2011/1/10, Christoph Leser le...@sup-logistik.de:
Hello,
I have IPsec VPNs in tunnel mode, configured in ipsec.conf with a line like:
    ike active esp tunnel from my_internal_net to his_internal_net peer his_gateway_address main_mode_parameters quick_mode_parameters preshared_key
My isakmpd.policy file is
    # cat /etc/isakmpd/isakmpd.policy
    Keynote-version: 2
    Authorizer: "POLICY"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";
Everything works fine.
But today, one of the remote_gateways was replaced by a misconfigured
new one, leading to the following phase-2 packet:
    13:29:01.098526 remote_gateway_ip.500 > my_gateway_ip.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 70de03ee348066c9-76aabe706bed52c2 msgid: 301c68c8 len: 300
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcb2d2b94
                payload: TRANSFORM len: 32
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute KEY_LENGTH = 128
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
    [ttl 0] (id 1, len 328)
Please note that both ID parameters in this packet are 0.0.0.0.
This led to a routing entry (made by isakmpd, I suppose):
    # netstat -rn | grep his_ip
    default 0 default 0 0 remote_gateway_ip/esp/use/in
    default 0 default 0 0 remote_gateway_ip/esp/require/out
This route virtually disconnected my gateway from both the external and the internal network; no ping to any address was successful.
I would like to ask:
1. Is it true that isakmpd is supposed to accept any ID parameter of type IPV4_ADDR_SUBNET in quick mode and set up a corresponding route, even when it is the 'default' route?
2. What would I have to change to only accept those remote network IDs that are configured in ipsec.conf?
Thanks
--
Martin Pelikán, Steadynet
E-mail: martin.peli...@gmail.com, gpg key 0x7176E4C9
Tel: +420 724 818 573
Jabber: sztor...@jabber.cz
web: http://cap.potazmo.cz/
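A defender-side check for the situation described in the post above, added here as an example (it is neither isakmpd code nor the poster's): it pulls the IPV4_ADDR_SUBNET IDs out of a tcpdump quick-mode decode like the one quoted and rejects any selector that is the 0.0.0.0/0 wildcard or lies outside the flow configured in ipsec.conf. The networks 10.1.0.0/16 and 10.2.0.0/16 are assumed stand-ins for my_internal_net and his_internal_net.

```python
import ipaddress
import re

# Constructed excerpt of the tcpdump(8) output from the post: the two ID payloads
# carry the wildcard 0.0.0.0/0.0.0.0 that produced the "default" encap routes.
QUICK_MODE_DUMP = """\
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
"""

# Hypothetical networks standing in for my_internal_net / his_internal_net.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")
REMOTE_NET = ipaddress.ip_network("10.2.0.0/16")

ID_RE = re.compile(r"type: IPV4_ADDR_SUBNET = (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def parse_subnet_ids(dump):
    """Return the IPV4_ADDR_SUBNET IDs found in a tcpdump quick-mode decode, in order."""
    nets = []
    for addr, mask in ID_RE.findall(dump):
        # strict=False tolerates a non-zero host part in a sloppy ID
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def check_phase2_ids(dump, local_net, remote_net):
    """
    Compare the proposed traffic selectors with the configured flow.
    Quick mode carries IDci (initiator's network) before IDcr; the remote
    gateway initiated the quoted exchange, so the first ID is its network
    and the second is ours. Returns a list of problems; empty means the
    proposal matches what ipsec.conf configured.
    """
    ids = parse_subnet_ids(dump)
    if len(ids) != 2:
        return [f"expected 2 ID payloads, found {len(ids)}"]
    remote_id, local_id = ids
    problems = []
    for label, got, want in (("remote", remote_id, remote_net),
                             ("local", local_id, local_net)):
        if got.prefixlen == 0:
            problems.append(f"{label} ID {got} is the wildcard/default route")
        elif not got.subnet_of(want):
            problems.append(f"{label} ID {got} is not inside configured {want}")
    return problems


if __name__ == "__main__":
    for problem in check_phase2_ids(QUICK_MODE_DUMP, LOCAL_NET, REMOTE_NET):
        print("reject:", problem)
```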