On Tue, May 10, 2011 at 03:08:43PM +0200, Pawel Wieleba wrote:
> >Number: 6601
> >Category: pending
> >Synopsis: [isakmpd] IPSEC SA is established with different keys
> >key_authkey and key_encrypt on both peers. The problem repeats every few
> >days.
Hello,
The same problem (different enckeys on both peers, as well as different
authkeys on both peers) also exists when running two OpenBSD 4.9 peers.
The initial post (OpenBSD 4.6 and 4.8) describes the production environment.
Therefore I set up an example laboratory/testing configuration with two
OpenBSD 4.9 peers (obsd49b and obsd49c) running in KVM to reconstruct the
problem.
Both OpenBSD operating systems use the same GENERIC kernel. A fresh
OpenBSD 4.9 installation was performed specially for this.
obsd49b:~# uname -a
OpenBSD obsd49b.my.domain 4.9 GENERIC#671 i386
obsd49c:~# uname -a
OpenBSD obsd49c.my.domain 4.9 GENERIC#671 i386
The following simple IPSEC configuration was set up.
obsd49c:~# cat /etc/ipsec.conf
ike esp from { 192.168.186.0/24 } to { 192.168.185.0/24 } local 192.168.10.186
peer 192.168.10.185 main auth hmac-sha1 enc aes group modp1024 quick auth
hmac-sha1 enc aes group modp1024 psk "<shared_key>"
obsd49b:~# cat /etc/ipsec.conf
ike passive esp from { 192.168.185.0/24 } to { 192.168.186.0/24 } local
192.168.10.185 peer 192.168.10.186 main auth hmac-sha1 enc aes group modp1024
quick auth hmac-sha1 enc aes group modp1024 psk "<shared_key>"
obsd49c:~# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on=192.168.10.186
DPD-check-interval=60
Default-phase-1-lifetime=240,60:86400
Default-phase-2-lifetime=120,60:86400
obsd49b:~# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on=192.168.10.185
DPD-check-interval=60
* Running isakmpd
obsd49c:~# /sbin/isakmpd -K -vv -4 -L
obsd49b:~# /sbin/isakmpd -K -vv -4 -L
obsd49c:~# ifconfig lo0 inet alias 192.168.186.1 255.255.255.0
obsd49b:~# ifconfig lo0 inet alias 192.168.185.1 255.255.255.0
obsd49c:~# ping -I 192.168.186.1 192.168.185.1
obsd49b:~# ping -I 192.168.185.1 192.168.186.1
* To monitor the VPN connection between the two hosts, the following script
is run by cron every minute.
obsd49c:~# crontab -l|tail -n 1
* * * * * /root/test_vpn.sh
obsd49b:~# crontab -l|tail -n 1
* * * * * /root/test_vpn.sh
* The monitoring script tests the VPN connection by running a test ping.
If the ping fails, it collects some data about isakmpd and ipsec,
saves the data to the log file and also sends it by e-mail to the
address specified by the variable MAIL.
obsd49c:~# cat /root/test_vpn.sh
#!/bin/sh
#
# Author: Pawel Wieleba
# License: BSD
#
# Crontab entry: * * * * * /root/test_vpn.sh
#
DATE=`date +%Y%m%d-%H%M%S`
LOGFILE="/var/log/test_vpn"
TMPLOG="/tmp/test_vpn-$DATE"
MAIL="<your@mail>"
# one log line per run, prefixed with the timestamp
echo -n "[$DATE] : " >> $LOGFILE
# test ping through the tunnel (local tunnel address -> remote tunnel address)
OUTPUT_PING="`ping -q -c 2 -n -w 1 -I 192.168.186.1 192.168.185.1`"
RET=$?
# flatten the multi-line ping output onto the single log line
echo $OUTPUT_PING | tr '^M' ':' >> $LOGFILE
if [ "$RET" != "0" ]; then
# ping failed: collect the flows and SAD including keys, the isakmpd SA
# report and the last isakmpd log lines into a temporary report
echo "======================= ! obsd vpn problem ! ==========================" > $TMPLOG
echo "# ipsecctl -s all -v -k" >> $TMPLOG
ipsecctl -s all -v -k >> $TMPLOG
# 'S' on the fifo makes isakmpd write its SA report to /var/run/isakmpd.result
echo "# echo 'S' > /var/run/isakmpd.fifo" >> $TMPLOG
test -e /var/run/isakmpd.fifo && echo 'S' > /var/run/isakmpd.fifo
echo "# cat /var/run/isakmpd.result" >> $TMPLOG
cat /var/run/isakmpd.result >> $TMPLOG
echo "# grep isakmpd /var/log/daemon | tail -n 10" >> $TMPLOG
grep isakmpd /var/log/daemon | tail -n 10 >> $TMPLOG
echo "======================== ! $DATE ! ===========================" >> $TMPLOG
# append the report to the log file and mail it
cat $TMPLOG >> $LOGFILE
cat $TMPLOG | mail -s "`hostname -s`: obsd vpn problem" $MAIL;
fi
obsd49c:~#
The difference between the /root/test_vpn.sh scripts on the two VPN peers is as follows:
obsd49c:~# grep ping /root/test_vpn.sh
OUTPUT_PING="`ping -q -c 2 -n -w 1 -I 192.168.186.1 192.168.185.1`"
obsd49b:~# grep ping /root/test_vpn.sh
OUTPUT_PING="`ping -q -c 2 -n -w 1 -I 192.168.185.1 192.168.186.1`"
---------------------------------------------------------------------
The problem with different IPSEC SA keys (authkey and enckey) on the two peers
also exists when OpenBSD 4.9 is run.
Here I present the IPSEC SA which was added on both hosts at the time specified
by epoch 1305309153, which is 'Fri May 13 19:52:33 CEST 2011'.
* Some log data collected on the peers by the test_vpn.sh script presented
above:
obsd49c:~# cat /tmp/test_vpn-20110513-195304
======================= ! obsd vpn problem ! ==========================
# ipsecctl -s all -v -k
FLOWS:
flow esp in from 192.168.185.0/24 to 192.168.186.0/24 peer 192.168.10.185 srcid
192.168.10.186/32 dstid 192.168.10.185/32 type use
flow esp out from 192.168.186.0/24 to 192.168.185.0/24 peer 192.168.10.185
srcid 192.168.10.186/32 dstid 192.168.10.185/32 type require
SAD:
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0xccb89ba7 auth hmac-sha1
enc aes \
authkey 0xc79028dd91e9e6190ab68e992efdaa5e0c085865 \
enckey 0x60c9b30e5367e39af15875485a7ffe81
sa: spi 0xccb89ba7 auth hmac-sha1 enc aes
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 168 add 1305309153 first 1305309184
lifetime_hard: alloc 0 bytes 0 add 120 first 0
lifetime_soft: alloc 0 bytes 0 add 108 first 0
address_src: 192.168.10.186
address_dst: 192.168.10.185
key_auth: bits 160: c79028dd91e9e6190ab68e992efdaa5e0c085865
key_encrypt: bits 128: 60c9b30e5367e39af15875485a7ffe81
identity_src: type prefix id 0: 192.168.10.186/32
identity_dst: type prefix id 0: 192.168.10.185/32
src_mask: 255.255.255.0
dst_mask: 255.255.255.0
protocol: proto 0 flags 0
flow_type: type use direction out
src_flow: 192.168.186.0
dst_flow: 192.168.185.0
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1305309185
esp tunnel from 192.168.10.185 to 192.168.10.186 spi 0xeffb7477 auth hmac-sha1
enc aes \
authkey 0xd5ea7237843897ab0fd31454a17fcdc71b16380c \
enckey 0xa414d3a2e0d8d76875f0345ed4087671
sa: spi 0xeffb7477 auth hmac-sha1 enc aes
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 192 add 1305309153 first 1305309181
lifetime_hard: alloc 0 bytes 0 add 120 first 0
lifetime_soft: alloc 0 bytes 0 add 108 first 0
address_src: 192.168.10.185
address_dst: 192.168.10.186
key_auth: bits 160: d5ea7237843897ab0fd31454a17fcdc71b16380c
key_encrypt: bits 128: a414d3a2e0d8d76875f0345ed4087671
identity_src: type prefix id 0: 192.168.10.185/32
identity_dst: type prefix id 0: 192.168.10.186/32
src_mask: 255.255.255.0
dst_mask: 255.255.255.0
protocol: proto 0 flags 0
flow_type: type use direction in
src_flow: 192.168.185.0
dst_flow: 192.168.186.0
# echo 'S' > /var/run/isakmpd.fifo
# cat /var/run/isakmpd.result
SA name: peer-192.168.10.185-local-192.168.10.186 (Phase 1/Initiator)
src: 192.168.10.186 dst: 192.168.10.185
Lifetime: 240 seconds
Soft timeout in 20 seconds
Hard timeout in 49 seconds
Flags 0x00000083
icookie f15023f69efe17d9 rcookie 11cdc191696d731d
SA name: from-192.168.186.0/24-to-192.168.185.0/24 (Phase 2)
src: 192.168.10.186 dst: 192.168.10.185
Lifetime: 120 seconds
Soft timeout in 30 seconds
Hard timeout in 47 seconds
Flags 0x00000003
SPI 0: ef95ad33
SPI 1: d7c080fb
Transform: IPsec ESP
Encryption key length: 16
Authentication key length: 20
Encryption algorithm: AES-128 (CBC)
Authentication algorithm: HMAC-SHA1
# grep isakmpd /var/log/daemon | tail -n 10
May 13 19:41:35 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:43:14 obsd49c isakmpd[8650]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.186 dst:
192.168.10.185
May 13 19:43:25 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:45:13 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:46:50 obsd49c isakmpd[8650]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.186 dst:
192.168.10.185
May 13 19:46:57 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:48:48 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:50:38 obsd49c isakmpd[8650]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.186 dst:
192.168.10.185
May 13 19:50:39 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
May 13 19:52:33 obsd49c isakmpd[8650]: isakmpd: quick mode done: src:
192.168.10.186 dst: 192.168.10.185
======================== ! 20110513-195304 ! ===========================
obsd49b:~# cat /tmp/test_vpn-20110513-195301
======================= ! obsd vpn problem ! ==========================
# ipsecctl -s all -v -k
FLOWS:
flow esp in from 192.168.186.0/24 to 192.168.185.0/24 peer 192.168.10.186 srcid
192.168.10.185/32 dstid 192.168.10.186/32 type use
flow esp out from 192.168.185.0/24 to 192.168.186.0/24 peer 192.168.10.186
srcid 192.168.10.185/32 dstid 192.168.10.186/32 type require
SAD:
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0xccb89ba7 auth hmac-sha1
enc aes \
authkey 0xb312c14353607c130ec684a5e0679b368d7d2838 \
enckey 0x4dac8589cb91cbe1e929e757d7e36192
sa: spi 0xccb89ba7 auth hmac-sha1 enc aes
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 0 add 1305309153 first 0
lifetime_hard: alloc 0 bytes 0 add 120 first 0
lifetime_soft: alloc 0 bytes 0 add 108 first 0
address_src: 192.168.10.186
address_dst: 192.168.10.185
key_auth: bits 160: b312c14353607c130ec684a5e0679b368d7d2838
key_encrypt: bits 128: 4dac8589cb91cbe1e929e757d7e36192
identity_src: type prefix id 0: 192.168.10.186/32
identity_dst: type prefix id 0: 192.168.10.185/32
src_mask: 255.255.255.0
dst_mask: 255.255.255.0
protocol: proto 0 flags 0
flow_type: type use direction in
src_flow: 192.168.186.0
dst_flow: 192.168.185.0
esp tunnel from 192.168.10.185 to 192.168.10.186 spi 0xeffb7477 auth hmac-sha1
enc aes \
authkey 0x943750361cfba2a024fcc00f8ee5e9d2633e72ea \
enckey 0xf53107855c8d9ebbcfd4eef912f5f77a
sa: spi 0xeffb7477 auth hmac-sha1 enc aes
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 168 add 1305309153 first 1305309181
lifetime_hard: alloc 0 bytes 0 add 120 first 0
lifetime_soft: alloc 0 bytes 0 add 108 first 0
address_src: 192.168.10.185
address_dst: 192.168.10.186
key_auth: bits 160: 943750361cfba2a024fcc00f8ee5e9d2633e72ea
key_encrypt: bits 128: f53107855c8d9ebbcfd4eef912f5f77a
identity_src: type prefix id 0: 192.168.10.185/32
identity_dst: type prefix id 0: 192.168.10.186/32
src_mask: 255.255.255.0
dst_mask: 255.255.255.0
protocol: proto 0 flags 0
flow_type: type use direction out
src_flow: 192.168.185.0
dst_flow: 192.168.186.0
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1305309182
# echo 'S' > /var/run/isakmpd.fifo
# cat /var/run/isakmpd.result
SA name: peer-192.168.10.186-local-192.168.10.185 (Phase 1/Responder)
src: 192.168.10.185 dst: 192.168.10.186
Lifetime: 240 seconds
Soft timeout in 22 seconds
Hard timeout in 49 seconds
Flags 0x00000081
icookie f15023f69efe17d9 rcookie 11cdc191696d731d
SA name: from-192.168.185.0/24-to-192.168.186.0/24 (Phase 2)
src: 192.168.10.185 dst: 192.168.10.186
Lifetime: 120 seconds
Soft timeout in 32 seconds
Hard timeout in 48 seconds
Flags 0x00000001
SPI 0: d7c080fb
SPI 1: ef95ad33
Transform: IPsec ESP
Encryption key length: 16
Authentication key length: 20
Encryption algorithm: AES-128 (CBC)
Authentication algorithm: HMAC-SHA1
# grep isakmpd /var/log/daemon | tail -n 10
May 13 19:41:34 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:43:12 obsd49b isakmpd[29527]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.185 dst:
192.168.10.186
May 13 19:43:23 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:45:11 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:46:48 obsd49b isakmpd[29527]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.185 dst:
192.168.10.186
May 13 19:46:56 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:48:47 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:50:38 obsd49b isakmpd[29527]: isakmpd: phase 1 done: initiator id
192.168.10.186, responder id 192.168.10.185, src: 192.168.10.185 dst:
192.168.10.186
May 13 19:50:39 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
May 13 19:52:33 obsd49b isakmpd[29527]: isakmpd: quick mode done: src:
192.168.10.185 dst: 192.168.10.186
======================== ! 20110513-195301 ! ===========================
* And here I present selected traffic between the two peers while setting up the SA:
# tcpdump -r /var/run/isakmpd.pcap -nvvvl
[...]
19:50:38.384045 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->0000000000000000 msgid: 00000000 len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 240
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
19:50:38.391950 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 00000000 len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 240
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
19:50:38.464133 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
19:50:38.542845 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
19:50:38.618213 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 00000000 len: 64
payload: ID len: 12 type: IPV4_ADDR = 192.168.10.186
19:50:38.623723 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 00000000 len: 76
payload: ID len: 12 type: IPV4_ADDR = 192.168.10.185
payload: HASH len: 24 [ttl 0] (id 1, len 104)
19:50:39.804720 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: d6684034 len: 292
payload: HASH len: 24
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xb50940ed
payload: TRANSFORM len: 32
transform: 1 ID: AES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 120
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
attribute KEY_LENGTH = 128
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.186.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.185.0/255.255.255.0 [ttl 0] (id 1, len 320)
19:50:39.884290 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: d6684034 len: 300
payload: HASH len: 24
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xb9c80865
payload: TRANSFORM len: 32
transform: 1 ID: AES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 120
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
attribute KEY_LENGTH = 128
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.186.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.185.0/255.255.255.0 [ttl 0] (id 1, len 328)
19:50:39.885794 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: d6684034 len: 52
payload: HASH len: 24 [ttl 0] (id 1, len 80)
19:50:48.107833 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: a9cc0087f003fa2e->4438b6bcd18210bb msgid: e8df71d5 len: 76
payload: HASH len: 24
payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
SPI: 0xbb8b5d84 [ttl 0] (id 1, len 104)
19:50:48.886696 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: a9cc0087f003fa2e->4438b6bcd18210bb msgid: 0b6bcc52 len: 92
payload: HASH len: 24
payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: a9cc0087f003fa2e->4438b6bcd18210bb [ttl 0] (id 1, len 120)
19:52:33.082843 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 078d8137 len: 292
payload: HASH len: 24
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xeffb7477
payload: TRANSFORM len: 32
transform: 1 ID: AES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 120
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
attribute KEY_LENGTH = 128
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.186.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.185.0/255.255.255.0 [ttl 0] (id 1, len 320)
19:52:33.163537 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 078d8137 len: 300
payload: HASH len: 24
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xccb89ba7
payload: TRANSFORM len: 32
transform: 1 ID: AES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 120
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
attribute KEY_LENGTH = 128
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.186.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.185.0/255.255.255.0 [ttl 0] (id 1, len 328)
19:52:33.164938 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 078d8137 len: 52
payload: HASH len: 24 [ttl 0] (id 1, len 80)
19:52:39.668305 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: e977b269 len: 76
payload: HASH len: 24
payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
SPI: 0xb9c80865 [ttl 0] (id 1, len 104)
19:53:03.598450 192.168.10.185.500 > 192.168.10.186.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 3418ec72 len: 92
payload: HASH len: 24
payload: NOTIFICATION len: 32
notification: STATUS_DPD_R_U_THERE seq 28751 [ttl 0] (id 1, len 120)
19:53:03.599562 192.168.10.186.500 > 192.168.10.185.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: 59f6f1f1d74c27ea->ccc8c347bed815bf msgid: 7f052978 len: 84
payload: HASH len: 24
payload: NOTIFICATION len: 32
notification: STATUS_DPD_R_U_THERE_ACK seq 28751 [ttl 0] (id 1, len
112)
[...]
* By investigating the log file /var/log/test_vpn created by /root/test_vpn.sh
(described above), which is run from cron, I can see that the previous
communication worked fine:
obsd49c:~# grep '^\[20110513-195[1-6]' /var/log/test_vpn
[20110513-195103] : PING 192.168.185.1 (192.168.185.1): 56 data bytes :---
192.168.185.1 ping statistics --- 2 packets transmitted, 2 packets received,
0.0% packet loss round-trip min/avg/max/std-dev = 2.369/2.651/2.934/0.287 ms
[20110513-195203] : PING 192.168.185.1 (192.168.185.1): 56 data bytes :---
192.168.185.1 ping statistics --- 2 packets transmitted, 2 packets received,
0.0% packet loss round-trip min/avg/max/std-dev = 2.624/2.831/3.039/0.214 ms
[20110513-195304] : :--- 192.168.185.1 ping statistics --- 2 packets
transmitted, 0 packets received, 100.0% packet loss
[20110513-195404] : :--- 192.168.185.1 ping statistics --- 2 packets
transmitted, 0 packets received, 100.0% packet loss
[20110513-195503] : PING 192.168.185.1 (192.168.185.1): 56 data bytes :---
192.168.185.1 ping statistics --- 2 packets transmitted, 2 packets received,
0.0% packet loss round-trip min/avg/max/std-dev = 2.677/2.860/3.044/0.191 ms
[20110513-195603] : PING 192.168.185.1 (192.168.185.1): 56 data bytes :---
192.168.185.1 ping statistics --- 2 packets transmitted, 2 packets received,
0.0% packet loss round-trip min/avg/max/std-dev = 1.940/2.332/2.724/0.392 ms
Only the problematic IPSEC SAs, with different keys (authkey and enckey) set on
the two peers (obsd49b and obsd49c), do not work.
The described problem repeats every few hours for this configuration (the
default lifetimes are 240 secs for phase 1 and 120 secs for phase 2).
The problem was reproduced on two vanilla OpenBSD 4.9 operating systems,
as well as with a VPN configuration between OpenBSD 4.8 (peer1) and
OpenBSD 4.6 (peer2).
If you need any further data, please let me know.
Best regards,
Pawel Wieleba
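An added check, not from the report or from OpenBSD, that automates the comparison done by hand above: it parses saved "ipsecctl -s sa -v -k" dumps from the two peers and flags every SPI whose authkey/enckey differ. It assumes the dumps were copied to one host as files; the sample dumps are constructed from the report's values plus one made-up healthy SA.

```shell
#!/bin/sh
# Added example, not part of the original report: compare the ESP SA keys that
# two isakmpd peers installed for the same SPI, using saved "ipsecctl -s sa -v -k"
# output from each host. Both ends of one ESP SA must hold identical authkey and
# enckey values; a MISMATCH line is exactly the failure described in the report.

# compare_sa_keys DUMP_A DUMP_B
# Prints every SPI whose authkey/enckey differ between the two dumps, or that
# appears in only one of them. Tokens are scanned instead of lines, so the
# "\"-continued ipsecctl layout and a mail-wrapped copy parse the same way.
# Returns 0 when every SPI agrees, 1 otherwise.
compare_sa_keys() {
    awk -v A="$1" -v B="$2" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "spi") spi = $(i + 1)
                else if ($i == "authkey") ak = $(i + 1)
                else if ($i == "enckey") {          # enckey closes one SA record
                    keys[FILENAME, spi] = ak "/" $(i + 1)
                    seen[spi] = 1
                }
            }
        }
        END {
            for (spi in seen) {
                ka = keys[A, spi]; kb = keys[B, spi]
                if (ka == "")      { print "ONLY-ON-B " spi ": " kb; bad = 1 }
                else if (kb == "") { print "ONLY-ON-A " spi ": " ka; bad = 1 }
                else if (ka != kb) { print "MISMATCH " spi ": " ka " vs " kb; bad = 1 }
            }
            exit bad
        }' "$1" "$2"
}

# Constructed sample dumps, abbreviated from the two peers' SAD output in the
# report (obsd49c, then obsd49b). The third SA, spi 0x0000aaaa, is made up: it
# agrees on both sides and must produce no output.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/obsd49c.sad" <<'EOF'
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0xccb89ba7 auth hmac-sha1 enc aes \
    authkey 0xc79028dd91e9e6190ab68e992efdaa5e0c085865 \
    enckey 0x60c9b30e5367e39af15875485a7ffe81
esp tunnel from 192.168.10.185 to 192.168.10.186 spi 0xeffb7477 auth hmac-sha1 enc aes \
    authkey 0xd5ea7237843897ab0fd31454a17fcdc71b16380c \
    enckey 0xa414d3a2e0d8d76875f0345ed4087671
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0x0000aaaa auth hmac-sha1 enc aes \
    authkey 0x1111111111111111111111111111111111111111 \
    enckey 0x22222222222222222222222222222222
EOF
cat > "$SAMPLE_DIR/obsd49b.sad" <<'EOF'
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0xccb89ba7 auth hmac-sha1 enc aes \
    authkey 0xb312c14353607c130ec684a5e0679b368d7d2838 \
    enckey 0x4dac8589cb91cbe1e929e757d7e36192
esp tunnel from 192.168.10.185 to 192.168.10.186 spi 0xeffb7477 auth hmac-sha1 enc aes \
    authkey 0x943750361cfba2a024fcc00f8ee5e9d2633e72ea \
    enckey 0xf53107855c8d9ebbcfd4eef912f5f77a
esp tunnel from 192.168.10.186 to 192.168.10.185 spi 0x0000aaaa auth hmac-sha1 enc aes \
    authkey 0x1111111111111111111111111111111111111111 \
    enckey 0x22222222222222222222222222222222
EOF

compare_sa_keys "$SAMPLE_DIR/obsd49c.sad" "$SAMPLE_DIR/obsd49b.sad" ||
    echo "SA keys disagree between the peers; ESP on those SPIs cannot work"
```

On the two dumps from the report the check prints two MISMATCH lines (spi 0xccb89ba7 and 0xeffb7477) and stays silent for the agreeing SA, which is the condition test_vpn.sh only detects indirectly through the failed ping.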