
Re: "FreeS/WAN - isakmpd" news...



> > ... or perhaps more likely isakmpd is not running on OpenBSD.
> > 
> > I've looked at everything, and the tcpdump output from the third machine 
> > cannot possibly match the OpenBSD log output. In the tcpdump output, 
> > Linux tries to send packets to OpenBSD, which has nothing listening on 
> > UDP port 500 (or is perhaps rejecting them because of firewall rules). 
> > In the log messages, I believe I see about three packets, all of them on 
> > their way to building a phase 1 SA. Linux sends something to OpenBSD, 
> > which responds, then Linux sends the next packet in the phase 1 sequence, 
> > and so on. The Linux logs don't tell me anything. The configuration 
> > files look 100% right.
> > So, check for possible firewall rules, check that isakmpd is running 
> > (the best thing to do is to kill all instances of isakmpd, and I mean do 
> > ps aux | grep isakmp and kill them all, stop FreeS/WAN, start isakmpd, 
> > then start FreeS/WAN -- I also noted that FreeS/WAN was sending a packet 
> > to OpenBSD that was for phase 2, which might imply to me that FreeS/WAN 
> > has some stale ISAKMP SA's hanging around), and also make sure that 
> > sysctl -a reports net.inet.esp.enable = 1. Before starting isakmpd and 
> > FreeS/WAN, be sure to start tcpdump and get a clean trace of the whole 
> > thing.
> 
> Firewalls are down, and isakmpd is running... :(
> 09:26:07 ~ # netstat -na| grep 500
> udp        0      0  *.500                  *.*                   
> udp        0      0  192.168.11.127.500     *.*                   
> udp6       0      0  *.500                  *.*            
> 
> 09:26:16 ~ # ps -aux | grep isakmp 
> root      6494  0.0  0.0  1844  1476 p1  S+     9:25AM    0:00.74 isakmpd -d -DA=90 
> 
> I don't know.... :((
> 
> But the VPN OpenBSD - FreeS/WAN IPsec setup with manual keying is OK!
> http://goony.openbeer.it/misc/ipsec.conf.3
> http://goony.openbeer.it/misc/setup
> 
> The problem is only using isakmpd! :(

News... If I start isakmpd with "isakmpd -d" only, I get this output:

09:37:57 /etc/isakmpd # isakmpd -d 
093821.471967 Default check_policy: negotiated SA failed policy check
093821.472499 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093821.472747 Default initiator_recv_HASH_SA_NONCE: policy check failed
093821.807876 Default message_recv: invalid cookie(s) db948f16d6b2eb7c ffe180a90e8087fd
093821.808298 Default dropped message from 192.168.11.192 port 500 due to notification type INVALID_COOKIE
093831.553643 Default check_policy: negotiated SA failed policy check
093831.554094 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093831.554341 Default initiator_recv_HASH_SA_NONCE: policy check failed

ideas? 

tia,
goony


-- 
goony <goony_(_at_)_OpenBEER_(_dot_)_it>
"Beer OpenBSD User Group" founder - http://www.OpenBEER.it
KeyID: 1024D/1CDA1B3D
Fingerprint: CDF5 5246 D424 CF61 0330  A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: http://www.OpenBEER.it/keys/goony.gpg
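The isakmpd -d lines above are the only hard evidence in this thread, so here is a small log triage script, added as an example and not something posted in the thread or shipped with isakmpd. It assumes the line format visible above (six-digit timestamp with microseconds, the debug class "Default", then an optional "function:" prefix and the message), counts the ISAKMP notification types per peer, and attaches the meaning of the two notifications seen: NO_PROPOSAL_CHOSEN is reported here after check_policy rejects the negotiated SA (the local KeyNote policy in isakmpd.policy), and INVALID_COOKIE means the peer's message carried ISAKMP cookies this daemon has no SA for, which fits the stale-SA theory in the quoted advice. The sample log is the eight lines from the message; the hint texts and function names are this example's own.

```python
"""Triage of isakmpd -d log output.

Added example, not code from the thread or from the isakmpd project.
Assumed line format (taken from the lines posted in the thread):

    HHMMSS.microseconds <class> [<function>: ]<message>
"""
import re
from collections import Counter

# Sample input: the eight lines goony posted, copied verbatim.
SAMPLE_LOG = """\
093821.471967 Default check_policy: negotiated SA failed policy check
093821.472499 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093821.472747 Default initiator_recv_HASH_SA_NONCE: policy check failed
093821.807876 Default message_recv: invalid cookie(s) db948f16d6b2eb7c ffe180a90e8087fd
093821.808298 Default dropped message from 192.168.11.192 port 500 due to notification type INVALID_COOKIE
093831.553643 Default check_policy: negotiated SA failed policy check
093831.554094 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093831.554341 Default initiator_recv_HASH_SA_NONCE: policy check failed
"""

LINE_RE = re.compile(r"^(?P<ts>\d{6}\.\d{6}) (?P<cls>\S+) (?P<rest>.*)$")
# Optional "function: " prefix; isakmpd logs the C function that emitted the line.
FUNC_RE = re.compile(r"^(?P<func>[A-Za-z_][A-Za-z0-9_]*): (?P<msg>.*)$")
# "dropped message from <peer> port <port> due to notification type <NAME>":
# the local daemon dropped the peer's message and reports the ISAKMP
# notification type (RFC 2408 section 3.14.1) associated with the drop.
NOTIFY_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)"
)
# Initiator and responder cookies of an ISAKMP SA this daemon does not know.
COOKIE_RE = re.compile(r"invalid cookie\(s\) (?P<icookie>[0-9a-f]{16}) (?P<rcookie>[0-9a-f]{16})")

# Defender-side reading of the notification types present in the sample.
# Hint wording is this example's own, not isakmpd documentation.
NOTIFY_HINT = {
    "NO_PROPOSAL_CHOSEN": (
        "local policy check (check_policy, isakmpd.policy) rejected the SA the "
        "peer proposed; compare the proposals on both sides with the policy"
    ),
    "INVALID_COOKIE": (
        "peer sent ISAKMP cookies this daemon has no SA for; consistent with a "
        "stale ISAKMP SA on the peer, restart both daemons and re-trace"
    ),
}


def parse_line(line):
    """Split one log line into timestamp, class, function (or None) and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fm = FUNC_RE.match(rest)
    func, msg = (fm.group("func"), fm.group("msg")) if fm else (None, rest)
    return {"ts": m.group("ts"), "cls": m.group("cls"), "func": func, "msg": msg}


def triage(log_text):
    """Summarise a block of isakmpd -d output.

    Returns counts of parsed lines, emitting functions, notification types per
    peer, the unknown cookie pairs seen, and one finding string per
    (peer, notification) pair.
    """
    funcs = Counter()
    notifies = Counter()
    cookies = []
    parsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        parsed += 1
        funcs[ev["func"]] += 1
        nm = NOTIFY_RE.search(ev["msg"])
        if nm:
            notifies[(nm.group("peer"), nm.group("notify"))] += 1
        cm = COOKIE_RE.search(ev["msg"])
        if cm:
            cookies.append((cm.group("icookie"), cm.group("rcookie")))
    findings = []
    for (peer, notify), n in sorted(notifies.items()):
        hint = NOTIFY_HINT.get(notify, "notification type not covered by this triage")
        findings.append(f"{peer}: {notify} x{n}: {hint}")
    return {
        "parsed": parsed,
        "funcs": dict(funcs),
        "notifies": dict(notifies),
        "invalid_cookies": cookies,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"parsed {result['parsed']} lines")
    for f in result["findings"]:
        print(f)
```

On the sample, the script reports two NO_PROPOSAL_CHOSEN drops and one INVALID_COOKIE drop, all for 192.168.11.192, with the policy failure repeating ten seconds apart (093821 and 093831), i.e. the same exchange being retried. The same regexes can be pointed at a longer capture from a real run to see whether the pattern persists after the clean restart the quoted advice describes.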