what do these log messages mean?

2006-02-07 Thread Daïm Willemse
Hello all OpenBSD fans,

Usually I am quite good at debugging my own isakmpd connections, but now I'm
stuck. I am seeking the following information:
What do these isakmpd debug messages generally mean? It's so hard to find
any documentation on these messages.

172804.454813 Exch 20 exchange_establish_finalize: finalizing exchange 0x7c57a800 with arg 0x83c748f0 (ragweed-slippery)  fail = 1

and

173804.632227 SA   90 sa_find: no SA matched query

thank you,
Daim
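To make a run of such debug output easier to read, here is an added example (not part of the thread or of isakmpd itself): a small Python parser for the line format quoted above. It splits each line into timestamp, debug class, level, function and message, then pulls out exchange finalizations with fail = 1, the phase 1 exchanges the daemon gave up on (with the peer that never answered) and the count of sa_find misses, which are noise on their own. The sample input is the lines quoted in this thread plus one constructed "fail = 0" line for contrast.

```python
import re
from collections import defaultdict

# isakmpd debug lines (e.g. from isakmpd -d -DA=90) look like
#   "HHMMSS.usec CLASS LEVEL function: message"
# where CLASS is the debug class (Exch, SA, ...) and LEVEL its verbosity; plain
# log messages show "Default" in the class column and may carry no level.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d{6})\s+(?P<cls>\w+)\s+(?:(?P<level>\d+)\s+)?"
    r"(?P<func>\w+):\s+(?P<msg>.*)$"
)
# exchange_establish_finalize names the connection and whether it failed.
FINALIZE_RE = re.compile(
    r"finalizing exchange 0x[0-9a-fA-F]+ with arg 0x[0-9a-fA-F]+ "
    r"\((?P<conn>[^)]+)\)\s+fail = (?P<fail>[01])"
)
# transport_send_messages names the phase 1 exchange and the silent peer.
GIVEUP_RE = re.compile(
    r"giving up on exchange (?P<name>\S+), no response from peer (?P<peer>\S+)"
)


def parse_line(line):
    """Split one isakmpd log line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"]) if rec["level"] is not None else None
    return rec


def summarize(lines):
    """Reduce a run of debug output to the things worth acting on."""
    result = {
        "failed": defaultdict(int),     # connection -> failed finalizations
        "succeeded": defaultdict(int),  # connection -> successful finalizations
        "gave_up": {},                  # phase 1 exchange -> peer that never answered
        "unmatched_sa": 0,              # sa_find misses (noise unless nothing else happens)
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["func"] == "exchange_establish_finalize":
            m = FINALIZE_RE.search(rec["msg"])
            if m:
                bucket = "failed" if m.group("fail") == "1" else "succeeded"
                result[bucket][m.group("conn")] += 1
        elif rec["func"] == "transport_send_messages":
            m = GIVEUP_RE.search(rec["msg"])
            if m:
                result["gave_up"][m.group("name")] = m.group("peer")
        elif rec["func"] == "sa_find" and "no SA matched query" in rec["msg"]:
            result["unmatched_sa"] += 1
    result["failed"] = dict(result["failed"])
    result["succeeded"] = dict(result["succeeded"])
    return result


# The lines quoted in this thread, plus one constructed "fail = 0" line for contrast.
SAMPLE_LINES = [
    "172804.454813 Exch 20 exchange_establish_finalize: finalizing exchange "
    "0x7c57a800 with arg 0x83c748f0 (ragweed-slippery)  fail = 1",
    "173804.632227 SA   90 sa_find: no SA matched query",
    "132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange "
    "0x7cdb9b00 with arg 0x85e318d0 (daim-dimitri)  fail = 1",
    "132740.736495 SA 90 sa_find: no SA matched query",
    "132641.268445 Default transport_send_messages: giving up on exchange "
    "dimitri, no response from peer 194.109.199.156:500",
    "132900.000000 Exch 20 exchange_establish_finalize: finalizing exchange "
    "0x7cdb9b00 with arg 0x85e318d0 (daim-dimitri)  fail = 0",  # constructed
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```

Run it against a saved `isakmpd -d -DA=90` session instead of SAMPLE_LINES; a connection that shows up only under "failed" together with its ISAKMP peer under "gave_up" means phase 1 never completed because the peer did not answer, and the sa_find misses alongside it are just the lookups that preceded each attempt.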



isakmpd - only cookies

2006-02-06 Thread Daïm Willemse
Hello all,

Currently my brother and I are trying to set up a VPN using isakmpd between two
OpenBSD 3.8 boxes. We had a similar VPN working before. We both changed ADSL
providers and thought it was time for an upgrade. However...

Our VPN refuses to work. We singled out a possible firewall problem. The
pflog is quiet and even after a 'pfctl -F rules' we keep the same problem.
A 'tcpdump -i xl1 port 500' shows that both sides receive cookies, but
nothing more:

like this:
$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 385103343a680645->9c61c0d839d1d9ec msgid:  len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid:  len: 168

The debugging info gives messages like this:
132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b00 with arg 0x85e318d0 (daim-dimitri)  fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500

My question is: What is happening here? How is it possible there is
traffic on both sides on port 500 but the two are not able to get decent
contact?


Thank you in advance.
Daim

confs follow:

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:our_bad_passw"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
# $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Retransmits= 5
Exchange-max-time=120
Listen-on= xxx.xxx.xxx.xxx
#Shared-SADB= Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
yyy.yyy.yyy.yyy=dimitri

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= daim-dimitri

[dimitri]
Phase= 1
Transport= udp
Local-address= xxx.xxx.xxx.xxx
Address= yyy.yyy.yyy.yyy
Configuration= Default-main-mode
Authentication= our_bad_passw

[daim-dimitri]
Phase= 2
ISAKMP-peer= dimitri
Configuration= Default-quick-mode
Local-ID= Net-daim
Remote-ID= Net-dimitri

[Net-daim]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0

[Net-dimitri]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.10.0
Netmask= 255.255.255.0

# Main mode descriptions
# Transforms= DES-SHA offers single DES with the 768-bit MODP group; the
# 3DES-SHA transform defined further down is not offered here.

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-SHA

# Main mode transforms
##

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Blowfish

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
Life= LIFE_600_SECS,LIFE_1000_KB

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

# Quick mode description


[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

[Greenbow-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-SHA-PFS-SUITE

# Quick mode protection suites
##

# DES

[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES

[QM-ESP-DES-PFS-SUITE]
Protocols= QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5
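One way to check what tcpdump's one-line summary leaves implicit is to decode the ISAKMP headers themselves. The following is an added example, not from the original post or from isakmpd: a Python decoder for the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) and a pass over a capture that groups datagrams by initiator cookie and reports whether each initiator ever received anything back under that cookie. The only message of a phase 1 exchange that carries an all-zero responder cookie is message 1, so a capture consisting of unanswered first messages (and their retransmits) in each direction is two one-way conversations, not a handshake. The addresses and datagrams below are constructed to mimic that symptom next to a handshake that does progress to encrypted messages; payload bodies are opaque filler.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: 8-byte initiator cookie, 8-byte responder
# cookie, next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8
EXCHANGE_TYPES = {1: "BASE", 2: "ID_PROT", 3: "AUTH_ONLY", 4: "AGGRESSIVE",
                  5: "INFORMATIONAL", 32: "QUICK_MODE", 33: "NEW_GROUP"}
FLAG_ENCRYPTION = 0x01  # set once the exchange has moved to encrypted messages


def parse_isakmp(datagram):
    """Decode the fixed ISAKMP header of one UDP/500 payload."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, _next, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("length field %d disagrees with datagram size %d" % (length, len(datagram)))
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "version": "%d.%d" % (version >> 4, version & 0x0f),
        "exchange": EXCHANGE_TYPES.get(exch, "type %d" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "msgid": msgid,
        "length": length,
        # Only the very first message of a phase 1 exchange carries an all-zero
        # responder cookie; the responder fills it in when it answers.
        "first_message": rcookie == ZERO_COOKIE,
    }


def analyze_capture(packets):
    """packets: iterable of (src, dst, datagram). Group by initiator cookie and
    report whether the initiator ever got a message back under that cookie."""
    exchanges = {}
    for src, dst, datagram in packets:
        hdr = parse_isakmp(datagram)
        ex = exchanges.setdefault(hdr["icookie"], {
            "initiator": src, "responder": dst, "exchange": hdr["exchange"],
            "sent": 0, "replies": 0, "encrypted_seen": False})
        if src == ex["initiator"]:
            ex["sent"] += 1
        else:
            ex["replies"] += 1
        ex["encrypted_seen"] |= hdr["encrypted"]
    for ex in exchanges.values():
        if ex["replies"] == 0:
            ex["verdict"] = "unanswered: peer never sent a message back under this cookie"
        elif not ex["encrypted_seen"]:
            ex["verdict"] = "answered but never reached the encrypted part of the exchange"
        else:
            ex["verdict"] = "progressed to encrypted messages"
    return exchanges


def make_isakmp(icookie, rcookie, exch, flags=0, msgid=0, body=b""):
    """Build a header plus opaque body; helper for the constructed sample captures."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, flags, msgid, length) + body


# Constructed sample: two boxes that each start main mode and never hear back,
# which is what "both sides receive cookies, but nothing more" looks like on the wire.
A, B = "192.0.2.10", "198.51.100.20"  # documentation addresses, not the poster's
SAMPLE_CAPTURE = [
    (A, B, make_isakmp(b"\xaa" * 8, ZERO_COOKIE, 2, body=b"\x00" * 140)),
    (B, A, make_isakmp(b"\xbb" * 8, ZERO_COOKIE, 2, body=b"\x00" * 140)),
    (A, B, make_isakmp(b"\xaa" * 8, ZERO_COOKIE, 2, body=b"\x00" * 140)),  # retransmit
]
# Constructed contrast: a main mode exchange that got a reply and went on to encrypted messages.
GOOD_CAPTURE = [
    (A, B, make_isakmp(b"\x01" * 8, ZERO_COOKIE, 2, body=b"\x00" * 140)),
    (B, A, make_isakmp(b"\x01" * 8, b"\x02" * 8, 2, body=b"\x00" * 140)),
    (A, B, make_isakmp(b"\x01" * 8, b"\x02" * 8, 2, flags=FLAG_ENCRYPTION, body=b"\x00" * 68)),
]

if __name__ == "__main__":
    for cookie, ex in analyze_capture(SAMPLE_CAPTURE).items():
        print(cookie, ex["exchange"], "sent", ex["sent"], "replies", ex["replies"], ex["verdict"])
```

To use it on a real capture, feed it the UDP payloads from `tcpdump -i xl1 -w file port 500` (for instance via a pcap reader) as (src, dst, payload) tuples. The length check in parse_isakmp also catches fragments and truncated snaplens before they are misread.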