heya,
I've established IPsec connections originating from several Windows XP machines
with public IPs to my OpenBSD firewall that is running isakmpd. They are working
just fine. However, I have a Windows machine here at home behind NAT that is
giving me grief when I try to establish an IPsec connection with my remote
OpenBSD machine. This Windows machine has some generic problem negotiating
IPsec, whether with a public IP or behind my NAT (I get the same debugging
output in either case). I would like to use the debugging output from isakmpd
to give me some additional insight into what is going on with this silly
Windows machine.
I am using the following command lines to establish the VPN on the WinXP Pro
machine:
ipseccmd.exe -u
ipseccmd.exe -f 0=10.9.0.0/255.255.255.0 -n ESP[3DES,SHA] -t 10.9.1.1 -a PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f 10.9.0.0/255.255.255.0=0 -n ESP[3DES,SHA] -t 10.9.1.2 -a PRESHARE:"somepass" -1s 3DES-SHA-2
I have also been careful to make certain that I have all the appropriate
registry settings and the latest "Support Tools" pack for the WinXP Pro machine
in question.
I don't see any output on the OpenBSD side (running a 3.8 snapshot), where I'm
running "sudo isakmpd -dDA=10 -L", until I attempt to ping the 10.9.0.255
subnet. At this point I get the following output from isakmpd:
222203.684097 Misc 10 monitor_init: privileges dropped for child process
222205.861143 Default log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
222213.267805 Timr 10 timer_add_event: event exchange_free_aux(0x7c594800) added last, expiration in 120s
222213.269902 Exch 10 exchange_setup_p1: 0x7c594800 roadwarriorz win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
222213.271353 Exch 10 exchange_setup_p1: icookie 5f3f8ed8ec596edd rcookie 305b544a1a74cddd
222213.272756 Exch 10 exchange_setup_p1: msgid 00000000
222213.274715 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
222213.277477 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.279089 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.283659 Timr 10 timer_add_event: event message_send_expire(0x8b833480) added before exchange_free_aux(0x7c594800), expiration in 7s
222220.290123 Timr 10 timer_handle_expirations: event message_send_expire(0x8b833480)
It looks like phase 1 starts and just doesn't do anything (I don't see any of
the higher steps in phase 1). I get the following output from "sudo tcpdump -nr
/var/run/isakmpd.pcap":
22:22:13.266767 10.9.1.2.500 > 10.9.1.1.500: isakmp v1.0 exchange ID_PROT cookie: 5f3f8ed8ec596edd->0000000000000000 msgid: 00000000 len: 148 [ttl 0]
22:22:13.280642 10.9.1.1.500 > 10.9.1.2.500: isakmp v1.0 exchange ID_PROT cookie: 5f3f8ed8ec596edd->305b544a1a74cddd msgid: 00000000 len: 164 [ttl 0]
I know that the isakmpd.conf I'm using on the gateway works just fine, since I
can easily connect to it with another OpenBSD machine, just not this Windows
one. Here is the isakmpd.conf I'm using (it's set up to just accept
roadwarriors):
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 10.9.1.1
[Phase 1]
Default= roadwarriorz
[Phase 2]
Passive-Connections= testedwarriorz
[roadwarriorz]
Phase= 1
Transport= udp
Configuration= win-main-mode
Authentication= somepass
[testedwarriorz]
Phase= 2
Configuration= win-quick-mode
Local-ID= fwnet1
Remote-ID= dummy-remote
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[fwnet1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.9.0.0
Netmask= 255.255.255.0
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[win-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2
[win-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
My isakmpd.policy accepts everything.
Any light that could be shed on what is going on here would be much appreciated
:). Thanks for reading.
regards,
jake
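As an added example (not part of jake's post and not isakmpd's own code), the Python script below does the two things I would want when looking at output like the above: it decodes the fixed 28-byte ISAKMP header from /var/run/isakmpd.pcap into the same one-line summary tcpdump prints, so a capture can be checked field by field, and it walks isakmpd -D debug lines to report, per phase 1 exchange, the peer's role and exchange type, whether the peer announced NAT-T, which payloads isakmpd did not expect, and whether the send timer expired while the exchange was still at the step it was set up with. The header bytes and log lines are constructed from the values quoted in the post. The function names are mine, and the `exchange_run ... finished step` pattern is an assumption about the per-step progress line that exchange.c emits at a higher debug level than the -DA=10 used in the post; the triage works without it.

```python
import re
import struct

# ISAKMP exchange type codes (RFC 2408 section 3.1, RFC 2409 appendix A).
EXCHANGE_TYPES = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFO", 32: "QUICK_MODE"}


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) to a dict."""
    if len(data) < 28:
        raise ValueError("ISAKMP header needs 28 bytes, got %d" % len(data))
    icky, rcky, nxt, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length < 28:  # the length field covers the header itself
        raise ValueError("implausible ISAKMP length %d" % length)
    return {"icookie": icky.hex(), "rcookie": rcky.hex(), "next_payload": nxt,
            "version": "%d.%d" % (ver >> 4, ver & 0xF),
            "exchange": EXCHANGE_TYPES.get(exch, "UNKNOWN(%d)" % exch),
            "flags": flags, "msgid": msgid, "length": length}


def summarize(hdr):
    """Render a decoded header the way 'tcpdump -n' summarises an isakmp packet."""
    return ("isakmp v%(version)s exchange %(exchange)s cookie: %(icookie)s->"
            "%(rcookie)s msgid: %(msgid)08x len: %(length)d" % hdr)


# Patterns for the isakmpd -D lines quoted in the post.
SETUP_RE = re.compile(r"exchange_setup_p1: (0x[0-9a-f]+) (\S+) \S+ policy "
                      r"(initiator|responder) phase 1 doi \d+ exchange (\d+) step (\d+)")
COOKIE_RE = re.compile(r"exchange_setup_p1: icookie ([0-9a-f]+) rcookie ([0-9a-f]+)")
NATT_RE = re.compile(r"nat_t_check_vendor_payload: NAT-T capable peer detected")
LEFTOVER_RE = re.compile(r"exchange_handle_leftover_payloads: unexpected payload (\S+)")
EXPIRE_RE = re.compile(r"timer_handle_expirations: event message_send_expire")
# Assumed shape of the per-step progress line isakmpd's exchange.c emits at a
# higher debug level than the -DA=10 used in the post; optional for the triage.
STEP_RE = re.compile(r"exchange_run: exchange (0x[0-9a-f]+) finished step (\d+)")


def phase1_progress(log_lines):
    """Return {exchange pointer: state dict} built from isakmpd debug lines.

    Lines without an exchange pointer (cookies, NAT-T, leftovers, expiries)
    are charged to the most recently set up exchange, as in the post's log.
    """
    exchanges, cur = {}, None
    for line in log_lines:
        m = SETUP_RE.search(line)
        if m:
            ptr, cfg, role, exch, step = m.groups()
            cur = exchanges[ptr] = {
                "ptr": ptr, "peer": cfg, "role": role,
                "exchange": EXCHANGE_TYPES.get(int(exch), exch),
                "setup_step": int(step), "step": int(step), "icookie": "",
                "rcookie": "", "nat_t_peer": False, "leftover": [],
                "send_expiries": 0}
            continue
        m = STEP_RE.search(line)
        if m and m.group(1) in exchanges:
            exchanges[m.group(1)]["step"] = int(m.group(2)) + 1
            continue
        if cur is None:
            continue
        if COOKIE_RE.search(line):
            cur["icookie"], cur["rcookie"] = COOKIE_RE.search(line).groups()
        elif NATT_RE.search(line):
            cur["nat_t_peer"] = True
        elif LEFTOVER_RE.search(line):
            cur["leftover"].append(LEFTOVER_RE.search(line).group(1))
        elif EXPIRE_RE.search(line):
            cur["send_expiries"] += 1
    return exchanges


def stalled(ex):
    """True when the send timer fired with the exchange still at its setup
    step: our reply went out and the peer never answered it."""
    return ex["send_expiries"] > 0 and ex["step"] == ex["setup_step"]


def report(ex):
    state = "STALLED" if stalled(ex) else "advanced"
    return ("%s %s %s %s: %s at step %d; NAT-T peer=%s; unexpected payloads=%s; "
            "send timeouts=%d" % (ex["ptr"], ex["peer"], ex["role"], ex["exchange"],
                                  state, ex["step"], ex["nat_t_peer"],
                                  ",".join(ex["leftover"]) or "none",
                                  ex["send_expiries"]))


# Constructed from the tcpdump summary and isakmpd output quoted in the post.
MSG1_HEADER = bytes.fromhex(
    "5f3f8ed8ec596edd" "0000000000000000"  # initiator cookie, responder cookie
    "01" "10" "02" "00"                    # next payload SA, v1.0, ID_PROT, flags
    "00000000" "00000094")                 # msgid 0 (phase 1), length 148
SAMPLE_LOG = """\
222213.269902 Exch 10 exchange_setup_p1: 0x7c594800 roadwarriorz win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
222213.271353 Exch 10 exchange_setup_p1: icookie 5f3f8ed8ec596edd rcookie 305b544a1a74cddd
222213.272756 Exch 10 exchange_setup_p1: msgid 00000000
222213.274715 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
222213.277477 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.279089 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.283659 Timr 10 timer_add_event: event message_send_expire(0x8b833480) added before exchange_free_aux(0x7c594800), expiration in 7s
222220.290123 Timr 10 timer_handle_expirations: event message_send_expire(0x8b833480)
""".splitlines()

if __name__ == "__main__":
    print(summarize(parse_isakmp_header(MSG1_HEADER)))
    for ex in phase1_progress(SAMPLE_LOG).values():
        print(report(ex))
```

Run against the post's data this prints the same "isakmp v1.0 exchange ID_PROT cookie: 5f3f8ed8ec596edd->0000000000000000 msgid: 00000000 len: 148" line tcpdump showed, and reports exchange 0x7c594800 as a responder main-mode exchange stalled at step 0 with a NAT-T capable peer and two unexpected VENDOR payloads: the gateway sent its second main-mode message and got nothing back before message_send_expire fired. One caveat before reading "stalled at step 0" as proof that phase 1 never advanced: in my reading of exchange.c the per-step progress lines are logged well above debug level 10, so I would repeat the capture with a higher -DA value (and compare the retransmission count against Retransmits= 5) before concluding anything about where the Windows side gives up.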