isakmpd outputs: help interpreting

Jacob Yocom-Piatt

i've established IPsec connections originating from several windows xp machines
with public IPs to my openbsd firewall that is running isakmpd. they are working
just fine. however, i have a windows machine here at home behind NAT that is
giving me grief when i try to establish an IPsec connection with my remote
openbsd machine. this windows machine has some generic problem negotiating
IPsec, whether with a public IP or behind my NAT (i get the same debugging
outputs in either case). i would like to use the debugging outputs from isakmpd
to give me some additional insight into what is going on with this silly windows

i am using the following CLs to establish the VPN on the winxp pro machine:

ipseccmd.exe -u
ipseccmd.exe -f 0= -n ESP[3DES,SHA] -t -a PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f -n ESP[3DES,SHA] -t -a PRESHARE:"somepass" -1s 3DES-SHA-2

i have also been careful to make certain that i have all the appropriate
registry settings and the latest "support tools" pack for the winxp pro machine
in question.

i don't see any output on the openbsd side (running a 3.8 snapshot) where i'm
running "sudo isakmpd -dDA=10 -L" until i attempt to ping the subnet.
at this point i get the following output from isakmpd:

222203.684097 Misc 10 monitor_init: privileges dropped for child process
222205.861143 Default log_packet_init: starting IKE packet capture to file
222213.267805 Timr 10 timer_add_event: event exchange_free_aux(0x7c594800) added last, expiration in 120s
222213.269902 Exch 10 exchange_setup_p1: 0x7c594800 roadwarriorz win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
222213.271353 Exch 10 exchange_setup_p1: icookie 5f3f8ed8ec596edd rcookie
222213.272756 Exch 10 exchange_setup_p1: msgid 00000000
222213.274715 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
222213.277477 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.279089 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
222213.283659 Timr 10 timer_add_event: event message_send_expire(0x8b833480) added before exchange_free_aux(0x7c594800), expiration in 7s
222220.290123 Timr 10 timer_handle_expirations: event

it looks like phase 1 starts and just doesn't do anything (i don't see any of
the higher steps in phase 1). i get the following output from "sudo tcpdump -nr

22:22:13.266767 >  isakmp v1.0 exchange ID_PROT
        cookie: 5f3f8ed8ec596edd->0000000000000000 msgid: 00000000 len: 148 [ttl 0]
22:22:13.280642 >  isakmp v1.0 exchange ID_PROT
        cookie: 5f3f8ed8ec596edd->305b544a1a74cddd msgid: 00000000 len: 164 [ttl 0]

i know that the isakmpd.conf i'm using on the gateway works just fine since i
can easily connect to it with another openbsd machine, just not this windows
one. here is the isakmpd.conf i'm using (it's set up to just accept roadwarriors):

Retransmits=            5
Exchange-max-time=      120

[Phase 1]
Default=                roadwarriorz

[Phase 2]
Passive-Connections=    testedwarriorz

Phase=                  1
Transport=              udp
Configuration=          win-main-mode
Authentication=         somepass

Phase=                  2
Configuration=          win-quick-mode
Local-ID=               fwnet1
Remote-ID=              dummy-remote

ID-type=                IPV4_ADDR_SUBNET

ID-type=                IPV4_ADDR_SUBNET

ID-type=                IPV4_ADDR

DOI=                    IPSEC
Transforms=             3DES-SHA-GRP2

DOI=                    IPSEC
Suites=                 QM-ESP-3DES-SHA-SUITE

my isakmpd.policy accepts everything.

any light that could be shed on what is going on here would be much appreciated
:). thx for reading.