[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "FreeS/WAN - isakmpd" monday match... I offer a beer...

... or perhaps more likely isakmpd is not running on OpenBSD.

I've looked at everything, and the tcpdump output from the third machine cannot possibly match the OpenBSD log output. In the tcpdump output, Linux tries to send packets to OpenBSD, which has nothing listening on UDP port 500 (or is perhaps rejecting them because of firewall rules). In the log messages, i believe i see about three packets, all of them on their way to building a phase 1 SA. Linux sends something to OpenBSD, which reponds, then Linux sends the next packet in the phase 1 sequence, and so on. The Linux logs don't tell me anything. The configuration files look 100% right.
So, check for possible firewall rules, check that isakmpd is running (the best thing to do is to kill all instances of isakmpd, and i mean do ps aux | grep isakmp and kill them all, stop FreeS/WAN, start isakmpd, then start FreeS/WAN -- i also noted that FreeS/WAN was sending a packet to OpenBSD that was for phase 2, which might imply to me that FreeS/WAN has some stale ISAKMP SA's hanging around), and also make sure that sysctl -a reports net.inet.esp.enable = 1. Before starting isakmpd and FreeS/WAN, be sure to start tcpdump and get a clean trace of the whole thing.


Stephen J. Bevan wrote:
goony writes:
 > Hi all, how are u?! :)
 > Log sniff from third machine:
 > http://goony.openbeer.it/misc/testvpn/snif

This shows that is sending out an ISAKMP message, but
the IKE daemon on hate.intranet is not receiving it (the ICMP port
unreachable).  I'm guessing you have a firewall rule on hate.intranet
what is blocking inbound UDP on port 500.

GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

Visit your host, monkey.org