Today I upgraded a VPN gateway to 3.8-RELEASE. Anyway, when I put isakmpd.conf back and tried to start it, only one VPN connection (connected to a Linksys VPN gateway) came back up; the connection to another OpenBSD gateway (running 3.7) could not be established. On the other gateway, isakmpd logs:

Nov 4 18:15:48 vpn-gw isakmpd[13559]: message_parse_payloads: invalid next payload type RESERVED_MIN in payload of type 10
Nov 4 18:15:48 vpn-gw isakmpd[13559]: dropped message from xxx.xxx.xxx.xxx port 500 due to notification type INVALID_PAYLOAD_TYPE

On my freshly installed machine I get:

Nov 4 18:15:59 alphen-vpn-gw isakmpd[28891]: transport_send_messages: giving up on exchange ISAKMP-peer-node-ldn, no response from peer xxx.xxx.xxx.xxx:500

I also tried the stock VPN-East configuration files; they give me the same error message about the RESERVED_MIN payload type. I also tried disabling PF on both gateways, to no avail. I also checked my entire isakmpd.conf for weird spacing, which has given me a lot of trouble in the past.

Configuration file on my 3.8 gateway:

[Phase 1]
xxx.xxx.xxx.xxx= ISAKMP-peer-node-ldn
yyy.yyy.yyy.yyy= ISAKMP-peer-node-trr

[Phase 2]
Connections= IPSec-Conn-alp-ldn,IPSec-Conn-alp-trr

# ISAKMP Phase 1 peer sections
##############################

[ISAKMP-peer-node-ldn]
Phase= 1
Transport= udp
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
Authentication= SECRET

[ISAKMP-peer-node-trr]
Phase= 1
Transport= udp
Address= yyy.yyy.yyy.yyy
Configuration= Default-main-mode
Authentication= SECRET

# IPSec Phase 2 sections
########################

[IPSec-Conn-alp-ldn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-ldn
Configuration= Default-quick-mode
Local-ID= MyNet-alp
Remote-ID= OtherNet-ldn

[IPSec-Conn-alp-trr]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-trr
Configuration= Default-main-mode
Local-ID= MyNet-alp
Remote-ID= OtherNet-trr

# Client ID sections
####################

[MyNet-alp]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.106.0
Netmask= 255.255.255.0

[OtherNet-ldn]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0

[OtherNet-trr]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.107.0
Netmask= 255.255.255.0

#
# There is no more node-specific configuration below this point.
#

# Main mode descriptions

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5

# Quick mode description
########################

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

And on my 3.7 gateway:

[Phase 1]
xxx.xxx.xxx.xxx= ISAKMP-peer-node-alp
aaa.aaa.aaa.aaa= ISAKMP-peer-node-lk
bbb.bbb.bbb.bbb= ISAKMP-peer-node-zu
ccc.ccc.ccc.ccc= ISAKMP-peer-node-al
ddd.ddd.ddd.ddd= ISAKMP-peer-node-br
eee.eee.eee.eee= ISAKMP-peer-node-ldorp

# These connections are walked over after config file parsing and
# told to the application layer so that it will inform us when
# traffic wants to pass over them. This means we can do on-demand
# keying. In the three-way VPN, each node knows two connections.

[Phase 2]
Connections= IPsec-Conn-ldn-alp,IPsec-Conn-ldn-lk,IPsec-Conn-ldn-zu,IPsec-Conn-ldn-al,IPsec-Conn-ldn-br,IPsec-Conn-ldn-ldorp

# ISAKMP Phase 1 peer sections
##############################

[ISAKMP-peer-node-alp]
Phase= 1
Transport= udp
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
Authentication= SECRET

[ISAKMP-peer-node-lk]
Phase= 1
Transport= udp
Address= aaa.aaa.aaa.aaa
Configuration= Default-main-mode
Authentication= SECRET

[ISAKMP-peer-node-zu]
Phase= 1
Transport= udp
Address= bbb.bbb.bbb.bbb
Configuration= bef-main-mode
Authentication= SECRET

[ISAKMP-peer-node-al]
Phase= 1
Transport= udp
Address= ccc.ccc.ccc.ccc
Configuration= Default-main-mode
Authentication= SECRET

[ISAKMP-peer-node-br]
Phase= 1
Transport= udp
Address= ddd.ddd.ddd.ddd
Configuration= Default-main-mode
Authentication= SECRET

[ISAKMP-peer-node-ldorp]
Phase= 1
Transport= udp
Address= eee.eee.eee.eee
Configuration= Default-main-mode
Authentication= SECRET

# IPsec Phase 2 sections
########################

[IPsec-Conn-ldn-alp]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-alp
Configuration= Default-quick-mode
Local-ID= MyNet-ldn
Remote-ID= OtherNet-alp

[IPsec-Conn-ldn-ldorp]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-alp
Configuration= Default-quick-mode
Local-ID= MyNet-ldn
Remote-ID= OtherNet-ldr

[IPsec-Conn-ldn-lk]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-lk
Configuration= Default-quick-mode
Local-ID= MyNet-ldn
Remote-ID= OtherNet-lk

[IPsec-Conn-ldn-zu]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-zu
Configuration= bef-quick-mode
Local-ID= MyNet-ldn
Remote-ID= OtherNet-zu

[IPsec-Conn-ldn-al]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-al
Configuration= Default-quick-mode
Local-ID= MyNet-ldn
Remote-ID= OtherNet-al

[IPsec-Conn-ldn-br]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-br
Configuration= Default-quick-mode
Local-ID= MyNet-ldn
Remote-ID= Othernet-br

# Client ID sections
####################

[MyNet-ldn]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0

[OtherNet-alp]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.106.0
Netmask= 255.255.255.0

[OtherNet-ldr]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.105.0
Netmask= 255.255.255.0

[Othernet-lk]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.102.0
Netmask= 255.255.255.0

[OtherNet-zu]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.103.0
Netmask= 255.255.255.0

[OtherNet-al]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.104.0
Netmask= 255.255.255.0

[Othernet-br]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.101.0
Netmask= 255.255.255.0

#
# There is no more node-specific configuration below this point.
#

# Main mode descriptions

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5

[Blowfish-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= BLF-SHA-M1024

# Quick mode description
########################

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

[bef-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
Life= ANY

[bef-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Suites= QM-ESP-3DES-SHA-PFS-SUITE
Life= ANY

-- 
Michiel van der Kraats
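As an added example (not code from the post, nor from isakmpd), a small checker that parses an isakmpd.conf and verifies that every connection listed under [Phase 2] points at an existing Phase 1 peer section and at a QUICK_MODE configuration, the kind of wiring mistake present in both posted files ([IPSec-Conn-alp-trr] names Default-main-mode, and [bef-quick-mode] declares EXCHANGE_TYPE ID_PROT). It assumes isakmpd matches section names case-insensitively and runs on a constructed excerpt modelled on the 3.8 file above.

```python
# Added example (not from the post or isakmpd): check the Phase 1/2 wiring of an
# isakmpd.conf. SAMPLE is a constructed excerpt modelled on the 3.8 config above:
# the trr peer section is missing and its connection names a main-mode config.
SAMPLE = """\
[Phase 2]
Connections= IPSec-Conn-alp-ldn,IPSec-Conn-alp-trr
[ISAKMP-peer-node-ldn]
Phase= 1
Configuration= Default-main-mode
[IPSec-Conn-alp-ldn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-ldn
Configuration= Default-quick-mode
[IPSec-Conn-alp-trr]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-trr
Configuration= Default-main-mode
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
"""

def parse(text):
    """isakmpd.conf -> {section: {tag: value}}. Section names are lower-cased:
    this checker assumes isakmpd compares them case-insensitively."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; blanks match nothing
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and cur is not None:
            tag, val = line.split("=", 1)
            cur[tag.strip()] = val.strip()
    return conf

def check(conf):
    """Return the wiring problems found; an empty list means all checks passed."""
    problems = []
    def ref(name, what):  # look up a referenced section, noting it if missing
        sec = conf.get(name.lower())
        if sec is None:
            problems.append(f"{what} refers to missing section [{name}]")
        return sec or {}
    for conn in conf.get("phase 2", {}).get("Connections", "").split(","):
        c = ref(conn, "[Phase 2] Connections")
        peer, cfg = c.get("ISAKMP-peer", ""), c.get("Configuration", "")
        if ref(peer, f"[{conn}] ISAKMP-peer").get("Phase") != "1":
            problems.append(f"[{conn}] ISAKMP-peer [{peer}] is not a Phase 1 section")
        if ref(cfg, f"[{conn}] Configuration").get("EXCHANGE_TYPE") != "QUICK_MODE":
            problems.append(f"[{conn}] Configuration [{cfg}] is not a QUICK_MODE section")
    return problems
```

Running `check(parse(open("/etc/isakmpd/isakmpd.conf").read()))` before starting the daemon reports each mismatch by section name instead of leaving it to a failed negotiation.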