
ipsec prb.



Hi;

I have an IPSEC tunnel between OpenBSD 3.2 and a WatchGuard Firebox III which works great. The same isakmpd.conf
file also works with FreeBSD 4.8 and ISAKMPD from the FreeBSD ports. Now I tried OpenBSD 3.3 and found that
the tunnel does not work anymore. Are there any changes in isakmpd?

Running isakmpd shows this:

# isakmpd -d 

171648.671086 Default pf_key_v2_get_spi: GETSPI: Operation not supported
171648.671135 Default initiator_send_HASH_SA_NONCE: doi->get_spi failed
171648.671157 Default exchange_run: doi->initiator (0x170000) failed
171658.692308 Default message_recv: phase 1 message after ISAKMP SA is ready
171708.702537 Default message_recv: phase 1 message after ISAKMP SA is ready
171718.710389 Default message_recv: phase 1 message after ISAKMP SA is ready
171729.476180 Default message_recv: phase 1 message after ISAKMP SA is ready
171739.484021 Default message_recv: phase 1 message after ISAKMP SA is ready
171948.420435 Default pf_key_v2_get_spi: GETSPI: Operation not supported
171948.420481 Default initiator_send_HASH_SA_NONCE: doi->get_spi failed
171948.420503 Default exchange_run: doi->initiator (0x119a00) failed

171956.900164 Default x509_crl_init: x509_read_from_dir failed
171957.227397 Default pf_key_v2_get_spi: GETSPI: Operation not supported
171957.227446 Default initiator_send_HASH_SA_NONCE: doi->get_spi failed
171957.227496 Default exchange_run: doi->initiator (0x170000) failed
172007.230765 Default message_recv: phase 1 message after ISAKMP SA is ready
172017.241672 Default message_recv: phase 1 message after ISAKMP SA is ready
172027.265733 Default message_recv: phase 1 message after ISAKMP SA is ready
172037.270744 Default message_recv: phase 1 message after ISAKMP SA is ready
172047.290165 Default message_recv: phase 1 message after ISAKMP SA is ready

Any idea what went wrong or what to change/try?


isakmpd.conf

[General]
Policy-File=/etc/isakmpd/isakmpd.policy
Retransmits=5
Exchange-max-time=120
Listen-on=a.b.c.d
Shared-SADB=Defined
Default-phase-2-lifetime=10080,1200:14400
 
[Phase 1]
w.x.y.z=ISAKMP-peer-wg
Default=ISAKMP-peer-wg
 
[Phase 2]
Connections=IPSEC-bsd-wg
 
[ISAKMP-peer-wg]
Phase=1
Transport=udp
Local-address=a.b.c.d
Address=w.x.y.z
Configuration=Default-main-mode
Authentication=some-shared-secret

[IPSEC-bsd-wg]
Phase=2
ISAKMP-peer=ISAKMP-peer-wg
Configuration=Default-quick-mode
Local-ID=net-bsd
Remote-ID=net-wg
 
[net-bsd]
ID-Type=IPV4_ADDR_SUBNET
Network=192.168.160.0
Netmask=255.255.255.0
 
[net-wg]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.161.0
Netmask=255.255.255.0
 
[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=DES-MD5,DES-SHA,3DES-MD5,3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE
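The isakmpd -d output quoted above can be triaged mechanically. The following Python is an added example (not code from the post or from isakmpd) that parses log lines in the format shown and reports whether phase 1 completed and whether the phase 2 failure is the local kernel refusing GETSPI rather than a problem with the peer; the sample input is a constructed subset of the lines quoted above, and the field layout (timestamp, log class, function, message) is assumed from those lines.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the isakmpd -d lines quoted in the post.
SAMPLE_LOG = """\
171648.671086 Default pf_key_v2_get_spi: GETSPI: Operation not supported
171648.671135 Default initiator_send_HASH_SA_NONCE: doi->get_spi failed
171648.671157 Default exchange_run: doi->initiator (0x170000) failed
171658.692308 Default message_recv: phase 1 message after ISAKMP SA is ready
171956.900164 Default x509_crl_init: x509_read_from_dir failed
171957.227496 Default exchange_run: doi->initiator (0x170000) failed
"""

# One isakmpd -d line: HHMMSS.usec, log class ("Default"), "function: message".
LINE_RE = re.compile(r"^(\d{6}\.\d+)\s+(\S+)\s+(\w+):\s+(.*)$")
EXCHANGE_RE = re.compile(r"doi->initiator \((0x[0-9a-f]+)\) failed")

def parse_log(text):
    # Return (timestamp, log_class, function, message) for each well-formed line.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def triage(text):
    """Say where the negotiation stops, using only what the log states."""
    entries = parse_log(text)
    funcs = [(fn, msg) for _, _, fn, msg in entries]
    failed = Counter(m.group(1) for _, msg in funcs
                     for m in EXCHANGE_RE.finditer(msg))
    result = {
        # "phase 1 message after ISAKMP SA is ready": the ISAKMP SA itself
        # was negotiated, so the peer and the shared secret are fine.
        "phase1_established": any("ISAKMP SA is ready" in msg for _, msg in funcs),
        # GETSPI is a PF_KEY request to the local kernel; "Operation not
        # supported" is the kernel's answer, so this failure is local.
        "kernel_getspi_unsupported": any(
            fn == "pf_key_v2_get_spi" and "not supported" in msg for fn, msg in funcs),
        "crl_dir_missing": any(fn == "x509_crl_init" for fn, _ in funcs),
        "failed_exchanges": dict(failed),  # exchange pointer -> failure count
    }
    if result["kernel_getspi_unsupported"]:
        result["verdict"] = "phase 2 blocked locally: kernel refused GETSPI"
    elif result["phase1_established"]:
        result["verdict"] = "phase 1 up, phase 2 failing for another reason"
    else:
        result["verdict"] = "phase 1 never completed"
    return result
```

Because the GETSPI error comes back over the local PF_KEY socket, the peer and the shared secret need not be involved at all; on OpenBSD releases of that era it is worth confirming that ESP support is enabled in the kernel (the net.inet.esp.enable sysctl) before changing isakmpd.conf.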