isakmpd can't tear down phase 1 SA (3.8-beta/i386)
From: Kurt Miller (truk at optonline.net)
Date: Thu Sep 01 2005 - 09:21:51 CDT
I'm not sure if my problem is user/configuration related or if there
is a problem with isakmpd... I'd like to only initiate connections using
the isakmpd.fifo as needed. When finished with the connection I was
planning on tearing it down using the fifo too.
When I tear down the phase 2 connection, phase 1 remains. Nothing
I do seems to be able to tear down the phase 1 connection. The
remote side tears down its phase 1 connection when the phase
2 one is gone (remote is a SonicWall in this case). When I attempt
to reconnect to the remote site, isakmpd uses the old phase 1 and
can't connect.
I think this is a problem with isakmpd. Below are the commands I'm
issuing and the isakmpd.result info after each step. Also the -DA=90
output for this sequence is available here:
http://intricatesoftware.com:81/OpenBSD/misc/isakmpd.log
$ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26429 seconds
Hard timeout in 28791 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661
SA name: IPsec-Site1 (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 1200 seconds
Soft timeout in 1056 seconds
Hard timeout in 1191 seconds
SPI 0: f3d26409
SPI 1: bda5bb6e
Transform: IPsec ESP
Encryption key length: 8
Authentication key length: 16
Encryption algorithm: DES
Authentication algorithm: HMAC-MD5
Everything is working ok at this point. Now tear down IPsec-Site1
and check if phase 1 is still there.
$ sudo ksh -c "echo t IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26385 seconds
Hard timeout in 28747 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661
I can't get rid of this entry using 't ISAKMP-Site1' or
'd af2b308c6583a724 -' or 'd 32ea88cc20420661 -' or
even 'T'. Attempting to reconnect fails and looks like this:
$ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26282 seconds
Hard timeout in 28644 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661
SA name: <unnamed> (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
SPI 0 not defined.
SPI 1: bd55249b
Transform: IPsec ESP
Encryption key length: 0
Authentication key length: 0
Encryption algorithm: unknown (0)
Authentication algorithm: none
Note the Phase 2 garbage. I have to shut down isakmpd to clean this up.
Here's my isakmpd.conf:
[General]
Default-phase-1-lifetime= 28800,60:86400
[Phase 1]
x.x.x.x= ISAKMP-Site1
[Phase 2]
Passive-connections= IPsec-Site1
# Phase 1
#######################
[ISAKMP-Site1]
Phase= 1
Address= x.x.x.x
Configuration= SonicWall-main-mode
Default= IPsec-Site1
Authentication= not
ID= SonicWall-Phase1-ID
# Phase 2 sections
##################
[IPsec-Site1]
Phase= 2
ISAKMP-peer= ISAKMP-Site1
Configuration= SonicWall-quick-mode
Local-ID= Default-Phase2-Local-ID
Remote-ID= Site1-Phase2-Remote-ID
# Client ID sections
####################
[SonicWall-Phase1-ID]
ID-type= USER_FQDN
Name= GroupVPN
[Default-Phase2-Local-ID]
ID-type= IPV4_ADDR
Address= default
[Site1-Phase2-Remote-ID]
ID-type= IPV4_ADDR_SUBNET
Network= 172.31.5.0
Netmask= 255.255.255.0
# Transform descriptions
########################
[SonicWall-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[SonicWall-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-SUITE
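The dumps above are the raw isakmpd.result text written by the 'S' fifo command. Rather than eyeballing that file after every teardown, a small checker can parse it and flag the two conditions the post describes: a Phase 2 entry that is clearly malformed (unnamed, SPI not defined, unknown algorithm) and a Phase 1 SA left behind with no Phase 2 SA riding on it. The code below is an added example written for this page, not something from the original post or from isakmpd itself. It assumes the isakmpd.result layout shown in the post, and the PEERS mapping (Phase 2 name to Phase 1 name, mirroring the ISAKMP-peer= lines of isakmpd.conf) and the three sample dumps are constructed for the example.

```python
"""Parse isakmpd.result ('S' fifo command output) and flag stale or broken SAs.

Added example for this page; it is not code from the original post or from
isakmpd. The record layout is taken from the dumps shown in the post.
"""
import re
from dataclasses import dataclass, field

@dataclass
class SA:
    name: str
    phase: int
    role: str = ""                              # "Initiator"/"Responder" for Phase 1
    src: str = ""
    dst: str = ""
    cookies: tuple = ()                         # (icookie, rcookie) for Phase 1
    spis: dict = field(default_factory=dict)    # index -> hex SPI, None if "not defined"
    attrs: dict = field(default_factory=dict)   # e.g. "Encryption algorithm" -> "DES"

SA_RE = re.compile(r"^SA name: (\S+) \(Phase (\d)(?:/(\w+))?\)$")
ADDR_RE = re.compile(r"^src: (\S+) dst: (\S+)$")
COOKIE_RE = re.compile(r"^icookie ([0-9a-f]+) rcookie ([0-9a-f]+)$")
SPI_RE = re.compile(r"^SPI (\d+): ([0-9a-f]+)$")
SPI_UNDEF_RE = re.compile(r"^SPI (\d+) not defined\.$")

def parse_result(text: str) -> list:
    """Split isakmpd.result into SA records, one per 'SA name:' header."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SA_RE.match(line)
        if m:
            cur = SA(name=m.group(1), phase=int(m.group(2)), role=m.group(3) or "")
            sas.append(cur)
            continue
        if cur is None:
            continue  # stray text before the first SA header
        if (m := ADDR_RE.match(line)):
            cur.src, cur.dst = m.groups()
        elif (m := COOKIE_RE.match(line)):
            cur.cookies = m.groups()
        elif (m := SPI_RE.match(line)):
            cur.spis[int(m.group(1))] = m.group(2)
        elif (m := SPI_UNDEF_RE.match(line)):
            cur.spis[int(m.group(1))] = None
        elif ":" in line:
            key, val = line.split(":", 1)       # "Lifetime: 28800 seconds" etc.
            cur.attrs[key.strip()] = val.strip()
        # "Soft/Hard timeout in N seconds" lines have no colon and are not needed here
    return sas

def find_problems(sas: list, isakmp_peer: dict) -> list:
    """Return (kind, sa_name) pairs for malformed Phase 2 SAs and Phase 1 SAs
    that no configured Phase 2 SA is currently using."""
    problems = []
    for sa in sas:
        if sa.phase != 2:
            continue
        malformed = (sa.name == "<unnamed>"
                     or None in sa.spis.values()
                     or sa.attrs.get("Encryption algorithm", "").startswith("unknown")
                     or sa.attrs.get("Encryption key length") == "0")
        if malformed:
            problems.append(("malformed-phase2", sa.name))
    backed = {isakmp_peer[sa.name] for sa in sas
              if sa.phase == 2 and sa.name in isakmp_peer}
    for sa in sas:
        if sa.phase == 1 and sa.name not in backed:
            problems.append(("idle-phase1", sa.name))
    return problems

# Constructed mapping, mirroring "ISAKMP-peer= ISAKMP-Site1" under [IPsec-Site1].
PEERS = {"IPsec-Site1": "ISAKMP-Site1"}

# Constructed sample dumps modelled on the post's isakmpd.result output
# (addresses, cookies and SPIs are made up).
SAMPLE_UP = """\
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: 192.0.2.10
Lifetime: 28800 seconds
Soft timeout in 26429 seconds
Hard timeout in 28791 seconds
icookie 0123456789abcdef rcookie fedcba9876543210
SA name: IPsec-Site1 (Phase 2)
src: 172.16.1.24 dst: 192.0.2.10
Lifetime: 1200 seconds
SPI 0: 0a0b0c0d
SPI 1: 0e0f1011
Transform: IPsec ESP
Encryption key length: 8
Authentication key length: 16
Encryption algorithm: DES
Authentication algorithm: HMAC-MD5
"""
SAMPLE_AFTER_TEARDOWN = SAMPLE_UP.split("SA name: IPsec-Site1")[0]
SAMPLE_STALE = SAMPLE_AFTER_TEARDOWN + """\
SA name: <unnamed> (Phase 2)
src: 172.16.1.24 dst: 192.0.2.10
SPI 0 not defined.
SPI 1: 12131415
Transform: IPsec ESP
Encryption key length: 0
Authentication key length: 0
Encryption algorithm: unknown (0)
Authentication algorithm: none
"""

if __name__ == "__main__":
    for label, dump in (("up", SAMPLE_UP), ("after teardown", SAMPLE_AFTER_TEARDOWN),
                        ("stale", SAMPLE_STALE)):
        print(label, find_problems(parse_result(dump), PEERS))
```

On a live box the input would be the contents of /var/run/isakmpd.result read right after writing 'S' to the fifo. An idle Phase 1 SA is not by itself an error (isakmpd keeps it for reuse), so the checker reports it separately from the malformed Phase 2 case; which of the two to alert on is a local policy decision.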