Hi All,

Last week I VERY successfully replaced our Cisco router with an OpenBSD
box. I had one issue with an OBSD -> Cisco VPN, that the list very
quickly helped me fix, and I'm hoping we can again!

Cisco Ext IP = yyy.yyy.yyy.yyy
My OBSD Ext IP = xxx.xxx.xxx.xxx
My OBSD subnet = xxx.xxx.xxx.0/24

Same setup as before (OBSD 3.9 - well snapshot :) and I'm getting the
following error:

Apr 11 00:09:50 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:09:50 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE
Apr 11 00:09:59 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:09:59 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE
Apr 11 00:10:10 gw1a isakmpd[22193]: transport_send_messages: giving up on exchange IPsec-xxx.xxx.xxx.0/24-yyy.yyy.yyy.yyy, no response from peer yyy.yyy.yyy.yyy:500
Apr 11 00:10:10 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:10:10 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE

After doing a capture (-L) I get:

#  tcpdump -nvs1300 -r /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 1300 to 65536
tcpdump: WARNING: compensating for unaligned libpcap packets
23:34:08.126298 0.0.0.0.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->0000000000000000 msgid: 00000000 len: 160
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 188)
23:34:08.301624 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 104
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
        payload: VENDOR len: 24 [ttl 0] (id 1, len 132)
23:34:08.303405 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 [ttl 0] (id 1, len 208)
23:34:08.481481 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 256
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 12
        payload: VENDOR len: 20
        payload: VENDOR len: 20 [ttl 0] (id 1, len 284)
23:34:08.483416 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 88
        payload: ID len: 12 type: IPV4_ADDR = xxx.xxx.xxx.xxx
        payload: HASH len: 20
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT (684e935a84d6b3fb->cc088651f4a2dfd1) [ttl 0] (id 1, len 116)
23:34:08.620554 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 84
        payload: ID len: 12 proto: 17 port: 500 type: IPV4_ADDR = yyy.yyy.yyy.yyy
        payload: HASH len: 20
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
23:34:08.622414 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: aed9552f len: 280
        payload: HASH len: 20
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xd557177b
                payload: TRANSFORM len: 28
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 1200
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = xxx.xxx.xxx.0/255.255.255.0
        payload: ID len: 12 type: IPV4_ADDR = yyy.yyy.yyy.yyy [ttl 0] (id 1, len 308)
23:34:08.676798 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: e9dd5dfc len: 76
        payload: HASH len: 20
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
            cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 [ttl 0] (id 1, len 104)
23:34:15.653560 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 949904791987b3bf->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1, len 84)
23:34:24.672954 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 8382cb7474a0d78d->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1, len 84)
23:34:35.693257 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: a520b89ce5e2766f->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28
            notification: INVALID COOKIE [ttl 0] (id 1, len 84)
#

my /etc/ipsec.conf is simple:

ike esp from xxx.xxx.xxx.0/24 to yyy.yyy.yyy.yyy main auth hmac-md5 enc 3des quick auth hmac-md5 enc 3des psk ssshhhhSecret

Ideas?
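As an added example (not part of the original post), here is a small Python 3 triage script for the isakmpd(8) log shapes quoted above: it pairs each INVALID_COOKIE drop with the unknown cookie pair logged just before it and collects "giving up on exchange" events per peer. The sample lines are constructed in the post's log format, with RFC 5737 documentation addresses standing in for the xxx/yyy placeholders.

```python
# Added example (not from the original post): triage isakmpd(8) syslog lines for
# IKEv1 failures. Sample lines are constructed in the post's log format, with
# RFC 5737 documentation addresses in place of the post's xxx/yyy placeholders.
import re
from collections import defaultdict

# syslog prefix written by isakmpd: "Mon DD HH:MM:SS host isakmpd[pid]: msg"
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ isakmpd\[\d+\]: (?P<msg>.*)$")
INVALID = re.compile(r"invalid cookie\(s\) (?P<i>[0-9a-f]{16}) (?P<r>[0-9a-f]{16})")
DROPPED = re.compile(r"dropped message from (?P<peer>\S+) port \d+ "
                     r"due to notification type (?P<type>\w+)")
GIVEUP = re.compile(r"giving up on exchange (?P<exchange>\S+), "
                    r"no response from peer (?P<peer>[^:]+):\d+")
SHAPES = (("invalid_cookie", INVALID), ("dropped", DROPPED), ("giveup", GIVEUP))

def parse_line(line):
    """Return (kind, fields) for one of the three message shapes, else None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    for kind, rx in SHAPES:
        hit = rx.search(m.group("msg"))
        if hit:
            return kind, hit.groupdict()
    return None

def triage(lines):
    """Per-peer summary. An INVALID_COOKIE drop means the incoming ISAKMP header
    carried a cookie pair matching no ISAKMP SA this daemon knows (RFC 2408);
    isakmpd logs that pair on the line just before the drop, so the two are paired."""
    report = defaultdict(lambda: {"invalid_cookie_drops": 0, "unknown_cookies": set(), "gave_up": []})
    pending = None
    for kind, f in filter(None, map(parse_line, lines)):
        if kind == "invalid_cookie":
            pending = (f["i"], f["r"])
        elif kind == "dropped" and f["type"] == "INVALID_COOKIE":
            entry = report[f["peer"]]
            entry["invalid_cookie_drops"] += 1
            if pending:
                entry["unknown_cookies"].add(pending)
            pending = None
        elif kind == "giveup":
            report[f["peer"]]["gave_up"].append(f["exchange"])
    return dict(report)

SAMPLE = """\
Apr 11 00:09:50 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:09:50 gw1a isakmpd[22193]: dropped message from 203.0.113.9 port 500 due to notification type INVALID_COOKIE
Apr 11 00:10:10 gw1a isakmpd[22193]: transport_send_messages: giving up on exchange IPsec-192.0.2.0/24-203.0.113.9, no response from peer 203.0.113.9:500
"""
```

Feed it `triage(open("/var/log/daemon").read().splitlines())` (or the SAMPLE above) and a peer that keeps appearing with the same unknown cookie pair is one whose view of the ISAKMP SA no longer matches this side's.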
