[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: "FreeS/WAN - isakmpd" monday match... I offer a beer...
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: "FreeS/WAN - isakmpd" monday match... I offer a beer...
- From: Andrew Rucker Jones <arjones_(_at_)_simultan_(_dot_)_dyndns_(_dot_)_org>
- Date: Mon, 09 Dec 2002 21:08:19 +0100
- Organization: Private Individual
... or perhaps more likely isakmpd is not running on OpenBSD.
I've looked at everything, and the tcpdump output from the third machine
cannot possibly match the OpenBSD log output. In the tcpdump output,
Linux tries to send packets to OpenBSD, which has nothing listening on
UDP port 500 (or is perhaps rejecting them because of firewall rules).
In the log messages, i believe i see about three packets, all of them on
their way to building a phase 1 SA. Linux sends something to OpenBSD,
which reponds, then Linux sends the next packet in the phase 1 sequence,
and so on. The Linux logs don't tell me anything. The configuration
files look 100% right.
So, check for possible firewall rules, check that isakmpd is running
(the best thing to do is to kill all instances of isakmpd, and i mean do
ps aux | grep isakmp and kill them all, stop FreeS/WAN, start isakmpd,
then start FreeS/WAN -- i also noted that FreeS/WAN was sending a packet
to OpenBSD that was for phase 2, which might imply to me that FreeS/WAN
has some stale ISAKMP SA's hanging around), and also make sure that
sysctl -a reports net.inet.esp.enable = 1. Before starting isakmpd and
FreeS/WAN, be sure to start tcpdump and get a clean trace of the whole
Stephen J. Bevan wrote:
> Hi all, how are u?! :)
> Log sniff from third machine: 192.168.11.210
This shows that 192.168.11.192 is sending out an ISAKMP message, but
the IKE daemon on hate.intranet is not receiving it (the ICMP port
unreachable). I'm guessing you have a firewall rule on hate.intranet
what is blocking inbound UDP on port 500.
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
Visit your host, monkey.org