isakmpd: openbsd - cisco = problems

2005-09-13 Thread Mattias R. Lindgren
 I'm using an OpenBSD 3.7 box to try to connect to our cisco concentrator at
work. Here is what I was sent by our network admin:

10.0.0.0/0.0.0.255
192.168.240.0/0.0.15.255
172.22.0.0/0.0.0.255
10.10.0.0/0.0.255.255
10.20.0.0/0.0.255.255

as networks I would need to tunnel to. Here is my isakmpd.conf file with the
proper edits:

[General]
Listen-On= xx.xxx.xxx.xx

[Phase 1]
yy.yyy.yyy.yy= concentrator

[Phase 2]
Connections= VPN-home-240, VPN-home-10_0, VPN-home-172, VPN-home-10_10,
VPN-home-10_20

[concentrator]
Phase= 1
Transport= udp
Address= yy.yyy.yyy.yy
Configuration= Default-main-mode
Authentication= my_shared_secret

[VPN-home-240]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work_240

[VPN-home-10_0]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_0

[VPN-home-172]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-172

[VPN-home-10_10]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_10

[VPN-home-10_20]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_20



## Network Defs ##


[home-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 0.0.255.255

[work_240]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.240.0
Netmask= 0.0.15.255

[work-10_0]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 0.0.0.255

[work-172]
ID-type= IPV4_ADDR_SUBNET
Network= 172.22.0.0
Netmask= 0.0.0.255

[work-10_10]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.0.0
Netmask= 0.0.255.255

[work-10_20]
ID-type= IPV4_ADDR_SUBNET
Network= 10.20.0.0
Netmask= 0.0.255.255


#Mode Defs #


[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

where x's represent my ip address and y's represent the concentrator. Here is
my isakmpd.policy file:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

and the output of isakmpd -d

bash-3.00# isakmpd -d
191943.477359 Default ipsec_validate_id_information: dubious ID information
accepted
191951.404865 Default ipsec_validate_id_information: dubious ID information
accepted
192010.536856 Default transport_send_messages: giving up on message
0x3c069780, exchange VPN-home-240
192010.537309 Default transport_send_messages: giving up on message
0x3c069900, exchange VPN-home-10_0
192010.537697 Default transport_send_messages: giving up on message
0x3c069a80, exchange VPN-home-172
192010.538067 Default transport_send_messages: giving up on message
0x3c069c00, exchange VPN-home-10_10
192010.538467 Default transport_send_messages: giving up on message
0x3c069d80, exchange VPN-home-10_20

relevant sections of my pf.conf file:

pass in proto esp from any to any
pass out proto esp from any to any keep state
pass in on enc0 from any to any
pass out on enc0 from any to any
pass in on $ext_if proto udp from any to any port 500
pass out on $ext_if proto udp from ($ext_if) to any port 500

which I know is way relaxed, but just wanting to rule out any pf related
issues. Ultimately I'm trying to reach 192.168.250.111 which is a voip server.
I don't get any replies when I try to ping it, nor do I see anything on the
enc0 interface. Let me know if you have any thoughts or if you need more
information. I've really been banging my head against the wall trying to
figure this one out.



Re: isakmpd: openbsd - cisco = problems

2005-09-13 Thread j knight
--- Quoting Mattias R. Lindgren on 2005/09/13 at 19:31 -0600:

 bash-3.00# isakmpd -d
 191943.477359 Default ipsec_validate_id_information: dubious ID information
 accepted
 191951.404865 Default ipsec_validate_id_information: dubious ID information
 accepted
 192010.536856 Default transport_send_messages: giving up on message
 0x3c069780, exchange VPN-home-240
 192010.537309 Default transport_send_messages: giving up on message
 0x3c069900, exchange VPN-home-10_0
 192010.537697 Default transport_send_messages: giving up on message
 0x3c069a80, exchange VPN-home-172
 192010.538067 Default transport_send_messages: giving up on message
 0x3c069c00, exchange VPN-home-10_10
 192010.538467 Default transport_send_messages: giving up on message
 0x3c069d80, exchange VPN-home-10_20

Crank up the debugging info by using the -D switch to isakmpd and see
what you see then.
 


.joel



Re: isakmpd: openbsd - cisco = problems

2005-09-13 Thread Rod Dorman
On Tuesday, September 13, 2005, 21:31:51, Mattias R. Lindgren wrote:
 I'm using an OpenBSD 3.7 box to try to connect to our cisco
 concentrator at work. Here is what I was sent by our network admin:

 10.0.0.0/0.0.0.255
 192.168.240.0/0.0.15.255
 172.22.0.0/0.0.0.255
 10.10.0.0/0.0.255.255
 10.20.0.0/0.0.255.255

OK, instead of netmasks it looks like he gave you Cisco wildcard
patterns where the 0's are the bits that are constant and the 1's are
the bits allowed to change.

For this trivial case of a sequence of zeros followed by ones simply
take the one's complement to get the desired netmask.

  ...
 [work-10_10]
 ID-type= IPV4_ADDR_SUBNET
 Network= 10.10.0.0
 Netmask= 0.0.255.255

Use 255.255.0.0 to identify the 10.10/16 network.

-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote.  Ambassador Kosh
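As an added example (not code from the thread), this Python script does the conversion Rod describes for the whole list the admin sent: complement each wildcard octet, reject any wildcard that is not a run of zeros followed by ones, and print isakmpd.conf network sections with real netmasks. The section names and the ordering are assumptions.

```python
# Added example: convert Cisco wildcard patterns to netmasks for isakmpd.conf.
# The input below is copied from the thread; section names are made up here.
import ipaddress

ADMIN_LIST = """
10.0.0.0/0.0.0.255
192.168.240.0/0.0.15.255
172.22.0.0/0.0.0.255
10.10.0.0/0.0.255.255
10.20.0.0/0.0.255.255
"""

# Assumed section names, one per line of ADMIN_LIST, in the same order.
SECTION_NAMES = ["work-10_0", "work-240", "work-172", "work-10_10", "work-10_20"]


def wildcard_to_netmask(wildcard: str) -> str:
    """Cisco wildcard -> dotted netmask by taking the one's complement.

    Only a contiguous wildcard (zeros followed by ones) corresponds to a
    netmask, so anything else is rejected instead of yielding a bogus mask.
    """
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad wildcard {wildcard!r}")
    value = int.from_bytes(bytes(octets), "big")
    # A contiguous wildcard is 2**k - 1, so value + 1 must be a power of two.
    if (value + 1) & value:
        raise ValueError(f"non-contiguous wildcard {wildcard!r}")
    return str(ipaddress.IPv4Address(~value & 0xFFFFFFFF))


def parse_admin_list(text: str) -> list:
    """Return (network, netmask, prefixlen) per 'net/wildcard' line.

    strict=True makes ipaddress reject a network address with host bits set,
    which catches a typo in either half of the admin's line.
    """
    out = []
    for line in text.split():
        net, wildcard = line.split("/")
        netmask = wildcard_to_netmask(wildcard)
        prefixlen = ipaddress.IPv4Network(f"{net}/{netmask}", strict=True).prefixlen
        out.append((net, netmask, prefixlen))
    return out


def isakmpd_section(name: str, net: str, netmask: str) -> str:
    """Render one [name] block in the style used in the thread's isakmpd.conf."""
    return f"[{name}]\nID-type= IPV4_ADDR_SUBNET\nNetwork= {net}\nNetmask= {netmask}\n"


if __name__ == "__main__":
    for name, (net, netmask, plen) in zip(SECTION_NAMES, parse_admin_list(ADMIN_LIST)):
        print(f"# {net}/{plen}\n" + isakmpd_section(name, net, netmask))
```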