Re: "FreeS/WAN - isakmpd" news...
- To: misc@openbsd.org
- Subject: Re: "FreeS/WAN - isakmpd" news...
- From: goony <goony@OpenBEER.it>
- Date: Tue, 10 Dec 2002 09:39:32 +0100
- Cc: arjones@simultan.dyndns.org, stephen@dino.dnsalias.com, ho@crt.se
- Organization: OpenBEER
> > ... or perhaps more likely isakmpd is not running on OpenBSD.
> > I've looked at everything, and the tcpdump output from the third machine
> > cannot possibly match the OpenBSD log output. In the tcpdump output,
> > Linux tries to send packets to OpenBSD, which has nothing listening on
> > UDP port 500 (or is perhaps rejecting them because of firewall rules).
> > In the log messages, I believe I see about three packets, all of them on
> > their way to building a phase 1 SA. Linux sends something to OpenBSD,
> > which responds, then Linux sends the next packet in the phase 1 sequence,
> > and so on. The Linux logs don't tell me anything. The configuration
> > files look 100% right.
> > So, check for possible firewall rules, check that isakmpd is running
> > (the best thing to do is to kill all instances of isakmpd, and I mean do
> > ps aux | grep isakmp and kill them all, stop FreeS/WAN, start isakmpd,
> > then start FreeS/WAN -- I also noted that FreeS/WAN was sending a packet
> > to OpenBSD that was for phase 2, which might imply to me that FreeS/WAN
> > has some stale ISAKMP SAs hanging around), and also make sure that
> > sysctl -a reports net.inet.esp.enable = 1. Before starting isakmpd and
> > FreeS/WAN, be sure to start tcpdump and get a clean trace of the whole
> > thing.
> Firewalls are down, and isakmpd is running... :(
> 09:26:07 ~ # netstat -na| grep 500
> udp 0 0 *.500 *.*
> udp 0 0 192.168.11.127.500 *.*
> udp6 0 0 *.500 *.*
> 09:26:16 ~ # ps -aux | grep isakmp
> root 6494 0.0 0.0 1844 1476 p1 S+ 9:25AM 0:00.74 isakmpd -d -DA=90
> I don't know.... :((
> But the OpenBSD - FreeS/WAN VPN setup with IPsec manual keying works fine!
> The problem only appears when using isakmpd! :(
News... If I start isakmpd with "isakmpd -d" only, I get this output:
09:37:57 /etc/isakmpd # isakmpd -d
093821.471967 Default check_policy: negotiated SA failed policy check
093821.472499 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093821.472747 Default initiator_recv_HASH_SA_NONCE: policy check failed
093821.807876 Default message_recv: invalid cookie(s) db948f16d6b2eb7c ffe180a90e8087fd
093821.808298 Default dropped message from 192.168.11.192 port 500 due to notification type INVALID_COOKIE
093831.553643 Default check_policy: negotiated SA failed policy check
093831.554094 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093831.554341 Default initiator_recv_HASH_SA_NONCE: policy check failed
"Beer OpenBSD User Group" founder - http://www.OpenBEER.it
Fingerprint: CDF5 5246 D424 CF61 0330 A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: http://www.OpenBEER.it/keys/goony.gpg
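Added example, not part of this thread or of isakmpd itself: a small Python parser for the "isakmpd -d" lines quoted above, so the repeated NO_PROPOSAL_CHOSEN / INVALID_COOKIE drops can be counted per peer instead of read by eye. The sample input is a constructed copy of the log lines in the mail; the hint text in diagnose() is my own reading of the symptoms (local policy check rejecting the proposal, and unknown cookies pointing at a stale phase 1 SA as the earlier reply suggests), and the pointer to isakmpd.policy is an assumption about the usual place to look, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the "isakmpd -d" lines quoted in the mail above.
SAMPLE_LOG = """\
093821.471967 Default check_policy: negotiated SA failed policy check
093821.472499 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093821.472747 Default initiator_recv_HASH_SA_NONCE: policy check failed
093821.807876 Default message_recv: invalid cookie(s) db948f16d6b2eb7c ffe180a90e8087fd
093821.808298 Default dropped message from 192.168.11.192 port 500 due to notification type INVALID_COOKIE
093831.553643 Default check_policy: negotiated SA failed policy check
093831.554094 Default dropped message from 192.168.11.192 port 500 due to notification type NO_PROPOSAL_CHOSEN
093831.554341 Default initiator_recv_HASH_SA_NONCE: policy check failed
"""

# isakmpd -d lines: HHMMSS.micro, a module/class name ("Default"), then the message.
LINE_RE = re.compile(r"^(?P<ts>\d{6}\.\d{6})\s+(?P<module>\S+)\s+(?P<msg>.*)$")
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)"
)
COOKIE_RE = re.compile(
    r"invalid cookie\(s\) (?P<icookie>[0-9a-f]{16}) (?P<rcookie>[0-9a-f]{16})"
)
POLICY_MARK = "negotiated SA failed policy check"


def parse_line(line):
    """Classify one debug line; returns a dict, or None if the line is not in isakmpd format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "msg": m["msg"], "kind": "other"}
    d = DROP_RE.search(rec["msg"])
    c = COOKIE_RE.search(rec["msg"])
    if d:
        rec.update(kind="dropped", peer=d["peer"], port=int(d["port"]), notify=d["notify"])
    elif c:
        rec.update(kind="invalid_cookie", cookies=(c["icookie"], c["rcookie"]))
    elif POLICY_MARK in rec["msg"]:
        rec["kind"] = "policy_failed"
    return rec


def summarize(log_text):
    """Count dropped messages per peer and notification type; collect policy failures and bad cookies."""
    drops = defaultdict(Counter)
    policy_failures = 0
    invalid_cookies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dropped":
            drops[rec["peer"]][rec["notify"]] += 1
        elif rec["kind"] == "policy_failed":
            policy_failures += 1
        elif rec["kind"] == "invalid_cookie":
            invalid_cookies.append(rec["cookies"])
    return {
        "drops": dict(drops),
        "policy_failures": policy_failures,
        "invalid_cookies": invalid_cookies,
    }


def diagnose(summary):
    """Turn the counted symptoms into the next thing to check (my reading, not isakmpd's)."""
    hints = []
    for peer, counts in summary["drops"].items():
        if counts.get("NO_PROPOSAL_CHOSEN") and summary["policy_failures"]:
            hints.append(f"{peer}: proposal rejected by the local policy check "
                         f"(assumption: compare isakmpd.policy with the transforms the peer offers)")
        if counts.get("INVALID_COOKIE"):
            hints.append(f"{peer}: message carried unknown ISAKMP cookies "
                         f"(one side probably holds a stale phase 1 SA; restart both daemons)")
    return hints


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for peer, counts in s["drops"].items():
        print(peer, dict(counts))
    for hint in diagnose(s):
        print("-", hint)
```

Feed it a saved debug log with `summarize(open("isakmpd.log").read())`; the output groups the noise by peer so the two different failures (policy rejection versus unknown cookies) are visible as separate problems rather than one wall of timestamps.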