Hi All,

Last week I VERY successfully replaced our Cisco router with an OpenBSD box. I had one issue with an OBSD -> Cisco VPN, that the list very quickly helped me fix, and I'm hoping we can again!
Cisco Ext IP = yyy.yyy.yyy.yyy
My OBSD Ext IP = xxx.xxx.xxx.xxx
My OBSD subnet = xxx.xxx.xxx.0/24

Same setup as before (OBSD 3.9 - well snapshot :) and I'm getting the following error:

Apr 11 00:09:50 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:09:50 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE
Apr 11 00:09:59 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:09:59 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE
Apr 11 00:10:10 gw1a isakmpd[22193]: transport_send_messages: giving up on exchange IPsec-xxx.xxx.xxx.0/24-yyy.yyy.yyy.yyy, no response from peer yyy.yyy.yyy.yyy:500
Apr 11 00:10:10 gw1a isakmpd[22193]: message_recv: invalid cookie(s) a552bd96c83f5f8d 3d6cc0b0e0314d4f
Apr 11 00:10:10 gw1a isakmpd[22193]: dropped message from yyy.yyy.yyy.yyy port 500 due to notification type INVALID_COOKIE

After doing a capture (-L) I get:

# tcpdump -nvs1300 -r /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 1300 to 65536
tcpdump: WARNING: compensating for unaligned libpcap packets
23:34:08.126298 0.0.0.0.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->0000000000000000 msgid: 00000000 len: 160
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = MD5
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 188)
23:34:08.301624 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 104
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = MD5
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
        payload: VENDOR len: 24 [ttl 0] (id 1, len 132)
23:34:08.303405 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 [ttl 0] (id 1, len 208)
23:34:08.481481 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 256
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 12
        payload: VENDOR len: 20
        payload: VENDOR len: 20 [ttl 0] (id 1, len 284)
23:34:08.483416 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 88
        payload: ID len: 12 type: IPV4_ADDR = xxx.xxx.xxx.xxx
        payload: HASH len: 20
        payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (684e935a84d6b3fb->cc088651f4a2dfd1) [ttl 0] (id 1, len 116)
23:34:08.620554 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: 00000000 len: 84
        payload: ID len: 12 proto: 17 port: 500 type: IPV4_ADDR = yyy.yyy.yyy.yyy
        payload: HASH len: 20
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
23:34:08.622414 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: aed9552f len: 280
        payload: HASH len: 20
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xd557177b
                payload: TRANSFORM len: 28 transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 1200
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                    attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = xxx.xxx.xxx.0/255.255.255.0
        payload: ID len: 12 type: IPV4_ADDR = yyy.yyy.yyy.yyy [ttl 0] (id 1, len 308)
23:34:08.676798 yyy.yyy.yyy.yyy.500 > xxx.xxx.xxx.xxx.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 msgid: e9dd5dfc len: 76
        payload: HASH len: 20
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: 684e935a84d6b3fb->cc088651f4a2dfd1 [ttl 0] (id 1, len 104)
23:34:15.653560 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 949904791987b3bf->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28 notification: INVALID COOKIE [ttl 0] (id 1, len 84)
23:34:24.672954 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 8382cb7474a0d78d->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28 notification: INVALID COOKIE [ttl 0] (id 1, len 84)
23:34:35.693257 xxx.xxx.xxx.xxx.500 > yyy.yyy.yyy.yyy.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: a520b89ce5e2766f->0000000000000000 msgid: 00000000 len: 56
        payload: NOTIFICATION len: 28 notification: INVALID COOKIE [ttl 0] (id 1, len 84)
#

My /etc/ipsec.conf is simple:

ike esp from xxx.xxx.xxx.0/24 to yyy.yyy.yyy.yyy \
        main auth hmac-md5 enc 3des \
        quick auth hmac-md5 enc 3des \
        psk ssshhhhSecret

Ideas?
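As an added illustration (not part of the original post, and not isakmpd or tcpdump code), the Python below decodes the fixed ISAKMP header and the NOTIFICATION/DELETE payloads defined in RFC 2408, so the tail of a capture like the one above can be checked programmatically rather than by eye. It replays a constructed cleartext version of the last four datagrams (our QUICK_MODE proposal, the peer's INFO/DELETE for the phase 1 SA, and two of the INVALID COOKIE notifications sent afterwards under fresh initiator cookies) and reports those two events. The cookie values, exchange types, payload types and payload lengths are copied from the capture; the datagram bytes themselves are constructed, and the SPI field inside the INVALID_COOKIE notify is assumed to carry the unrecognised cookie pair from the isakmpd log (consistent with the 28-byte notification in the capture, but an assumption). Real INFO and QUICK_MODE traffic is encrypted on the wire; only the -L capture file shows it decrypted, so the parser refuses to walk payloads when the E flag is set.

```python
import struct

# Field layouts from RFC 2408 (ISAKMP); all multi-byte fields are network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # icookie, rcookie, next payload, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
NOTIFY_FIXED = struct.Struct("!IBBH")       # DOI, protocol id, SPI size, notify type (for DELETE: number of SPIs)

EXCHANGE = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFO", 32: "QUICK_MODE"}
PAYLOAD = {1: "SA", 4: "KEY_EXCH", 5: "ID", 8: "HASH", 10: "NONCE",
           11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR"}
NOTIFY = {4: "INVALID_COOKIE", 24576: "INITIAL_CONTACT"}
PROTO_ISAKMP = 1          # protocol id naming the phase 1 SA itself in DELETE / NOTIFICATION
FLAG_ENCRYPTED = 0x01     # E bit: everything after the header is encrypted under the phase 1 SA


def parse_isakmp(data):
    """Decode one ISAKMP datagram. Payloads are walked only when the E flag is clear."""
    icookie, rcookie, nxt, _ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("header says %d bytes, datagram is %d" % (length, len(data)))
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "msgid": msgid,
           "exchange": EXCHANGE.get(exch, str(exch)),
           "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": []}
    off, ptype = ISAKMP_HDR.size, nxt
    while ptype and not msg["encrypted"]:
        if off + GENERIC_HDR.size > len(data):
            raise ValueError("truncated payload header")
        nxt, _res, plen = GENERIC_HDR.unpack_from(data, off)
        if plen < GENERIC_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length %d" % plen)
        body = data[off + GENERIC_HDR.size:off + plen]
        entry = {"type": PAYLOAD.get(ptype, str(ptype)), "len": plen}
        if ptype in (11, 12):                      # NOTIFICATION and DELETE share the same fixed part
            _doi, proto, spisz, last = NOTIFY_FIXED.unpack_from(body)
            entry["proto"] = proto
            if ptype == 11:
                entry["notify"] = NOTIFY.get(last, str(last))
                entry["spi"] = body[8:8 + spisz].hex()
            else:
                entry["spis"] = [body[8 + i * spisz:8 + (i + 1) * spisz].hex() for i in range(last)]
        msg["payloads"].append(entry)
        off, ptype = off + plen, nxt
    return msg


def build_isakmp(icookie, rcookie, exch, msgid, payloads, flags=0):
    """Assemble a cleartext datagram from (payload type, body) pairs, filling in the next-payload chain."""
    out = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exch, flags, msgid, ISAKMP_HDR.size + len(out)) + out


def diagnose(datagrams):
    """Flag the two events visible in the capture: the peer deleting the phase 1 SA (DELETE, proto ISAKMP)
    and our side answering later traffic with INVALID_COOKIE under a fresh initiator cookie."""
    deleted, rejected = [], []
    for direction, raw in datagrams:
        m = parse_isakmp(raw)
        for p in m["payloads"]:
            if direction == "in" and p["type"] == "DELETE" and p["proto"] == PROTO_ISAKMP:
                deleted.append((m["icookie"], m["rcookie"]))
            if direction == "out" and p.get("notify") == "INVALID_COOKIE" and m["rcookie"] == "00" * 8:
                rejected.append(p["spi"])          # assumed: SPI carries the cookie pair we did not recognise
    return {"isakmp_sa_deleted_by_peer": deleted, "invalid_cookie_sent_for": rejected}


# Constructed sample modelled on the capture (cleartext here; on the wire the INFO and QUICK_MODE
# messages are encrypted and only readable from isakmpd's -L capture file).
I, R = bytes.fromhex("684e935a84d6b3fb"), bytes.fromhex("cc088651f4a2dfd1")
UNKNOWN = bytes.fromhex("a552bd96c83f5f8d3d6cc0b0e0314d4f")   # cookies isakmpd logged as invalid
SAMPLE = [
    ("out", build_isakmp(I, R, 32, 0xaed9552f, [(8, b"\0" * 16), (1, b"\0" * 48)])),
    ("in",  build_isakmp(I, R, 5, 0xe9dd5dfc,
                         [(8, b"\0" * 16), (12, NOTIFY_FIXED.pack(1, PROTO_ISAKMP, 16, 1) + I + R)])),
    ("out", build_isakmp(bytes.fromhex("949904791987b3bf"), bytes(8), 5, 0,
                         [(11, NOTIFY_FIXED.pack(1, PROTO_ISAKMP, 16, 4) + UNKNOWN)])),
    ("out", build_isakmp(bytes.fromhex("8382cb7474a0d78d"), bytes(8), 5, 0,
                         [(11, NOTIFY_FIXED.pack(1, PROTO_ISAKMP, 16, 4) + UNKNOWN)])),
]

if __name__ == "__main__":
    for direction, raw in SAMPLE:
        m = parse_isakmp(raw)
        print(direction, m["exchange"], m["icookie"], "->", m["rcookie"], [p["type"] for p in m["payloads"]])
    print(diagnose(SAMPLE))
```

Running it prints one summary line per datagram followed by the two lists from diagnose(). This only makes the order of events in the capture explicit (phase 1 completes, we send the quick mode proposal, the peer deletes the phase 1 SA, and later messages from the peer arrive under a cookie pair isakmpd no longer knows); it does not say why the peer tore the SA down, which is the question the post is asking.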