What ipsec software is running on the clients? What does your
ipsec.conf on the firewall look like?

On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
> Hoping someone can point me in the right direction to get isakmpd working.
> 
> The scenario:
> - the router drops all traffic directed to it from the dmz net
> - the router drops all traffic destined for the lan from the dmz
> - the router drops all traffic destined for the dmz from the lan
> - vlan1 (dmz) has linux hosts
> - vlan2 (lan) has windows and linux hosts, for the purpose of this
> exercise, I am using a windows host
> 
> The goals:
> - create a way by which hosts in the lan can connect to the dmz network
> using ipsec/isakmpd
> - starting off with simple auth, shared secret passphrase
> 
> The problem:
> - I am unable to establish a SA between the router and the lan hosts
>   isakmpd returns the following:
> 155359.461787 Default message_recv: cleartext phase 2 message
> 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
> notification type INVALID_FLAGS
> 
> Some background Info:
> 
> My network is as follows:
> (trunking is next on my list, but for now, I have separate interfaces on
> the router for each vlan)
> 
>                     |
>                 Internet (dynamic ip)
>                     |1.1.1.2
>        +------------------------+
>        |   router/fw/isakmpd    |
>        +------------------------+
>     10.180.16.1 |     |10.107.208.1
>            dmz  |     |  lan
>        +--------+     +--------+
>        |                       |
>     +-----------------------------+
>     |           switch            |
>     |  vlan1       |      vlan2   |
>     +-----------------------------+
>            |            |
>            |            |
> +---------------+ +-------------------+
> | www server    | |   workstation 1   |
> | 10.180.16.250 | |   10.107.208.20   |
> +---------------+ +-------------------+
> 
> - OpenBSD Router:
> - relevant ifconfig
> ** internet
> hme0:
> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
> mtu 1500
>         lladdr xxx
>         groups: egress
>         media: Ethernet 100baseTX full-duplex
>         status: active
>         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
>         inet 1.1.1.2 netmask 0xffffe000 broadcast 1.1.1.255
> ** lan
> hme1:
> flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
> mtu 1500
>         lladdr 08:00:20:ca:7d:c5
>         media: Ethernet 100baseTX
>         status: active
>         inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
>         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
> ** dmz
> hme2:
> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
> mtu 1500
>         lladdr 08:00:20:ca:7d:c6
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
>         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
> 
> # cat isakmpd.policy
> KeyNote-Version: 2
> Authorizer: "POLICY"
> Licensees: "passphrase:foobar"
> Conditions: app_domain == "IPsec policy" &&
>             esp_present == "yes" &&
>             esp_enc_alg == "3des" &&
>             esp_auth_alg == "hmac-md5" -> "true";
> 
> # isakmpd -d -4 -DA=10
> 155358.773509 Default log_debug_cmd: log level changed from 0 to 10 for
> class 0 [priv]
> 155358.775093 Default log_debug_cmd: log level changed from 0 to 10 for
> class 1 [priv]
> 155358.775757 Default log_debug_cmd: log level changed from 0 to 10 for
> class 2 [priv]
> 155358.776153 Default log_debug_cmd: log level changed from 0 to 10 for
> class 3 [priv]
> 155358.776672 Default log_debug_cmd: log level changed from 0 to 10 for
> class 4 [priv]
> 155358.777056 Default log_debug_cmd: log level changed from 0 to 10 for
> class 5 [priv]
> 155358.777524 Default log_debug_cmd: log level changed from 0 to 10 for
> class 6 [priv]
> 155358.777914 Default log_debug_cmd: log level changed from 0 to 10 for
> class 7 [priv]
> 155358.778416 Default log_debug_cmd: log level changed from 0 to 10 for
> class 8 [priv]
> 155358.778794 Default log_debug_cmd: log level changed from 0 to 10 for
> class 9 [priv]
> 155358.779267 Default log_debug_cmd: log level changed from 0 to 10 for
> class 10 [priv]
> 155358.788915 Misc 10 monitor_init: privileges dropped for child process
> 155359.444597 Timr 10 timer_add_event: event
> connection_checker(0x4fe41420) added last, expiration in 0s
> 155359.451947 Timr 10 timer_handle_expirations: event
> connection_checker(0x4fe41420)
> 155359.452947 Timr 10 timer_add_event: event
> connection_checker(0x4fe41420) added last, expiration in 60s
> 155359.453857 Timr 10 timer_add_event: event
> exchange_free_aux(0x44908c00) added last, expiration in 120s
> 155359.454632 Exch 10 exchange_establish_p1: 0x44908c00 ISAKMP-peer-west
> Default-phase-1-configuration policy initiator phase 1 doi 1 exchange 2
> step 0
> 155359.455323 Exch 10 exchange_establish_p1: icookie 4d18594e523695f1
> rcookie 0000000000000000
> 155359.455748 Exch 10 exchange_establish_p1: msgid 00000000
> 155359.457524 Timr 10 timer_add_event: event
> message_send_expire(0x4d2dab00) added before
> connection_checker(0x4fe41420), expiration in 7s
> 155359.459672 Timr 10 timer_add_event: event
> exchange_free_aux(0x44909000) added last, expiration in 120s
> 155359.460277 Exch 10 exchange_setup_p2: 0x44909000 <unnamed> <no
> policy> policy responder phase 2 doi 1 exchange 5 step 0
> 155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1
> rcookie a6af81ffd3a2d153
> 155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
> 155359.461787 Default message_recv: cleartext phase 2 message
> 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
> notification type INVALID_FLAGS
> 155359.462856 Timr 10 timer_add_event: event
> exchange_free_aux(0x44909200) added last, expiration in 120s
> 155359.463566 Exch 10 exchange_establish_p1: 0x44909200 <unnamed> <no
> policy> policy initiator phase 1 doi 1 exchange 5 step 0
> 155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997
> rcookie 0000000000000000
> 155359.464539 Exch 10 exchange_establish_p1: msgid 00000000
> 155359.465751 Exch 10 exchange_finalize: 0x44909200 <unnamed> <no
> policy> policy initiator phase 1 doi 1 exchange 5 step 1
> 155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997
> rcookie 0000000000000000
> 155359.466708 Exch 10 exchange_finalize: msgid 00000000
> 155359.467220 Timr 10 timer_remove_event: removing event
> exchange_free_aux(0x44909200)
> 155406.461707 Timr 10 timer_handle_expirations: event
> message_send_expire(0x4d2dab00)
> 155406.463417 Timr 10 timer_add_event: event
> message_send_expire(0x4d2dab00) added before
> connection_checker(0x4fe41420), expiration in 9s
> 
> Thanks,
> Axton Grams
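
The debug trace quoted in the post is easier to read once the exchange_* lines are grouped into exchanges and the numeric exchange types are decoded. The script below is an added example, not code from the poster or from isakmpd itself: it parses isakmpd -DA=10 output, groups the lines by exchange address, maps the "exchange N" numbers to their ISAKMP names (RFC 2408 and the IPsec DOI), and reports every exchange on which a message was dropped, together with whether a phase 1 SA for the same initiator cookie had got past step 0 at that point. The function and field names are my own, and the embedded sample is a constructed subset of the log lines from the post, re-joined where the mail client wrapped them.

```python
"""Group isakmpd -DA=10 debug output into exchanges and report dropped messages.

Added example for the thread above; not the poster's code and not part of isakmpd.
Function and field names are assumptions made for this illustration."""
import re
import sys

# ISAKMP exchange types (RFC 2408 section 3.1) plus the IPsec DOI additions (RFC 2407).
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}

# Constructed sample: lines copied from the post, with mail-client wrapping undone.
SAMPLE_LOG = """\
155359.454632 Exch 10 exchange_establish_p1: 0x44908c00 ISAKMP-peer-west Default-phase-1-configuration policy initiator phase 1 doi 1 exchange 2 step 0
155359.455323 Exch 10 exchange_establish_p1: icookie 4d18594e523695f1 rcookie 0000000000000000
155359.455748 Exch 10 exchange_establish_p1: msgid 00000000
155359.460277 Exch 10 exchange_setup_p2: 0x44909000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1 rcookie a6af81ffd3a2d153
155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
155359.463566 Exch 10 exchange_establish_p1: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997 rcookie 0000000000000000
155359.464539 Exch 10 exchange_establish_p1: msgid 00000000
155359.465751 Exch 10 exchange_finalize: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997 rcookie 0000000000000000
155359.466708 Exch 10 exchange_finalize: msgid 00000000
"""

# The first line of each exchange dump carries the exchange address and its parameters;
# the following icookie/rcookie and msgid lines belong to that same exchange.
HEADER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) Exch \d+ (?P<fn>exchange_\w+): (?P<addr>0x[0-9a-f]+) "
    r"(?P<name>\S+) (?P<policy>.+?) policy (?P<role>initiator|responder) "
    r"phase (?P<phase>\d) doi (?P<doi>\d+) exchange (?P<etype>\d+) step (?P<step>\d+)$")
COOKIE_RE = re.compile(r"icookie (?P<icookie>[0-9a-f]{16}) rcookie (?P<rcookie>[0-9a-f]{16})")
MSGID_RE = re.compile(r"msgid (?P<msgid>[0-9a-f]{8})")
RECV_RE = re.compile(r"^(?P<ts>\d+\.\d+) Default message_recv: (?P<reason>.+)$")
DROP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) Default dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)$")


def parse_log(text):
    """Return the exchanges in order of first appearance, each as a dict."""
    exchanges, by_addr, current = [], {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            addr = m.group("addr")
            if addr not in by_addr:
                etype = int(m.group("etype"))
                by_addr[addr] = {
                    "addr": addr, "name": m.group("name"), "policy": m.group("policy"),
                    "role": m.group("role"), "phase": int(m.group("phase")),
                    "etype": etype, "etype_name": EXCHANGE_TYPES.get(etype, "unknown"),
                    "icookie": None, "rcookie": None, "msgid": None, "step": 0, "events": [],
                }
                exchanges.append(by_addr[addr])
            current = by_addr[addr]
            current["step"] = int(m.group("step"))   # exchange_finalize raises the step
            current["events"].append(m.group("fn"))
            continue
        if current is None:
            continue
        m = COOKIE_RE.search(line)
        if m:
            current["icookie"], current["rcookie"] = m.group("icookie"), m.group("rcookie")
            continue
        m = MSGID_RE.search(line)
        if m:
            current["msgid"] = m.group("msgid")
            continue
        m = RECV_RE.match(line)
        if m:
            current["events"].append("recv: " + m.group("reason"))
            continue
        m = DROP_RE.match(line)
        if m:
            current["events"].append("dropped: %s from %s:%s"
                                     % (m.group("notify"), m.group("peer"), m.group("port")))
    return exchanges


def diagnose(exchanges):
    """One finding per exchange that had a message dropped.  A phase 2 message is only
    valid on top of a phase 1 SA; isakmpd logs 'cleartext phase 2 message' when a
    message with a non-zero message ID arrives without the encryption flag set."""
    findings = []
    for ex in exchanges:
        drops = [e for e in ex["events"] if e.startswith("dropped: ")]
        if not drops:
            continue
        # A phase 1 exchange on the same initiator cookie counts as completed only once
        # it has a non-zero responder cookie (it was still at step 0 in the posted trace).
        p1_done = any(o is not ex and o["phase"] == 1 and o["icookie"] == ex["icookie"]
                      and o["rcookie"] not in (None, "0" * 16) for o in exchanges)
        desc = "%s phase %d %s exchange (type %d), icookie %s rcookie %s msgid %s: %s" % (
            ex["role"], ex["phase"], ex["etype_name"], ex["etype"],
            ex["icookie"], ex["rcookie"], ex["msgid"], "; ".join(drops))
        if ex["phase"] == 2 and not p1_done:
            desc += " [no completed phase 1 SA for icookie %s at this point]" % ex["icookie"]
        findings.append(desc)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(parse_log(text)):
        print(finding)
```

Run it on a saved trace (isakmpd -d -4 -DA=10 2>&1 | tee trace.log, then python3 script.py trace.log) or with no argument to use the embedded sample; on that sample it reports the single responder phase 2 Informational exchange whose cleartext message from 10.107.208.20 was dropped with INVALID_FLAGS while the main mode exchange on the same initiator cookie was still at step 0.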
