isakmpd outputs: help interpreting

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

isakmpd outputs: help interpreting

Jacob Yocom-Piatt
heya,

i've established IPsec connections originating from several windows xp machines
with public IPs to my openbsd firewall that is running isakmpd. they are working
just fine. however, i have a windows machine here at home behind NAT that is
giving me grief when i try to establish an IPsec connection with my remote
openbsd machine. this windows machine has some generic problem negotiating
IPsec, whether with a public IP or behind my NAT (i get the same debugging
outputs in either case). i would like to use the debugging outputs from isakmpd
to give me some additional insight into what is going on with this silly windows
machine.

i am using the following CLs to establish the VPN on the winxp pro machine:

ipseccmd.exe -u
ipseccmd.exe -f 0=10.9.0.0/255.255.255.0 -n ESP[3DES,SHA] -t 10.9.1.1 -a
PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f 10.9.0.0/255.255.255.0=0 -n ESP[3DES,SHA] -t 10.9.1.2 -a
PRESHARE:"somepass" -1s 3DES-SHA-2

i have also been careful to make certain that i have all the appropriate
registry settings and the latest "support tools" pack for the winxp pro machine
in question.

i don't see any output on the openbsd side (running a 3.8 snapshot) where i'm
running "sudo isakmpd -dDA=10 -L" until i attempt to ping the 10.9.0.255 subnet.
at this point i get the following output from isakmpd:

222203.684097 Misc 10 monitor_init: privileges dropped for child process
222205.861143 Default log_packet_init: starting IKE packet capture to file
"/var/run/isakmpd.pcap"
222213.267805 Timr 10 timer_add_event: event exchange_free_aux(0x7c594800) added
last, expiration in 120s
222213.269902 Exch 10 exchange_setup_p1: 0x7c594800 roadwarriorz win-main-mode
policy responder phase 1 doi 1 exchange 2 step 0
222213.271353 Exch 10 exchange_setup_p1: icookie 5f3f8ed8ec596edd rcookie
305b544a1a74cddd
222213.272756 Exch 10 exchange_setup_p1: msgid 00000000
222213.274715 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
222213.277477 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.279089 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.283659 Timr 10 timer_add_event: event message_send_expire(0x8b833480)
added before exchange_free_aux(0x7c594800), expiration in 7s
222220.290123 Timr 10 timer_handle_expirations: event
message_send_expire(0x8b833480)

it looks like phase 1 starts and just doesn't do anything (i don't see any of
the higher steps in phase 1). i get the following output from "sudo tcpdump -nr
/var/run/isakmpd.pcap":

22:22:13.266767 10.9.1.2.500 > 10.9.1.1.500:  isakmp v1.0 exchange ID_PROT
        cookie: 5f3f8ed8ec596edd->0000000000000000 msgid: 00000000 len: 148 [ttl 0]
22:22:13.280642 10.9.1.1.500 > 10.9.1.2.500:  isakmp v1.0 exchange ID_PROT
        cookie: 5f3f8ed8ec596edd->305b544a1a74cddd msgid: 00000000 len: 164 [ttl 0]

i know that the isakmpd.conf i'm using on the gateway works just fine since i
can easily connect to it with another openbsd machine, just not this windows
one. here is the isakmpd.conf i'm using (it's setup to just accept roadwarriors):

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              10.9.1.1

[Phase 1]
Default=                roadwarriorz

[Phase 2]
Passive-Connections=    testedwarriorz

[roadwarriorz]
Phase=                  1
Transport=              udp
Configuration=          win-main-mode
Authentication=         somepass

[testedwarriorz]
Phase=                  2
Configuration=          win-quick-mode
Local-ID=               fwnet1
Remote-ID=              dummy-remote

[default-route]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[fwnet1]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.9.0.0
Netmask=                255.255.255.0

[dummy-remote]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[win-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

[win-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

my isakmpd.policy accepts everything.

any light that could be shed on what is going on here would be much appreciated
:). thx for reading.

regards,
jake