Hi all,

I'm working on bringing up a remote-access L2TP + IPSec VPN on an OpenBSD 5.8
workstation. Note that this system is the client side L2TP LAC, not a
server-side L2TP LNS. Therefore I am using xl2tpd instead of npppd, which will
only handle server-side configurations. My issue actually seems unrelated to
the underlying tunneling protocol. I'm running into an IKE phase 2 failure,
specifically when first moving into quick mode.

My OpenBSD system sends the first quick mode message that contains its
advertised remote and local network information. In this case, it's very
simple as it's simply the traffic between what will become the L2TP endpoints,
so:
proto udp from 1.1.1.1 to 2.2.2.2 port 1701

1.1.1.1 is my local IP and 2.2.2.2 is the remote endpoint. When my system
sends this as the ID information in the quick mode message however, the remote
endpoint responds with: INVALID ID INFORMATION. I've tried a variety of
things, but I can't determine what's wrong here. Phase 1 completes without
issue. Below is the isakmpd.pcap output showing the failure:

08:32:37.154146 1.1.1.1.4500 > 2.2.2.2.4500: [bad udp cksum e7bc! -> 3d4d]
udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: aaaaaaaaaaaaaaaa->bbbbbbbbbbbbbbbb msgid: d8e18d0e len: 148
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xdad40d72
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 1.1.1.1
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 2.2.2.2
[ttl 0] (id 1, len 180)

08:32:37.167755 2.2.2.2.4500 > 1.1.1.1.500: [bad udp cksum a74b! -> a767]
udpencap: isakmp v1.0 exchange INFO
        cookie: aaaaaaaaaaaaaaaa->bbbbbbbbbbbbbbbb msgid: 16fb376e len: 76
        payload: HASH len: 24
        payload: NOTIFICATION len: 16
            notification: INVALID ID INFORMATION [ttl 0] (id 1, len 108)


Perhaps another set of eyes might catch what I have not. Any input would be
greatly appreciated. :)


Warm regards,
Andrew

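As an added diagnostic aid (not part of Andrew's post or of isakmpd), the script below parses the tcpdump-style isakmpd output quoted above and pulls out exactly what the responder had to evaluate: the ESP transform and its attributes, the two phase 2 ID selectors, and the notification that came back. The capture text is a constructed copy of the two packets in the post; the field names and the checks are my own. It does not claim to know why the responder rejected the IDs; it lists the items whose values must agree with the responder's phase 2 policy, which is what an INVALID_ID_INFORMATION notification means in IKEv1.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the two packets from the isakmpd.pcap text in the post.
CAPTURE = """\
08:32:37.154146 1.1.1.1.4500 > 2.2.2.2.4500: [bad udp cksum e7bc! -> 3d4d]
udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: aaaaaaaaaaaaaaaa->bbbbbbbbbbbbbbbb msgid: d8e18d0e len: 148
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xdad40d72
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 1.1.1.1
        payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 2.2.2.2
[ttl 0] (id 1, len 180)

08:32:37.167755 2.2.2.2.4500 > 1.1.1.1.500: [bad udp cksum a74b! -> a767]
udpencap: isakmp v1.0 exchange INFO
        cookie: aaaaaaaaaaaaaaaa->bbbbbbbbbbbbbbbb msgid: 16fb376e len: 76
        payload: HASH len: 24
        payload: NOTIFICATION len: 16
            notification: INVALID ID INFORMATION [ttl 0] (id 1, len 108)
"""

HDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
EXCH_RE = re.compile(r"exchange (\w+)")
XFORM_RE = re.compile(r"transform: \d+ ID: (\w+)")
ATTR_RE = re.compile(r"attribute (\w+) = (\w+)")
ID_RE = re.compile(r"payload: ID .*?proto: (\d+) port: (\d+) type: (\w+) = (\S+)")
NOTIFY_RE = re.compile(r"notification: ([A-Z_ ]+?)(?: \[|$)")


@dataclass
class Packet:
    src: tuple = ("", 0)                      # (address, UDP port) of the sender
    dst: tuple = ("", 0)
    exchange: str = ""                        # QUICK_MODE, INFO, ...
    transform: str = ""                       # ESP transform ID, e.g. AES
    attrs: dict = field(default_factory=dict)  # SA attributes of the transform
    ids: list = field(default_factory=list)   # (proto, port, id_type, address) per ID payload
    notification: str = ""


def parse_capture(text: str) -> list:
    """Split the dump into packets (blank-line separated) and extract the fields above."""
    packets = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        p = Packet()
        for line in chunk.splitlines():
            if m := HDR_RE.search(line):
                p.src, p.dst = (m.group(1), int(m.group(2))), (m.group(3), int(m.group(4)))
            elif m := EXCH_RE.search(line):
                p.exchange = m.group(1)
            elif m := XFORM_RE.search(line):
                p.transform = m.group(1)
            elif m := ATTR_RE.search(line):
                p.attrs[m.group(1)] = m.group(2)
            elif m := ID_RE.search(line):
                p.ids.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
            elif m := NOTIFY_RE.search(line):
                p.notification = m.group(1).strip()
        packets.append(p)
    return packets


def review_quick_mode(packets: list) -> dict:
    """Summarise the initiator's phase 2 proposal and the responder's answer."""
    qm = next(p for p in packets if p.exchange == "QUICK_MODE")
    info = next((p for p in packets if p.exchange == "INFO"), None)
    local_id, remote_id = qm.ids[0], qm.ids[1]
    r = {
        "rejected": bool(info and info.notification == "INVALID ID INFORMATION"),
        "transform": f"ESP {qm.transform}-{qm.attrs.get('KEY_LENGTH')} / "
                     f"{qm.attrs.get('AUTHENTICATION_ALGORITHM')}",
        "encap_mode": qm.attrs.get("ENCAPSULATION_MODE"),
        "local_selector": f"proto {local_id[0]} {local_id[3]} port {local_id[1]}",
        "remote_selector": f"proto {remote_id[0]} {remote_id[3]} port {remote_id[1]}",
        "id_ports_differ": local_id[1] != remote_id[1],
        # The reject was addressed to UDP/500 although quick mode was sent from 4500.
        "reply_port_differs": bool(info and info.dst[1] != qm.src[1]),
    }
    checks = []  # items to compare, one by one, with the responder's phase 2 policy
    if r["rejected"]:
        checks.append("responder did not accept the ID pair: compare each selector with its policy")
    if r["id_ports_differ"]:
        checks.append("local ID has port 0 (any) while remote ID names 1701: check whether the "
                      "responder expects 1701 on both ends")
    if r["encap_mode"] == "TUNNEL":
        checks.append("proposal is tunnel mode; RFC 3193 runs L2TP over IPsec in transport "
                      "mode, check which mode the responder's policy expects")
    r["checks"] = checks
    return r


if __name__ == "__main__":
    result = review_quick_mode(parse_capture(CAPTURE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The script only reads the text dump, so it can be pointed at any `tcpdump -n -vvv -r /var/run/isakmpd.pcap`-style output with the same layout; the `checks` list is what to hold against the peer's configuration before changing anything on the OpenBSD side.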