arcon
August 23rd, 2004, 01:40
I am trying to configure isakmpd to create a vpn between two openbsd boxes. I have been given considerable help, including reading the howto on this site, but I still can't quite grasp it! :)

I want to set up a concentrator that will receive passive connections from multiple systems with dynamic IPs using pre-shared keys. When I run isakmpd on the concentrator I get the following:
# isakmpd -d
050652.091394 Default exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT
050653.081385 Default exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT
050655.080188 Default exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT

This repeats over and over until I stop isakmpd. What confuses me about the message is that the exchange type on the transforms is aggressive (I think, I am using transforms from someone else's config at this point). This happens before and after running isakmpd on the client.

I have included the concentrator's config file (isakmpd.conf.s), the client's config file (isakmpd.conf.c), and output from isakmpd -d -DA=99 from the concentrator in isakmpd_log.err.

No matter what I do, /kern/ipsec says the following:
# cat /kern/ipsec
Hashmask: 31, policy entries: 0

I am hopelessly lost...

It seems the error log is too large, here is a link to download the files:
http://adam.bregenzer.net/isakmpd.tgz

Kernel_Killer
August 23rd, 2004, 03:24
First off, on your Phase 2 connections, on the .c file, change the IPsec-vpn-arconnect to IPsec-arconnect-vpn. Above that, change the Default= line to 10.10.100.201= ISAKMP-peer-vpn. Then change the ISAKMP-peer-default section, to this:


[ISAKMP-peer-vpn]
Phase= 1
ID= adam@home
Transport= udp
Address= 10.10.100.201
Configuration= Default-aggressive-mode
Authentication= passkey


Let's see how much that does. I'll check it a bit more tomorrow.

arcon
August 23rd, 2004, 09:38
Thanks for the pointers, I did almost everything you described :) The concentrator is NATed behind a separate firewall/gateway. I used its external IP (66.237.235.66) in the client config instead of the internal IP (10.100.100.201). Other than that I think I did it all and am still getting the same errors. I am guessing that I have a problem on the concentrator that I need to resolve before it will even see the client, or are the error messages I am getting just normal?

Kernel_Killer
August 23rd, 2004, 12:07
Did you run 'ipsecadm show' to see if the SAs did establish? Also, check 'netstat -rf encap' and see if any tunnels were added as well. It should be a normal message, but I had to point out some flaws. The only reason that it would be complaining is because it expects main mode, but you are using aggressive, which is ok. Main mode is more secure, but the overhead is much larger than with aggressive.

Just to be completely clear, is this a VPN over the internet, or a tunnel between local LANs? I assume it's over the internet, but want to make sure. I'll take a look at your concentrator conf here after a while.

elmore
August 23rd, 2004, 12:52
I propose you do this with your client.conf files:


# isakmpd.conf for vpn
#
#
# A configuration for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

# Incoming phase 1 negotiations are multiplexed on the source IP
# address.

[Phase 1]
Default= ISAKMP-peer-default

# These connections are walked over after config file parsing and
# told to the application layer so that it will inform us when
# traffic wants to pass over them. This means we can do on-demand
# keying.

[Phase 2]
Passive-connections= IPsec-vpn-arconnet

# ISAKMP Phase 1 peer sections
##############################
[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode

#arcon, Adam Bregenzer
[adam@home]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passkey

# IPSec Phase 2 sections
########################

[IPsec-vpn-arconnet]
Phase= 2
ISAKMP-peer= adam@home
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-adamnet

# Client ID sections
####################

[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.100.100.0
Netmask= 255.255.255.0

[Net-adamnet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0


[General]
Listen-on= 10.100.100.201
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/policy
#
# There is no more node-specific configuration below this point.
#



# isakmpd.conf for vpn client
#
#
# A configuration for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

# Incoming phase 1 negotiations are multiplexed on the source IP
# address.

[Phase 1]
66.237.235.66= ISAKMP-peer-vpn

[Phase 2]
Connections= IPsec-arconnet-VPN

# ISAKMP Phase 1 peer sections
##############################
[ISAKMP-peer-vpn]
Phase= 1
ID= adam@home
Transport= udp
Address= 66.237.235.66
Configuration= Default-aggressive-mode
Authentication= passkey

[adam@home]
ID-Type= USER_FQDN
Name= adam@home

# IPsec Phase 2 sections
####################

[IPsec-arconnet-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-arconnet
Remote-ID= Net-vpn

# Client ID sections
####################

[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.100.100.0
Netmask= 255.255.255.0

[Net-adamnet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0


[General]
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/policy
#
# There is no more node-specific configuration below this point.
#

Kernel_Killer
August 23rd, 2004, 15:40
There you go. Just one thing on Elmore's version of the client conf:


[Phase 2]
Connections= IPsec-arconnet-VPN


Might want to do:


[Phase 2]
Connections= IPsec-arconnet-vpn


That way you won't have a mis-match with the Phase 2 client section.

arcon
August 23rd, 2004, 16:21
Ok, status update. I added the above config files, I had to change the client config a bit from Net-adamnet to Net-arconnet. However, I am still getting the same issues.

Here's the output from those commands. The output is the same on both sides (except for the pid) regardless of whether isakmpd is running or not on either side or both:
# ipsecadm show
sadb_dump: satype unspec vers 2 len 2 seq 1 pid 1995
errno 2: No such file or directory

# netstat -rf encap
Routing tables

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

arcon
August 23rd, 2004, 16:27
Kernel Killer: done, still the same messages/output from commands. Actually, it looks like /var/log/messages has a bit more info:

Aug 23 20:17:19 mail last message repeated 18 times
Aug 23 20:18:46 mail isakmpd[26137]: exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT
Aug 23 20:19:10 mail isakmpd[11237]: exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT
Aug 23 20:19:42 mail last message repeated 6 times
Aug 23 20:20:14 mail last message repeated 6 times
Aug 23 20:20:20 mail isakmpd[11237]: transport_send_messages: giving up on message 0x3c066b00, exchange ISAKMP-peer-default
Aug 23 20:20:20 mail isakmpd[11237]: transport_send_messages: either this message did not reach the other peer
Aug 23 20:20:20 mail isakmpd[11237]: transport_send_messages: or this is an attempted IKE scan
Aug 23 20:20:22 mail isakmpd[11237]: exchange_setup_p1: expected exchange type AGGRESSIVE got ID_PROT
Aug 23 20:20:54 mail last message repeated 6 times

Kernel_Killer
August 23rd, 2004, 18:04
Do both of the confs have matching mode transforms?

Just to double-check the simple stuff, did you make sure there weren't any spaces at the end of any of the lines?

Run 'isakmpd -d' on both sides, concentrator first, and let us know about the output. Also, try letting the concentrator warm up a bit before handling its first connection. It shouldn't take that long for the first one, but at least wait a bit.

arcon
August 24th, 2004, 10:36
Thanks again for all your help guys. I think I'm a bit closer, since the AGGRESSIVE error message that was coming once a second has now stopped completely; however, I'm still not getting a connection.

They definitely have the same transforms, an egrep '[ ]$' isakmpd.conf returns no lines, and I am waiting until isakmpd's CPU usage on the concentrator goes to 0.0% before starting the client, usually a minute or two. Also, I checked and nmap shows port 500/udp is open on the concentrator's public IP. Anything else I should check? Here is the debug output:

concentrator:
# isakmpd -d
140103.341546 Default transport_send_messages: giving up on message 0x3c066b00, exchange ISAKMP-peer-default
140103.342024 Default transport_send_messages: either this message did not reach the other peer
140103.342434 Default transport_send_messages: or this is an attempted IKE scan

(these logs are after stopping the client, then stopping the concentrator, ^C is where I stopped the concentrator)
140603.330981 Default transport_send_messages: giving up on message 0x3c066b00, exchange ISAKMP-peer-default
140603.331584 Default transport_send_messages: either this message did not reach the other peer
140603.332000 Default transport_send_messages: or this is an attempted IKE scan
^C140610.327270 Default isakmpd: shutting down...
140610.327450 Default isakmpd: exit
client (no output):
# isakmpd -d


This was all I got after waiting approx. ten minutes. Also, the commands from before are still giving the same output:

# cat /kern/ipsec
Hashmask: 31, policy entries: 0
# ipsecadm show
sadb_dump: satype unspec vers 2 len 2 seq 1 pid 1141
errno 2: No such file or directory
# netstat -rf encap

Routing tables

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

# cat /kern/ipsec
Hashmask: 31, policy entries: 0
# ipsecadm show
sadb_dump: satype unspec vers 2 len 2 seq 1 pid 32436
errno 2: No such file or directory
# netstat -rf encap
Routing tables

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

Here's my isakmpd.policy file on both ends:
Comment: the most basic policy.
Authorizer: "POLICY"

Lastly, I have attached both the conf files as well as a diff between them for easy reading. ;) Anything else I can try?

elmore
August 24th, 2004, 10:41
hrmmm, that concentrator is on the internal net right? Does it have ip forwarding turned on in /etc/sysctl.conf?

arcon
August 24th, 2004, 11:06
yep

Kernel_Killer
August 24th, 2004, 16:06
You do have UDP port 500 and ESP allowing in and out? I'm sure you do. Just checking.