Hello! I set up a tunnel between two machines (connected through the Internet) running OpenBSD 3.6 and everything was fine.
Then I had to upgrade one of the two machines to 3.7 (disk crash!). Rewrote the config file and restarted the tunnel. The tunnel is fine and the traffic gets encrypted all right. But if I run an "ipsecadm show", now I also see an "errno 8: Exec format error" on the 3.7 machine, and again no error on the 3.6 machine.

It was suggested that I try 3.7 -stable. So I set up two new machines (both with 3.7 -stable) to test on my LAN:

10.0.0.6 -- [ BOX A ] -- 192.168.3.254 /24

192.168.99.254 /24 -- [ BOX B ] -- 192.168.3.17

I have a client PC on the .99 network which can ping the 10.0.0.6 interface (and the traffic is encrypted in the 192.168.3.0/24 network), so apparently all is well. But now on BOX A I get an "errno 8: Exec format error", and on BOX B I get an "errno 118: Unknown error: 118" (see below).

Any ideas on what is going on? Also, does anybody know where I can find some documentation concerning these error codes?

Many thanks in advance for your help.

---Rob

========== BOX A "ipsecadm show" 192.168.3.254 ===========

-bash-3.00# ipsecadm show
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.17
        address_dst: 192.168.3.254
        identity_src: type prefix id 0: 192.168.3.17/32
        identity_dst: type prefix id 0: 192.168.3.254/32
        key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
        key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.254
        address_dst: 192.168.3.17
        identity_src: type prefix id 0: 192.168.3.254/32
        identity_dst: type prefix id 0: 192.168.3.17/32
        key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
        key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893

========== BOX B "ipsecadm show" 192.168.3.17 ============

-bash-3.00# ipsecadm show
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 118: Unknown error: 118
        sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.254
        address_dst: 192.168.3.17
        identity_src: type prefix id 0: 192.168.3.254/32
        identity_dst: type prefix id 0: 192.168.3.17/32
        key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
        key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 118: Unknown error: 118
        sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.17
        address_dst: 192.168.3.254
        identity_src: type prefix id 0: 192.168.3.17/32
        identity_dst: type prefix id 0: 192.168.3.254/32
        key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
        key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738

========== BOX A isakmpd.conf ============================

-bash-3.00# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on= 192.168.3.254

[Phase 1]
192.168.3.17= ISAKMP-peer-west

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-west]
Phase= 1
Transport= udp
Local-address= 192.168.3.254
Address= 192.168.3.17
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.248

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.99.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

========== BOX B isakmpd.conf ============================

-bash-3.00# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on= 192.168.3.17

[Phase 1]
192.168.3.254= ISAKMP-peer-east

[Phase 2]
Connections= IPsec-west-east

[ISAKMP-peer-east]
Phase= 1
Transport= udp
Local-address= 192.168.3.17
Address= 192.168.3.254
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[IPsec-west-east]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.248

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.99.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE