Hey everyone

I am hoping I am posting this to the correct list

I am running an AMD 2200+ w/ 512MB of RAM and all Intel Pro cards in my main
location.

I have 14 other locations connecting back to this 1 location, and each location
creates 3 tunnels to this system, as I have
3 internal network segments I want available via VPN.

Platforms are:

Main system: OpenBSD 3.7 Stable
Remote locations: OpenBSD 3.5 and some OpenBSD 3.7

At first, all locations come up fine, but then in approx. 1 hour, 3 units stop
communicating with the main firewall.

They all have the same config (minor changes based on location and assigned
IPs, of course).

I was planning to finally get rid of my main Checkpoint box and complete my
migration to BSD, but I had to revert back due to the lack of time I had left to go
back in case of an issue.


My Main location is on Fiber
All branches are on DSL (pretty much the same provider).

My main location has approx. 50 VPN connection entries in it.
My branches connect to 3 VPNs.

Example branch isakmpd.conf file

[Phase 1]
12.12.12.12= peer-loc1
13.13.13.13= peer-loc2
14.14.14.14= peer-loc3


[Phase 2]
Connections=    LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1

[peer-loc1]
Phase=  1
Transport=      udp
Address=        12.12.12.12
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc2]
Phase=  1
Transport=      udp
Address=        13.13.13.13
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc3]
Phase=  1
Transport=      udp
Address=        14.14.14.14
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[LOC1-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg1-Network

[LOC1-SEG2]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg2-Network

[LOC1-SEG3]
Phase=  2
ISAKMP-peer=    peer-loc1
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc1-seg3-Network

[LOC2-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc2
Configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc2-seg1-Network

[LOC3-SEG1]
Phase=  2
ISAKMP-peer=    peer-loc3
configuration=  Default-quick-mode
Local-ID=       Loc-Network
Remote-ID=      loc3-seg1-Network

[loc1-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.22.0
Netmask=        255.255.255.0

[loc1-seg2-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.23.0
Netmask=        255.255.255.0

[loc1-seg3-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.24.0
Netmask=        255.255.255.0

[loc2-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.21.0
Netmask=        255.255.255.0

[loc3-seg1-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.20.0
Netmask=        255.255.255.0


[Loc-Network]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.20.25.0
Netmask=        255.255.255.0

[Default-main-mode]
DOI=    IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA

[Default-quick-mode]
DOI=    IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


My isakmpd.policy file

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";




I have run isakmpd -L, which I am still reviewing, but most errors are below:

Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the response message did not reach us back

Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE



I am lost at this point because the layout is the same for all firewalls,
including the PF config, as I built a generic config and deploy it to them all.

Oh, also, my remote firewalls are running approx. 200 states and my main one is
running approx. 6000-8000 states, and this is during low business times; the high
business count is hard to determine at this point, but I am guessing approx.
20000-40000.

Anyhow, any suggestions here would be great. As it stands right now, I am back
on Checkpoint and I am not a fan of it. I like isakmpd and pf a lot and want
it everywhere.


Thanks in advance

James
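
A small triage script for isakmpd log lines like the ones quoted above, added here as an example and not part of the original post: it assumes the syslog prefix format the post shows (timestamp, host, isakmpd[pid]) and uses the post's own lines, re-joined, as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the post, re-joined onto one
# line each (the mailer had wrapped them at about 80 columns).
SAMPLE_LOG = """\
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the response message did not reach us back
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DROP_RE = re.compile(r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to notification type (?P<ntype>\S+)")
GIVEUP_RE = re.compile(r"giving up on message \S+, exchange (?P<peer>\S+)")

def triage(log_text):
    # Per-peer drop reasons, abandoned exchanges, non-500 source ports (a hint
    # that a NAT or middlebox rewrote the port) and the distinct daemon pids.
    drops, giveups, odd_ports, pids = Counter(), Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, pid, msg = m["host"], int(m["pid"]), m["msg"]
        if pid not in pids.setdefault(host, []):
            pids[host].append(pid)
        if d := DROP_RE.search(msg):
            drops[(d["peer"], d["ntype"])] += 1
            if d["port"] != "500":
                odd_ports[(d["peer"], int(d["port"]))] += 1
        elif g := GIVEUP_RE.search(msg):
            giveups[g["peer"]] += 1
    return {"drops": dict(drops), "giveups": dict(giveups),
            "odd_ports": dict(odd_ports), "pids": pids}

def restart_count(summary, host):
    # Each new pid is a daemon restart; a restart discards all ISAKMP SA state,
    # so the peer's subsequent INVALID_COOKIE notifications are expected, not a
    # separate fault. (Inference from the pid field, not something isakmpd logs.)
    return max(0, len(summary["pids"].get(host, [])) - 1)
```

Run over the sample, it separates the two PAYLOAD_MALFORMED drops (a peer-side parsing problem) from the INVALID_COOKIE drops that follow each of the two pid changes on fw2.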
