Hello all,

Currently my brother and I are trying to set up a VPN using isakmpd between two OBSD 3.8 boxes. We had a similar VPN working before. We both changed ADSL providers and thought it was time for an upgrade. However...

Our VPN refuses to work. We singled out a possible firewall problem. The pflog is quiet and even after a '$pfctl -F rules' we keep the same problem. A 'tcpdump -i xl1 port 500' shows that both sides receive cookies, but nothing more:

like this
$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
cookie: 385103343a680645->9c61c0d839d1d9ec msgid: 00000000 len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: 00000000 len: 168

The debuggin' info gives messages like this:
132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri) & fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500

My question is: What is happening here? How is it possible there is traffic on both sides on port 500 but the two are not able to get decent contact?


Thank you in advance.
Daom

confs follow:

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "our_bad_passw"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
# $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

# Daemon-wide settings.
[General]
# How many times a message is resent before the exchange is abandoned.
# The "giving up on exchange dimitri, no response from peer" debug line
# quoted above is presumably this limit being reached.
Retransmits= 5
# Upper bound, in seconds, on how long a single exchange may take.
Exchange-max-time=120
# Local address isakmpd binds UDP/500 on.  It has to be the address the
# peer actually sends to (the one seen in the tcpdump output above).
Listen-on= xxx.xxx.xxx.xxx
#Shared-SADB= Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address
# of the peer: a packet arriving from yyy.yyy.yyy.yyy is matched to the
# [dimitri] section below.
# NOTE(review): this must be exactly the address the peer's packets
# arrive from.  Both ends changed ADSL providers, so if this still
# refers to the old assignment, or the peer sits behind NAT, nothing
# matches and this side never answers -- which would be consistent with
# both boxes sending ID_PROT messages and neither replying.  Verify it
# against the source address shown by tcpdump on port 500.
[Phase 1]
yyy.yyy.yyy.yyy=dimitri

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
# Each name listed here is a phase 2 section; only daim-dimitri exists in
# this file.
# NOTE(review): a connection listed under Connections= is also initiated
# by this side at start-up.  If both boxes list it, each acts as an
# initiator -- consistent with the tcpdump above, where each side sends
# its own ID_PROT message with its own cookie pair.
[Phase 2]
Connections= daim-dimitri

# ISAKMP peer description, referenced from [Phase 1] (by source address)
# and from [daim-dimitri] (ISAKMP-peer=).
[dimitri]
Phase= 1
Transport= udp
# Address this side negotiates from; should agree with Listen-on above.
Local-address= xxx.xxx.xxx.xxx
# Peer's address; the same value as the [Phase 1] key.
Address= yyy.yyy.yyy.yyy
# Main mode parameters (DOI, exchange type, transforms), defined below.
Configuration= Default-main-mode
# Pre-shared key, stored in cleartext: keep this file readable by root
# only.  The identical string must be configured on the peer, and the
# isakmpd.policy Licensees field must name the same key.  NOTE(review):
# for pre-shared keys isakmpd.policy(5) writes that principal as
# "passphrase:<key>" (or a passphrase_sha1_hex:/passphrase_md5_hex:
# digest); the policy quoted above uses the bare string, which is worth
# re-checking once phase 1 gets past the current "no response from
# peer" failure (policy is only consulted for phase 2).
Authentication= our_bad_passw

# Phase 2 (quick mode) connection: the IPsec SA between the two LANs.
[daim-dimitri]
Phase= 2
# Phase 1 section whose ISAKMP SA protects this negotiation.
ISAKMP-peer= dimitri
# Quick mode parameters (exchange type and proposal list), defined below.
Configuration= Default-quick-mode
# Traffic selectors: our network and the peer's.  On the peer these two
# must be mirrored (its Local-ID is our Remote-ID and vice versa).
Local-ID= Net-daim
Remote-ID= Net-dimitri

# Identity sections used as quick mode selectors (address/netmask pairs).
[Net-daim]
ID-type= IPV4_ADDR_SUBNET
# LAN behind this box (Local-ID of daim-dimitri).
Network= 192.168.0.0
Netmask= 255.255.255.0

[Net-dimitri]
ID-type= IPV4_ADDR_SUBNET
# LAN behind the peer (Remote-ID of daim-dimitri).
Network= 10.10.10.0
Netmask= 255.255.255.0

# Main mode descriptions

# Phase 1 proposal.  Only one transform (DES-SHA) is offered, so the
# peer has to accept DES_CBC / SHA / PRE_SHARED / MODP_768 exactly.
# NOTE(review): single DES and a 768-bit MODP group are well below
# current recommendations; once the tunnel is up, pointing Transforms=
# at 3DES-SHA (defined below, MODP_1024) or stronger on both ends is the
# cheap fix.  It does not explain the present failure, which appears to
# occur before any proposal is compared ("no response from peer").
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-SHA

# Main mode transforms
######################
# Each section is one phase 1 proposal: cipher, hash, authentication
# method, Diffie-Hellman group and ISAKMP SA lifetime.  Only DES-SHA is
# referenced by Default-main-mode above; the others are spare
# definitions carried over from the sample file.
# NOTE(review): LIFE_1_DAY (used by 3DES-MD5 and CAST-SHA) is not
# defined anywhere in this file; selecting either transform would need a
# [LIFE_1_DAY] section like the lifetime sections near the end.

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

# Same as DES-MD5 but without the kilobyte lifetime.
[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

# The transform actually offered by Default-main-mode.
[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Blowfish
# KEY_LENGTH appears to follow the "offer,min:max" form also used by
# LIFE_DURATION below: 128 bits offered, 96..192 accepted -- confirm
# against isakmpd.conf(5).

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
Life= LIFE_600_SECS,LIFE_1000_KB

# 3DES / CAST (not Blowfish, despite their position in the file)

# Uses LIFE_1_DAY, which this file does not define.
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

# Uses LIFE_1_DAY, which this file does not define.
[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

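# Quick mode description
########################

# Phase 2 proposal list used by daim-dimitri.  Each entry names a
# protection suite section below; the peer must accept one of them.
# Proposals are listed once each -- repeating a suite only sends the
# same proposal twice.  Both suites negotiate PFS with MODP_1024 (see
# the -PFS-XF transforms); the DES/MD5 suite is a weak fallback and can
# be dropped once the peer is known to accept 3DES/SHA.
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE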

# Alternative quick mode configuration.  Not referenced by any
# connection in this file (daim-dimitri uses Default-quick-mode).
# NOTE(review): its suite QM-ESP-DES-SHA-PFS-SUITE points at a protocol
# section QM-ESP-DES-SHA-PFS that is not defined below, so selecting
# this configuration would fail until that section and its transform
# are added.
[Greenbow-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-SHA-PFS-SUITE

# Quick mode protection suites
##############################
# A suite is a list of protocol sections (ESP and/or AH) negotiated
# together.  Only QM-ESP-3DES-SHA-PFS-SUITE and QM-ESP-DES-MD5-PFS-SUITE
# are used by Default-quick-mode above.
# NOTE(review): QM-ESP-DES-PFS-SUITE and QM-ESP-DES-SHA-PFS-SUITE refer
# to protocol sections (QM-ESP-DES-PFS, QM-ESP-DES-SHA-PFS) that do not
# exist in this file; they are unused today but would break if selected.

# DES

[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES

# Protocol section QM-ESP-DES-PFS is not defined in this file.
[QM-ESP-DES-PFS-SUITE]
Protocols= QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5

# Used by Default-quick-mode.
[QM-ESP-DES-MD5-PFS-SUITE]
Protocols= QM-ESP-DES-MD5-PFS

[QM-ESP-DES-SHA-SUITE]
Protocols= QM-ESP-DES-SHA

# Protocol section QM-ESP-DES-SHA-PFS is not defined in this file.
[QM-ESP-DES-SHA-PFS-SUITE]
Protocols= QM-ESP-DES-SHA-PFS

# 3DES

[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

# Used by Default-quick-mode.
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

# AH

[QM-AH-MD5-SUITE]
Protocols= QM-AH-MD5

[QM-AH-MD5-PFS-SUITE]
Protocols= QM-AH-MD5-PFS

# AH + ESP
# Two protocols applied together; the order in the list is the order
# they are listed in the proposal.

[QM-AH-MD5-ESP-DES-SUITE]
Protocols= QM-AH-MD5,QM-ESP-DES

[QM-AH-MD5-ESP-DES-MD5-SUITE]
Protocols= QM-AH-MD5,QM-ESP-DES-MD5

[QM-ESP-DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-DES-MD5,QM-AH-MD5

# Quick mode protocols
# Each section binds an IPsec protocol (ESP or AH) to the transform
# section that carries its algorithms, mode and lifetime.

# DES

[QM-ESP-DES]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-XF

[QM-ESP-DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-MD5-XF

# Reached from Default-quick-mode via QM-ESP-DES-MD5-PFS-SUITE.
[QM-ESP-DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-MD5-PFS-XF

[QM-ESP-DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-DES-SHA-XF

# 3DES

[QM-ESP-3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-XF

# Reached from Default-quick-mode via QM-ESP-3DES-SHA-PFS-SUITE.
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF

# Transport-mode variant; no suite in this file references it.
[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-TRP-XF

# AH MD5

[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF

[QM-AH-MD5-PFS]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-PFS-XF

# Quick mode transforms
# Algorithms, encapsulation mode and lifetime for one IPsec SA.  A
# GROUP_DESCRIPTION here requests Perfect Forward Secrecy (a fresh DH
# exchange in quick mode) with that group.

# ESP DES, with or without an HMAC

# NOTE(review): no AUTHENTICATION_ALGORITHM, so this is ESP without
# integrity protection.  Unreferenced by Default-quick-mode; keep it
# that way.
[QM-ESP-DES-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
Life= LIFE_600_SECS

[QM-ESP-DES-MD5-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_600_SECS

# Used by Default-quick-mode (second proposal).
[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
GROUP_DESCRIPTION= MODP_1024
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_600_SECS

[QM-ESP-DES-SHA-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_600_SECS

# 3DES

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_600_SECS

# Used by Default-quick-mode (first proposal).
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_600_SECS

# AH

[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_600_SECS

# NOTE(review): unlike QM-AH-MD5-XF this has no AUTHENTICATION_ALGORITHM
# line; confirm whether that is intended before using the PFS AH suite.
[QM-AH-MD5-PFS-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

# SA lifetimes.  LIFE_DURATION is "offered,min:max": the first value is
# proposed, the range is what this side accepts from the peer.
# NOTE(review): LIFE_1_DAY, referenced by 3DES-MD5 and CAST-SHA above,
# has no section here.
[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200

[LIFE_1000_KB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 1000,768:1536

[LIFE_32_MB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 32768,16384:65536

[LIFE_4.5_GB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 4608000,4096000:8192000

# Certificates stored in PEM format.  Every main mode transform in this
# file uses AUTHENTICATION_METHOD= PRE_SHARED, so these paths are not
# exercised by the current setup; they only matter if a transform is
# switched to certificate authentication.
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
#Accept-self-signed= defined
# Private key for this host's own certificate; keep it root-readable only.
Private-key= /etc/isakmpd/private/local.key
