Finally I have managed to get that VPN tunnel to work. Actually, everything was fine with the VPN connection settings; the problem was with a firewall (Cisco ASA) residing behind the PIX that I had never known about :)

[ A.B.C.B ] <-> [ OpenBSD 4.1 (M.N.O.P) ] <-- Internet --> [ ( I.J.K.L) Cisco PIX 515E ] <-- [ CISCO ASA ] --> [ E.F.G.H ]

Now I have another problem: the VPN tunnel dies and I get INVALID_COOKIE messages in /var/log/messages. This usually means that one of the endpoints is using an SA that is not available anymore. I guess it is caused by a lifetime value mismatch. On the OpenBSD side I see SAs, but on the Cisco side there are no SAs related to the OpenBSD peer. Where can I set SA lifetimes on OpenBSD? What are the default values for them?

/var/log/messages
Nov 29 13:55:43 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:43 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:45 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:45 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:47 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:47 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:49 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:49 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:49 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:49 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE

Shohrukh
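As an added example that is not part of the thread: a small Python parser that pairs each isakmpd "invalid cookie(s)" line with the "dropped message" line that follows it, counts drops per peer and notification type, and flags the pattern described above (a burst of INVALID_COOKIE drops from one peer) as a likely stale ISAKMP SA. The log lines embedded below are constructed to mirror the output quoted in the message; the peer address I.J.K.L, the cookie values and the extra sshd line are placeholders, and the year is an assumption because syslog timestamps carry none.

```python
"""Summarise isakmpd INVALID_COOKIE drops from /var/log/messages-style lines.

Added example, not code from the mailing-list thread. The sample lines are
constructed to match the poster's output; I.J.K.L and the cookie values are
placeholders copied from the thread, and the sshd line is filler to show that
unrelated entries are ignored.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# isakmpd logs two lines per rejected packet: the cookie pair it could not
# match to any ISAKMP SA it still holds, then the drop with the peer address.
INVALID_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
    r"message_recv: invalid cookie\(s\) (?P<icookie>[0-9a-f]{16}) (?P<rcookie>[0-9a-f]{16})$"
)
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)$"
)

# Constructed sample input (mirrors the thread's log excerpt).
SAMPLE_LOG = """\
Nov 29 13:55:43 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:43 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:45 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:45 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:47 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:47 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:49 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:49 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:49 app isakmpd[24775]: message_recv: invalid cookie(s) f7ed5cd26d071117 bbfcbff3ba3d4fee
Nov 29 13:55:49 app isakmpd[24775]: dropped message from I.J.K.L port 500 due to notification type INVALID_COOKIE
Nov 29 13:55:50 app sshd[1001]: Accepted publickey for admin from 192.0.2.10 port 40001 ssh2
"""


def parse_isakmpd_log(lines, year=2007):
    """Return one event dict per dropped message, carrying the cookie pair that
    preceded it. `year` is assumed because syslog timestamps omit it."""
    events = []
    pending = None  # cookie pair from the most recent 'invalid cookie(s)' line
    for line in lines:
        m = INVALID_RE.match(line)
        if m:
            pending = (m.group("icookie"), m.group("rcookie"))
            continue
        m = DROP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            icookie, rcookie = pending if pending else (None, None)
            events.append({"ts": ts, "peer": m.group("peer"), "port": int(m.group("port")),
                           "notify": m.group("notify"), "icookie": icookie, "rcookie": rcookie})
            pending = None
    return events


def summarize(events, burst_window=10, min_drops=3):
    """Count drops per (peer, notification), collect the cookie pairs seen per
    peer, and mark a peer as a suspected stale-SA case when it produced at
    least `min_drops` INVALID_COOKIE drops within `burst_window` seconds."""
    per_peer = Counter((e["peer"], e["notify"]) for e in events)
    cookies = defaultdict(set)
    stamps = defaultdict(list)
    for e in events:
        if e["notify"] != "INVALID_COOKIE":
            continue
        stamps[e["peer"]].append(e["ts"])
        if e["icookie"]:
            cookies[e["peer"]].add((e["icookie"], e["rcookie"]))
    suspected = {}
    for peer, ts_list in stamps.items():
        ts_list.sort()
        span = (ts_list[-1] - ts_list[0]).total_seconds()
        suspected[peer] = len(ts_list) >= min_drops and span <= burst_window
    return {"per_peer": dict(per_peer),
            "cookies": {p: sorted(c) for p, c in cookies.items()},
            "stale_sa_suspected": suspected}


if __name__ == "__main__":
    report = summarize(parse_isakmpd_log(SAMPLE_LOG.splitlines()))
    for (peer, notify), n in report["per_peer"].items():
        print(f"{peer}: {n} drops with {notify}; cookies {report['cookies'].get(peer)}")
    for peer, flag in report["stale_sa_suspected"].items():
        print(f"{peer}: stale ISAKMP SA suspected = {flag}")
```

Feeding the real file is a matter of `parse_isakmpd_log(open('/var/log/messages'))`; a peer that repeatedly hits the same cookie pair is the one to compare against the SA table on the other end before touching lifetimes.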

Shohrukh Shoyoqubov wrote:
# netstat -rn -f encap
Routing tables

Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
E.F.G.H/32    0     A.B.C.B/32    0     0      I.J.K.L/esp/use/in
A.B.C.B/32    0     E.F.G.H/32    0     0      I.J.K.L/esp/require/out
#


Brian A. Seklecki wrote:
On Thu, 22 Nov 2007, Shohrukh Shoyoqubov wrote:

Date: Thu, 22 Nov 2007 09:46:54 +0500
From: Shohrukh Shoyoqubov <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

From which machine do I have to do "ping -I A.B.C.D  E.F.G.H"?

pf has default config and allows everything

forwarding is enabled

What does "netstat -rn -f encap" look like?

~bas


Christoph Leser wrote:
you could try

ping -I A.B.C.D  E.F.G.H
