problems with ipsec on OpenBSD 2.8 ; KAME-Snap of 04122000
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: problems with ipsec on OpenBSD 2.8 ; KAME-Snap of 04122000
- From: Christian Ruediger Bahls <christian_(_at_)_it-netservice_(_dot_)_de>
- Date: Thu, 7 Dec 2000 17:21:53 +0100 (CET)
sorry for bothering you with this ..
but maybe somebody might have a look at this
and can tell me what i am doing wrong
i try to set up a VPN between two computers, left & right
[they are on the left and right side of my office desk]
topology something like this:
[left:10.0.0.2] <--> [right:10.0.0.1]
it seems to me that the exchange goes as far
as quick mode .. but they seem to have problems
setting the SADB in the kernel
this is what i get on right:
isakmpd: pf_key_v2_write: writev (3, 0x1273c0, 8) failed: Invalid argument
this from left:
isakmpd: transport_send_messages: giving up on message 0x124700
>>tcpdump of exchange
15:21:28.799293 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: b86a8a45435d3542->0000000000000000 msgid: 00000000 len: 80
15:21:42.271177 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->0000000000000000 msgid: 00000000 len: 80
15:21:42.298990 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 80
15:21:42.498221 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 180
15:21:42.886823 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 180
15:21:43.089448 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 92
15:21:43.265915 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 92
15:21:43.452642 right.isakmp > left.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 284
15:21:43.837842 left.isakmp > right.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 284
15:21:43.843426 right.isakmp > left.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 52
>>system
OpenBSD right.ipsec.intern.itns.de 2.8 KAMEKERNEL#0 i386
>>isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
$OpenBSD: policy,v 1.5 2000/10/09 23:27:29 niklas Exp $
$EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";
I tried some manual keying .. this is what i got from it:
>>this is a test for manual keying
ipsecadm new esp -spi 3443 -src 10.0.0.2 -dst 10.0.0.1\
-forcetunnel -enc blf -auth sha1\
-key 32306eb3d81b97fb325b8825be3db9b274ac0b68\
-authkey 6fe6d1395ab39389e00d0f2089562a5ae7c7209a
write: Invalid argument
ipsecadm new esp -spi 4334 -dst 10.0.0.2 -src 10.0.0.1\
-forcetunnel -enc blf -auth sha1\
-key b2e72202a97b605d8cc0fa73459f7c338253280D\
-authkey 08586bf83ac336166f8907103ae81227298c85bf
write: Invalid argument
ipsecadm flow -proto esp -dst 10.0.0.1 -spi 3443\
-addr 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255
ipsecadm: use of flag "-spi" is deprecated with flow creation or deletion
write: Invalid argument
thank you very much in advance
yours sincerely
Christian Bahls
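
The packet trace in the post above, checked against the IKEv1 message counts from RFC 2409 (six for Main Mode, three for Quick Mode). This is an added example, not part of the original post; `EXPECTED`, `PKT` and `summarize` are hypothetical names, and it assumes the capture contains no retransmissions.

```python
import re

# IKEv1 (RFC 2409) messages per exchange: Main Mode (ID_PROT) 6, Quick Mode 3.
EXPECTED = {"ID_PROT": 6, "QUICK_MODE": 3}
PKT = re.compile(r"(\S+)\.isakmp > (\S+)\.isakmp: isakmp v1\.0 exchange (\w+)"
                 r"(?: encrypted)?\s+cookie: ([0-9a-f]{16})->[0-9a-f]{16} msgid: ([0-9a-f]{8})")

# Packet trace copied from the post above (two lines per packet).
TRACE = """\
15:21:28.799293 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: b86a8a45435d3542->0000000000000000 msgid: 00000000 len: 80
15:21:42.271177 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->0000000000000000 msgid: 00000000 len: 80
15:21:42.298990 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 80
15:21:42.498221 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 180
15:21:42.886823 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 180
15:21:43.089448 right.isakmp > left.isakmp: isakmp v1.0 exchange ID_PROT encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 92
15:21:43.265915 left.isakmp > right.isakmp: isakmp v1.0 exchange ID_PROT encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: 00000000 len: 92
15:21:43.452642 right.isakmp > left.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 284
15:21:43.837842 left.isakmp > right.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 284
15:21:43.843426 right.isakmp > left.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: dee3898e036bc42c->7068a745c6c0b3df msgid: a7eada40 len: 52
"""

def summarize(trace):
    """Map (initiator cookie, exchange, msgid) -> (messages seen, all expected seen)."""
    counts = {}
    for _src, _dst, exch, icookie, msgid in PKT.findall(trace):
        key = (icookie, exch, msgid)
        counts[key] = counts.get(key, 0) + 1
    # Assumption: no retransmissions in the capture, so a count maps to a message number.
    return {k: (n, n >= EXPECTED.get(k[1], n + 1)) for k, n in counts.items()}

if __name__ == "__main__":
    for (icookie, exch, msgid), (n, seen) in summarize(TRACE).items():
        print(f"{icookie} {exch:<10} msgid={msgid} messages={n} all_seen={seen}")
```

For the exchange initiated by right, all six Main Mode and all three Quick Mode messages appear on the wire, while the single ID_PROT packet initiated by left gets no reply under its own cookie.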