DaemonForums  

#1
Old 20th December 2015
mikygee
Port Guard
Join Date: Oct 2011
Posts: 15
IPSec set up with isakmpd

Hello,

I'm trying to debug an IPSec connection which won't work.
One end is OpenBSD (mine), the other end is some kind of Linux-based box.

My OpenBSD complains of a payload malformed, the other end sends me a no proposal chosen.

I really did check numerous times the phase 1 parameters, including the shared key.

Code:
11:33:53.877661 BOX.500 > OPENBSD.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
	cookie: 17d16e16a42a1fd1->0000000000000000 msgid: 00000000 len: 256
	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 44 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
		payload: TRANSFORM len: 36
		    transform: 0 ID: ISAKMP
			attribute LIFE_TYPE = SECONDS
			attribute LIFE_DURATION = 28800
			attribute ENCRYPTION_ALGORITHM = AES_CBC
			attribute HASH_ALGORITHM = SHA
			attribute KEY_LENGTH = 128
			attribute AUTHENTICATION_METHOD = PRE_SHARED
			attribute GROUP_DESCRIPTION = MODP_1536
	payload: VENDOR len: 20
	payload: VENDOR len: 20 (supports Cisco Unity)
	payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
	payload: VENDOR len: 20 (supports DPD v1.0)
	payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
	payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
	payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
	payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
	payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00) [ttl 0] (id 1, len 284)
11:33:53.877880 OPENBSD.500 > BOX.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
	cookie: 17d16e16a42a1fd1->13ff2699b791640b msgid: 00000000 len: 184
	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 44 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
		payload: TRANSFORM len: 36
		    transform: 0 ID: ISAKMP
			attribute LIFE_TYPE = SECONDS
			attribute LIFE_DURATION = 28800
			attribute ENCRYPTION_ALGORITHM = AES_CBC
			attribute HASH_ALGORITHM = SHA
			attribute KEY_LENGTH = 128
			attribute AUTHENTICATION_METHOD = PRE_SHARED
			attribute GROUP_DESCRIPTION = MODP_1536
	payload: VENDOR len: 20
	payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
	payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
	payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
	payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
Any idea?
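As an added example, not code from the thread: a small Python script that parses the tcpdump(8) ISAKMP output posted above, checks the phase 1 transform in OpenBSD's reply against each transform the peer offered, and lists the vendor IDs both sides advertise. The sample text is a re-typed subset of the two packets (constructed input); the parser also accepts the forum's flattened layout where an attribute's value lands on the following line.

```python
import re

# Constructed sample input: the phase 1 TRANSFORM payload and two of the
# VENDOR payloads from the peer's packet in the post above, re-typed in
# tcpdump's own layout (the forum's code highlighter stripped the colons).
PEER_SA = """\
    payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 28800
            attribute ENCRYPTION_ALGORITHM = AES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute KEY_LENGTH = 128
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1536
    payload: VENDOR len: 20 (supports Cisco Unity)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
"""
# OpenBSD's reply carried the identical transform but a different vendor set.
OPENBSD_SA = PEER_SA.replace("Cisco Unity", "DPD v1.0")

# "\s*" spans a newline, so "attribute X \nVALUE" (the flattened copy) parses too.
ATTR_RE = re.compile(r"attribute\s+(\w+)\s*=?\s*(\S+)")
VID_RE = re.compile(r"VENDOR len: \d+ \(supports ([^)]+)\)")

def parse_transforms(text: str) -> list[dict[str, str]]:
    """One {attribute: value} dict per TRANSFORM payload in tcpdump output."""
    return [dict(ATTR_RE.findall(chunk))
            for chunk in re.split(r"payload: TRANSFORM", text)[1:]]

def vendor_ids(text: str) -> set[str]:
    return set(VID_RE.findall(text))

def diff_phase1(initiator: str, responder: str) -> dict:
    """Check the responder's chosen transform against every transform the
    initiator offered; in main mode the reply must equal one offer exactly."""
    offered = parse_transforms(initiator)
    chosen = parse_transforms(responder)[0]
    mismatches = [sorted(k for k in set(off) | set(chosen)
                         if off.get(k) != chosen.get(k))
                  for off in offered]
    return {
        "matching_offer": next((i for i, d in enumerate(mismatches) if not d), None),
        "mismatches": mismatches,
        "common_vendor_ids": vendor_ids(initiator) & vendor_ids(responder),
    }

if __name__ == "__main__":
    print(diff_phase1(PEER_SA, OPENBSD_SA))
```

For the two packets in the post the transform attributes agree, so whatever triggers the peer's "no proposal chosen" is not visible in the SA payloads themselves.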
#2
Old 20th December 2015
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

The udp packets you've posted don't indicate the error, only the exchange of capabilities. Consider using isakmpd(8) with -d and -v to capture additional information.
#3
Old 29th December 2015
mikygee
Port Guard

Join Date: Oct 2011
Posts: 15

Thank you for your answer.
I'm taking a long time to come back because I'm reinstalling the whole OpenBSD (not because of the IPsec problem).

When I use the debug with isakmpd it's very verbose and I don't have only one VPN.
Is it possible to capture the logs coming from one peer only?
The lines in the logs don't display the peer so everything is mixed.

Even if I shut down (unconfigure) all the VPNs, the remote peers continue to send packets to my system. So it's pretty hard to see which line of debug corresponds to what.
#4
Old 29th December 2015
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

There's no way to isolate the log from within isakmpd(8). If you need further clarity, I expect you'll need to filter the log after capture, with a tool like grep(1).