Problem with ISAKMPD


Problem with ISAKMPD

James Mackinnon
Hey everyone

I am hoping I am posting this to the correct list.

I am running an AMD 2200+ w/ 512 MB of RAM and all Intel Pro cards in my main
location.

I have 14 other locations connecting back to this one location, and each location
creates 3 tunnels to this system, as I have
3 internal network segments I want available via VPN.

Platforms are:

Main system: OpenBSD 3.7 Stable
Remote locations: OpenBSD 3.5 and some OpenBSD 3.7

At first, all locations come up fine, but then, in approx. 1 hour, 3 units stop
communicating with the main firewall.

They all have the same config (minor changes based on location and assigned
IPs, of course).

I was planning to finally get rid of my main Checkpoint box and complete my
migration to BSD, but I had to revert due to the lack of time I had left to go
back in case of an issue.


My main location is on fiber.
All branches are on DSL (pretty much the same provider).

My main location has approx. 50 VPN connection entries in it.
My branches connect to 3 VPNs.

Example branch isakmpd.conf file:

[Phase 1]
12.12.12.12= peer-loc1
13.13.13.13= peer-loc2
14.14.14.14= peer-loc3


[Phase 2]
Connections=    LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1

[peer-loc1]
Phase=  1
Transport=      udp
Address=        12.12.12.12
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc2]
Phase=  1
Transport=      udp
Address=        13.13.13.13
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc3]
Phase=  1
Transport=      udp
Address=        14.14.14.14
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[LOC1-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg1-Network

[LOC1-SEG2]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg2-Network

[LOC1-SEG3]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg3-Network

[LOC2-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc2
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc2-seg1-Network

[LOC3-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc3
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc3-seg1-Network

[loc1-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.22.0
Netmask=        255.255.255.0

[loc1-seg2-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.23.0
Netmask=        255.255.255.0

[loc1-seg3-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.24.0
Netmask=        255.255.255.0

[loc2-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.21.0
Netmask=        255.255.255.0

[loc3-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.20.0
Netmask=        255.255.255.0


[Loc-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.25.0
Netmask=        255.255.255.0

[Default-main-mode]
DOI=    IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA

[Default-quick-mode]
DOI=    IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


My isakmpd.policy file:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";




I have run isakmpd -L, which I am still reviewing, but most errors are below:

Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the response message did not reach us back

Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE



I am lost at this point because the layout is the same for all firewalls,
including the PF config, as I built a generic config and deployed it to them all.

Oh, also, my remote firewalls are running approx. 200 states and my main one is
running approx. 6000-8000 states, and this is during low business times; the high
business count is hard to determine at this point, but I am guessing approx.
20000-40000.

Anyhow, any suggestions here would be great. As it stands right now, I am back
on Checkpoint and I am not a fan of it. I like isakmpd and pf a lot and want
it everywhere.


Thanks in advance

James
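
A first-pass triage of the log lines in the post above, as an added example (this is not James's code and nothing in the thread performs this step). The sample input is his own log lines, rejoined where the mail client wrapped them; the three reason labels and the restart heuristic are this example's reading of isakmpd's messages, not something the thread states. Only standard sh and awk are assumed.

```shell
#!/bin/sh
# Added example: triage of the isakmpd log lines posted above. Not James's code.
# Assumes only POSIX sh and awk.

# Count dropped/abandoned exchanges by reason and by peer (exchange name).
#   RETRANSMIT_TIMEOUT : our message or the reply was lost on the wire (UDP 500)
#   PAYLOAD_MALFORMED  : the peer sent a payload this daemon could not parse
#   INVALID_COOKIE     : the peer used ISAKMP SA cookies this daemon does not know
isakmpd_log_summary() {
    awk '
    /transport_send_messages: giving up/ {
        p = $0; sub(/.*exchange /, "", p); sub(/[ ,].*/, "", p)
        n["RETRANSMIT_TIMEOUT " p]++; next
    }
    /dropped message from .* due to notification type/ {
        p = $0; sub(/.*dropped message from /, "", p); sub(/ port .*/, "", p)
        t = $0; sub(/.*notification type /, "", t); sub(/[^A-Z_].*/, "", t)
        n[t " " p]++; next
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Detect daemon restarts from the syslog PID. One common cause of INVALID_COOKIE
# right after a PID change is that the peer is still sending on an ISAKMP SA
# which the restarted daemon no longer holds (interpretation, not from the thread).
isakmpd_restarts() {
    awk '
    match($0, /isakmpd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 8, RLENGTH - 9)
        if (last != "" && pid != last) {
            printf "restart %s -> %s at %s %s %s\n", last, pid, $1, $2, $3; r++
        }
        last = pid
    }
    END { print "restarts", r + 0 }'
}

# The lines from the post, one syslog record per line.
SAMPLE_LOG='Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE'

printf '%s\n' "$SAMPLE_LOG" | isakmpd_log_summary    # reason peer count, sorted
printf '%s\n' "$SAMPLE_LOG" | isakmpd_restarts       # ends with "restarts 2"
```

On a live box the same two functions take `/var/log/messages` (or the output of `isakmpd -d -DA=…`) on stdin. The point of splitting by reason is that the three symptoms have different causes: retransmit timeouts point at packet loss on UDP 500, malformed payloads at the peer or something in the path, and invalid cookies at one side holding ISAKMP SA state the other has lost, which the PID column in the sample makes visible.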


Re: Problem with ISAKMPD

Brian A. Seklecki
Are you expiring lifetime on bandwidth or time?  Probably the defaults
of whatever transforms suite you're using.

Try manually defining it?  If you expire on time, say...10 minutes, you
can tcpdump for udp 500 on either side at the expected time and watch
the renegotiation.

Maybe UDP packets are getting lost at renegotiation time.  I had that
problem once with pf where I was exhausting the max default states at
10,000 and new states were being refused with ICMP.

~BAS

On Sun, 2005-11-13 at 20:45, James Mackinnon wrote:

> Hey everyone
>
> I am hoping I am posting this to the correct list
>
> I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main
> location.
>
> I have 14 other locations connecting back to this 1 location and each location
> creates 3 tunnels to this system as I have
> 3 internal network segments I want available via VPN
>
> Platforms are:
>
> Main system: OpenBSD 3.7 Stable
> Remote locations: OpenBSD 3.5 and some OpenBSD 3.7
>
> at first, all locations come up fine, but then in approx 1 hour, 3 units stop
> communicating to the main firewall.
>
> They all have the same config (minor changes based on location and assigned
> ips of course).
>
> I was planning to finally get rid of my main checkpoint box and complete my
> migration to BSD but I had to revert back do to lack of time i had left to go
> back in case of an issue.
>
>
> My Main location is on Fiber
> All branches on DSL (pretty much same provider)
>
> My main location has approx 50VPN Connection entries in it.
> My Branches connect to 3 VPN's.
>
> Example branch isakmpd.conf file
>
> [Phase 1]
> 12.12.12.12= peer-loc1
> 13.13.13.13= peer-loc2
> 14.14.14.14= peer-loc3
>
>
> [Phase 2]
> Connections=    LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1
>
> [peer-loc1]
> Phase=  1
> Transport=      udp
> Address=        12.12.12.12
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc2]
> Phase=  1
> Transport=      udp
> Address=        13.13.13.13
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc3]
> Phase=  1
> Transport=      udp
> Address=        14.14.14.14
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
>
> [LOC1-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg1-Network
>
> [LOC1-SEG2]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg2-Network
>
> [LOC1-SEG3]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg3-Network
>
> [LOC2-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc2
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc2-seg1-Network
>
> [LOC3-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc3
> configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc3-seg1-Network
>
> [loc1-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.22.0
> Netmask=        255.255.255.0
>
> [loc1-seg2-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.23.0
> Netmask=        255.255.255.0
>
> [loc1-seg3-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.24.0
> Netmask=        255.255.255.0
>
> [loc2-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.21.0
> Netmask=        255.255.255.0
>
> [loc3-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.20.0
> Netmask=        255.255.255.0
>
>
> [Loc-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.25.0
> Netmask=        255.255.255.0
>
> [Default-main-mode]
> DOI=    IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Transforms=     3DES-SHA
>
> [Default-quick-mode]
> DOI=    IPSEC
> EXCHANGE_TYPE=  QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
>
> My isakmpd.policy file
>
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>                 esp_present == "yes" &&
>                 esp_enc_alg != "null" -> "true";
>
>
>
>
> I have run isakmpd -L , which I am still reviewing but most errors are below
>
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on
> message 0x3c066800, exchange fw01
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this
> message did not reach the other peer
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the
> responsemessage did not reach us back
>
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
> notification type PAYLOAD_MALFORMED
> Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field
> non-zero: ca
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
> notification type PAYLOAD_MALFORMED
> Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s)
> 8710be0bf45687ff 482bbdaf5287d3db
> Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to
> notification type INVALID_COOKIE
> Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s)
> 91bd63a6716685f7 439a07ad7e83a2e6
> Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to
> notification type INVALID_COOKIE
>
>
>
> I am lost at this point because the layout is the same, for all firewalls
> including the PF config as I built a generic config and deploy to them all
>
> oh, also, My remote firewalls are running approx 200 states and my main one is
> running approx 6000-8000 states, and this is durning low business times, high
> business count is hard to determine at this point but I am guessing approx
> 20000-40000
>
> Anyhow, any suggestions here would be great as it stands right now, I am back
> on checkpoint and I am not a fan of it.. I like isakmpd and pf alot and want
> it everywhere
>
>
> Thanks in advance
>
> James
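
Brian's suggestion made concrete, as an added example (not his code and not from the thread): set the SA lifetimes explicitly so the renegotiation time is known, compute the window in which to run tcpdump, and measure how close pf is to its state limit. It assumes the `seconds,min:max` lifetime syntax and the defaults (3600 s for phase 1, 1200 s for phase 2) documented in isakmpd.conf(5), and the line layout of `pfctl -s info` and `pfctl -s memory` on OpenBSD of that period; the pfctl text in the block is constructed, not captured from either firewall.

```shell
#!/bin/sh
# Added example for Brian's reply; not his or James's code.
# Assumes isakmpd.conf(5) "seconds,min:max" lifetimes and the output layout
# of `pfctl -s info` / `pfctl -s memory` on OpenBSD of that era.

# 1. Make renegotiation predictable with explicit, short lifetimes
#    (isakmpd's defaults are 3600 s for phase 1 and 1200 s for phase 2).
#    Prints a fragment for the [General] section of isakmpd.conf.
lifetime_conf() {
    cat <<'EOF'
[General]
# preferred,min:max  (the responder must accept a value inside min:max)
Default-phase-1-lifetime=       600,540:660
Default-phase-2-lifetime=       300,270:330
EOF
}

# 2. Given the epoch at which an SA came up and its lifetime, print the
#    epoch window in which to watch the rekey, e.g. with
#    tcpdump -n -i $ext_if udp port 500   (run on either side)
rekey_window() {
    established=$1; life=$2; slack=${3:-30}
    echo "$((established + life - slack)) $((established + life + slack))"
}

# 3. pf state-table headroom. Feed `pfctl -s info; pfctl -s memory` on stdin;
#    prints "current limit percent". Near 100 %, pf refuses new states, and a
#    renegotiation that needs a fresh UDP 500 state is one of the casualties.
pf_state_headroom() {
    awk '
        /^ *current entries/   { cur = $3 }
        /^states +hard limit/  { lim = $4 }
        END {
            if (lim == 0) { print "unknown"; exit 1 }
            printf "%d %d %d\n", cur, lim, int(100 * cur / lim)
        }'
}

# Constructed sample of the two pfctl outputs (not from James's firewall).
SAMPLE_PFCTL='State Table                          Total             Rate
  current entries                     8123
  searches                        40012345            123.4/s
states        hard limit    10000
src-nodes     hard limit    10000'

lifetime_conf
rekey_window 1131886800 600                          # -> 1131887370 1131887430
printf '%s\n' "$SAMPLE_PFCTL" | pf_state_headroom    # -> 8123 10000 81
```

The headroom number is the one to compare with the figures in the original post: 6000-8000 states against pf's default `set limit states 10000` is already close, and the guessed 20000-40000 at peak would exceed it unless the limit is raised in pf.conf.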