[Fwd: isakmpd Phase 2 negotiation]
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: [Fwd: isakmpd Phase 2 negotiation]
- From: Niels Lowensen <nlowen_(_at_)_idealnet_(_dot_)_net>
- Date: Thu, 26 Aug 1999 17:29:03 +0300
- Organization: European Dynamics S.A.
Hello there,
I posted the following already yesterday to isakmpd_(_at_)_gsnig_(_dot_)_net but it seems
to be a rather low volume mailing list which would explain (perhaps :-))
why I did not get an answer, yet.
Does anybody here have an idea?
nlowen_(_at_)_idealnet_(_dot_)_net wrote:
> Hello there,
>
> I am running OpenBSD 2.5 for i386 with the patches relevant to ipsec,
> pf_key etc. applied to the kernel (but no other modifications from the
> GENERIC kernel).
> I finally got isakmpd to work using the example given in the man
> isakmpd.conf page, with the changes needed for my setup (i.e. I changed
> General, Phase 1, Phase 2 and the ISAKMP-xx and IPsec-xx respectively)
> as well as the following addition to the transform section
> QM-ESP-DES-MD5-XF:
>
> [QM-ESP-DES-MD5-XF]
> TRANSFORM_ID=DES
> ENCAPSULATION_MODE=TUNNEL
> AUTHENTICATION_ALGORITHM=HMAC_MD5
> GROUP_DESCRIPTION=MODP_1024 <--- new entry
> Life=LIFE_600_SECS
>
> Thanks to Hakan for pointing out to me that the Group descriptions need
> to be the same for all suites offered in the Default-quick-mode section
> (perhaps that should be changed in the man page example :-))
>
> Now I was playing around a bit with isakmpd and looking at the actually
> exchanged packets with tcpdump on one of the machines using tcpdump -i
> xl1 udp port 500.
> What strikes me (forgive me if this is in the RFC or elsewhere defined
> as normal behaviour of isakmpd and I simply missed it) is the fact that
> both my machines initiate every minute an exchange of packets (3 packets
> are exchanged in total) and as a result the SPI shown with netstat -rn
> changes on both machines. BTW this happens independently of the
> load/traffic between the two machines.
> Since I assumed so far that there are only the Phase 1 and Phase 2
> exchanges, I would think that this is a Phase 2 exchange, which would
> mean that the keys used to encrypt the data are re-negotiated. If that
> is the case, it would mean that the defined "Life"s in isakmpd.conf
> would not be applied, since the Life-time for the transforms used in the
> man isakmpd.conf example is 600 secs.
>
> Is this perhaps a bug in the implementation or just a bug in my mind
> :-)?
> Could anyone please shed some light on this for me?
>
> Best regards and thanks in advance,
>
> Niels
>
> P.S. tcpdump output of the packets exchanged which repeats itself every
> minute:
> (I changed the hostnames, so that things are easier to read)
>
> 10:03:23.566846 obsd2.isakmp > obsd1.isakmp: udp 332
> 10:03:23.954857 obsd1.isakmp > obsd2.isakmp: udp 292
> 10:03:23.956586 obsd2.isakmp > obsd1.isakmp: udp 52
>
> 10:03:40.659709 obsd1.isakmp > obsd2.isakmp: udp 332
> 10:03:40.720298 obsd2.isakmp > obsd1.isakmp: udp 292
> 10:03:40.726010 obsd1.isakmp > obsd2.isakmp: udp 52
I also now had a look at /kern/ipsec in order to see more info on the
generated SPIs and I found that they are (supposedly) expired according to
the Life-value set in the configuration file. However, they are not _used_
for their entire lifetime.
Best regards and thanks a lot in advance for your help,
Niels
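As an added example (not from the post or from isakmpd itself): a small Python script that reads tcpdump output in the format quoted above, groups the packets into exchanges, and reports the intervals between a peer's consecutive exchanges that are shorter than the configured Life value. The sample capture is constructed from the two exchanges in the post plus a third one a minute later; the 5-second grouping gap is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the post's "tcpdump -i xl1 udp port 500" output:
# the two exchanges quoted in the post plus a third, a minute after the first.
SAMPLE = """\
10:03:23.566846 obsd2.isakmp > obsd1.isakmp: udp 332
10:03:23.954857 obsd1.isakmp > obsd2.isakmp: udp 292
10:03:23.956586 obsd2.isakmp > obsd1.isakmp: udp 52
10:03:40.659709 obsd1.isakmp > obsd2.isakmp: udp 332
10:03:40.720298 obsd2.isakmp > obsd1.isakmp: udp 292
10:03:40.726010 obsd1.isakmp > obsd2.isakmp: udp 52
10:04:23.601122 obsd2.isakmp > obsd1.isakmp: udp 332
10:04:23.990001 obsd1.isakmp > obsd2.isakmp: udp 292
10:04:23.992345 obsd2.isakmp > obsd1.isakmp: udp 52
"""
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.isakmp > (\S+)\.isakmp: udp (\d+)$")
LIFE_SECS = 600  # Life=LIFE_600_SECS from the post's transform section

def parse(text):
    """Return [(seconds since midnight, src, dst, udp length)] per ISAKMP line."""
    out = []
    for m in filter(None, map(LINE.match, text.splitlines())):  # non-matching lines skipped
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        out.append((secs, m.group(2), m.group(3), int(m.group(4))))
    return out

def exchanges(packets, gap=5.0):
    """Group packets into exchanges (a packet more than `gap` seconds after the
    previous one starts a new one), attributed to the host that sent the first
    packet. Returns [(initiator, start time, packet count)]."""
    groups = []  # each entry: [initiator, start, last seen, count]
    for secs, src, _dst, _ln in packets:
        if groups and secs - groups[-1][2] <= gap:
            groups[-1][2], groups[-1][3] = secs, groups[-1][3] + 1
        else:
            groups.append([src, secs, secs, 1])
    return [(g[0], g[1], g[3]) for g in groups]

def early_rekeys(text, life=LIFE_SECS):
    """Per initiator, intervals between its consecutive exchanges that are shorter
    than the configured lifetime, i.e. the every-minute pattern the post reports."""
    last, early = {}, {}
    for init, start, _n in exchanges(parse(text)):
        if init in last and start - last[init] < life:
            early.setdefault(init, []).append(round(start - last[init], 1))
        last[init] = start
    return early
```

Feed it a longer capture taken over several minutes and compare the reported intervals with the Life values in isakmpd.conf; an empty result means no peer started a new exchange before its previous SA's lifetime had run out.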