Re: isakmpd: message_recv: invalid cookie(s)

2007-07-05 Thread Jason Mader

On 6/26/07, Jason Mader [EMAIL PROTECTED] wrote:

> On two OpenBSD 4.1-stable systems, I get:
>
> isakmpd[31988]: message_recv: invalid cookie(s) 378fd1c537d22b16
> 38bf2f6699147070
> isakmpd[31988]: dropped message from 128.164.144.144 port 500 due to
> notification type INVALID_COOKIE
>
> isakmpd is running with the -K option, and ipsec.conf is very simple,
>
> ike esp from 128.164.159.159 to 128.164.144.144 quick enc aesctr
>
> IPsec is working.  I'm unsure why occasionally the cookie becomes
> invalid and what it is I can do about it.  What is the problem?


Will the following, more detailed, log from isakmpd help?

isakmpd[13050]: timer_handle_expirations: event sa_hard_expire(0x8b81f900)
isakmpd[13050]: sa_release: SA 0x8b81f900 had 2 references
isakmpd[13050]: sa_find: return SA 0x8b81f900
isakmpd[13050]: conf_get_str: [General]:Exchange-max-time-120
isakmpd[13050]: timer_add_event: event exchange_free_aux(0x8b81f400)
added before sa_soft_expire(0x7f467f00), expiration in 120s
isakmpd[13050]: exchange_establish_p2: 0x8b81f400 unnamed no
policy policy initiator phase 2 doi 1 exchange 5 step 0
isakmpd[13050]: exchange_establish_p2: icookie 19e73d1b7eaa4475
rcookie aabe880dbbf5ccd8
isakmpd[13050]: exchange_establish_p2: msgid 51eb7842 sa_list
isakmpd[13050]: message_alloc: allocated 0x8767e400
isakmpd[13050]: sa_reference: SA 0x8b81f900 now has 2 references
isakmpd[13050]: hash_get: requested algorithm 1
isakmpd[13050]: hash_get: requested algorithm 1
isakmpd[13050]: ipsec_fill_in_hash: SKEYID_a:
isakmpd[13050]: cce6e905 536f8787 9346376d 3db8e6d4 bdb3c637
isakmpd[13050]: hash_get: requested algorithm 1
isakmpd[13050]: ipsec_fill_in_hash: message_id:
isakmpd[13050]: 51eb7842
isakmpd[13050]: ipsec_fill_in_hash: payload 1 after HASH(1):
isakmpd[13050]: 001c 0001 0111 19e73d1b 7eaa4475 aabe880d bbf5ccd8
isakmpd[13050]: ipsec_fill_in_hash: HASH(1):
isakmpd[13050]: d24c103a 21952104 a0a9a99c c26dd69a 541f092b
isakmpd[13050]: exchange_validate: checking for required INFO
isakmpd[13050]: hash_get: requested algorithm 1
isakmpd[13050]: ipsec_get_keystate: final phase 1 IV:
isakmpd[13050]: 9eb0087d 3b382159 f0c89bd1 72e00215
isakmpd[13050]: ipsec_get_keystate: message ID:
isakmpd[13050]: 51eb7842
isakmpd[13050]: crypto_init_iv: initialized IV:
isakmpd[13050]: 16cd1a46 71f6df4a 602bb0a3 2555ab02
isakmpd[13050]: ipsec_get_keystate: phase 2 IV:
isakmpd[13050]: 16cd1a46 71f6df4a 602bb0a3 2555ab02
isakmpd[13050]: crypto_encrypt: before encryption:
isakmpd[13050]: 0c18 d24c103a 21952104 a0a9a99c c26dd69a 541f092b
001c 0001
isakmpd[13050]: 0111 19e73d1b 7eaa4475 aabe880d bbf5ccd8
isakmpd[13050]: crypto_encrypt: after encryption:
isakmpd[13050]: 7d85876e 787714ee 8b2114ef 432558d5 2f6065f3 1cfa01a2
865318eb e11945cf
isakmpd[13050]: fdf9b1c0 ccb63617 2c86c210 e02253eb a77c771f 690c9aa3
e8928ed8 8f4c325a
isakmpd[13050]: crypto_update_iv: updated IV:
isakmpd[13050]: a77c771f 690c9aa3 e8928ed8 8f4c325a
isakmpd[13050]: message_send: message 0x8767e400
isakmpd[13050]: ICOOKIE: 19e73d1b7eaa4475
isakmpd[13050]: RCOOKIE: aabe880dbbf5ccd8
isakmpd[13050]: NEXT_PAYLOAD: HASH
isakmpd[13050]: VERSION: 16
isakmpd[13050]: EXCH_TYPE: INFO
isakmpd[13050]: FLAGS: [ ENC ]
isakmpd[13050]: MESSAGE_ID: 51eb7842
isakmpd[13050]: LENGTH: 92
isakmpd[13050]: message_send: 19e73d1b 7eaa4475 aabe880d bbf5ccd8
08100501 51eb7842 005c 7d85876e
isakmpd[13050]: message_send: 787714ee 8b2114ef 432558d5 2f6065f3
1cfa01a2 865318eb e11945cf fdf9b1c0
isakmpd[13050]: message_send: ccb63617 2c86c210 e02253eb a77c771f
690c9aa3 e8928ed8 8f4c325a
isakmpd[13050]: exchange_run: exchange 0x8b81f400 finished step 0, advancing...
isakmpd[13050]: sa_remove: SA 0x8b81f900 removed from SA list
isakmpd[13050]: sa_release: SA 0x8b81f900 had 2 references
isakmpd[13050]: transport_setup: added 0x7cbedb40 to transport list
isakmpd[13050]: transport_setup: added 0x7d605e40 to transport list
isakmpd[13050]: virtual_clone: old 0x7d6051c0 new 0x7cbed5c0 (main is
0x7cbedb40)
isakmpd[13050]: transport_setup: virtual transport 0x7cbed5c0
isakmpd[13050]: message_alloc: allocated 0x8767ed80
isakmpd[13050]: message_recv: message 0x8767ed80
isakmpd[13050]: ICOOKIE: 19e73d1b7eaa4475
isakmpd[13050]: RCOOKIE: aabe880dbbf5ccd8
isakmpd[13050]: NEXT_PAYLOAD: HASH
isakmpd[13050]: VERSION: 16
isakmpd[13050]: EXCH_TYPE: INFO
isakmpd[13050]: FLAGS: [ ENC ]
isakmpd[13050]: MESSAGE_ID: cb24a722
isakmpd[13050]: LENGTH: 92
isakmpd[13050]: message_recv: 19e73d1b 7eaa4475 aabe880d bbf5ccd8
08100501 cb24a722 005c 70a3da64
isakmpd[13050]: message_recv: aac1f7db 48966b30 879f8153 a51d756f
ae42f215 88d3d400 221f3e42 09c90f4b
isakmpd[13050]: message_recv: ce85d7d5 6aa778b2 97d6810c 987b3d70
ac707e4b 8d417394 369ff9ff
isakmpd[13050]: message_recv: invalid cookie(s) 19e73d1b7eaa4475
aabe880dbbf5ccd8
isakmpd[13050]: dropped message from 128.164.144.144 port 500 due to
notification type INVALID_COOKIE
isakmpd[13050]: conf_get_str: [General]:Exchange-max-time-120
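
Added example, not part of the original post: a small Python correlator for isakmpd debug logs like the one above. For each INVALID_COOKIE drop it reports the last message sent and the dropped message for that cookie pair, and whether an sa_remove was logged between them; the sample lines are constructed from the log above with the e-mail line wraps joined, and the function and field names are this example's own.

```python
import re

# Constructed sample: lines modelled on the isakmpd debug log above, unwrapped.
SAMPLE = """\
isakmpd[13050]: message_send: message 0x8767e400
isakmpd[13050]: ICOOKIE: 19e73d1b7eaa4475
isakmpd[13050]: RCOOKIE: aabe880dbbf5ccd8
isakmpd[13050]: EXCH_TYPE: INFO
isakmpd[13050]: MESSAGE_ID: 51eb7842
isakmpd[13050]: sa_remove: SA 0x8b81f900 removed from SA list
isakmpd[13050]: message_recv: message 0x8767ed80
isakmpd[13050]: ICOOKIE: 19e73d1b7eaa4475
isakmpd[13050]: RCOOKIE: aabe880dbbf5ccd8
isakmpd[13050]: EXCH_TYPE: INFO
isakmpd[13050]: MESSAGE_ID: cb24a722
isakmpd[13050]: message_recv: invalid cookie(s) 19e73d1b7eaa4475 aabe880dbbf5ccd8
"""

FIELD = re.compile(r"^(ICOOKIE|RCOOKIE|EXCH_TYPE|MESSAGE_ID): (\S+)$")
START = re.compile(r"^message_(send|recv): message 0x[0-9a-f]+$")
DROP = re.compile(r"^message_recv: invalid cookie\(s\) ([0-9a-f]{16}) ([0-9a-f]{16})$")

def correlate(text):
    """Report, per INVALID_COOKIE drop, what was last sent/received with that cookie pair."""
    last = {}   # (direction, icookie, rcookie) -> (line index, header fields)
    removals, cur, findings = [], None, []
    for i, raw in enumerate(text.splitlines()):
        body = raw.split(": ", 1)[-1].strip()   # drop the "isakmpd[pid]: " tag
        if (m := START.match(body)):
            cur = {"dir": m.group(1)}           # a new decoded header follows
        elif (m := FIELD.match(body)) and cur is not None:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "MESSAGE_ID":      # cookies are known by now: index it
                last[(cur["dir"], cur.get("ICOOKIE"), cur.get("RCOOKIE"))] = (i, dict(cur))
        elif body.startswith("sa_remove:"):
            removals.append(i)
        elif (m := DROP.match(body)):
            pair = m.groups()
            sent_at, sent = last.get(("send", *pair), (i, {}))
            _, recv = last.get(("recv", *pair), (i, {}))
            findings.append({
                "cookies": pair,
                "sent_msgid": sent.get("MESSAGE_ID"),
                "sent_type": sent.get("EXCH_TYPE"),
                "dropped_msgid": recv.get("MESSAGE_ID"),
                "sa_removed_after_send": any(sent_at < r < i for r in removals),
            })
    return findings
```

Real log files need their wrapped lines joined before being passed to `correlate()`, since the drop message is matched as a single line.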

Re: isakmpd: message_recv: invalid cookie(s)

2007-06-26 Thread Steven Surdock

Jason Mader wrote:
> On two OpenBSD 4.1-stable systems, I get:
>
> isakmpd[31988]: message_recv: invalid cookie(s) 378fd1c537d22b16
> 38bf2f6699147070
> isakmpd[31988]: dropped message from 128.164.144.144 port 500 due to
> notification type INVALID_COOKIE
>
> isakmpd is running with the -K option, and ipsec.conf is very simple,
>
> ike esp from 128.164.159.159 to 128.164.144.144 quick enc aesctr
>
> IPsec is working.  I'm unsure why occasionally the cookie becomes
> invalid and what it is I can do about it.  What is the problem?

Not that it helps, but I see the same behavior.

-Steve S.