Hi,

the errno shown by ipsecadm can be ignored, nothing to worry about
(and this was fixed post 3.7-stable).  Besides this message the vpn
is working as expected?

HJ.

On Thu, Nov 10, 2005 at 11:30:58AM +0100, [EMAIL PROTECTED] wrote:
> Hello!
> 
>    I set up a tunnel between two machines (connected through the
> Internet) running OpenBSD 3.6 and everything was fine.
> 
>    Then I had to upgrade one of the two machines to 3.7 (disk
> crash!). Rewrote the config file and restarted the tunnel. The
> tunnel is fine and the traffic gets encrypted all right. But if I
> run an "ipsecadm show", now I also see an "errno 8: Exec format
> error" on the 3.7 machine, and again no error on the 3.6 machine.
> 
>    I was advised to try 3.7 -stable. So I set up two new
> machines (both with 3.7 -stable) to test on my LAN:
> 
> 10.0.0.6 -- [ BOX A ] -- 192.168.3.254 /24
>        
> 
> 192.168.99.254 /24 -- [ BOX B ] -- 192.168.3.17
> 
>    I have a client PC on the .99 network which can ping the
> 10.0.0.6 interface (and the traffic is encrypted in the
> 192.168.3.0/24 network), so apparently all is well. 
> 
> 
>    But now on BOX A I get an "errno 8: Exec format error", and on
> BOX B I get an "errno 118: Unknown error: 118" (see below).
> 
> Any ideas on what is going on?
> 
> Also, does anybody know where I can find some documentation
> concerning these error codes?
> 
> Many thanks in advance for your help.
> 
>    ---Rob
> 
> 
> ==========   BOX A   "ipsecadm show"  192.168.3.254 ===========
> -bash-3.00# ipsecadm show
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
>         errno 8: Exec format error
>         sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
>                 state larval replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         address_src: 192.168.3.17
>         address_dst: 192.168.3.254
>         identity_src: type prefix id 0: 192.168.3.17/32
>         identity_dst: type prefix id 0: 192.168.3.254/32
>         key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
>         key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
>         errno 8: Exec format error
>         sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
>                 state larval replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         address_src: 192.168.3.254
>         address_dst: 192.168.3.17
>         identity_src: type prefix id 0: 192.168.3.254/32
>         identity_dst: type prefix id 0: 192.168.3.17/32
>         key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
>         key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893
> 
> 
> 
> ==========   BOX B   "ipsecadm show"  192.168.3.17 ============
> -bash-3.00# ipsecadm show
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
>         errno 118: Unknown error: 118
>         sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
>                 state larval replay 16 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         address_src: 192.168.3.254
>         address_dst: 192.168.3.17
>         identity_src: type prefix id 0: 192.168.3.254/32
>         identity_dst: type prefix id 0: 192.168.3.17/32
>         key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
>         key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
>         errno 118: Unknown error: 118
>         sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
>                 state larval replay 16 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         address_src: 192.168.3.17
>         address_dst: 192.168.3.254
>         identity_src: type prefix id 0: 192.168.3.17/32
>         identity_dst: type prefix id 0: 192.168.3.254/32
>         key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
>         key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738
> 
> 
> 
> ==========   BOX A   isakmpd.conf ============================
> -bash-3.00# cat /etc/isakmpd/isakmpd.conf
> #       $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
> #       $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
> 
> # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
> #
> # The network topology of the example net is like this:
> #
> # 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
> #
> # "west" and "east" are the respective security gateways (aka VPN-nodes).
> 
> [General]
> Listen-on=              192.168.3.254
> 
> [Phase 1]
> 192.168.3.17=           ISAKMP-peer-west
> 
> [Phase 2]
> Connections=            IPsec-east-west
> 
> [ISAKMP-peer-west]
> Phase=                  1
> Transport=              udp
> Local-address=          192.168.3.254
> Address=                192.168.3.17
> Configuration=          Default-main-mode
> Authentication=         mekmitasdigoat
> 
> [IPsec-east-west]
> Phase=                  2
> ISAKMP-peer=            ISAKMP-peer-west
> Configuration=          Default-quick-mode
> Local-ID=               Net-east
> Remote-ID=              Net-west
> 
> [Net-east]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.0.0.0
> Netmask=                255.255.255.248
> 
> [Net-west]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                192.168.99.0
> Netmask=                255.255.255.0
> 
> [Default-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-SHA
> 
> [Default-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-AES-SHA-PFS-SUITE
> 
> 
> 
> 
> ==========   BOX B   isakmpd.conf ============================
> -bash-3.00# cat /etc/isakmpd/isakmpd.conf
> #       $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
> #       $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
> 
> # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
> #
> # The network topology of the example net is like this:
> #
> # 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
> #
> # "west" and "east" are the respective security gateways (aka VPN-nodes).
> 
> [General]
> Listen-on=              192.168.3.17
> 
> [Phase 1]
> 192.168.3.254=          ISAKMP-peer-east
> 
> [Phase 2]
> Connections=            IPsec-west-east
> 
> [ISAKMP-peer-east]
> Phase=                  1
> Transport=              udp
> Local-address=          192.168.3.17
> Address=                192.168.3.254
> Configuration=          Default-main-mode
> Authentication=         mekmitasdigoat
> 
> [IPsec-west-east]
> Phase=                  2
> ISAKMP-peer=            ISAKMP-peer-east
> Configuration=          Default-quick-mode
> Local-ID=               Net-west
> Remote-ID=              Net-east
> 
> [Net-east]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.0.0.0
> Netmask=                255.255.255.248
> 
> [Net-west]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                192.168.99.0
> Netmask=                255.255.255.0
> 
> [Default-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-SHA
> 
> [Default-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-AES-SHA-PFS-SUITE
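
Added example, not part of the original thread and not ipsecadm's own code: one way to check tunnel state independently of the errno line is to parse the "ipsecadm show" dump from each gateway and confirm both list the same SAs (SPI, endpoints, algorithms), reporting the errno values separately. The sample text is constructed from the layout and values quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the "ipsecadm show" output quoted above;
# SPIs and addresses follow the thread, state/lifetime/key lines are omitted.
BOX_A = """\
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
        address_src: 192.168.3.17
        address_dst: 192.168.3.254
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
        address_src: 192.168.3.254
        address_dst: 192.168.3.17
"""
BOX_B = BOX_A.replace("errno 8: Exec format error",
                      "errno 118: Unknown error: 118")

FIELDS = {  # field name -> pattern capturing its value inside one record
    "spi": r"\bspi (0x[0-9a-f]+)", "auth": r"\bauth (\S+)",
    "enc": r"\benc (\S+)", "errno": r"\berrno (\d+):",
    "src": r"address_src: (\S+)", "dst": r"address_dst: (\S+)",
}

def parse_sas(text):
    """Return one dict per 'sadb_dump:' record; missing fields are None."""
    sas = []
    for record in re.split(r"(?m)^sadb_dump:", text)[1:]:
        found = {k: re.search(rx, record) for k, rx in FIELDS.items()}
        sas.append({k: m.group(1) if m else None for k, m in found.items()})
    return sas

def sa_key(sa):
    # The errno line is deliberately kept out of the comparison key.
    return (sa["spi"], sa["src"], sa["dst"], sa["auth"], sa["enc"])

def compare(dump_a, dump_b):
    """Return (SAs only in A, SAs only in B, sorted errno values seen)."""
    a, b = parse_sas(dump_a), parse_sas(dump_b)
    only_a = {sa_key(s) for s in a} - {sa_key(s) for s in b}
    only_b = {sa_key(s) for s in b} - {sa_key(s) for s in a}
    errnos = sorted({int(s["errno"]) for s in a + b if s["errno"]})
    return only_a, only_b, errnos

if __name__ == "__main__":
    print(compare(BOX_A, BOX_B))  # (set(), set(), [8, 118])
```

An SA that shows up in only one of the two returned sets exists on one gateway but not the other.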
