Re: obsd<->linux IKE interop. question
Okay; as per suggestions from Henry and Siggi, I've applied these
changes to my configurations:
On the OpenBSD side, changed
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
...replacing AES with 3DES in the Suites= parameter (I'm an idiot):
Suites= QM-ESP-3DES-SHA-PFS-SUITE
On the Linux side, took out the lines with [left,right]id=@[fqdn]
This helped. Now we make it as far as quick mode, and the log lines on
each side look really good; we all know which subnets we're tunneling
for, we decrypt what look like some handshake messages, and things seem
to be sailing along rather well, until (this taken from the Linux log):
Jan 16 11:11:02 localhost Pluto[7810]: | ***parse ISAKMP Notification Payload:
Jan 16 11:11:02 localhost Pluto[7810]: | next payload type: ISAKMP_NEXT_NONE
Jan 16 11:11:02 localhost Pluto[7810]: | length: 12
Jan 16 11:11:02 localhost Pluto[7810]: | DOI: ISAKMP_DOI_IPSEC
Jan 16 11:11:02 localhost Pluto[7810]: | protocol ID: 1
Jan 16 11:11:02 localhost Pluto[7810]: | SPI size: 0
Jan 16 11:11:02 localhost Pluto[7810]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Jan 16 11:11:02 localhost Pluto[7810]: | removing 4 bytes of padding
Jan 16 11:11:02 localhost Pluto[7810]: "sysvi-saecos" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 16 11:11:02 localhost Pluto[7810]: | info:
Jan 16 11:11:02 localhost Pluto[7810]: "sysvi-saecos" #1: received and ignored informational message
Jan 16 11:11:02 localhost Pluto[7810]: | next event EVENT_RETRANSMIT in 19 seconds for #2
[um, help the log file illiterate: The actual error came sometime before
this, didn't it? Clues for strings to search on? None of the verbiage
looks like an obvious 'hey I don't like this' message]
...and this on the OpenBSD side:
123847.482785 Misc 60 conf_get_str: [QM-ESP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA
123847.482799 Misc 60 conf_get_str: [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024
123847.482815 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:KEY_LENGTH
123847.482830 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:KEY_ROUNDS
123847.482845 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:COMPRESS_DICTIONARY_SIZE
123847.482860 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:COMPRESS_PRIVATE_ALGORITHM
123847.482874 Misc 60 conf_get_str: [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024
123847.482898 Sdep 80 pf_key_v2_write: iov[0]:
123847.482919 Sdep 80 02010002 0a000000 03000000 11640000
123847.482930 Sdep 80 pf_key_v2_write: iov[1]:
123847.482954 Sdep 80 03000500 00000000 10020000 d8502771 00000000 00000000
123847.482966 Sdep 80 pf_key_v2_write: iov[2]:
123847.482990 Sdep 80 03000600 00000000 10020000 cfe5b121 00000000 00000000
123847.483002 Sdep 80 pf_key_v2_write: iov[3]:
123847.483021 Sdep 80 02000f00 00010000 ffffffff 00000000
123847.483229 Sdep 80 pf_key_v2_read: msg:
123847.483265 Sdep 80 02010002 0a000000 03000000 11640000 02000100 8fe3f4c6 00000000 00000000
123847.483296 Sdep 80 03000500 00000000 10020000 d8502771 00000000 00000000 03000600 00000000
123847.483315 Sdep 80 10020000 cfe5b121 00000000 00000000
123847.483332 Sdep 50 pf_key_v2_get_spi: spi:
123847.483345 Sdep 50 8fe3f4c6
123847.483362 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS]:ReplayWindow
123847.483388 Exch 80 exchange_nonce: NONCE_i:
123847.483407 Exch 80 df8919d3 fa2441ad 20156d9e 92e32f84
123847.483429 Misc 70 group_get: returning 0x118540 of group 2
123847.530054 Misc 80 ipsec_g_x: g^xi:
The part that looks meaningful to me is near the bottom, "configuration
value not found [QM-ESP-3DES-SHA-PFS]:ReplayWindow", but, from the
isakmpd.conf manpage:
     ReplayWindow  The size of the window used for replay protection.  This
                   is normally left alone.  Look at the ESP and AH RFCs for
                   a better description.
...which makes me think I shouldn't dink with that value, which makes me
think that I must have done something else wrong.
Groan. Why might I get this error? Should I shut off PFS on the Linux
side? I really don't want to...
--
Michael Jinks, IB // Technical Entity // Saecos Corporation
"Trouble Ensues."
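The Notification payload Pluto dumps above, decoded by hand. This is an added example and not part of the original mail, nor code from isakmpd or Pluto: it rebuilds the 12-byte ISAKMP Notification payload from the fields Pluto printed (the RFC 2408 section 3.14 layout: next payload, reserved, length, DOI, protocol ID, SPI size, notify type, then optional SPI and data), parses it back with length checks, and rejoins mailer-wrapped Pluto debug lines so the "Notify Message Type" entries can be grepped out. The notify-type and protocol-ID tables are the RFC 2408/2407 values; the sample log is constructed from the lines quoted in the mail, and the function names are assumptions.

```python
"""Decode ISAKMP Notification payloads (RFC 2408 section 3.14) and pull them
out of wrapped FreeS/WAN Pluto debug output.  Added example; not code from
the mail or from isakmpd/Pluto.  Function names and the sample log are
assumptions made for this illustration."""
import re
import struct
from dataclasses import dataclass

ISAKMP_NEXT_NONE = 0
ISAKMP_DOI_IPSEC = 1

# RFC 2407 protocol IDs as they appear in a Notification payload.
PROTO_NAMES = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}

# RFC 2408 Notify Message Types, error class (1..30).
NOTIFY_NAMES = {
    1: "INVALID_PAYLOAD_TYPE", 2: "DOI_NOT_SUPPORTED", 3: "SITUATION_NOT_SUPPORTED",
    4: "INVALID_COOKIE", 5: "INVALID_MAJOR_VERSION", 6: "INVALID_MINOR_VERSION",
    7: "INVALID_EXCHANGE_TYPE", 8: "INVALID_FLAGS", 9: "INVALID_MESSAGE_ID",
    10: "INVALID_PROTOCOL_ID", 11: "INVALID_SPI", 12: "INVALID_TRANSFORM_ID",
    13: "ATTRIBUTES_NOT_SUPPORTED", 14: "NO_PROPOSAL_CHOSEN", 15: "BAD_PROPOSAL_SYNTAX",
    16: "PAYLOAD_MALFORMED", 17: "INVALID_KEY_INFORMATION", 18: "INVALID_ID_INFORMATION",
    19: "INVALID_CERT_ENCODING", 20: "INVALID_CERTIFICATE", 21: "CERT_TYPE_UNSUPPORTED",
    22: "INVALID_CERT_AUTHORITY", 23: "INVALID_HASH_INFORMATION", 24: "AUTHENTICATION_FAILED",
    25: "INVALID_SIGNATURE", 26: "ADDRESS_NOTIFICATION", 27: "NOTIFY_SA_LIFETIME",
    28: "CERTIFICATE_UNAVAILABLE", 29: "UNSUPPORTED_EXCHANGE_TYPE", 30: "UNEQUAL_PAYLOAD_LENGTHS",
}

# Fixed part of the payload, network byte order:
#   next payload (1) | reserved (1) | payload length (2) | DOI (4)
#   protocol ID (1)  | SPI size (1) | notify message type (2)
# 12 bytes, which is exactly the "length: 12" Pluto prints when the
# payload carries neither an SPI nor notification data.
_FIXED = struct.Struct("!BBHIBBH")


@dataclass
class Notification:
    next_payload: int
    length: int
    doi: int
    protocol_id: int
    spi_size: int
    notify_type: int
    spi: bytes
    data: bytes

    @property
    def notify_name(self) -> str:
        return NOTIFY_NAMES.get(self.notify_type, f"UNKNOWN({self.notify_type})")

    @property
    def protocol_name(self) -> str:
        return PROTO_NAMES.get(self.protocol_id, f"UNKNOWN({self.protocol_id})")


def build_notification(notify_type: int, protocol_id: int = 1, spi: bytes = b"",
                       data: bytes = b"", doi: int = ISAKMP_DOI_IPSEC,
                       next_payload: int = ISAKMP_NEXT_NONE) -> bytes:
    """Serialise one Notification payload (no ISAKMP header, no padding)."""
    length = _FIXED.size + len(spi) + len(data)
    return _FIXED.pack(next_payload, 0, length, doi, protocol_id, len(spi), notify_type) + spi + data


def parse_notification(buf: bytes) -> Notification:
    """Parse a Notification payload from the front of buf.

    Trailing bytes (such as the 4 bytes of padding Pluto strips) are ignored;
    a length field that overruns the buffer or cannot hold the SPI is rejected."""
    if len(buf) < _FIXED.size:
        raise ValueError(f"payload truncated: {len(buf)} bytes, need {_FIXED.size}")
    next_payload, _reserved, length, doi, proto, spi_size, ntype = _FIXED.unpack_from(buf)
    if length < _FIXED.size + spi_size or length > len(buf):
        raise ValueError(f"bad payload length {length} for a {len(buf)}-byte buffer")
    spi = buf[_FIXED.size:_FIXED.size + spi_size]
    data = buf[_FIXED.size + spi_size:length]
    return Notification(next_payload, length, doi, proto, spi_size, ntype, spi, data)


# Constructed sample: the Pluto lines quoted in the mail, still wrapped the
# way the mailer wrapped them.
PLUTO_LOG = """\
Jan 16 11:11:02 localhost Pluto[7810]: | ***parse ISAKMP Notification
Payload:
Jan 16 11:11:02 localhost Pluto[7810]: | next payload type:
ISAKMP_NEXT_NONE
Jan 16 11:11:02 localhost Pluto[7810]: | length: 12
Jan 16 11:11:02 localhost Pluto[7810]: | DOI: ISAKMP_DOI_IPSEC
Jan 16 11:11:02 localhost Pluto[7810]: | protocol ID: 1
Jan 16 11:11:02 localhost Pluto[7810]: | SPI size: 0
Jan 16 11:11:02 localhost Pluto[7810]: | Notify Message Type:
NO_PROPOSAL_CHOSEN
Jan 16 11:11:02 localhost Pluto[7810]: "sysvi-saecos" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN
"""

_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
_NOTIFY = re.compile(r"Notify Message Type:\s*([A-Z_]+)")


def unwrap_syslog(text: str) -> list:
    """Rejoin mailer-wrapped lines: a line without a syslog timestamp is a
    continuation of the previous one."""
    out = []
    for line in text.splitlines():
        if _TIMESTAMP.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] = out[-1] + " " + line.strip()
    return out


def find_notifies(text: str) -> list:
    """Return the Notify Message Type names Pluto parsed, in log order."""
    names = []
    for line in unwrap_syslog(text):
        m = _NOTIFY.search(line)
        if m:
            names.append(m.group(1))
    return names


def pluto_notification_bytes() -> bytes:
    """The wire form behind the dump above: NO_PROPOSAL_CHOSEN (14) for
    PROTO_ISAKMP (1), SPI size 0, no data, hence 12 bytes."""
    return build_notification(notify_type=14, protocol_id=1)


if __name__ == "__main__":
    raw = pluto_notification_bytes()
    n = parse_notification(raw + b"\x00" * 4)  # the 4 padding bytes Pluto removed
    print(raw.hex(), n.length, n.protocol_name, n.notify_name)
    print(find_notifies(PLUTO_LOG))
```

A NO_PROPOSAL_CHOSEN payload with SPI size 0 and no notification data carries nothing beyond the type itself, so the dump alone cannot say which attribute the peer rejected; that has to come from comparing the two sides' quick-mode proposals.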