Thanks for the replies here on this list. Using the debug parameters suggested usefully reduced the amount of information in the log files.
I've requested the Cisco PIX config information - hopefully I'll get that from the techs at the other end of the tunnel I am creating this week. In my isakmpd log the first SA messages refer to the fact there is no SA set up for the tunnel I need to form, later an error about a payload length, then the SA seems to be created...

.
.
.
104124.523585 Exch 90 dpd_check_vendor_payload: bad size 8 != 16
.
.
104124.582274 SA 60 sa_create: sa 0x3c067d00 phase 2 added to exchange 0x3c067a00 (VPN-SZ-WCSQL)
104124.582284 Mesg 90 message_alloc: allocated 0x3c06b700
104124.582292 SA 80 sa_reference: SA 0x3c067900 now has 6 references
104124.582301 Cryp 60 hash_get: requested algorithm 0
104124.582399 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the QM-ESP-3DES-MD5-XF section
104124.582433 Sdep 80 pf_key_v2_write: iov[0]:
104124.582448 Sdep 80 02010002 0a000000 01000000f2100000
104124.582456 Sdep 80 pf_key_v2_write: iov[1]:
104124.582472 Sdep 80 03000500 00000000 10020000 ca949151 00000000 00000000
104124.582480 Sdep 80 pf_key_v2_write: iov[2]:
104124.582496 Sdep 80 03000600 00000000 10020000 cb304f11 00000000 00000000
104124.582504 Sdep 80 pf_key_v2_write: iov[3]:
.
.
.
104124.665321 Cryp 30 crypto_decrypt: after decryption:
104124.665340 Cryp 30 0e000014 54f218d1 81b2fec4 56d1ad13 1006f2c6 0000000c 03000000 80140000
104124.665351 Cryp 30 00000000 00000000
104124.665365 Mesg 50 message_parse_payloads: offset 28 payload HASH
104124.665375 Mesg 50 message_parse_payloads: offset 48 payload ATTRIBUTE
104124.665388 Mesg 60 message_validate_payloads: payload HASH at 0x3c06b81c of message 0x3c06b600
104124.665399 Mesg 60 message_validate_payloads: payload ATTRIBUTE at 0x3c06b830 of message 0x3c06b600
104124.665409 Mesg 70 TYPE: 3
104124.665417 Mesg 70 ID: 0
104124.665428 Exch 90 exchange_validate: checking for required <Unknown -24112>
104124.665438 Exch 90 exchange_validate: checking for required <Unknown 7170>
104124.665447 Mesg 70 exchange_validate: msg 0x3c06b600 requires missing <Unknown 7170>
104124.665455 Default exchange_run: exchange_validate failed
104124.665455 Default exchange_run: exchange_validate failed
104124.665469 Default dropped message from 202.148.145.81 port 500 due to notification type PAYLOAD_MALFORMED
104124.665487 Timr 10 timer_add_event: event exchange_free_aux(0x3c067b00) added before sa_soft_expire(0x3c067900), expiration in 120s
104124.665501 Exch 10 exchange_establish_p2: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
104124.665512 Exch 10 exchange_establish_p2: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
104124.665520 Exch 10 exchange_establish_p2: msgid 2db40593 sa_list
104124.665530 Mesg 90 message_alloc: allocated 0x3c06b880
104124.665539 SA 80 sa_reference: SA 0x3c067900 now has 7 references

Below is a sanitized version of my isakmpd.conf...
# ./hide /etc/isakmpd/isakmpd.conf /etc/isakmpd/isakmpd.conf

[Phase 1]
10.0.0.81=              peer-machine-WCpix

[Phase 2]
Connections=            VPN-SZ-WCSQL

[peer-machine-WCpix]
Phase=                  1
Transport=              udp
Address=                10.0.0.81
Local-address=          10.1.1.17
Configuration=          Default-main-mode
Authentication=         shared-secret

[VPN-SZ-WCSQL]
Phase=                  2
ISAKMP-peer=            peer-machine-WCpix
Configuration=          Default-quick-mode
Local-ID=               SZ-internal-network
Remote-ID=              WCSQL-subnet

[SZ-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.157.0
Netmask=                255.255.255.0

[WCSQL-subnet]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.3.3.8
Netmask=                255.255.255.248

[Default-main-mode]
DIO=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE

[3DES-MD5]
GROUP_DESCRIPTION=      MODP_1024

[QM-ESP-3DES-MD5-PFS-SUITE]
GROUP_DESCRIPTION=      MODP_1024

# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
#

I am not sure if there's enough information below - I didn't want to post a 5.5K line output to the list - I'll give some details on the Cisco config as soon as I have some information, but I can supply the full information directly, or specific lines from the output if told exactly /what/ information is relevant.

Cheers and good weekends for all!

Richard

> --- Erik Carlseen <[EMAIL PROTECTED]> wrote:
> > It would be helpful if you could provide sanitized configuration files
> > from both the OpenBSD box and the PIX (just search & replace out
> > anything confidential, but please be consistent).
> >
> > Also, I've found (at least for me) that a good command line for debug
> > purposes is:
> >
> > isakmpd -f- -d -L -D0=79 -D1=70 -D2=90 -D3=80 -D4=99 -D5=99 -D6=99
> > -D7=99 -D8=99 -D9=99
> >
> > For Phase 2 debugging, pay extra attention to the 'SA' debug messages.
> >
> > Regards,
> >
> > Erik Carlseen
> >
> >
> > Richard Green wrote:
> > > Hi
> > >
> > > I've been struggling with this one for a while, and would appreciate
> > > some advice from someone with more experience than I on creating a VPN
> > > tunnel between an OpenBSD (mine) and Cisco PIX (not mine..). Previously
> > > I /did/ test this using OpenBSD to OpenBSD in a test environment
> > > without problems.
> > >
> > > Phase 1 seems to work (at least, if I use a deliberately incorrect
> > > shared secret I don't get this far...)
> > >
> > > Seems to fail at phase 2 of creating a connection.
> > >
> > > .
> > > .
> > > .
> > > 183745.235438 Trpt 95 transport_release: transport 0x3c06c3c0 had 2 references
> > > 183745.235447 SA 80 sa_release: SA 0x3c067900 had 7 references
> > > 183745.235465 Cryp 10 crypto_decrypt: before decryption:
> > > 183745.235483 Cryp 10 3de05661 1cf4f34a 3651e699 729bd793 7bd71a1e 82600c51 d3bdd8b6 799a2de5
> > > 183745.235493 Cryp 10 b8314032 10ac839b
> > > 183745.235507 Cryp 30 crypto_decrypt: after decryption:
> > > 183745.235526 Cryp 30 0e000014 ade0a7a0 bcefb6d7 a834796c 6f8997da 0000000c 03000000 80140000
> > > 183745.235537 Cryp 30 00000000 00000000
> > > 183745.235547 Mesg 50 message_parse_payloads: offset 28 payload HASH
> > > 183745.235556 Mesg 50 message_parse_payloads: offset 48 payload ATTRIBUTE
> > > 183745.235567 Mesg 60 message_validate_payloads: payload HASH at 0x3c06b81c of message 0x3c06b600
> > > 183745.235577 Mesg 60 message_validate_payloads: payload ATTRIBUTE at 0x3c06b830 of message 0x3c06b600
> > > 183745.235587 Mesg 70 TYPE: 3
> > > 183745.235596 Mesg 70 ID: 0
> > > 183745.235607 Exch 90 exchange_validate: checking for required <Unknown -24112>
> > > 183745.235619 Exch 90 exchange_validate: checking for required <Unknown 7170>
> > > 183745.235629 Mesg 70 exchange_validate: msg 0x3c06b600 requires missing <Unknown 7170>
> > > 183745.235637 Default exchange_run: exchange_validate failed
> > > 183745.235653 Default dropped message from 202.148.145.81 port 500 due to notification type PAYLOAD_MALFORMED
> > >
> > > On the Cisco side, the logs are not very helpful, nor is it possible
> > > for me to get much detail from the people I am connecting to...
> > > 2005 19:24:31: %PIX-6-602202: ISAKMP session connected (local 212.148.145.181 (responder), remote 213.148.179.117/)
> > >
> > > ./20050430/pfw85.wic.webcentral.com.au/messages:Apr 30 23:35:38 pix.somewhere.net Apr 30 2005 23:35:33: %PIX-6-109006: Authentication failed for user '' from 213.148.179.117/0 to 202.148.145.81/0 on interface outside
> > >
> > > My /etc/isakmpd/isakmpd.conf file uses transforms and suites as per
> > > the Pix configuration.
> > >
> > > Using OpenBSD 3.6 (up to date).
> > >
> > > I don't really understand the actual error messages in the isakmpd log
> > > (log level is -DA=99) - the error messages start at about line 24000,
> > > so I have only included a few lines from this in this request for
> > > assistance working through this problem.
> > >
> > > Regards
> > > Richard
> > >
> > > Find local movie times and trailers on Yahoo! Movies.
> > > http://au.movies.yahoo.com
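The "crypto_decrypt: after decryption:" dump that isakmpd prints just before "exchange_validate failed" can be decoded by hand, which shows where the "offset 28 payload HASH", "offset 48 payload ATTRIBUTE", "TYPE: 3" and "ID: 0" lines come from. The script below is an added example written for this page, not code from the original post or from isakmpd. It walks the ISAKMP generic payload headers (RFC 2408, section 3.2) over the hex from the log, then decodes the ISAKMP Configuration payload (payload type 14, "ATTRIBUTE") that follows the HASH payload. Two assumptions: the first payload type is taken to be HASH (the dump starts after the 28-byte ISAKMP header, so the header's Next Payload field is not in it, but the log names it), and the configuration attribute found (type 20) is reported raw, with no attempt to interpret its meaning.

```python
"""Decode the decrypted ISAKMP payload chain shown in the isakmpd log.

Added example (not from the mailing-list post or from isakmpd): walks the
generic payload headers of the dump isakmpd printed after
"crypto_decrypt: after decryption:" and decodes the ISAKMP Configuration
(ATTRIBUTE) payload that follows the HASH payload.
"""
import struct

# Payload type numbers from RFC 2408 section 3.1; 14 (ATTRIBUTE) is the
# ISAKMP Configuration payload from the mode-config draft.
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH",
    5: "ID", 6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE",
    11: "NOTIFY", 12: "DELETE", 13: "VENDOR", 14: "ATTRIBUTE",
}
HASH, ATTRIBUTE = 8, 14
# Configuration message types (ISAKMP mode-config draft).
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
             3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
ISAKMP_HDR_LEN = 28  # the dump in the log starts right after the fixed header

# Constructed from the 104124.665340 / 104124.665351 log lines above.
LOG_DUMP = ("0e000014 54f218d1 81b2fec4 56d1ad13 1006f2c6 "
            "0000000c 03000000 80140000 00000000 00000000")


def parse_payloads(data, first_type):
    """Walk the chain of generic payload headers (Next Payload, RESERVED,
    Payload Length). first_type is an assumption: it lives in the ISAKMP
    header, which the dump does not include; the log reports it as HASH."""
    payloads, offset, ptype = [], 0, first_type
    while ptype != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _reserved, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        payloads.append({
            "type": PAYLOAD_NAMES.get(ptype, "UNKNOWN(%d)" % ptype),
            "msg_offset": ISAKMP_HDR_LEN + offset,  # what isakmpd logs as "offset N"
            "length": length,
            "body": data[offset + 4:offset + length],
        })
        offset, ptype = offset + length, next_type
    return payloads


def parse_attribute_payload(body):
    """Decode a Configuration payload body: Type, RESERVED, Identifier, then
    data attributes in TLV form (AF bit set means a basic 2-byte value)."""
    cfg_type, _reserved, identifier = struct.unpack_from("!BBH", body, 0)
    attrs, pos = [], 4
    while pos + 4 <= len(body):
        af_type, lv = struct.unpack_from("!HH", body, pos)
        attr_type, basic = af_type & 0x7FFF, bool(af_type & 0x8000)
        if basic:
            attrs.append({"type": attr_type, "basic": True, "value": lv})
            pos += 4
        else:
            attrs.append({"type": attr_type, "basic": False,
                          "value": body[pos + 4:pos + 4 + lv]})
            pos += 4 + lv
    return {"cfg_type": CFG_TYPES.get(cfg_type, "UNKNOWN(%d)" % cfg_type),
            "id": identifier, "attributes": attrs}


def decode_log_dump(hexdump=LOG_DUMP, first_type=HASH):
    """Parse the dump and attach a decoded view to any ATTRIBUTE payload."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    payloads = parse_payloads(data, first_type)
    for p in payloads:
        if p["type"] == "ATTRIBUTE":
            p["decoded"] = parse_attribute_payload(p["body"])
    return payloads


if __name__ == "__main__":
    for p in decode_log_dump():
        print("offset %d payload %s length %d"
              % (p["msg_offset"], p["type"], p["length"]))
        if "decoded" in p:
            print("   ", p["decoded"])
```

Run as-is it reports a HASH payload at message offset 28 (20 bytes, so a 16-byte hash value, which is what an MD5 HMAC produces) and an ATTRIBUTE payload at offset 48 (12 bytes) whose header is type 3 (ISAKMP_CFG_SET), identifier 0, carrying one basic attribute of type 20 with value 0; the trailing eight zero bytes are cipher-block padding. A Configuration payload belongs to a mode-config transaction exchange, not to the Quick Mode exchange isakmpd is running at that point, which is consistent with the peer's message being rejected as PAYLOAD_MALFORMED; what the PIX intends by it is something only its configuration can answer.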