Re: "FreeS/WAN - isakmpd" monday match... I offer a beer...

[Andrew Rucker Jones <arjones_(_at_)_simultan_(_dot_)_dyndns_(_dot_)_org>]

... or perhaps more likely isakmpd is not running on OpenBSD.

I've looked at everything, and the tcpdump output from the third machine 
cannot possibly match the OpenBSD log output. In the tcpdump output, 
Linux tries to send packets to OpenBSD, which has nothing listening on 
UDP port 500 (or is perhaps rejecting them because of firewall rules). 
In the log messages, i believe i see about three packets, all of them on 
their way to building a phase 1 SA. Linux sends something to OpenBSD, 
which reponds, then Linux sends the next packet in the phase 1 sequence, 
and so on. The Linux logs don't tell me anything. The configuration 
files look 100% right.
	So, check for possible firewall rules, check that isakmpd is running 
(the best thing to do is to kill all instances of isakmpd, and i mean do 
ps aux | grep isakmp and kill them all, stop FreeS/WAN, start isakmpd, 
then start FreeS/WAN -- i also noted that FreeS/WAN was sending a packet 
to OpenBSD that was for phase 2, which might imply to me that FreeS/WAN 
has some stale ISAKMP SA's hanging around), and also make sure that 
sysctl -a reports net.inet.esp.enable = 1. Before starting isakmpd and 
FreeS/WAN, be sure to start tcpdump and get a clean trace of the whole 
thing.

			-&


Stephen J. Bevan wrote:
> goony writes:
>  > Hi all, how are u?! :)
>  > Log sniff from third machine: 192.168.11.210
>  > http://goony.openbeer.it/misc/testvpn/snif
>
> This shows that 192.168.11.192 is sending out an ISAKMP message, but
> the IKE daemon on hate.intranet is not receiving it (the ICMP port
> unreachable).  I'm guessing you have a firewall rule on hate.intranet
> what is blocking inbound UDP on port 500.


--
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.