ipsec: failure after upgrade


ipsec: failure after upgrade

Toni Mueller-10
Hi,

I have

  lan1 -- gw1 --- internet --- gw2 -- lan2


The setup has been working for years. Now I upgraded one side to 4.9,
while the other - so far - is still at 4.6 (I know... :( ).

After that, no connection gets established anymore:


1.2.3.4: OpenBSD 4.6
4.3.2.1: OpenBSD 4.9


13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 767f6d9ce0fa3890->0000000000000000 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 42430, len 212)
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 767f6d9ce0fa3890->7779887f9d620aeb msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 42377, len 212)
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 43438, len 1320)
13:16:01.501279 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 54363, len 1320)
13:16:12.516937 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 19766, len 1320)
13:16:25.537550 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 36623, len 1320)



As you can see, there is no SHA2 problem present (see 47.html).

Switching the phase2 hash to ripemd didn't help.


Any ideas about what to do?


The reason for not yet upgrading everything is that road warriors (NCP)
are stopped dead in much the same way as shown above when running
against 4.9 (but not if they work against lower versions of OpenBSD,
including 4.8). If I could verify that they'll work, I'd upgrade sooner
rather than later.



Kind regards,
--Toni++
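The trace in the post shows the responder answering the SA and KE/NONCE rounds and then going silent on the first encrypted main-mode message, which is the one that carries the identities and the RSA signatures. As an added example (not part of the post, and not isakmpd or tcpdump code), the following Python script parses such a tcpdump isakmp trace, groups datagrams by initiator cookie and reports the stage at which the peer stopped answering. The stage names, the stall heuristic (an initiator message repeated with no reply in between) and the diagnosis strings are assumptions of this example; the embedded trace is an abridged copy of the one in the post.

```python
"""Locate the stage at which an IKEv1 main-mode (ID_PROT) negotiation stalls in a
tcpdump isakmp trace.  Added example; not code from the post, isakmpd or tcpdump."""
import re

# Abridged copy of the trace in the post (sub-payloads, vendor IDs, NAT-D mostly dropped).
TRACE = """\
13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 767f6d9ce0fa3890->0000000000000000 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 767f6d9ce0fa3890->7779887f9d620aeb msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 43438, len 1320)
"""

PKT_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: '
                    r'.*exchange (?P<exch>\S+)(?P<enc> encrypted)?')
COOKIE_RE = re.compile(r'cookie: (?P<ic>[0-9a-f]{16})->[0-9a-f]{16}')
PAYLOAD_RE = re.compile(r'^(?P<indent>\s+)payload: (?P<name>[A-Z_-]+)')

def parse_trace(text):
    """One dict per datagram: sender, initiator cookie, encrypted flag and the
    names of its top-level payloads (nested SA sub-payloads are ignored)."""
    packets = []
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            packets.append({'ts': m['ts'], 'src': m['src'], 'dst': m['dst'],
                            'encrypted': m['enc'] is not None,
                            'icookie': None, 'payloads': [], 'indent': None})
        elif packets and (c := COOKIE_RE.search(line)):
            packets[-1]['icookie'] = c['ic']
        elif packets and (p := PAYLOAD_RE.match(line)):
            pkt = packets[-1]
            pkt['indent'] = pkt['indent'] or len(p['indent'])  # first payload = top level
            if len(p['indent']) == pkt['indent']:
                pkt['payloads'].append(p['name'])
    return packets

def stage_of(pkt):
    """Main mode: messages 1/2 carry SA, 3/4 KE+NONCE (in the clear);
    5/6 are encrypted and carry the identities and the RSA signatures."""
    if pkt['encrypted']:
        return 'ID+AUTH'
    if 'SA' in pkt['payloads']:
        return 'SA'
    return 'KE+NONCE' if 'KEY_EXCH' in pkt['payloads'] else 'other'

def analyse(packets):
    """Per initiator cookie: last stage the responder answered, and how many copies
    of the current initiator message went unanswered.  A message sent more than
    once with no reply in between is a retransmission, i.e. a stall (assumption)."""
    by_cookie = {}
    for pkt in packets:
        by_cookie.setdefault(pkt['icookie'], []).append(pkt)
    report = {}
    for icookie, pkts in by_cookie.items():
        initiator, answered, pending, pending_stage = pkts[0]['src'], None, 0, None
        for pkt in pkts:
            if pkt['src'] == initiator:
                pending, pending_stage = pending + 1, stage_of(pkt)
            else:
                answered, pending, pending_stage = stage_of(pkt), 0, None
        report[icookie] = {'initiator': initiator, 'last_answered': answered,
                           'pending_stage': pending_stage,
                           'retransmits': max(pending - 1, 0), 'stalled': pending > 1}
    return report

def diagnose(entry):
    """Map the stall point to what the responder must have dropped or rejected."""
    if not entry['stalled']:
        return 'no stall observed'
    if entry['pending_stage'] == 'SA':
        return 'no reply to the SA proposal: check reachability, filters and phase 1 transforms'
    return ('responder answered KE/NONCE but never replied to the encrypted ID+AUTH '
            'message: it could not decrypt it or rejected the ID, certificate or '
            "signature; compare both sides' IDs and read the responder's isakmpd log")

if __name__ == '__main__':
    for cookie, entry in analyse(parse_trace(TRACE)).items():
        print(cookie, entry['last_answered'], '->', entry['pending_stage'],
              f"({entry['retransmits']} retransmits):", diagnose(entry))
```

Run against the embedded trace, the script reports the 767f... exchange as answered at the SA stage with no stall, and the 8d07... exchange as answered through KE+NONCE and then stalled at ID+AUTH, which is exactly where an identity or certificate mismatch (such as the typo found later in the thread) makes a responder drop the message without a reply. Feed it the full output of `tcpdump -n -v -i <if> udp port 500` to check a live negotiation.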


Re: ipsec: failure after upgrade [SOLVED]

Toni Mueller-10
Hi,

I solved the site-site part of it. It turned out to be a typo somewhere.

  :(

But the mobile issue is still open.



Kind regards,
--Toni++