Dear MK,

There is a problem with the IPSec implementation on Vista and W2K8. Microsoft seems to have a patch. Please see these articles:
* http://support.microsoft.com/kb/957624/en-us
* http://support.microsoft.com/kb/946887/en-us
* http://technet.microsoft.com/en-us/library/bb878090.aspx

If you try to connect to your VPN using XP or W2K clients it works fine.

Kind regards,
Marcello Cruz

----- Original Message ----- From: "MK" <pub...@kubikcz.net>
To: <misc@openbsd.org>
Sent: Thursday, April 23, 2009 12:49 PM
Subject: IPsec Windows Vista client - OpenBSD, NAT-T problem


Hello,

I'm trying to learn how to set up an IPsec connection, therefore I started with quite simple settings. I'd like to allow clients from outside to connect to my OpenBSD server through an encrypted channel; however, I came across some difficulties I'm not able to solve.

The scheme of my environment is the following:

client (Windows Vista) ----- NAT (mikrotik) ------- internet ------- (public IP) OpenBSD

I decided to use PSK to simplify my settings.

My ipsec.conf file contains:

ike passive from any to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk my_key

From my understanding this should allow all clients to connect to my server via an encrypted channel. I started isakmpd and set up a client for Windows Vista; to begin with I used the TheGreenBow IPSec VPN Client.

After a few minutes I had a working environment, so I decided to use the native Windows Vista IPsec client, and here is my problem:

The Vista client is not able to communicate with my OpenBSD server for some reason I do not see. I checked the settings of the client and did not find any problem, then I just tried to shut down isakmpd and start it again with the -T flag, without NAT-T support.

Immediately after this change, the Vista client successfully connected to OpenBSD and communication was encrypted and working. If I start isakmpd again with NAT-T support, then Vista cannot negotiate IPsec with OpenBSD.

I think NAT-T is important for me, because if I understand it well, it should allow IPsec communication for more clients behind the same NAT simultaneously; however, for some reason, if I enable NAT-T support in OpenBSD, Vista cannot reach the server anymore. The TheGreenBow IPSec VPN Client works just fine even with NAT-T.

I'm out of ideas and I'd like to kindly ask you for any help.
I started isakmpd with the -L switch to provide some additional information for both clients (the working GreenBow client and the Vista client).

Best regards, MK

Vista - NAT-T not working:

0:25:01.013804 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->0000000000000000 msgid: 00000000 len: 232
       payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
               payload: TRANSFORM len: 40
                   transform: 1 ID: ISAKMP
                       attribute ENCRYPTION_ALGORITHM = AES_CBC
                       attribute KEY_LENGTH = 128
                       attribute HASH_ALGORITHM = SHA
                       attribute GROUP_DESCRIPTION = MODP_1024
                       attribute AUTHENTICATION_METHOD = PRE_SHARED
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 00000e10
       payload: VENDOR len: 24
       payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
       payload: VENDOR len: 20
       payload: VENDOR len: 20
       payload: VENDOR len: 20
       payload: VENDOR len: 20 [ttl 0] (id 1, len 260)
00:25:01.014657 217.197.149.135.500 > 84.42.224.147.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 188
       payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
               payload: TRANSFORM len: 40
                   transform: 1 ID: ISAKMP
                       attribute ENCRYPTION_ALGORITHM = AES_CBC
                       attribute KEY_LENGTH = 128
                       attribute HASH_ALGORITHM = SHA
                       attribute GROUP_DESCRIPTION = MODP_1024
                       attribute AUTHENTICATION_METHOD = PRE_SHARED
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 00000e10
       payload: VENDOR len: 20 (supports OpenBSD-4.0)
       payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
       payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
       payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
       payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 216)
00:25:01.078015 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 260
       payload: KEY_EXCH len: 132
       payload: NONCE len: 52
       payload: NAT-D len: 24
       payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
00:25:01.113648 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 260
       payload: KEY_EXCH len: 132
       payload: NONCE len: 52
       payload: NAT-D len: 24
       payload: NAT-D len: 24 [ttl 0] (id 1, len 292)
00:25:01.175077 84.42.224.147.4500 > 217.197.149.135.4500: [bad udp cksum 9a88!] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 76
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: HASH len: 24 [ttl 0] (id 1, len 108)
00:25:01.175460 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum 6873!] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 92
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135
       payload: HASH len: 24
       payload: NOTIFICATION len: 28
           notification: INITIAL CONTACT (c8434925c7d015f1->fbb7ca86fb1f0a6b) [ttl 0] (id 1, len 124)
00:25:01.263543 84.42.224.147.4500 > 217.197.149.135.500: [bad udp cksum 23a5!] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000001 len: 204
       payload: HASH len: 24
       payload: SA len: 68 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 56 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc939133d
               payload: TRANSFORM len: 44
                   transform: 1 ID: AES
                       attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
                       attribute KEY_LENGTH = 128
                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 00000e10
                       attribute LIFE_TYPE = KILOBYTES
                       attribute LIFE_DURATION = 000186a0
       payload: NONCE len: 52
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135 [ttl 0] (id 1, len 236)
00:25:01.264699 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000001 len: 196
       payload: HASH len: 24
       payload: SA len: 68 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 56 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xd6023c8a
               payload: TRANSFORM len: 44
                   transform: 1 ID: AES
                       attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
                       attribute KEY_LENGTH = 128
                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 00000e10
                       attribute LIFE_TYPE = KILOBYTES
                       attribute LIFE_DURATION = 000186a0
       payload: NONCE len: 52
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135 [ttl 0] (id 1, len 228)
00:25:08.430581 84.42.224.147.4500 > 217.197.149.135.500: [bad udp cksum 2c00!] udpencap: isakmp v1.0 exchange INFO
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 2f212253 len: 76
       payload: HASH len: 24
       payload: NOTIFICATION len: 16
           notification: INVALID PAYLOAD TYPE [ttl 0] (id 1, len 108)
00:25:16.283492 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange INFO
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: bc67da6b len: 68
       payload: HASH len: 24
       payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
           SPI: 0xd6023c8a [ttl 0] (id 1, len 100)
00:25:16.284082 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum c01!] udpencap: isakmp v1.0 exchange INFO
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 5a579ab7 len: 80
       payload: HASH len: 24
       payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b [ttl 0] (id 1, len 112)

and in the log I can find this message:

isakmpd[18719]: transport_send_messages: giving up on exchange <unnamed>, no response from peer 84.42.224.147:4500



GreenBow - NAT-T working:

23:58:16.702380 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->0000000000000000 msgid: 00000000 len: 184
       payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
               payload: TRANSFORM len: 36
                   transform: 0 ID: ISAKMP
                       attribute ENCRYPTION_ALGORITHM = AES_CBC
                       attribute HASH_ALGORITHM = SHA
                       attribute AUTHENTICATION_METHOD = PRE_SHARED
                       attribute GROUP_DESCRIPTION = MODP_1024
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 3600
                       attribute KEY_LENGTH = 128
       payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
       payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
       payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
       payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
       payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
23:58:16.703197 217.197.149.135.500 > 84.42.224.147.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 00000000 len: 184
       payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
               payload: TRANSFORM len: 36
                   transform: 0 ID: ISAKMP
                       attribute ENCRYPTION_ALGORITHM = AES_CBC
                       attribute HASH_ALGORITHM = SHA
                       attribute AUTHENTICATION_METHOD = PRE_SHARED
                       attribute GROUP_DESCRIPTION = MODP_1024
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 3600
                       attribute KEY_LENGTH = 128
       payload: VENDOR len: 20 (supports OpenBSD-4.0)
       payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
       payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
       payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
       payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
23:58:16.747280 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 00000000 len: 228
       payload: KEY_EXCH len: 132
       payload: NONCE len: 20
       payload: NAT-D len: 24
       payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
23:58:16.782576 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 00000000 len: 228
       payload: KEY_EXCH len: 132
       payload: NONCE len: 20
       payload: NAT-D len: 24
       payload: NAT-D len: 24 [ttl 0] (id 1, len 260)
23:58:16.870392 84.42.224.147.4500 > 217.197.149.135.4500: [bad udp cksum 8b47!] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 00000000 len: 92
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: HASH len: 24
       payload: NOTIFICATION len: 28
           notification: INITIAL CONTACT (7902ee2af82aa6b9->232e866dd0c048cb) [ttl 0] (id 1, len 124)
23:58:16.870824 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum 8b47!] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 00000000 len: 92
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135
       payload: HASH len: 24
       payload: NOTIFICATION len: 28
           notification: INITIAL CONTACT (7902ee2af82aa6b9->232e866dd0c048cb) [ttl 0] (id 1, len 124)
23:58:16.969405 84.42.224.147.4500 > 217.197.149.135.500: [bad udp cksum 9ffd!] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 16e666f8 len: 156
       payload: HASH len: 24
       payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5f6d69b8
               payload: TRANSFORM len: 28
                   transform: 1 ID: AES
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 3600
                       attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                       attribute KEY_LENGTH = 128
       payload: NONCE len: 20
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135 [ttl 0] (id 1, len 188)
23:58:16.970558 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 16e666f8 len: 148
       payload: HASH len: 24
       payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xa27bd23f
               payload: TRANSFORM len: 28
                   transform: 1 ID: AES
                       attribute LIFE_TYPE = SECONDS
                       attribute LIFE_DURATION = 3600
                       attribute ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL
                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                       attribute KEY_LENGTH = 128
       payload: NONCE len: 20
       payload: ID len: 12 type: IPV4_ADDR = 10.0.0.100
       payload: ID len: 12 type: IPV4_ADDR = 217.197.149.135 [ttl 0] (id 1, len 180)
23:58:17.066857 84.42.224.147.4500 > 217.197.149.135.4500: [bad udp cksum 100!] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 16e666f8 len: 60
       payload: HASH len: 24 [ttl 0] (id 1, len 92)
23:58:27.208035 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum 405!] udpencap: isakmp v1.0 exchange INFO
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: 99943d5c len: 68
       payload: HASH len: 24
       payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
           SPI: 0xa27bd23f [ttl 0] (id 1, len 100)
23:58:27.209427 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum c01!] udpencap: isakmp v1.0 exchange INFO
       cookie: 7902ee2af82aa6b9->232e866dd0c048cb msgid: e6455359 len: 80
       payload: HASH len: 24
       payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: 7902ee2af82aa6b9->232e866dd0c048cb [ttl 0] (id 1, len 112)
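The two captures above, read by a small script rather than by eye, as an added example that is not part of the original thread or of isakmpd: a Python analyser for the tcpdump isakmp decode that reports whether NAT-D payloads were exchanged, whether IKE floated to UDP 4500 (the udpencap marker), which notifications other than INITIAL CONTACT appeared, and whether quick mode completed. COMMON and VISTA_TAIL are excerpts of the Vista capture above (trimmed to the payload lines the analyser needs); WORKING_TAIL is a constructed packet modelled on the HASH-only third quick-mode message in the GreenBow capture; SERVER is the OpenBSD address from the capture.

```python
import re
from dataclasses import dataclass, field

# Added example, not part of the original post. COMMON and VISTA_TAIL are
# excerpts of the page's "Vista - NAT-T not working" capture; WORKING_TAIL is
# a constructed packet modelled on GreenBow's third quick-mode message.
HEADER = re.compile(
    r"(\d{1,2}:\d{2}:\d{2}\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)"
    r"\.(\d+): \[[^\]]*\] (udpencap: )?isakmp v1\.0 exchange (\S+)")
COOKIE = re.compile(r"cookie: [0-9a-f]+->[0-9a-f]+ msgid: ([0-9a-f]+)")
PAYLOAD = re.compile(r"payload: (\S+) len: \d+")
NOTIFY = re.compile(r"notification: ([A-Z][A-Z ]*[A-Z])")
SERVER = "217.197.149.135"  # the OpenBSD side in the page's capture

COMMON = """\
00:25:01.113648 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 260
       payload: NAT-D len: 24
       payload: NAT-D len: 24 [ttl 0] (id 1, len 292)
00:25:01.175460 217.197.149.135.4500 > 84.42.224.147.4500: [bad udp cksum 6873!] udpencap: isakmp v1.0 exchange ID_PROT
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000000 len: 92
       payload: HASH len: 24
       payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (c8434925c7d015f1->fbb7ca86fb1f0a6b) [ttl 0] (id 1, len 124) 00:25:01.263543 84.42.224.147.4500 > 217.197.149.135.500: [bad udp cksum 23a5!] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000001 len: 204
       payload: HASH len: 24
       payload: SA len: 68 DOI: 1(IPSEC) situation: IDENTITY_ONLY
00:25:01.264699 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000001 len: 196
       payload: HASH len: 24
       payload: SA len: 68 DOI: 1(IPSEC) situation: IDENTITY_ONLY
"""
VISTA_TAIL = """\
00:25:08.430581 84.42.224.147.4500 > 217.197.149.135.500: [bad udp cksum 2c00!] udpencap: isakmp v1.0 exchange INFO
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 2f212253 len: 76
       payload: NOTIFICATION len: 16
           notification: INVALID PAYLOAD TYPE [ttl 0] (id 1, len 108)
"""
WORKING_TAIL = """\
00:25:01.360000 84.42.224.147.4500 > 217.197.149.135.4500: [udp sum ok] udpencap: isakmp v1.0 exchange QUICK_MODE
       cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: 00000001 len: 60
       payload: HASH len: 24 [ttl 0] (id 1, len 92)
"""

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    udpencap: bool
    exchange: str
    msgid: str
    payloads: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

def parse_trace(text):
    """Split a tcpdump isakmp decode into Packet records. Headers are found with
    finditer over the whole text, so packets run together on one line still split."""
    heads = list(HEADER.finditer(text))
    packets = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        ck = COOKIE.search(body)
        packets.append(Packet(
            src=m.group(2), dst=m.group(4), dport=int(m.group(5)),
            udpencap=m.group(6) is not None, exchange=m.group(7),
            msgid=ck.group(1) if ck else "", payloads=PAYLOAD.findall(body),
            notifications=NOTIFY.findall(body)))
    return packets

def analyse(packets, server=SERVER):
    """Summarise NAT-T negotiation and whether phase 2 (quick mode) completed."""
    report = {
        # NAT-D payloads: both peers advertised NAT-T and probed for a NAT.
        "nat_d_exchanged": any("NAT-D" in p.payloads for p in packets),
        # After NAT detection IKE floats to UDP 4500 (tcpdump marks "udpencap").
        "floated_to_4500": any(p.udpencap and p.dport == 4500 for p in packets),
        # INITIAL CONTACT is informational; anything else deserves a look.
        "errors": sorted({n for p in packets for n in p.notifications
                          if n != "INITIAL CONTACT"}),
        "quick_mode": "not attempted",
    }
    if any(p.exchange == "QUICK_MODE" and p.dst == server for p in packets):
        report["quick_mode"] = "failed"
    for i, reply in enumerate(packets):
        if reply.src != server or reply.exchange != "QUICK_MODE":
            continue
        # The initiator's third message (HASH only, same msgid) completes phase 2.
        if any(p.exchange == "QUICK_MODE" and p.msgid == reply.msgid
               and p.dst == server and p.payloads == ["HASH"]
               for p in packets[i + 1:]):
            report["quick_mode"] = "established"
    return report

if __name__ == "__main__":
    print("Vista:  ", analyse(parse_trace(COMMON + VISTA_TAIL)))
    print("working:", analyse(parse_trace(COMMON + WORKING_TAIL)))
```

Run on the Vista excerpt it reports NAT-D exchanged and the float to 4500 as normal, quick_mode "failed", and INVALID PAYLOAD TYPE as the only non-informational notification, which matches the isakmpd "giving up on exchange" log line; with the constructed HASH-only third message appended instead, it reports "established", as the GreenBow capture does. Splitting on header matches over the whole text rather than per line is what lets it cope with captures that a mail client has wrapped or run together.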
