Re: ipsec vpn problem

2008-08-22 Thread jared r r spiegel
On Fri, Aug 22, 2008 at 03:11:16PM +0200, Claus Larsen wrote:
 Well I did get a bit further with the problem, it seems it was caused by a
 firewall blocking some of the traffic.
 
 So new problem now.
 Using the Greenbow vpn client.
 
 It says Phase 2 algorithm problem.
 
 From the isakmpd output I get (a larger portion of the output included
 below):
 164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
 phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102:
 192.168.1.2
 164658.901274 Default dropped message from 213.173.226.229 port 500 due to
 notification type NO_PROPOSAL_CHOSEN
 
 Any idea what's going on?

  when this happens to me, it is a config mismatch between the two peers.

  sometimes the mismatch can be excruciatingly subtle.

  but one wrong little anything will make the flow or sa or whatever it
  is that the wrong peer installs end up completely not matching
  what the other has.

  at times i've resorted to doing line-by-line echo $LINE | md5 to
  help speed the process of finding the mismatch along.

  given that in this case, there's 1918 IP on one side and !1918 on the
  other, the 1918 peer is perhaps using its 1918 IP by default but the
  other peer expects him to be sending his public IP.

  you can also see this type of mismatch with loglines that say
  something like Expected: 3DES, Received: $whatever_you're_trying_to_use
  for the algorithm in question; has always been the same thing 
  for me in that case, (potentially subtle) config mismatch.
  
  /etc/ipsec.conf
  ike passive from any to any \
   main auth hmac-sha1 enc 3des group modp1024 \
   quick auth hmac-sha1 enc 3des group none \
   psk openbsdrules

  hrm; i guess i'd assume 'any' would make it not care, so maybe my
  whole suggestion is shot.  maybe for starters, copy that off to a
  new ike setup and specifically define the stuff that it seems
  the remote peer is sending that your end is complaining about, and
  then work back from there after you get that working.

-- 

  jared
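Added example, not part of Jared's reply or of isakmpd: the two log lines Claus quoted already carry both proposed phase 2 IDs as hex and as dotted quads, so the quickest way to see which side of a flow is being missed is to decode them and test them against the flows your end would accept. The script below does exactly that for the lines from the thread; the flow list it checks against is a hypothetical, hand-derived summary of ipsec.conf (first the posted "from any to any", then a constructed narrower flow to show how a mismatch is reported). It does not reproduce isakmpd's internal matching, only the sanity check a person does by hand.

```python
import ipaddress
import re

# Constructed sample: the two isakmpd log lines quoted in the thread.
LOG_LINES = [
    "164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
    "phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102: "
    "192.168.1.2",
    "164658.901274 Default dropped message from 213.173.226.229 port 500 due to "
    "notification type NO_PROPOSAL_CHOSEN",
]

PHASE2_ID_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: "
    r"initiator id ([0-9a-f]+): ([0-9.]+), responder id ([0-9a-f]+): ([0-9.]+)"
)
DROP_RE = re.compile(
    r"dropped message from ([0-9.]+) port (\d+) due to notification type (\w+)"
)


def hex_id_to_ip(hex_id):
    """Decode the 8-hex-digit IPv4 ID that isakmpd prints into dotted quad."""
    return str(ipaddress.IPv4Address(int(hex_id, 16)))


def parse_phase2_id_error(line):
    """Return the proposed phase 2 IDs from a responder_recv_HASH_SA_NONCE line, or None."""
    m = PHASE2_ID_RE.search(line)
    if not m:
        return None
    init_hex, init_ip, resp_hex, resp_ip = m.groups()
    return {
        "initiator": hex_id_to_ip(init_hex),  # the peer's (remote) traffic selector
        "responder": hex_id_to_ip(resp_hex),  # our (local) traffic selector
        # the hex ID and the dotted form printed on the same line must agree
        "consistent": hex_id_to_ip(init_hex) == init_ip
        and hex_id_to_ip(resp_hex) == resp_ip,
    }


def parse_drop(line):
    """Return who was dropped and why from a 'dropped message from' line, or None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {"peer": m.group(1), "port": int(m.group(2)), "notify": m.group(3)}


def check_against_flows(ids, flows):
    """flows: list of (local_net, remote_net) CIDR strings this end is configured
    to accept (hypothetical; derived by hand from ipsec.conf).
    Returns one (flow, initiator_ok, responder_ok) tuple per flow."""
    init = ipaddress.ip_address(ids["initiator"])
    resp = ipaddress.ip_address(ids["responder"])
    return [
        ((local, remote),
         init in ipaddress.ip_network(remote),
         resp in ipaddress.ip_network(local))
        for local, remote in flows
    ]


def explain(ids, flows):
    """Human-readable verdict: which side of which flow the proposal fails to match."""
    out = []
    for (local, remote), init_ok, resp_ok in check_against_flows(ids, flows):
        if init_ok and resp_ok:
            out.append(f"flow from {local} to {remote}: both IDs fit")
            continue
        bad = []
        if not init_ok:
            bad.append(f"initiator id {ids['initiator']} not in remote {remote}")
        if not resp_ok:
            bad.append(f"responder id {ids['responder']} not in local {local}")
        out.append(f"flow from {local} to {remote}: " + "; ".join(bad))
    return out


if __name__ == "__main__":
    ids = parse_phase2_id_error(LOG_LINES[0])
    print(ids)
    print(parse_drop(LOG_LINES[1]))
    # "from any to any" as in the posted ipsec.conf
    for line in explain(ids, [("0.0.0.0/0", "0.0.0.0/0")]):
        print(line)
    # constructed narrower flow, to show how a mismatch is reported
    for line in explain(ids, [("192.168.1.0/24", "10.0.0.0/8")]):
        print(line)
```

With the posted "from any to any" both IDs fit, which is consistent with Jared's remark that "any" should not be the thing complaining; with a narrower flow the script names the side that falls outside, which is the line you then go and compare against the other peer's setup.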



ipsec vpn problem

2008-08-21 Thread Claus Larsen
Have a problem getting a vpn tunnel up between a zyxel vpn gw and my openbsd
4.3 system.

/etc/ipsec.conf
ike passive from any to any \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des group none \
 psk openbsdrules

Below follows output from cmd:
isakmpd -d  -DA=99 -K

In the output is the line:
173307.589683 Exch 90 check_vendor_openbsd: bad size 20 != 16
which does not seem to cause any problems

And then further down the line:
173307.682833 Default sendmsg (14, 0xcfbd65a0, 0): Permission denied
which does not have any lines before it which (to me) explain what goes
wrong.

These two lines are what I found strange, but I have no idea where to go from
here.

Thanks,
Claus

173307.533538 Trpt 70 transport_setup: added 0x7ce24ac0 to transport list
173307.534309 Trpt 70 transport_setup: added 0x7ce24b00 to transport list
173307.535214 Trpt 50 virtual_clone: old 0x7ce24680 new 0x7ce249c0 (main is
0x7ce24ac0)
173307.536014 Trpt 70 transport_setup: virtual transport 0x7ce249c0
173307.536809 Trpt 95 transport_reference: transport 0x7ce249c0 now has 1
references
173307.537700 Mesg 90 message_alloc: allocated 0x83151280
173307.538473 Mesg 70 message_recv: message 0x83151280
173307.539310 Mesg 70 ICOOKIE: 4558dc89993e4538
173307.540292 Mesg 70 RCOOKIE: 
173307.540993 Mesg 70 NEXT_PAYLOAD: SA
173307.541788 Mesg 70 VERSION: 16
173307.542575 Mesg 70 EXCH_TYPE: ID_PROT
173307.543469 Mesg 70 FLAGS: [ ]
173307.544277 Mesg 70 MESSAGE_ID: 
173307.544951 Mesg 70 LENGTH: 128
173307.546067 Mesg 70 message_recv: 4558dc89 993e4538  
01100200  0080 0d38
173307.547105 Mesg 70 message_recv: 0001 0001 002c 01010001
0024 0101 80010005 80020002
173307.548131 Mesg 70 message_recv: 80030001 80040002 800b0001 000c0004
00015180 0d14 afcad713 68a1f1c9
173307.549317 Mesg 70 message_recv: 6b8696fc 77570100 0018 62502774
9d5ab97f 5616c160 2765cf48 0a3b7d0b
173307.550011 SA   90 sa_find: no SA matched query
173307.550936 Mesg 50 message_parse_payloads: offset 28 payload SA
173307.551623 Mesg 50 message_parse_payloads: offset 84 payload VENDOR
173307.552429 Mesg 50 message_parse_payloads: offset 104 payload VENDOR
173307.553226 Mesg 60 message_validate_payloads: payload SA at 0x8315131c of
message 0x83151280
173307.554202 Mesg 70 DOI: 1
173307.554834 Mesg 70 SIT:
173307.555797 Misc 95 conf_get_str: configuration value not found [Phase 1]:
195.184.124.220
173307.556514 Misc 95 conf_get_str: [Phase 1]:Default-peer-default
173307.557474 Misc 95 conf_get_str: [peer-default]:Configuration-mm-default
173307.558177 Misc 95 conf_get_str: configuration value not found
[mm-default]:DOI
173307.558977 Misc 95 conf_get_str: [mm-default]:EXCHANGE_TYPE-ID_PROT
173307.559852 Misc 95 conf_get_str: [General]:Exchange-max-time-120
173307.560688 Timr 10 timer_add_event: event exchange_free_aux(0x7de79800)
added last, expiration in 120s
173307.561565 Misc 95 conf_get_str: configuration value not found
[peer-default]:Flags
173307.562379 Cryp 60 hash_get: requested algorithm 1
173307.563305 Exch 10 exchange_setup_p1: 0x7de79800 peer-default mm-default
policy responder phase 1 doi 1 exchange 2 step 0
173307.564149 Exch 10 exchange_setup_p1: icookie 4558dc89993e4538 rcookie
a42fec0b4dc4e6f0
173307.564962 Exch 10 exchange_setup_p1: msgid 
173307.565751 Trpt 95 transport_reference: transport 0x7ce249c0 now has 2
references
173307.566558 SA   80 sa_reference: SA 0x7de79900 now has 1 references
173307.567493 SA   70 sa_enter: SA 0x7de79900 added to SA list
173307.568157 SA   80 sa_reference: SA 0x7de79900 now has 2 references
173307.568944 SA   60 sa_create: sa 0x7de79900 phase 1 added to exchange
0x7de79800 (peer-default)
173307.569762 SA   80 sa_reference: SA 0x7de79900 now has 3 references
173307.570682 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
173307.571360 Mesg 50 message_parse_payloads: offset 48 payload TRANSFORM
173307.572180 Mesg 50 Transform 1's attributes
173307.572965 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
173307.573733 Mesg 50 Attribute HASH_ALGORITHM value 2
173307.574508 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
173307.575286 Mesg 50 Attribute GROUP_DESCRIPTION value 2
173307.576066 Mesg 50 Attribute LIFE_TYPE value 1
173307.576967 Mesg 50 Attribute LIFE_DURATION value 86400
173307.577715 Mesg 60 message_validate_payloads: payload PROPOSAL at
0x83151328 of message 0x83151280
173307.578680 Mesg 70 NO: 1
173307.579317 Mesg 70 PROTO: ISAKMP
173307.580124 Mesg 70 SPI_SZ: 0
173307.580923 Mesg 70 NTRANSFORMS: 1
173307.581695 Mesg 70 SPI:
173307.582492 Mesg 60 message_validate_payloads: payload TRANSFORM at
0x83151330 of message 0x83151280
173307.583461 Mesg 70 NO: 1
173307.584108 Mesg 70 ID: 1
173307.584860 Mesg 70 SA_ATTRS:
173307.585645 Mesg 60 message_validate_payloads: payload VENDOR at
0x83151354 of message 0x83151280
173307.586462 Mesg 70 ID:
173307.587267 Exch 10 dpd_check_vendor_payload: DPD capable peer
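Added example, not code from the thread or from isakmpd: the "Attribute ... value N" lines in the debug output above are the peer's phase 1 proposal in numeric IKEv1 form, and the posted ipsec.conf main line is the same thing in words. The script below decodes the numbers using the IKEv1 attribute values from RFC 2409 Appendix A, maps them onto ipsec.conf(5) keywords (the keyword mapping is my own and is deliberately partial), and reports which of auth/enc/group disagree, so you can confirm in one step whether phase 1 itself is the mismatch. A constructed alternative config line is included to show what a report of a real mismatch looks like.

```python
import re

# Constructed sample: the transform attribute lines from the isakmpd -DA=99 output above.
PEER_TRANSFORM_LOG = """\
173307.572180 Mesg 50 Transform 1's attributes
173307.572965 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
173307.573733 Mesg 50 Attribute HASH_ALGORITHM value 2
173307.574508 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
173307.575286 Mesg 50 Attribute GROUP_DESCRIPTION value 2
173307.576066 Mesg 50 Attribute LIFE_TYPE value 1
173307.576967 Mesg 50 Attribute LIFE_DURATION value 86400
"""

# The main-mode line from the posted /etc/ipsec.conf.
IKE_MAIN = "main auth hmac-sha1 enc 3des group modp1024"

# IKEv1 phase 1 attribute values (RFC 2409 Appendix A) mapped to the
# ipsec.conf(5) keyword each corresponds to; only the values needed here
# are listed, so anything else decodes as "unknown".
ENC = {1: "des", 3: "blowfish", 5: "3des", 6: "cast128", 7: "aes"}
HASH = {1: "hmac-md5", 2: "hmac-sha1", 4: "hmac-sha2-256",
        5: "hmac-sha2-384", 6: "hmac-sha2-512"}
AUTH_METHOD = {1: "psk", 2: "dss-sig", 3: "rsa-sig"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}

ATTR_RE = re.compile(r"Attribute ([A-Z_]+) value (\d+)")


def parse_transform(log):
    """Collect 'Attribute NAME value N' lines into a dict of ints."""
    return {m.group(1): int(m.group(2)) for m in ATTR_RE.finditer(log)}


def describe_transform(attrs):
    """Translate the numeric proposal into ipsec.conf vocabulary."""
    dur = attrs.get("LIFE_DURATION")
    return {
        "enc": ENC.get(attrs.get("ENCRYPTION_ALGORITHM"), "unknown"),
        "auth": HASH.get(attrs.get("HASH_ALGORITHM"), "unknown"),
        "group": GROUP.get(attrs.get("GROUP_DESCRIPTION"), "unknown"),
        "authmethod": AUTH_METHOD.get(attrs.get("AUTHENTICATION_METHOD"), "unknown"),
        "lifetime": f"{dur} {LIFE_TYPE.get(attrs.get('LIFE_TYPE'), 'unknown')}",
    }


def parse_ike_main(line):
    """Pull auth/enc/group out of a 'main ...' ike line (ipsec.conf style)."""
    toks = line.split()
    conf = {}
    for key in ("auth", "enc", "group"):
        if key in toks:
            conf[key] = toks[toks.index(key) + 1]
    return conf


def compare(peer, conf):
    """Return (parameter, configured, peer_proposed) for every mismatch."""
    return [
        (k, conf.get(k), peer.get(k))
        for k in ("auth", "enc", "group")
        if conf.get(k) != peer.get(k)
    ]


if __name__ == "__main__":
    peer = describe_transform(parse_transform(PEER_TRANSFORM_LOG))
    print("peer proposes:", peer)
    print("mismatches vs posted config:", compare(peer, parse_ike_main(IKE_MAIN)))
    # constructed alternative config, to show what a mismatch report looks like
    print("mismatches vs 'auth hmac-md5 enc aes':",
          compare(peer, parse_ike_main("main auth hmac-md5 enc aes group modp1024")))
```

For the posted log and config the report is empty: the Zyxel proposes 3DES, SHA1, pre-shared key and modp1024, which is exactly what the main line asks for, so whatever is wrong here is not the phase 1 transform.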