[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Fwd: isakmpd Phase 2 negotiation]
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: [Fwd: isakmpd Phase 2 negotiation]
- From: Niels Lowensen <nlowen_(_at_)_idealnet_(_dot_)_net>
- Date: Thu, 26 Aug 1999 17:29:03 +0300
- Organization: European Dynamics S.A.
I posted the following already yesterday to isakmpd_(_at_)_gsnig_(_dot_)_net but it seems
to be a rather low volume mailing lists which would explain (perhaps :-))
why I did not get an answer, yet.
Anybody here has an idea?
> Hello there,
> I am running OpenBSD 2.5 for i386 with the patches relevant to ipsec,
> pf_key etc. applied to the kernel (but no other modifications from the
> GENERIC kernel).
> I finally got isakmpd to work using the example given in the man
> isakmpd.conf page, with the changes needed for my setup (i.e. I changed
> General, Phase 1, Phase 2 and the ISAKMP-xx and IPsec-xx respectively)
> as well as the following addition to the transform section
> GROUP_DESCRIPTION=MODP_1024 <--- new entry
> Thanks to Hakan for pointing out to me that the Group descriptions need
> to be the same for all suites offered in the Default-quick-mode section
> (perhaps that should be changed in the man page example :-))
> Now I was playing around a bit with isakmpd and looking at the actually
> exchanged packets with tcpdump on one of the machines using tcpdump -i
> xl1 udp port 500.
> What strikes me (forgive me if this is in the RFC or elsewhere defined
> as normal behaviour of isakmpd and I simply missed it) is the fact that
> both my machines initiate every minute an exchange of packets (3 packets
> are exchanged in total) and as a result the SPI shown with netstat -rn
> changes on both machines. BTW this happens independently of the
> load/traffic between the two machines.
> Since I assumed so far that there are only the Phase 1 and Phase 2
> exchanges, I would think that this is a Phase 2 exchange, which would
> mean that the keys used to encrypt the data are re-negotiated. If that
> is the case, it would mean that the defined "Life"s in isakmpd.conf
> would not be applied, since the Life-time for the transforms used in the
> man isakmpd.conf example is 600 secs.
> Is this perhaps a bug in the implementation or just a bug in my mind
> Could anyone please shed some light on this for me?
> Best regards and thanks in advance,
> P.S. tcpdump output of the packets exchanged which repeats itself every
> (I changed the hostnames, so that thigs are easier to read)
> 10:03:23.566846 obsd2.isakmp > obsd1.isakmp: udp 332
> 10:03:23.954857 obsd1.isakmp > obsd2.isakmp: udp 292
> 10:03:23.956586 obsd2.isakmp > obsd1.isakmp: udp 52
> 10:03:40.659709 obsd1.isakmp > obsd2.isakmp: udp 332
> 10:03:40.720298 obsd2.isakmp > obsd1.isakmp: udp 292
> 10:03:40.726010 obsd1.isakmp > obsd2.isakmp: udp 52
I also now had a look at /kern/ipsec in order to see more info on the
generated SPIs and I found that they are (supposingly) expired according to
the Life-value set in the configuration file. However, they are not _used_
for their entire lifetime.
Best regards and thanks a lot in advance for your help,
Visit your host, monkey.org