Greetings, I recently converted from isakmpd.conf to ipsec.conf and I
seem to be having a problem bringing up a second tunnel to a PIX.  It
_appears_ that the OBSD side is trying to use the default hmac
(sha2_256) even though it is configured to use md5 for the second
tunnel.  Oddly, the first tunnel comes up fine.  Any insight or
trouble-shooting tips would be appreciated.  BTW, is there any way to see
what flows have been "configured"?  "ipsecctl -sf" seemed to only show a
flow when phase I was complete.

ipsecctl -sf
--------
flow esp in from 192.168.60.192/28 to 10.10.0.0/16 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type use
flow esp out from 10.10.0.0/16 to 192.168.60.192/28 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type require
++++++++
The local peer (OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT
2007) is configured like:
--------
ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
        peer  192.168.40.8 \
        local 192.168.13.4 \
        main auth hmac-md5 enc aes group modp1024 \
        psk "Hereismylovelykey"
++++++++
/var/log/messages:
--------
Apr 23 12:28:52 fw1 isakmpd[965]: transport_send_messages: giving up on
exchange IPsec-10.5.0.0/24-192.168.60.192/28, no response from peer
192.168.40.8:500
Apr 23 12:28:52 fw1 isakmpd[965]: message_recv: bad message length
Apr 23 12:28:52 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type <Unknown 0>
...more of the above
Apr 23 12:29:37 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type <Unknown 0>
Apr 23 12:30:25 fw1 isakmpd[965]: message_validate_notify: protocol not
supported
Apr 23 12:30:33 fw1 isakmpd[965]: message_recv: bad message length
++++++++
The remote is a PIX configured like:
--------
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.10.0.0
255.255.0.0
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.5.0.0
255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set RMT esp-aes esp-md5-hmac
crypto map RMT 10 ipsec-isakmp
crypto map RMT 10 match address 100
crypto map RMT 10 set peer 192.168.13.4
crypto map RMT 10 set transform-set RMT
crypto map RMT interface outside
isakmp enable outside
isakmp key ******** address 192.168.13.4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
++++++++
The PIX debug says:
--------
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3599058422

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 1200
ISAKMP:      encaps is 1
ISAKMP:      authentication algorithm... What? 5?
ISAKMP:      group is 2
ISAKMP:      key length is 128IPSEC(validate_proposal): transform
proposal (prot 3, trans 12, hmac_alg 5) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0xd68545f6
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xd68545f6
++++++++
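The PIX debug above already carries the decisive detail in numeric form: `(prot 3, trans 12, hmac_alg 5)` is, in the IANA ISAKMP IPsec DOI registry, ESP with the ESP_AES transform and authentication algorithm 5, HMAC-SHA2-256, while the PIX transform-set only admits `esp-md5-hmac` (value 1). In ipsec.conf(5), `main auth` selects the phase 1 hash; the phase 2 (quick mode) integrity algorithm is set with `quick auth` and defaults to hmac-sha2-256 when that keyword is omitted. The helper below is an added example, not code from the original post: it decodes the rejected proposal from a PIX debug, reads the accepted algorithms out of the PIX `crypto ipsec transform-set` line, and reports the mismatch together with the ipsec.conf `quick auth` keywords that would match the PIX side. The value tables are from the IANA registry and ipsec.conf(5); the sample input is copied from the post.

```python
"""Added diagnostic helper (not from the original post): decode a PIX IKE
phase 2 debug and compare the rejected proposal with the PIX transform-set.
Value tables follow the IANA ISAKMP IPsec DOI registry (RFC 2407/2408/4868)
and the ipsec.conf(5) phase 2 keywords."""
import re

# IPsec DOI identifiers as printed in the PIX "validate_proposal" line.
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
ESP_TRANSFORMS = {2: "ESP_DES", 3: "ESP_3DES", 11: "ESP_NULL", 12: "ESP_AES"}
AUTH_ALGS = {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256",
             6: "HMAC-SHA2-384", 7: "HMAC-SHA2-512"}
NOTIFY_TYPES = {13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN",
                15: "BAD-PROPOSAL-SYNTAX"}

# PIX transform-set keywords and ipsec.conf(5) "quick auth" keywords,
# both mapped onto the same DOI authentication values.
PIX_ENC = {"esp-des": 2, "esp-3des": 3, "esp-null": 11,
           "esp-aes": 12, "esp-aes-192": 12, "esp-aes-256": 12}
PIX_AUTH = {"esp-md5-hmac": 1, "esp-sha-hmac": 2}
IPSEC_CONF_AUTH = {"hmac-md5": 1, "hmac-sha1": 2, "hmac-sha2-256": 5,
                   "hmac-sha2-384": 6, "hmac-sha2-512": 7}

REJECT_RE = re.compile(r"\(prot (\d+), trans (\d+), hmac_alg (\d+)\) not supported")
NOTIFY_RE = re.compile(r"sending NOTIFY message (\d+) protocol (\d+)")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$", re.M)

# Sample input copied from the debug and config quoted in the post.
PIX_DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP:      authentication algorithm... What? 5?
ISAKMP:      key length is 128IPSEC(validate_proposal): transform
proposal (prot 3, trans 12, hmac_alg 5) not supported
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""
PIX_CONFIG = "crypto ipsec transform-set RMT esp-aes esp-md5-hmac\n"


def parse_rejection(debug):
    """Decode the rejected phase 2 proposal; return {} if none is logged."""
    flat = re.sub(r"\s*\n\s*", " ", debug)  # the debug wraps mid-sentence
    m = REJECT_RE.search(flat)
    if not m:
        return {}
    prot, trans, alg = (int(x) for x in m.groups())
    n = NOTIFY_RE.search(flat)
    return {
        "protocol": PROTO_IDS.get(prot, f"proto-{prot}"),
        "transform": ESP_TRANSFORMS.get(trans, f"trans-{trans}"),
        "hmac_alg": alg,
        "auth": AUTH_ALGS.get(alg, f"auth-{alg}"),
        "notify": NOTIFY_TYPES.get(int(n.group(1)), "unknown") if n else None,
    }


def parse_transform_sets(config):
    """Map each PIX transform-set name to its DOI (enc, auth) values."""
    sets = {}
    for m in TSET_RE.finditer(config):
        words = m.group(2).split()
        sets[m.group(1)] = {
            "enc": next((PIX_ENC[w] for w in words if w in PIX_ENC), None),
            "auth": next((PIX_AUTH[w] for w in words if w in PIX_AUTH), None),
        }
    return sets


def diagnose(debug, config):
    """Compare what the peer proposed with what the PIX will accept."""
    rej = parse_rejection(debug)
    sets = parse_transform_sets(config)
    if not rej:
        return {"mismatch": False, "reason": "no rejected proposal in debug"}
    accepted = sorted({s["auth"] for s in sets.values() if s["auth"]})
    return {
        "mismatch": rej["hmac_alg"] not in accepted,
        "proposed_auth": rej["auth"],
        "accepted_auth": [AUTH_ALGS[a] for a in accepted],
        # ipsec.conf "quick auth" keywords that would match the PIX side
        "quick_auth_candidates": [k for k, v in IPSEC_CONF_AUTH.items()
                                  if v in accepted],
        "notify": rej["notify"],
    }


if __name__ == "__main__":
    for key, value in diagnose(PIX_DEBUG, PIX_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the quoted debug it reports the proposed HMAC-SHA2-256 against the accepted HMAC-MD5 and names `hmac-md5` as the matching `quick auth` keyword; the same script works on any PIX phase 2 debug that contains a `validate_proposal` rejection, and the notify type it decodes (14, NO-PROPOSAL-CHOSEN) is the message isakmpd is logging as an unrecognised notification on the OpenBSD side.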
