
Re: IPSec between OpenBSD and FreeBSD



On Thu, Jan 09, 2003 at 06:16:16PM +0100, Hakan Olsson wrote:
> > After starting racoon and isakmpd all traffic from dmz to
> > 192.168.2.0/24 goes to the defaultroute 192.168.9.11.
> 
> You have not gotten any VPN negotiated at this point, so normal IP routing
> rules apply.

OK, I hope to solve this with ipsecadm flow -bypass -addr 192.168.0.0
255.255.255.0 192.168.153.0 255.255.255.0

> I think you would have greater success with this if you do not run the two
> ipsecadm commands before starting isakmpd. isakmpd will create the needed
> SPD entries itself as it negotiates the keys.

Yes, I tested it and it looks better. The above errors don't come up
anymore.

> Your isakmpd.conf looks sane, AFAICT, and should work. I'll walk through
> it briefly and point out a couple of things.

Now it looks like the tunnel works for a short time.

Here are some snapshots from the racoon log:

2003-01-09 19:12:50: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2003-01-09 19:12:50: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2003-01-09 19:12:50: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
2003-01-09 19:12:51: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.9.11[0]<=>192.168.9.9[0]
2003-01-09 19:12:51: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=169690993(0xa1d4771)
2003-01-09 19:12:51: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=35529545(0x21e2349)
003-01-09 19:13:16: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=35529545(0x21e2349)
2003-01-09 19:13:16: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.9.11[0]<=>192.168.9.9[0]
2003-01-09 19:13:16: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=169690993(0xa1d4771)
2003-01-09 19:13:16: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=83613680(0x4fbd7f0)
2003-01-09 19:13:16: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=2614862601(0x9bdba309)
2003-01-09 19:13:17: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.9.11[0]<=>192.168.9.9[0]
2003-01-09 19:13:17: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:3 peer:12
2003-01-09 19:13:17: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2003-01-09 19:13:17: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2003-01-09 19:13:17: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
2003-01-09 19:13:30: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.9.11[0]<=>192.168.9.9[0]
2003-01-09 19:13:30: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:3 peer:12
2003-01-09 19:13:30: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2003-01-09 19:13:30: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2003-01-09 19:13:30: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
2003-01-09 19:13:45: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:3 peer:12
2003-01-09 19:13:45: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2003-01-09 19:13:45: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2003-01-09 19:13:45: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
2003-01-09 19:13:46: INFO: isakmp_inf.c:925:purge_ipsec_spi(): purged IPsec-SA proto_id=ESP spi=2614862601.
2003-01-09 19:13:50: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 192.168.9.11[500]-192.168.9.9[500] spi:d4399e7206a4b756:a4e956bbb06d16e2
2003-01-09 19:13:51: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.9.11[500]-192.168.9.9[500] spi:d4399e7206a4b756:a4e956bbb06d16e2
2003-01-09 19:14:06: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=162441192(0x9aea7e8)
2003-01-09 19:14:06: INFO: isakmp.c:1703:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2003-01-09 19:14:06: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=247822823(0xec579e7)
2003-01-09 19:14:37: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.9.9->192.168.9.11 
2003-01-09 19:14:37: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase 2 handler.
2003-01-09 19:14:38: INFO: isakmp.c:1703:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2003-01-09 19:14:43: ERROR: isakmp.c:1437:isakmp_ph1resend(): phase1 negotiation failed due to time up. 225b2e2ffcdb3c46:0000000000000000

isakmpd gives only:

191947.597497 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192007.607474 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192023.603859 Default transport_send_messages: giving up on message 0x114f00
192027.627640 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192046.978333 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192107.090835 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192153.610737 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
192213.748884 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE

The spd on racoon looks like this:

spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.9.9-192.168.9.11;
spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.9.11-192.168.9.9;


Thanks for any hint
Matthias

-- 
Matthias Teege -- matthias_(_at_)_mteege_(_dot_)_de -- http://www.mteege.de
make world not war
PGP key on request
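Added here as an editor's example (not code from this thread or from racoon/isakmpd): a small Python parser for the two log formats quoted above that decodes the numbers in racoon's "trns_id mismatched" line with the IPsec DOI ESP transform table (RFC 2407 plus IANA's ESP_AES = 12) and pulls out isakmpd's phase-1 exchange-mode complaint. The log line shapes are inferred from the quoted output and are an assumption, not racoon's documented format.

```python
import re
from collections import Counter
# ESP transform ids from the IPsec DOI (RFC 2407 sec. 4.4.4) plus IANA's later
# ESP_AES = 12; these are the numbers racoon prints in "trns_id mismatched".
ESP_TRANSFORM = {1: "ESP_DES_IV64", 2: "ESP_DES", 3: "ESP_3DES", 4: "ESP_RC5",
                 5: "ESP_IDEA", 6: "ESP_CAST", 7: "ESP_BLOWFISH", 8: "ESP_3IDEA",
                 9: "ESP_DES_IV32", 10: "ESP_RC4", 11: "ESP_NULL", 12: "ESP_AES"}
# Line shapes inferred from the logs quoted above (an assumption, not racoon's spec).
RACOON_RE = re.compile(r"^(\S+ \S+): (\w+): (\S+?):(\d+):(\w+)\(\): (.*)$")
TRNS_RE = re.compile(r"trns_id mismatched: my:(\d+) peer:(\d+)")
ISAKMPD_RE = re.compile(r"expected exchange type (\w+) got (\w+)")

def parse_racoon_line(line):
    """Split one racoon line into its fields; None if it is not in that shape."""
    m = RACOON_RE.match(line.strip())
    if not m:
        return None
    ts, level, src, _lineno, func, msg = m.groups()
    return {"ts": ts, "level": level, "file": src, "func": func, "msg": msg}

def diagnose(racoon_lines, isakmpd_lines):
    """Summarise both logs: decoded phase-2 transform mismatch, phase-1 mode mismatch, ERROR counts, SA churn."""
    f = {"phase2_transform_mismatch": None, "phase1_mode_mismatch": None,
         "errors": Counter(), "sa_established": 0, "sa_expired": 0}
    for rec in filter(None, map(parse_racoon_line, racoon_lines)):
        if rec["level"] == "ERROR":
            f["errors"][rec["func"]] += 1
        m = TRNS_RE.search(rec["msg"])
        if m:  # turn both transform numbers into their DOI names
            mine, peer = (int(g) for g in m.groups())
            f["phase2_transform_mismatch"] = (ESP_TRANSFORM.get(mine, f"unknown({mine})"),
                                              ESP_TRANSFORM.get(peer, f"unknown({peer})"))
        if "IPsec-SA established" in rec["msg"]:
            f["sa_established"] += 1
        elif "IPsec-SA expired" in rec["msg"]:
            f["sa_expired"] += 1
    for line in isakmpd_lines:
        m = ISAKMPD_RE.search(line)
        if m:  # isakmpd names the phase-1 mode it wanted and the one the peer sent
            f["phase1_mode_mismatch"] = (m.group(1), m.group(2))
    return f

# Sample input: four racoon lines and one isakmpd line taken from the logs above.
RACOON_SAMPLE = [
    "2003-01-09 19:12:51: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=169690993(0xa1d4771)",
    "2003-01-09 19:13:16: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=35529545(0x21e2349)",
    "2003-01-09 19:13:17: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:3 peer:12",
    "2003-01-09 19:13:17: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.",
]
ISAKMPD_SAMPLE = ["191947.597497 Default exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE"]
```

On the quoted logs this reports the racoon side offering 3DES (id 3) while the peer proposes AES (id 12) in phase 2, and isakmpd refusing an aggressive-mode phase 1 because it is configured for main mode (ID_PROT), which are the two things to reconcile in the two configs.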