Attached.

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you please run isakmpd with the "-L" (see isakmpd(8)) flag and could
> you provide me the generated pcap file?
>
> On Mon, Sep 03, 2007 at 04:17:22PM +0100, José Costa wrote:
> > Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
> > to 10.0.0.255.
> >
> > FLOWS:
> > flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type use
> > flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type require
> >
> > SAD:
> > esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
> > hmac-sha1 enc 3des-cbc
> > esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
> > hmac-sha1 enc 3des-cbc
> >
> > BUT there's another error:
> >
> > Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
> > Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from
> > 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
> >
> >
> > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > > > 172.26.10.83, responder id 0a000080/ffffff80:
> > > > 10.0.0.128/255.255.255.128
> > >
> > > isakmpd tells you that the peer sent the wrong phase 2 ID.
> > >
> > > Here, you tell ISA to propose these IDs, but...
> > >
> > > > Remote Network 'OBSD1' IP Subnets:
> > > > Subnet: 10.0.0.1/255.255.255.255
> > > > Subnet: 10.0.0.2/255.255.255.254
> > > > Subnet: 10.0.0.4/255.255.255.252
> > > > Subnet: 10.0.0.8/255.255.255.248
> > > > Subnet: 10.0.0.16/255.255.255.240
> > > > Subnet: 10.0.0.32/255.255.255.224
> > > > Subnet: 10.0.0.64/255.255.255.192
> > > > Subnet: 10.0.0.128/255.255.255.128
> > >
> > > here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> > > by the peer:
> > >
> > > --- /etc/ipsec.conf ---
> > >
> > > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > >         main auth hmac-sha1 enc 3des group modp1024 \
> > >         quick auth hmac-sha1 enc 3des \
> > >         psk teste tag teste
> > >
> > >
> > > To get started, tell ISA to only use one remote subnet, i.e. 10.0.1.0/24

tcpdump: WARNING: snaplen raised from 96 to 65536
17:12:40.500794 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x17b3274e
                payload: TRANSFORM len: 32 transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 00000e10
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.510601 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xeb318a59
                payload: TRANSFORM len: 32 transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 00000e10
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.530390 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
17:59:32.728642 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: d4f8d311 len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0x78543e11 [ttl 0] (id 1, len 96)
17:59:47.662884 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 288
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xe926d709
                payload: TRANSFORM len: 28 transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 1200
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.1.0/255.255.255.0 [ttl 0] (id 1, len 316)
17:59:47.713313 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 300
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xfdaadf5e
                payload: TRANSFORM len: 32 transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 000004b0
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.1.0/255.255.255.0 [ttl 0] (id 1, len 328)
17:59:47.713490 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
17:59:47.726407 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 76
        payload: HASH len: 24
        payload: NOTIFICATION len: 24 notification: 16384 (unknown) [ttl 0] (id 1, len 104)
17:59:47.730118 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 0f879510 len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12 notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 92)
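Added example (not part of the thread or of isakmpd): a small Python checker that reads tcpdump isakmp lines like the ones above, pulls the quick mode phase 2 IDs out of each message and compares them with the (from, to) pair that obsd1's ipsec.conf accepts, so the "invalid phase 2 IDs" rejection can be seen from the capture alone. The sample lines are constructed by cutting down three packets from the dump; LOCAL_ADDR and LOCAL_FLOW are taken from the quoted ipsec.conf; the mapping of notification 16384 to CONNECTED follows RFC 2408's status notification types.

```python
import re
from ipaddress import ip_network

# Constructed sample: three packets, cut down from the tcpdump output quoted in the thread.
SAMPLE = """\
17:12:40.500794 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292 payload: HASH len: 24 payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:59:47.662884 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 288 payload: HASH len: 24 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.1.0/255.255.255.0 [ttl 0] (id 1, len 316)
17:59:47.726407 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE commit cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: b7a314d5 len: 76 payload: HASH len: 24 payload: NOTIFICATION len: 24 notification: 16384 (unknown) [ttl 0] (id 1, len 104)
"""

# What obsd1's ipsec.conf accepts ("ike ... from 10.0.0.0/24 to 10.0.1.0/24") and its own address.
LOCAL_ADDR = "172.26.10.82"
LOCAL_FLOW = (ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24"))
NOTIFY_NAMES = {"16384": "CONNECTED"}  # RFC 2408 status type; tcpdump printed it as "16384 (unknown)"
HDR = re.compile(r"^(\S+) (\S+)\.500 > (\S+)\.500: .*?exchange (\w+)(?: (commit))? cookie: .*?msgid: ([0-9a-f]+)")

def parse_packet(line):
    """Extract exchange type, commit bit, msgid, phase 2 IDs and notification from one packet line."""
    m = HDR.search(line)
    if not m:
        return None
    ids = [ip_network(v) for v in re.findall(r"type: IPV4_ADDR(?:_SUBNET)? = (\S+)", line)]
    n = re.search(r"notification: (.+?) \[ttl", line)
    return {"time": m[1], "src": m[2], "dst": m[3], "exchange": m[4], "commit": m[5] is not None,
            "msgid": m[6], "ids": ids, "notification": n[1] if n else None}

def phase2_ids_match(pkt, local_addr=LOCAL_ADDR, local_flow=LOCAL_FLOW):
    """True if a quick mode message carries the (IDci, IDcr) pair the local flow accepts, else False."""
    if pkt["exchange"] != "QUICK_MODE" or len(pkt["ids"]) != 2:
        return None  # no phase 2 IDs in this message
    want_local, want_peer = local_flow
    # The initiator puts its own network first (IDci), the responder's second (IDcr).
    ours, theirs = pkt["ids"] if pkt["src"] == local_addr else pkt["ids"][::-1]
    return ours == want_local and theirs == want_peer

def describe(pkt):
    """One diagnostic line per packet; names the status notification tcpdump left as a number."""
    note = pkt["notification"]
    if note:
        note = " notify " + NOTIFY_NAMES.get(note.split()[0], note)
    ok = phase2_ids_match(pkt)
    verdict = "" if ok is None else (" ids OK" if ok else " ids REJECTED by local flow")
    commit = " commit" if pkt["commit"] else ""
    return f"{pkt['msgid']} {pkt['src']}->{pkt['dst']} {pkt['exchange']}{commit}{note or ''}{verdict}"

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(describe(parse_packet(line)))
```

Run against a full `tcpdump -r` of the pcap, every quick mode message from the peer that reports "ids REJECTED" points at the subnet pair the other side must be reconfigured to propose.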