VPN OBSD <-> FW1
- To: misc@openbsd.org
- Subject: VPN OBSD <-> FW1
- From: Rafael Coninck Teigão <rafael.coninck.teigao@gmail.com>
- Date: Mon, 1 Nov 2004 21:49:41 -0200
Hi, pp.
I'm trying to create a VPN between an OBSD 3.5 and a FW1 server, but
I'm getting this error message:
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: giving
up on message 0x3c12c600, exchange Andritz
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: either
this message did not reach the other peer
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: or the
responsemessage did not reach us back
My isakmpd.conf looks like this:
marte# cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= ANY
Default-phase-2-lifetime= ANY
[Phase 1]
Default= Andritz
[Phase 2]
Connections= IPSec-Andritz-Curitiba
[Andritz]
Phase= 1
Transport= udp
Local-address= 200.150.68.74
Address= 194.252.180.30
Configuration= Default-main-mode
Authentication= xxxxxxxxxxx
[IPSec-Andritz-Curitiba]
Phase= 2
ISAKMP-peer= Andritz
Configuration= Default-quick-mode
Local-ID= Net-Curitiba
Remote-ID= Net-Andritz
[Net-Curitiba]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0
[Net-Andritz]
ID-type= IPV4_ADDR_SUBNET
Network= 143.161.97.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
and my isakmpd.policy:
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
When I run tcpdump -nvs1400 -i xl0 port 500 I get:
tcpdump -nvs1400 -i xl0 port 500
tcpdump: listening on xl0
20:55:50.412269 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a6be!] isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->0000000000000000 msgid: 00000000 len: 76
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 28
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS (ttl 64, id
32346, bad cksum 54!)
20:55:50.702726 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 76
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 28
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS (ttl 39, id 32074)
20:55:50.712311 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum 2b65!] isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 (ttl 64, id 4306, bad cksum bc!)
20:55:51.002622 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 (ttl 39, id 32075)
20:55:51.013587 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 13946, bad cksum 64!)
20:55:51.309252 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange INFO
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 2bdd1eae len: 40
payload: NOTIFICATION len: 12
notification: PAYLOAD MALFORMED (ttl 39, id 32077)
20:55:58.020127 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 9407, bad cksum 64!)
20:56:07.030106 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 5761, bad cksum 64!)
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: giving
up on message 0x3c12c600, exchange Andritz
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: either
this message did not reach the other peer
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: or the
responsemessage did not reach us back
20:56:18.040103 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 31732, bad cksum 64!)
Does anyone know what's wrong here? Any help would be appreciated...
Oh, and by the way, before I got here, I was seeing this error message:
message_recv: cleartext phase 2 message
But I've read somewhere that this was indeed a problem with FW1 and
that the following block of code should be commented in the source
(messages.c):
	/* Require encryption as soon as we have the keystate for it. */
	/*
	if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
	    (msg->exchange->phase == 2 || msg->exchange->keystate))
	  {
	    log_print ("message_recv: cleartext phase %d message",
		       msg->exchange->phase);
	    message_drop (msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
	    return -1;
	  }
	*/
I feel that this could be causing some problem as well.
Thanks,
Rafael.