[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Slew of Firewall-1/OpenBSD VPN Troubles



Still fighting to get a reliable VPN tunnel working. Thanks to  
Hans-Joerg Hoexer for his help before, but that seems to just be the tip 
of the iceburg.

The problem I'm having is, my VPN tunnel works, but it drops a 
significant number of packets, and spews numerous errors on the OpenBSD 
side (Firewall-1 isn't complaining at all).


When starting up isakmpd, I get the following error:

Aug  4 03:48:41 gate1 isakmpd[2737]: exchange_setup_p1: expected 
exchange type ID_PROT got AGGRESSIVE
Aug  4 03:49:11 gate1 last message repeated 2 times


On the firewall-1 side of things, Aggressive is disabled, in trying all 
combinations of Aggressive and ID_PROT (for both Firewall-1 and OBSD), 
It always gives the error above.


The above error is later followed by a -lot- of:

Aug  4 13:46:29 gate1 isakmpd[28518]: message_parse_payloads: reserved 
field non-zero: 20
Aug  4 13:46:29 gate1 isakmpd[28518]: dropped message from 
216.82.85.146 port 500 due to notification type PAYLOAD_MALFORMED
Aug  4 13:46:29 gate1 isakmpd[28518]: message_parse_payloads: reserved 
field non-zero: 20
Aug  4 13:46:29 gate1 isakmpd[28518]: dropped message from 
216.82.85.146 port 500 due to notification type PAYLOAD_MALFORMED
Aug  4 13:46:49 gate1 isakmpd[28518]: message_parse_payloads: invalid 
next payload type 114 in payload of type 8
Aug  4 13:46:49 gate1 isakmpd[28518]: dropped message from 
216.82.85.146 port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug  4 13:46:49 gate1 isakmpd[28518]: message_parse_payloads: invalid 
next payload type 114 in payload of type 8
Aug  4 13:46:49 gate1 isakmpd[28518]: dropped message from 
216.82.85.146 port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug  4 07:46:42 gate1 /bsd: hme4: status=400<MAXPKT>



Notice the out-of-whack time between what isakmpd is reporting and what 
the kernel is reporting. I have ntpd running, and the kernel does have 
the correct time. Even after restarting isakmpd, it still reports the 
time wrong.



I've searched, looked at debugging and isakmpd.pcap output, but have no 
idea what its problem is. I've tried a patched and unpatched isakmpd 
with no change in behaviour (just making sure). I've also turned on 
increased logging with Firewall-1 with little usable output. From the 
looks of it, when the two negotiated it does it several times for 
whatever reason.



Any help on this would be appreciated. As before, below is my current 
configuration.

Thanks,

Chris



isakmpd.conf:
[General]
Default-phase-1-lifetime=       10080,60:604800
Default-phase-2-lifetime=       3600,60:604800

[Phase 1]
216.82.85.146=         gate2-peer

[Phase 2]
Connections=            Office-VPN

[gate2-peer]
Phase=                  1
Transport=              udp
Address=                216.82.85.146
Configuration=          Default-main-mode
Authentication=         xxxxx

[Office-VPN]
Phase=                  2
ISAKMP-peer=            gate2-peer
Configuration=          Default-quick-mode
Local-ID=               Gate1-Internal-network
Remote-ID=              Gate2-Internal-network

[Gate1-Internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.121.0
Netmask=                255.255.255.0

[Gate2-Internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.120.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE



isakmpd.policy:
Keynote-version: 2
Authorizer: "POLICY"
Conditions:     app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";



isakmpd.pcap:

# tcpdump -vr isakmpd.pcap
tcpdump: WARNING: compensating for unaligned libpcap packets
18:51:24.451683 0.0.0.0.isakmp > 216.82.85.146.isakmp:  [bad udp cksum 
a77f!] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0000000000000000 msgid: 00000000 len: 
80
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute NONE =
                        attribute NONE =
                        attribute NONE =  [ttl 0] (id 1)
18:51:24.457956 216.82.85.146.isakmp > 209.82.103.246.isakmp:  [bad udp 
cksum a77f!] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 00000000 len: 
80
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute NONE =
                        attribute NONE =
                        attribute NONE =  [ttl 0] (id 1)
18:51:24.662689 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [bad udp 
cksum baf!] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 00000000 len: 
180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1)
18:51:24.670937 216.82.85.146.isakmp > 209.82.103.246.isakmp:  [bad udp 
cksum 1e67!] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 00000000 len: 
184
        payload: KEY_EXCH len: 132
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1)
18:51:24.917675 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [bad udp 
cksum 853f!] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 00000000 len: 
92
        payload: ID len: 12 type: IPV4_ADDR = 209.82.103.246
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: 0 (unknown) [ttl 0] (id 1)
18:51:24.941871 216.82.85.146.isakmp > 209.82.103.246.isakmp:  [udp sum 
ok] isakmp v1.0 exchange ID_PROT
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 00000000 len: 
68
        payload: ID len: 12 type: IPV4_ADDR = 216.82.85.146
        payload: HASH len: 24 [ttl 0] (id 1)
18:51:24.944231 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [bad udp 
cksum 1015!] isakmp v1.0 exchange QUICK_MODE
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 1595370b len: 
152
        payload: HASH len: 24
        payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 36 proposal: 0 proto: RESERVED spisz: 
0 xforms: 0
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1)
18:51:24.951690 216.82.85.146.isakmp > 209.82.103.246.isakmp:  [bad udp 
cksum 4830!] isakmp v1.0 exchange QUICK_MODE
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 1595370b len: 
164
        payload: HASH len: 24
        payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 36 proposal: 0 proto: RESERVED spisz: 
0 xforms: 0
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1)
18:51:24.953417 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange QUICK_MODE
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 1595370b len: 
52
        payload: HASH len: 24 [ttl 0] (id 1)
18:51:27.240071 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: 3098fcb858a41db1->0000000000000000 msgid: 00000000 len: 
56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1)
18:51:31.236143 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: f3e9b11a72e576c1->0000000000000000 msgid: 00000000 len: 
56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1)
18:51:35.236150 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: c2fe701eed6b58e2->0000000000000000 msgid: 00000000 len: 
56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1)
18:51:39.235936 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: 0f67a445defb1f19->0000000000000000 msgid: 00000000 len: 
56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1)
18:51:43.235962 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: 8d9067d2ef7ed9f0->0000000000000000 msgid: 00000000 len: 
56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1)
18:52:47.553864 209.82.103.246.isakmp > 216.82.85.146.isakmp:  [udp sum 
ok] isakmp v1.0 exchange INFO
        cookie: e85ce0fda26a521f->0fd4aee964db42ae msgid: 0c481fba len: 
68
        payload: HASH len: 24
        payload: DELETE len: 16 [ttl 0] (id 1)


Link to isakmpd -d -DA=90 (740k-ish, hopefully still useable):
http://chris.upnix.com/gate1/isakmpddebug.txt