Hello all,

Currently my brother and I are trying to set up a VPN using isakmpd between two OBSD 3.8 boxes. We had a similar VPN working before. We both changed ADSL providers and thought it was time for an upgrade. However...
Our VPN refuses to work. We singled out a possible firewall problem. The pflog is quiet and even after a '$ pfctl -F rules' we keep the same problem. A 'tcpdump -i xl1 port 500' shows that both sides receive cookies, but nothing more, like this:

$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 385103343a680645->9c61c0d839d1d9ec msgid: 00000000 len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: 00000000 len: 168

The debugging info gives messages like this:

132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri) & fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500

My question is: what is happening here? How is it possible there is traffic on both sides on port 500 but the two are not able to get decent contact?

Thank you in advance.

Daom

confs follow:

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "our_bad_passw"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
# $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Retransmits=		5
Exchange-max-time=	120
Listen-on=		xxx.xxx.xxx.xxx
#Shared-SADB=		Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
yyy.yyy.yyy.yyy=	dimitri

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections=		daim-dimitri

[dimitri]
Phase=			1
Transport=		udp
Local-address=		xxx.xxx.xxx.xxx
Address=		yyy.yyy.yyy.yyy
Configuration=		Default-main-mode
Authentication=		our_bad_passw

[daim-dimitri]
Phase=			2
ISAKMP-peer=		dimitri
Configuration=		Default-quick-mode
Local-ID=		Net-daim
Remote-ID=		Net-dimitri

[Net-daim]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.0.0
Netmask=		255.255.255.0

[Net-dimitri]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.10.10.0
Netmask=		255.255.255.0

# Main mode descriptions

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		DES-SHA

# Main mode transforms
######################

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

# Blowfish

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_155
Life=			LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM=	BLOWFISH_CBC
KEY_LENGTH=		128,96:192
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	EC2N_185
Life=			LIFE_600_SECS,LIFE_1000_KB

[3DES-MD5]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_1_DAY

[CAST-SHA]
ENCRYPTION_ALGORITHM=	CAST_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1536
Life=			LIFE_1_DAY

# Quick mode description
########################

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

[Greenbow-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-DES-SHA-PFS-SUITE

# Quick mode protection suites
##############################

# DES

[QM-ESP-DES-SUITE]
Protocols=		QM-ESP-DES

[QM-ESP-DES-PFS-SUITE]
Protocols=		QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5

[QM-ESP-DES-MD5-PFS-SUITE]
Protocols=		QM-ESP-DES-MD5-PFS

[QM-ESP-DES-SHA-SUITE]
Protocols=		QM-ESP-DES-SHA

[QM-ESP-DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-DES-SHA-PFS

# 3DES

[QM-ESP-3DES-SHA-SUITE]
Protocols=		QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-3DES-SHA-PFS

# AH

[QM-AH-MD5-SUITE]
Protocols=		QM-AH-MD5

[QM-AH-MD5-PFS-SUITE]
Protocols=		QM-AH-MD5-PFS

# AH + ESP

[QM-AH-MD5-ESP-DES-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES

[QM-AH-MD5-ESP-DES-MD5-SUITE]
Protocols=		QM-AH-MD5,QM-ESP-DES-MD5

[QM-ESP-DES-MD5-AH-MD5-SUITE]
Protocols=		QM-ESP-DES-MD5,QM-AH-MD5

# Quick mode protocols

# DES

[QM-ESP-DES]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-XF

[QM-ESP-DES-MD5]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-XF

[QM-ESP-DES-MD5-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-MD5-PFS-XF

[QM-ESP-DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-DES-SHA-XF

# 3DES

[QM-ESP-3DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-TRP-XF

# AH MD5

[QM-AH-MD5]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-XF

[QM-AH-MD5-PFS]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-PFS-XF

# Quick mode transforms

# ESP DES+MD5

[QM-ESP-DES-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_1024
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-ESP-DES-SHA-XF]
TRANSFORM_ID=		DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

# 3DES

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_600_SECS

# AH

[QM-AH-MD5-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
Life=			LIFE_600_SECS

[QM-AH-MD5-PFS-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TUNNEL
GROUP_DESCRIPTION=	MODP_768
Life=			LIFE_600_SECS

[LIFE_600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		600,450:720

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200

[LIFE_1000_KB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		1000,768:1536

[LIFE_32_MB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		32768,16384:65536

[LIFE_4.5_GB]
LIFE_TYPE=		KILOBYTES
LIFE_DURATION=		4608000,4096000:8192000

# Certificates stored in PEM format

[X509-certificates]
CA-directory=		/etc/isakmpd/ca/
Cert-directory=		/etc/isakmpd/certs/
#Accept-self-signed=	defined
Private-key=		/etc/isakmpd/private/local.key
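An added example (not part of the original post, and not isakmpd or OpenBSD code) that makes the capture above easier to read: it parses tcpdump's one-line isakmp summaries, groups packets by cookie pair, and reports each cookie pair that was only ever seen flowing one way, which is exactly what the post's two lines show and what "no response from peer" means. The regex and the SAMPLE text are assumptions based on the post's tcpdump format; SAMPLE is the post's two lines embedded as constructed input.

```python
import re
from collections import defaultdict

# Matches tcpdump's one-line ISAKMP summary in the format shown in the post.
ISAKMP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+isakmp\s+v[\d.]+"
    r"\s+exchange\s+(?P<exch>\S+)\s+cookie:\s+(?P<icookie>[0-9a-f]+)->(?P<rcookie>[0-9a-f]+)"
    r"\s+msgid:\s+(?P<msgid>[0-9a-f]+)\s+len:\s+(?P<len>\d+)"
)

# The two capture lines from the post, embedded here as sample input.
SAMPLE = """\
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 385103343a680645->9c61c0d839d1d9ec msgid: 00000000 len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: 00000000 len: 168
"""

def parse(text):
    """One dict per matching tcpdump line; lines that are not ISAKMP summaries are skipped."""
    return [m.groupdict() for m in map(ISAKMP_LINE.match, text.splitlines()) if m]

def unanswered_exchanges(pkts):
    """Map (icookie, rcookie, exchange) -> True when every packet with that cookie
    pair went the same way, i.e. no peer reply carrying the same cookies was captured."""
    flows = defaultdict(set)
    for p in pkts:
        flows[(p["icookie"], p["rcookie"], p["exch"])].add((p["src"], p["dst"]))
    return {key: not any((dst, src) in seen for src, dst in seen)
            for key, seen in flows.items()}

def report(text):
    """Print a verdict per cookie pair and return the verdict map."""
    verdicts = unanswered_exchanges(parse(text))
    for (ic, rc, exch), unanswered in sorted(verdicts.items()):
        print(f"{exch} cookie {ic}->{rc}: {'NO REPLY' if unanswered else 'two-way'}")
    return verdicts

if __name__ == "__main__":
    report(SAMPLE)
```

On the post's capture both cookie pairs come out as NO REPLY: each host's packets appear on the wire, but nothing with the same cookies ever comes back, which is consistent with the debug line "giving up on exchange dimitri, no response from peer".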