I have a problem with ipsec/isakmpd. I have set up about 20 VPNs to various other sites, all using tunnel mode ( active ). All but one are working fine.

One connection exhibits the following behaviour: after isakmpd starts, the VPN starts correctly, main and quick mode are successfully negotiated and I can ping or ssh the remote site. I can see the route with netstat -rnf encap and the SA and FLOW corresponding to this VPN in ipsecctl -s output. When I leave the connection idle for some time, the routing entry vanishes, as do the flow and SA in ipsecctl output. When I ping the remote site, I get 'no route to host'. isakmpd does not try to restart the connection: using tcpdump on the external interface I see no packets travelling to the remote site.

Here is a trace from isakmpd.pcap, showing the last packets before the VPN connection fails:

  12:34:49.770248 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: c6de5870 len: 92 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE seq 2013739885 [ttl 0] (id 1, len 120)
  12:34:49.770670 xxx.xxx.193.254.500 > yyy.yyy.96.195.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: 1dd317ee len: 84 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE_ACK seq 2013739885 [ttl 0] (id 1, len 112)
  12:35:49.811361 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: 5cd1ec2c len: 92 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE seq 2013739886 [ttl 0] (id 1, len 120)
  12:35:49.811751 xxx.xxx.193.254.500 > yyy.yyy.96.195.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: dedfee25 len: 84 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE_ACK seq 2013739886 [ttl 0] (id 1, len 112)
  12:36:23.879320 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: b4875e25 len: 76 payload: HASH len: 24 payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0x7a08d616 [ttl 0] (id 1, len 104)
  12:36:23.891020 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: 1c7e734f len: 92 payload: HASH len: 24 payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: b10f8a7f26c972af->aaae3029f2561bf8 [ttl 0] (id 1, len 120)

xxx.xxx is my local external ip address, yyy.yyy is the remote peer.

So after a few R_U_THERE exchanges, the remote site deletes the SA ( or at least that is what I think it does ). Consequently, the routing entries on my local machine disappear, as said above. Under normal circumstances, my machine ( isakmpd ) immediately restarts the connection, which completes without problem. But sometimes it does not. In these cases, the messages shown above are the last I see. After killing and restarting isakmpd, the VPN is established without problems.

One strange observation I can add. When I dump the isakmpd state with echo S >/var/run/isakmpd.fifo, I get the following:

  SA name: VPN-1 (Phase 2)
  src: xxx.xxx.193.254 dst: aaa.aaa.aaa.aaa
  Lifetime: 2000 seconds
  Soft timeout in 1597 seconds
  Hard timeout in 1803 seconds
  Lifetime: 200000 kilobytes
  Flags 0x0000000b
  SPI 0: 11fd2770 SPI 1: af8ec4b7
  Transform: IPsec ESP
  Encryption key length: 16
  Authentication key length: 16
  Encryption algorithm: AES-128 (CBC)
  Authentication algorithm: HMAC-MD5

  SA name: VPN-1 (Phase 2)
  src: 87.234.193.254 dst: bbb.bbb.bbb.bbb
  Lifetime: 3600 seconds
  Soft timeout in 911 seconds
  Hard timeout in 1372 seconds
  Flags 0x00000003
  SPI 0: 88cce18f SPI 1: 93baf3e0
  Transform: IPsec ESP
  Encryption key length: 24
  Authentication key length: 20
  Encryption algorithm: 3DES
  Authentication algorithm: HMAC-SHA1

I find no phase 1 entry for VPN-1, but two phase 2 entries, and both have destination addresses ( aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb ) which have nothing to do with the peer address of VPN-1. These two addresses are the peer addresses of two of my other VPNs. My policy file is just the default, my OpenBSD is 4.1. Presumably this is a configuration error, but I have no idea what to look for.

Thanks
Christoph
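Added example, not part of the original post or of isakmpd: a small Python parser for tcpdump isakmp lines like the ones quoted above. It pairs each DPD R_U_THERE probe with its ACK by sequence number, lists the DELETE payloads the peer sent (protocol and SPI), and reports whether any exchange followed the deletes, which is what a renegotiation attempt would look like in the same capture. The sample trace is constructed from the post's lines; the regular expressions are my assumption about tcpdump's isakmp output format.

```python
import re

# Constructed sample, modelled on the tcpdump trace quoted in the post (not a real capture).
SAMPLE_TRACE = """\
12:34:49.770248 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: c6de5870 len: 92 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE seq 2013739885 [ttl 0] (id 1, len 120)
12:34:49.770670 xxx.xxx.193.254.500 > yyy.yyy.96.195.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: 1dd317ee len: 84 payload: HASH len: 24 payload: NOTIFICATION len: 32 notification: STATUS_DPD_R_U_THERE_ACK seq 2013739885 [ttl 0] (id 1, len 112)
12:36:23.879320 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: b4875e25 len: 76 payload: HASH len: 24 payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0x7a08d616 [ttl 0] (id 1, len 104)
12:36:23.891020 yyy.yyy.96.195.500 > xxx.xxx.193.254.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: b10f8a7f26c972af->aaae3029f2561bf8 msgid: 1c7e734f len: 92 payload: HASH len: 24 payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: b10f8a7f26c972af->aaae3029f2561bf8 [ttl 0] (id 1, len 120)
"""

# Assumed layout of tcpdump's isakmp output: header, then either a NOTIFICATION or a DELETE payload.
HDR = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): .*?exchange (?P<exch>\S+) cookie: (?P<cookie>\S+)")
NOTIF = re.compile(r"notification: (?P<name>\S+)(?: seq (?P<seq>\d+))?")
DELETE = re.compile(r"payload: DELETE .*?proto: (?P<proto>\S+)(?:.*? SPI: (?P<spi>0x[0-9a-f]+))?")

def parse_trace(text):
    """Turn tcpdump isakmp lines into event dicts; lines that do not match the header are skipped."""
    events = []
    for line in text.splitlines():
        m = HDR.match(line)
        if not m:
            continue
        ev = m.groupdict()
        n, d = NOTIF.search(line), DELETE.search(line)
        if n:
            ev["kind"], ev["seq"] = n["name"], n["seq"]
        elif d:
            ev["kind"], ev["proto"], ev["spi"] = "DELETE", d["proto"], d["spi"]
        else:
            ev["kind"] = "OTHER"        # e.g. a main/quick mode exchange
        events.append(ev)
    return events

def analyse(events):
    """Which DPD probes went unanswered, what the peer deleted, and whether anything followed."""
    probes, acks, deletes, after_delete = {}, set(), [], 0
    for ev in events:
        if ev["kind"] == "STATUS_DPD_R_U_THERE":
            probes[ev["seq"]] = ev["src"]
        elif ev["kind"] == "STATUS_DPD_R_U_THERE_ACK":
            acks.add(ev["seq"])
        elif ev["kind"] == "DELETE":
            deletes.append((ev["src"], ev["proto"], ev["spi"]))
        elif deletes:
            after_delete += 1           # any non-DPD exchange after a DELETE: a renegotiation attempt
    return {"dpd_unanswered": sorted(s for s in probes if s not in acks),
            "deletes": deletes,
            "renegotiation_seen": after_delete > 0}
```

On the sample this reports no unanswered probes, two deletes from the peer (the ESP SA by SPI, then the ISAKMP SA itself) and no exchange afterwards, i.e. the local side never tried to renegotiate, which matches what the post describes.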