On Wed, Oct 28, 2009 at 06:40:41AM -0500, stan wrote:
> I have 2 OpenBSD machines providing a bridge between 2 physical locations
> for a specific subnet. Last night, I got the following error messages on
> them:
>
> Oct 28 07:23:13 pb48 isakmpd[11605]: message_recv: invalid cookie(s)
> +0e113721bf798717 6b4e0004066c308e
> Oct 28 07:23:13 pb48 isakmpd[11605]: dropped message from 10.209.120.15
> port 500
> +due to notification type INVALID_COOKIE
>
> and on the other:
>
> Oct 28 07:23:13 pblab isakmpd[2851]: message_recv: invalid cookie(s)
> +0e113721bf798717 6b4e0004066c308e
> Oct 28 07:23:13 pblab isakmpd[2851]: dropped message from 10.209.142.156
> port
> +500 due to notification type INVALID_COOKIE
>
> Would I be correct in assuming that these indicate packet corruption on the
> network connecting these 2 machines?
>
> BTW, we have been having a lot of trouble with UDP based protocols here, I
> have even switched NFS over to TCP to try to work around this. Is this
> error UDP? Or TCP?

Without NAT-traversal, which does use UDP, IPv4 IPsec uses a special IP
protocol (that is, a "sibling" of TCP, not a "child"). See `grep IPSEC
/etc/protocols`.

I'm not sure what caused that message, although corrupted packets might be
a possibility. You should look into that, really - networks shouldn't
randomly corrupt packets. (Are you aware that ping(8) takes -p and -s
options?)

Joachim
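
One way to line up the two hosts' isakmpd entries by cookie pair and timestamp, as an added example that is not part of either message above. The log lines are the ones quoted in the thread with the mail wraps undone; reading the two hex values as initiator cookie then responder cookie is an assumption.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread, with the mail client's "+" wraps undone.
SAMPLE_LOG = """\
Oct 28 07:23:13 pb48 isakmpd[11605]: message_recv: invalid cookie(s) 0e113721bf798717 6b4e0004066c308e
Oct 28 07:23:13 pb48 isakmpd[11605]: dropped message from 10.209.120.15 port 500 due to notification type INVALID_COOKIE
Oct 28 07:23:13 pblab isakmpd[2851]: message_recv: invalid cookie(s) 0e113721bf798717 6b4e0004066c308e
Oct 28 07:23:13 pblab isakmpd[2851]: dropped message from 10.209.142.156 port 500 due to notification type INVALID_COOKIE
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) isakmpd\[\d+\]: "
# Assumption: first value is the initiator cookie, second the responder cookie.
COOKIE_RE = re.compile(PREFIX + r"message_recv: invalid cookie\(s\) "
                       r"(?P<icookie>[0-9a-f]{16}) (?P<rcookie>[0-9a-f]{16})$")
DROP_RE = re.compile(PREFIX + r"dropped message from (?P<peer>\S+) "
                     r"port (?P<port>\d+) due to notification type INVALID_COOKIE$")


def parse_invalid_cookie_events(text):
    """Pair each 'invalid cookie(s)' line with the next 'dropped message'
    line from the same host; return one dict per rejected message."""
    pending = {}  # host -> fields of a cookie line still waiting for its drop line
    events = []
    for line in text.splitlines():
        m = COOKIE_RE.match(line)
        if m:
            pending[m["host"]] = m.groupdict()
            continue
        m = DROP_RE.match(line)
        if m and m["host"] in pending:
            ev = pending.pop(m["host"])
            ev.update(peer=m["peer"], port=int(m["port"]))
            events.append(ev)
    return events


def group_by_cookie_pair(events):
    """Map (icookie, rcookie) -> list of (logging host, sending peer, timestamp)."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["icookie"], ev["rcookie"])].append((ev["host"], ev["peer"], ev["ts"]))
    return dict(groups)


if __name__ == "__main__":
    for pair, hits in group_by_cookie_pair(parse_invalid_cookie_events(SAMPLE_LOG)).items():
        print(pair, "rejected by", hits)
```

On the quoted lines this yields a single cookie pair, logged by both pb48 and pblab in the same second, each naming a different sending peer.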