VPN OBSD <-> FW1
From: Rafael Coninck Teigão (rafael.coninck.teigao gmail.com)
Date: Mon Nov 01 2004 - 17:49:41 CST
Hi, pp.
I'm trying to create a VPN between an OBSD 3.5 and a FW1 server, but
I'm getting this error message:
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: giving
up on message 0x3c12c600, exchange Andritz
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: either
this message did not reach the other peer
Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: or the
responsemessage did not reach us back
My isakmpd.conf looks like this:
marte# cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= ANY
Default-phase-2-lifetime= ANY
[Phase 1]
Default= Andritz
[Phase 2]
Connections= IPSec-Andritz-Curitiba
[Andritz]
Phase= 1
Transport= udp
Local-address= 200.150.68.74
Address= 194.252.180.30
Configuration= Default-main-mode
Authentication= xxxxxxxxxxx
[IPSec-Andritz-Curitiba]
Phase= 2
ISAKMP-peer= Andritz
Configuration= Default-quick-mode
Local-ID= Net-Curitiba
Remote-ID= Net-Andritz
[Net-Curitiba]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0
[Net-Andritz]
ID-type= IPV4_ADDR_SUBNET
Network= 143.161.97.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
and my isakmpd.policy:
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
When I run tcpdump -nvs1400 -i xl0 port 500 I get:
tcpdump -nvs1400 -i xl0 port 500
tcpdump: listening on xl0
20:55:50.412269 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a6be!] isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->0000000000000000 msgid: 00000000 len: 76
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 28
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS (ttl 64, id
32346, bad cksum 54!)
20:55:50.702726 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 76
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 28
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS (ttl 39, id 32074)
20:55:50.712311 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum 2b65!] isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 (ttl 64, id 4306, bad cksum bc!)
20:55:51.002622 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000 len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 (ttl 39, id 32075)
20:55:51.013587 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 13946, bad cksum 64!)
20:55:51.309252 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange INFO
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 2bdd1eae len: 40
payload: NOTIFICATION len: 12
notification: PAYLOAD MALFORMED (ttl 39, id 32077)
20:55:58.020127 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 9407, bad cksum 64!)
20:56:07.030106 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 5761, bad cksum 64!)
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: giving
up on message 0x3c12c600, exchange Andritz
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: either
this message did not reach the other peer
Nov 1 22:56:18 marte isakmpd[13732]: transport_send_messages: or the
responsemessage did not reach us back
20:56:18.040103 200.150.68.74.500 > 194.252.180.30.500: [bad udp
cksum a299!] isakmp v1.0 exchange ID_PROT encrypted
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 00000000
len: 92 (ttl 64, id 31732, bad cksum 64!)
Does anyone know what's wrong here? Any help would be appreciated...
Oh, and by the way, before I got here, I was seeing this error message:
message_recv: cleartext phase 2 message
But I've read somewhere that this was indeed a problem with FW1 and
that the following block of code should be commented out in the source
(message.c):
  /* Require encryption as soon as we have the keystate for it. */
  /*
  if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
      (msg->exchange->phase == 2 || msg->exchange->keystate))
    {
      log_print ("message_recv: cleartext phase %d message",
                 msg->exchange->phase);
      message_drop (msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
      return -1;
    }
  */
I feel that this could be causing some problem as well.
Thanks,
Rafael.
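Added example, not part of the post or of isakmpd: a small Python parser for tcpdump's ISAKMP header lines that walks the Main Mode (ID_PROT) exchange and reports how many distinct messages were exchanged, how often the stalled message was retransmitted, and which notifications the peer returned. The input is a constructed excerpt of the trace quoted above (payload detail lines dropped); the step names in STEP are my own labels for the six Main Mode messages.

```python
import re

# Constructed excerpt of the tcpdump output quoted in the post: one header line
# per ISAKMP packet plus the notification line of the INFO exchange.
TRACE = """\
20:55:50.412269 200.150.68.74.500 > 194.252.180.30.500: isakmp v1.0 exchange ID_PROT
20:55:50.702726 194.252.180.30.500 > 200.150.68.74.500: isakmp v1.0 exchange ID_PROT
20:55:50.712311 200.150.68.74.500 > 194.252.180.30.500: isakmp v1.0 exchange ID_PROT
20:55:51.002622 194.252.180.30.500 > 200.150.68.74.500: isakmp v1.0 exchange ID_PROT
20:55:51.013587 200.150.68.74.500 > 194.252.180.30.500: isakmp v1.0 exchange ID_PROT encrypted
20:55:51.309252 194.252.180.30.500 > 200.150.68.74.500: isakmp v1.0 exchange INFO
notification: PAYLOAD MALFORMED (ttl 39, id 32077)
20:55:58.020127 200.150.68.74.500 > 194.252.180.30.500: isakmp v1.0 exchange ID_PROT encrypted
20:56:07.030106 200.150.68.74.500 > 194.252.180.30.500: isakmp v1.0 exchange ID_PROT encrypted
"""

PKT = re.compile(r"^(\S+) (\S+)\.500 > (\S+)\.500: .*?isakmp v1\.0 exchange (\w+)( encrypted)?")
NOTE = re.compile(r"notification: ([A-Z ]+?)\s*(?:\(|$)")
# Main Mode is six messages; STEP names the state after n distinct messages.
STEP = {0: "nothing sent", 1: "SA proposal sent", 2: "SA accepted by peer",
        3: "KE/NONCE sent", 4: "KE/NONCE received", 6: "Main Mode complete",
        5: "encrypted ID/HASH sent, no encrypted reply from peer"}

def parse(trace):
    """Turn tcpdump ISAKMP header lines into dicts; a notification line is attached to the preceding packet."""
    pkts = []
    for line in trace.splitlines():
        m = PKT.match(line)
        if m:
            ts, src, dst, exch, enc = m.groups()
            pkts.append({"ts": ts, "src": src, "dst": dst, "exch": exch, "enc": bool(enc), "note": None})
            continue
        n = NOTE.search(line)
        if n and pkts:
            pkts[-1]["note"] = n.group(1).strip()
    return pkts

def analyse(pkts):
    """Report how far Main Mode got, how often the stalled message was retransmitted, and peer notifications."""
    main = [p for p in pkts if p["exch"] == "ID_PROT"]
    steps = retrans = 0
    for i, p in enumerate(main):
        prev = main[i - 1] if i else None
        # Same sender and same encryption flag as the previous Main Mode packet: a retransmit.
        if prev and (prev["src"], prev["enc"]) == (p["src"], p["enc"]):
            retrans += 1
        else:
            steps += 1
    initiator = main[0]["src"] if main else None
    notes = [p["note"] for p in pkts if p["note"] and p["src"] != initiator]
    return {"steps": steps, "state": STEP.get(steps, "beyond Main Mode"),
            "retransmits": retrans, "peer_notifications": notes}
```

On the excerpt above it reports five distinct messages, two retransmits of the first encrypted message and a single PAYLOAD MALFORMED notification from the peer, which is exactly the point where the exchange in the post stalls.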