
isakmpd excessive logging



OpenBSD version 3.0 running isakmpd to link a pair of networks using OBSD
firewalls. Works just fine but, occasionally due to network hiccups, the tunnel
gets broken and I get:

Nov 21 20:42:14 denethor isakmpd[14978]: message_validate_hash: payload out of sequence
Nov 21 20:42:14 denethor isakmpd[14978]: dropped message from 11.111.111.111 port 500 due to notification type PAYLOAD_MALFORMED
Nov 21 20:42:14 denethor isakmpd[14978]: message_validate_hash: payload out of sequence
Nov 21 20:42:14 denethor isakmpd[14978]: dropped message from 11.111.111.111 port 500 due to notification type PAYLOAD_MALFORMED

where 11.111.111.111 is the remote gateway.

Is there a way to detect this and automatically restart isakmpd?  My
concern/complaint is that when this occurs I get THOUSANDS of these messages.
They all go to the console, so that I can't login as root and do anything.
They also go to syslog, and that just makes for huge logs.

I killed syslogd from an ssh connection and that stopped the file logging,
but console messages were still scrolling on the firewall's monitor faster
than a greased tumbleweed on speed.

Is there a way to get isakmpd to limit its error output? I'm not running
isakmpd with any flags.

My isakmpd.conf:

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=      22.222.222.222

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

[Phase 1]
11.111.111.111=         Law

[Phase 2]
Connections=            IPsec-Law-Dun

[Law]
Phase=                  1
Transport=              udp
Address=                11.111.111.111
ID=                     Dun-FQDN
Configuration=          Cert-main-mode

[IPsec-Law-Dun]
Phase=                  2
ISAKMP-peer=            Law
Configuration=          Cert-quick-mode
Local-ID=               Net-Dun
Remote-ID=              Net-Law

[Net-Law]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.100.0
Netmask=                255.255.255.0

[Net-Dun]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.0.0
Netmask=                255.255.255.0

[Dun-FQDN]
ID-type=                FQDN
Name=                   dunhost1.somwhere.com

[Cert-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_60_SECS,LIFE_1000_KB

[Cert-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE
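As an added example, not from the original post or from OpenBSD itself: a small sh/awk watcher that counts the "dropped message ... PAYLOAD_MALFORMED" lines quoted above per peer in the tail of a syslog file and runs an operator-supplied action once they pass a threshold. The sample log lines, the threshold of 2 and the restart command are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a syslog watcher for the
# isakmpd "dropped message ... PAYLOAD_MALFORMED" flood described above.
# It counts drops from one peer in the tail of a log and triggers an
# operator-supplied action once a threshold is reached. Assumes the syslog
# line format quoted in the post; threshold and action are assumptions.

# Constructed sample log mirroring the quoted lines (plus two unrelated ones).
SAMPLE_LOG="${TMPDIR:-/tmp}/isakmpd_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 21 20:42:14 denethor isakmpd[14978]: message_validate_hash: payload out of sequence
Nov 21 20:42:14 denethor isakmpd[14978]: dropped message from 11.111.111.111 port 500 due to notification type PAYLOAD_MALFORMED
Nov 21 20:42:14 denethor isakmpd[14978]: message_validate_hash: payload out of sequence
Nov 21 20:42:14 denethor isakmpd[14978]: dropped message from 11.111.111.111 port 500 due to notification type PAYLOAD_MALFORMED
Nov 21 20:42:15 denethor isakmpd[14978]: dropped message from 99.99.99.99 port 500 due to notification type PAYLOAD_MALFORMED
Nov 21 20:42:15 denethor sshd[2001]: Accepted publickey for admin from 192.168.0.5
EOF

# count_drops LOGFILE PEER [NLINES]: PAYLOAD_MALFORMED drops from PEER among
# the last NLINES lines (default 1000), so old incidents stop counting.
count_drops() {
    tail -n "${3:-1000}" "$1" | awk -v peer="$2" '
        /isakmpd\[[0-9]+\]: dropped message from / &&
        index($0, "from " peer " port ") > 0 &&
        /notification type PAYLOAD_MALFORMED/ { n++ }
        END { print n + 0 }'
}

# flood_detected LOGFILE PEER THRESHOLD: succeed when drops reach THRESHOLD.
flood_detected() {
    [ "$(count_drops "$1" "$2")" -ge "$3" ]
}

# watch_once LOGFILE PEER THRESHOLD ACTION: one cron-style pass; runs ACTION
# (for example "pkill isakmpd; isakmpd") only when the flood is detected.
# Returns 0 if the action ran, 1 otherwise.
watch_once() {
    if flood_detected "$1" "$2" "$3"; then
        sh -c "$4"
        return 0
    fi
    return 1
}

# Demonstration on the constructed log: threshold 2, action is a harmless echo.
watch_once "$SAMPLE_LOG" 11.111.111.111 2 'echo "flood from peer: restart isakmpd here"'
```

Run it from cron every minute against /var/log/messages with the real peer address and a restart command as ACTION; keep the threshold high enough that a single retransmit does not trigger it.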


