ISAKMPD errors n. 8 and n. 118

robdenz@libero.it
Hello!

   I set up a tunnel between two machines (connected through the
Internet) running OpenBSD 3.6 and everything was fine.

   Then I had to upgrade one of the two machines to 3.7 (disk
crash!). Rewrote the config file and restarted the tunnel. The
tunnel is fine and the traffic gets encrypted all right. But if I
run an "ipsecadm show", now I also see an "errno 8: Exec format
error" on the 3.7 machine, and again no error on the 3.6 machine.

   It was suggested that I try 3.7 -stable. So I set up two new
machines (both with 3.7 -stable) to test on my LAN:

10.0.0.6 -- [ BOX A ] -- 192.168.3.254 /24
       

192.168.99.254 /24 -- [ BOX B ] -- 192.168.3.17

   I have a client PC on the .99 network which can ping the
10.0.0.6 interface (and the traffic is encrypted in the
192.168.3.0/24 network), so apparently all is well.


   But now on BOX A I get an "errno 8: Exec format error", and on
BOX B I get an "errno 118: Unknown error: 118" (see below).

Any ideas on what is going on?

Also, does anybody know where I can find some documentation
concerning these error codes?

Many thanks in advance for your help.

   ---Rob


==========   BOX A   "ipsecadm show"  192.168.3.254 ===========
-bash-3.00# ipsecadm show
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.17
        address_dst: 192.168.3.254
        identity_src: type prefix id 0: 192.168.3.17/32
        identity_dst: type prefix id 0: 192.168.3.254/32
        key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
        key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616603 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.254
        address_dst: 192.168.3.17
        identity_src: type prefix id 0: 192.168.3.254/32
        identity_dst: type prefix id 0: 192.168.3.17/32
        key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
        key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893



==========   BOX B   "ipsecadm show"  192.168.3.17 ============
-bash-3.00# ipsecadm show
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 118: Unknown error: 118
        sa: spi 0xbbdef5c1 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.254
        address_dst: 192.168.3.17
        identity_src: type prefix id 0: 192.168.3.254/32
        identity_dst: type prefix id 0: 192.168.3.17/32
        key_auth: bits 160: 8ad139ce2bf0af8cd5188ea1551a4cf443e1bb7e
        key_encrypt: bits 128: 93511e6c7f7226600919a68cf1195893
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
        errno 118: Unknown error: 118
        sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1131616563 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 192.168.3.17
        address_dst: 192.168.3.254
        identity_src: type prefix id 0: 192.168.3.17/32
        identity_dst: type prefix id 0: 192.168.3.254/32
        key_auth: bits 160: d5ca6d9959ad17801cf762264d35bc0417063ff8
        key_encrypt: bits 128: bf288d4fc105b7091c0d1582df44c738



==========   BOX A   isakmpd.conf ============================
-bash-3.00# cat /etc/isakmpd/isakmpd.conf
#       $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
#       $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on=              192.168.3.254

[Phase 1]
192.168.3.17=           ISAKMP-peer-west

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Local-address=          192.168.3.254
Address=                192.168.3.17
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.248

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.99.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE




==========   BOX B   isakmpd.conf ============================
-bash-3.00# cat /etc/isakmpd/isakmpd.conf
#       $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
#       $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on=              192.168.3.17

[Phase 1]
192.168.3.254=          ISAKMP-peer-east

[Phase 2]
Connections=            IPsec-west-east

[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Local-address=          192.168.3.17
Address=                192.168.3.254
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.248

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.99.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE


Re: ISAKMPD errors n. 8 and n. 118

Hans-Joerg Hoexer
Hi,

the errno shown by ipsecadm can be ignored, nothing to worry about
(and this was fixed post 3.7-stable).  Besides this message the vpn
is working as expected?

HJ.



Re: ISAKMPD errors n. 8 and n. 118

Markus Friedl
On Thu, Nov 10, 2005 at 11:30:58AM +0100, [hidden email] wrote:
> -bash-3.00# ipsecadm show
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
>         errno 8: Exec format error
>         sa: spi 0x1c5551f1 auth hmac-sha1 enc aes

that's a bug in ipsecadm show.


Re: ISAKMPD errors n. 8 and n. 118

robdenz@libero.it
Hello!

   Thanks for your reply, first of all.


> Hi,
>
> the errno shown by ipsecadm can be ignored, nothing to worry about
> (and this was fixed post 3.7-stable).  Besides this message the vpn
> is working as expected?


   Yes, as I said the VPN appears to be working just fine.
So, *both* errors can be ignored, right (errno 8 and 118)?

Have you got any link to this kind of documentation, by the way?

Thanks again!

  --Rob


Re: ISAKMPD errors n. 8 and n. 118

Hans-Joerg Hoexer
man 3 errno

On Thu, Nov 10, 2005 at 01:53:27PM +0100, [hidden email] wrote:

> Hello!
>
>    Thanks for your reply, first of all.
>
>
> > Hi,
> >
> > the errno shown by ipsecadm can be ignored, nothing to worry about
> > (and this was fixed post 3.7-stable).  Besides this message the vpn
> > is working as expected?
>
>
>    Yes, as I said the VPN appears to be working just fine.
> So, *both* errors can be ignored, right (errno 8 and 118)?
>
> Have you got any link to this kind of documentation, by the way?
>
> Thanks again!
>
>   --Rob
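
The replies above say the errno line printed by "ipsecadm show" can be ignored. As an added example (not part of the thread and not OpenBSD code), the sketch below parses that output from both peers and checks that each SPI carries the same algorithms, addresses and keys on both sides, while only collecting the errno text. The sample entries are constructed with placeholder values, and the names parse_dump, compare and entry are invented here.

```python
import re

SA = re.compile(r"\s*sa: spi (0x[0-9a-f]+) auth (\S+) enc (\S+)")
FIELD = re.compile(r"\s*(errno|address_src|address_dst|key_auth|key_encrypt):?\s+(.*)")
COMPARED = ("auth", "enc", "address_src", "address_dst", "key_auth", "key_encrypt")

def parse_dump(text):
    """Map SPI -> fields for each sadb_dump entry in 'ipsecadm show' output."""
    sas, cur = {}, None
    for line in text.splitlines():
        if line.startswith("sadb_dump:"):
            cur = {}                      # new entry; errno precedes the sa: line
        elif cur is not None and (m := SA.match(line)):
            cur.update(auth=m[2], enc=m[3])
            sas[m[1]] = cur
        elif cur is not None and (m := FIELD.match(line)):
            cur[m[1]] = m[2]
    return sas

def compare(a, b):
    """Return (problems, errnos). errno text is collected but never compared,
    since the replies in the thread call it a display bug in ipsecadm show."""
    problems = [f"{spi}: present on one peer only" for spi in sorted(a.keys() ^ b.keys())]
    for spi in sorted(a.keys() & b.keys()):
        # Name the differing field only; never echo key material into reports.
        problems += [f"{spi}: {k} differs" for k in COMPARED
                     if a[spi].get(k) != b[spi].get(k)]
    errnos = sorted({sa.get("errno", "") for sa in (*a.values(), *b.values())})
    return problems, errnos

def entry(errno, spi, src, dst, ka, ke):
    """Constructed sample entry in the layout shown in the thread (placeholder values)."""
    return (f"sadb_dump: satype esp vers 2 len 38 seq 0 pid 0\n"
            f"        errno {errno}\n"
            f"        sa: spi {spi} auth hmac-sha1 enc aes\n"
            f"                state larval replay 0 flags 4\n"
            f"        address_src: {src}\n        address_dst: {dst}\n"
            f"        key_auth: bits 160: {ka}\n        key_encrypt: bits 128: {ke}\n")

E8, E118 = "8: Exec format error", "118: Unknown error: 118"
SA_IN = ("0x00000a01", "192.0.2.17", "192.0.2.254", "11" * 20, "22" * 16)
SA_OUT = ("0x00000b02", "192.0.2.254", "192.0.2.17", "33" * 20, "44" * 16)
BOX_A = entry(E8, *SA_IN) + entry(E8, *SA_OUT)       # constructed, peer A
BOX_B = entry(E118, *SA_OUT) + entry(E118, *SA_IN)   # constructed, peer B

if __name__ == "__main__":
    print(compare(parse_dump(BOX_A), parse_dump(BOX_B)))
```

An empty problems list with differing errno strings matches the situation described in the thread; the output being compared contains live key material, so it should be handled as a secret.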