.isakmp > 192.168.35.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: c55030fe505e2b10->0000000000000000 msgid: 00000000 len: 80
02:04:21.221756 credence.graysdepot.org.isakmp > 192.168.35.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: c55030fe505e2b10->0000000000000000 msgid: 00000000 len: 80
02:04:30.240980 credence.graysdepot.org.isakmp > 192.168.35.100.isakmp: isakmp v1.0 exchange ID_PROT



If I try this from the other side I get a slightly different result.

When I start isakmpd -d -DA=99 on credence, I end up with:

035936.038334 Trpt 90 transport_reference: transport 0x10f200 now has 1 references
035936.038362 Misc 60 conf_get_str: [General]:Listen-on->192.168.35.100
035936.038381 Trpt 70 transport_add: adding 0x10f280
035936.038396 Trpt 90 transport_reference: transport 0x10f280 now has 1 references
035936.038411 Misc 60 conf_get_str: [General]:Listen-on->192.168.35.100
035936.039866 Timr 10 timer_handle_expirations: event connection_checker(0x134d90)
035936.039896 Misc 60 conf_get_str: configuration value not found [General]:check-interval
035936.039916 Timr 10 timer_add_event: event connection_checker(0x134d90) added before cookie_reset_event(0x0), expiration in 60s
035936.039948 SA 90 sa_find: no SA matched query
035936.039961 Sdep 70 pf_key_v2_connection_check: SA for Credence-Chinook missing
035936.039977 Misc 60 conf_get_str: [Credence-Chinook]:Phase->2
035936.039993 Misc 60 conf_get_str: [Credence-Chinook]:ISAKMP-peer->Credence
035936.472415 SA 90 sa_find: no SA matched query
035936.472438 Misc 60 conf_get_str: configuration value not found [Credence ]:Phase
035936.472452 Default exchange_establish: [Credence-Chinook]:ISAKMP-peer's (Credence ) phase is not 1



and a tcpdump -i xl0 proto 500 shows nothing.

Any help would be appreciated.

Thanks, Nick



--
Vides Credendo!
Nick Gray
Senior Network Engineer
Bruzenak inc.
nagray_(_at_)_austin_(_dot_)_rr_(_dot_)_com

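The chinook log above looks up a section called "[Credence ]" (note the trailing space) and then refuses to start the exchange because that peer's phase "is not 1". The following is an added checker, not code from the post or from isakmpd; it assumes, based on that log line, that isakmpd keeps a value's trailing whitespace, so its parser deliberately does not strip values, and the sample config is a constructed copy of chinook's isakmpd.conf with one trailing space on the ISAKMP-peer line.

```python
"""Check an isakmpd.conf for Phase 2 connections whose ISAKMP-peer does not
resolve to an existing Phase=1 section (e.g. because of trailing whitespace).
Added illustration; assumes isakmpd does not strip trailing whitespace from
values, as the "[Credence ]:Phase" lookup in the log suggests."""
import re

# Constructed sample: chinook's config from the post, with a trailing space
# deliberately appended to the ISAKMP-peer value to reproduce the log.
SAMPLE_CONF = "\n".join([
    "[General]", "Listen-on=192.168.35.100", "",
    "[Phase 1]", "192.168.35.8=Credence", "",
    "[Phase 2]", "Connections=Credence-Chinook", "",
    "[Credence]", "Phase=1", "Address=192.168.35.8",
    "Configuration=Default-main-mode", "",
    "[Credence-Chinook]", "Phase=2",
    "ISAKMP-peer=Credence" + " ",          # the suspected stray space
    "Configuration=Default-quick-mode", "",
])

def parse_conf(text):
    """Return {section: {key: raw_value}}; values keep trailing whitespace."""
    conf, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^\[(.*)\]\s*$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                        # stray line outside any section
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value  # raw, as isakmpd appears to see it
    return conf

def check_peers(conf):
    """Report each Phase 2 connection whose ISAKMP-peer is missing or not Phase 1."""
    problems = []
    for name in conf.get("Phase 2", {}).get("Connections", "").split(","):
        name = name.strip()
        peer = conf.get(name, {}).get("ISAKMP-peer", "")
        if peer not in conf:
            hint = " (trailing whitespace?)" if peer.strip() in conf else ""
            problems.append(f"[{name}]: ISAKMP-peer '{peer}' has no section{hint}")
        elif conf[peer].get("Phase") != "1":
            problems.append(f"[{name}]: ISAKMP-peer '{peer}' phase is not 1")
    return problems
```

Running check_peers(parse_conf(SAMPLE_CONF)) flags the Credence-Chinook connection and points at the whitespace; with the space removed it reports nothing.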