Chris Jones writes:

> I'm running the release version of OpenBSD 4.0 on my firewall and
> experiencing some odd IPSEC VPN behavior when connecting to a Fortigate
> peer. The tunnel will come up just fine but will randomly go down and
> then come back up and will continue this cycle.
Unfortunately both FortiGate and OpenBSD don't follow Postel's advice to be liberal in what you accept (OpenBSD) and conservative in what you send (FortiGate). RFC 3706 section 5.3 says that the DOI SHOULD (not MUST) be 1. When the FortiGate sends a DPD with a DOI of 0, OpenBSD rejects it because that sends it to the ISAKMP handler, which drops NOTIFY messages (see annotated trace below).

If you only need DPD on one end, and OpenBSD will send a DPD Vendor ID without trying to send a DPD (I haven't checked), then you can leave DPD enabled on the FortiGate and disable it on OpenBSD.

If that won't work or isn't acceptable (it won't work too well if the FortiGate is configured with a dynamic connection), then to get FortiGate and OpenBSD DPD to interoperate you'll need to get one or both of FortiGate and OpenBSD to change their code. For FortiGate, send email to their customer support. In the case of OpenBSD, maybe it is as simple as copying over the DPD message parsing from src/sbin/isakmpd/ipsec.c:ipsec_responder and putting it in src/sbin/isakmpd/isakmpd_doi.c:isakmp_responder.

BTW, Cisco IOS (12.4) does follow the "be liberal in what you accept" recommendation in this case and will accept a DPD with a DOI of 0 from a FortiGate (though it will log a warning for DPD R U THERE).

> I am running isakmpd with the -K option and using ipsecctl to
> establish flows and SA's.
> This is what my ipsec.conf looks like:
>
> remote_gw = "10.1.1.1"
>
> flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer $remote_gw type bypass
>
> ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \
>         aggressive auth hmac-sha1 enc 3des group modp1536 \
>         quick auth hmac-sha1 enc 3des group modp1536 \
>         srcid [EMAIL PROTECTED] \
>         psk sharedsecret
>
> The peer is DPD capable and enabled with the following settings:
>
> retry-count: 3
> retry-interval: 5
>
> After running isakmpd in debug mode (isakmpd -d -DA=50 -K) and after
> running ipsecctl I issued a continuous ping to one of the hosts at the
> other side of the tunnel. The ping ran fine for a period of time and
> then stopped. Here is the output from the debug:
>
> 073059.683292 Cryp 30 crypto_decrypt: after decryption:
> 073059.686654 Cryp 30 01000018 fbbe1146 c43cf921 dc386a4a 0dfc2751 e4cf2a6d 0a000034 00000001
> 073059.689438 Cryp 30 00000001 00000028 01030401 f286fdea 0000001c 01030000 80010001 800204b0
> 073059.692737 Cryp 30 80040001 80050002 80030005 04000014 c5664590 c4700a67 9cec6a71 633ffd8c
> 073059.695546 Cryp 30 050000c4 6214a4ed 31ca88ca 0945b3d6 dd2c44ef d03b008d 72b5ea00 273d3e0a
> 073059.698996 Cryp 30 5ec40d98 02c0ebad e3eac805 f87fa1ee 1142e2fd 92aee043 09e84e1c 3788c268
> 073059.701817 Cryp 30 4fdab8c6 1cbfad15 8123a459 df7a9a3b 66db84c5 59211ec4 90882bfc 2ae61c66
> 073059.705109 Cryp 30 6d35acdf 585d0b08 c5560cf9 d4a996a7 32a18daa d3385206 7ce49f52 f5bab82c
> 073059.707999 Cryp 30 12b6cc01 29fec19b 3f582995 e80637b4 5e99d396 3a3b650b 2d78dd5f 44879af5
> 073059.711332 Cryp 30 1f8e016d 27c69817 341c6984 52e4f663 175db8ba c206fb2b 08b9d0df f46705c1
> 073059.714125 Cryp 30 5a7d0a5a 05000010 04000000 0a4c0800 ffffff00 00000010 04000000 0a4c0000
> 073059.717252 Cryp 30 ffff0000 00000000
> 073059.719573 Mesg 50 message_parse_payloads: offset 28 payload HASH
> 073059.722425 Mesg 50 message_parse_payloads: offset 52 payload SA
> 073059.724772 Mesg 50 message_parse_payloads: offset 104 payload NONCE
> 073059.727806 Mesg 50 message_parse_payloads: offset 124 payload KEY_EXCH
> 073059.730126 Mesg 50 message_parse_payloads: offset 320 payload ID
> 073059.733027 Mesg 50 message_parse_payloads: offset 336 payload ID
> 073059.735500 Mesg 50 message_parse_payloads: offset 64 payload PROPOSAL
> 073059.738492 Mesg 50 message_parse_payloads: offset 76 payload TRANSFORM
> 073059.740835 Mesg 50 Transform 1's attributes
> 073059.743665 Mesg 50 Attribute SA_LIFE_TYPE value 1
> 073059.745973 Mesg 50 Attribute SA_LIFE_DURATION value 1200
> 073059.749044 Mesg 50 Attribute ENCAPSULATION_MODE value 1
> 073059.751324 Mesg 50 Attribute AUTHENTICATION_ALGORITHM value 2
> 073059.754161 Mesg 50 Attribute GROUP_DESCRIPTION value 5
> 073059.757008 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 4
> 073059.761190 Mesg 40 ipsec_validate_id_information: IPv4 network/netmask:
> 073059.763556 Mesg 40 0a4c0800 ffffff00
> 073059.766532 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 4
> 073059.768913 Mesg 40 ipsec_validate_id_information: IPv4 network/netmask:
> 073059.771838 Mesg 40 0a4c0000 ffff0000
> 073059.774860 Misc 20 ipsec_decode_transform: transform 1 chosen
> 073059.778019 Cryp 50 crypto_update_iv: updated IV:
> 073059.780420 Cryp 50 acdf5f44 564c53bf
> 073059.783186 Exch 40 exchange_run: exchange 0x8990e000 finished step 1, advancing...
> 073059.786754 Cryp 30 crypto_encrypt: before encryption:
> 073059.789907 Cryp 30 00000018 ffd2fd35 9f9703b5 931c4a0e a7a39fd6 38d67537
> 073059.792339 Cryp 30 crypto_encrypt: after encryption:
> 073059.795498 Cryp 30 29a4e78f 474a5a98 2f00dcca b662924e d5de0039 29beb555
> 073059.797975 Cryp 50 crypto_update_iv: updated IV:
> 073059.800865 Cryp 50 d5de0039 29beb555
> 073059.804274 Exch 40 exchange_run: exchange 0x8990e000 finished step 2, advancing...
> 073102.451676 Exch 10 exchange_finalize: 0x8990e000 IPsec-10.76.8.0/24-10.76.0.0/16 qm-10.76.8.0/24-10.76.0.0/16 policy initiator phase 2 doi 1 exchange 32 step 3
> 073102.454201 Exch 10 exchange_finalize: icookie 24ecf40d73ec86fa rcookie b49a30f91498c9f5
> 073102.457290 Exch 10 exchange_finalize: msgid 803a2cca sa_list 0x8990e100
> 073102.461087 Sdep 40 pf_key_v2_convert_id: UFQDN [EMAIL PROTECTED]
> 073102.464038 Sdep 40 pf_key_v2_convert_id: IPv4 address 64.254.145.133/32
> 073102.466674 Sdep 10 pf_key_v2_set_spi: satype 2 dst 64.254.145.133 SPI 0xf286fdea
> 073102.469698 Timr 10 timer_add_event: event sa_soft_expire(0x8990e100) added before sa_soft_expire(0x7ec2f900), expiration in 1051s
> 073102.472224 Timr 10 timer_add_event: event sa_hard_expire(0x8990e100) added before sa_soft_expire(0x7ec2f900), expiration in 1200s
> 073102.477810 Sdep 50 pf_key_v2_set_spi: done
> 073102.480684 Sdep 40 pf_key_v2_convert_id: UFQDN [EMAIL PROTECTED]
> 073102.483711 Sdep 40 pf_key_v2_convert_id: IPv4 address 64.254.145.133/32
> 073102.486343 Sdep 10 pf_key_v2_set_spi: satype 2 dst 64.46.13.251 SPI 0xbd254135
> 073102.493179 Sdep 50 pf_key_v2_set_spi: done
> 073102.495765 Exch 50 ipsec_finalize_exchange: src 10.76.8.0 255.255.255.0 dst 10.76.0.0 255.255.0.0 tproto 0 sport 0 dport 0
> 073102.499028 Sdep 40 pf_key_v2_convert_id: UFQDN [EMAIL PROTECTED]
> 073102.501404 Sdep 40 pf_key_v2_convert_id: IPv4 address 64.254.145.133/32
> 073102.504574 Sdep 50 pf_key_v2_flow: src 10.76.8.0 255.255.255.0 dst 10.76.0.0 255.255.0.0 proto 0 sport 0 dport 0
> 073102.508739 Misc 50 pf_key_v2_flow: ADDFLOW: done
> 073102.511924 Sdep 50 pf_key_v2_flow: src 10.76.0.0 255.255.0.0 dst 10.76.8.0 255.255.255.0 proto 0 sport 0 dport 0
> 073102.515942 Misc 50 pf_key_v2_flow: ADDFLOW: done
> 073104.623456 Timr 10 timer_handle_expirations: event dpd_event(0x7ec2f900)
> 073104.627099 Sdep 50 pf_key_v2_get_kernel_sa: spi:
> 073104.629932 Sdep 50 bd254135
> 073104.632377 Mesg 30 dpd_event: sending R_U_THERE to 64.254.145.133 seq 28518
> 073104.635623 Timr 10 timer_add_event: event exchange_free_aux(0x8990e800) added before sa_soft_expire(0x8990e100), expiration in 120s
> 073104.638135 Exch 10 exchange_establish_p2: 0x8990e800 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 073104.641155 Exch 10 exchange_establish_p2: icookie 24ecf40d73ec86fa rcookie b49a30f91498c9f5
> 073104.643647 Exch 10 exchange_establish_p2: msgid 25ae751d sa_list
> 073104.647421 Cryp 50 crypto_init_iv: initialized IV:
> 073104.649771 Cryp 50 ec1d5fb7 8ddc0509
> 073104.652550 Cryp 30 crypto_encrypt: before encryption:
> 073104.655412 Cryp 30 0b000018 3ed5e1c1 b444b7e3 72d6f523 798bb359 c4cbcc31 00000020 00000001
                                                                                       ^^^^^^^^ DOI = IPsec
> 073104.658598 Cryp 30 01108d28 24ecf40d 73ec86fa b49a30f9 1498c9f5 00006f66
                            ^^^^                                     ^^^^^^^^ DPD R U THERE SEQ 28518
> 073104.661119 Cryp 30 crypto_encrypt: after encryption:
> 073104.664495 Cryp 30 821eb041 132621ed b7f36cd9 e4e13443 d29754d8 65541eeb d57aeb25 69be3a8b
> 073104.667150 Cryp 30 78a3459d 2e62c155 45e420bc a4b137b0 87fb22ac 41f5d87c
> 073104.669917 Cryp 50 crypto_update_iv: updated IV:
> 073104.672326 Cryp 50 87fb22ac 41f5d87c
> 073104.676781 Exch 40 exchange_run: exchange 0x8990e800 finished step 0, advancing...
> 073104.679230 Timr 10 timer_add_event: event dpd_check_event(0x7ec2f900) added before connection_checker(0x83f01f90), expiration in 5s
> 073104.684255 Exch 10 exchange_finalize: 0x8990e800 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 073104.687543 Exch 10 exchange_finalize: icookie 24ecf40d73ec86fa rcookie b49a30f91498c9f5
> 073104.689876 Exch 10 exchange_finalize: msgid 25ae751d sa_list
> 073104.692739 Timr 10 timer_remove_event: removing event exchange_free_aux(0x8990e800)
> 073104.695448 Mesg 20 message_free: freeing 0x7f49d680
> 073104.698913 Trpt 50 virtual_clone: old 0x7c617840 new 0x7c617e40 (main is 0x7c617ec0)
> 073104.703249 Cryp 50 crypto_init_iv: initialized IV:
> 073104.706258 Cryp 50 3b61e1be 8116d41a
> 073104.708485 Cryp 30 crypto_decrypt: before decryption:
> 073104.711724 Cryp 30 705cd77b 436bf282 3c04a02d 3936ac8a 214892a6 9999b5c7 089cbfbb 626937bd
> 073104.714537 Cryp 30 5614eda7 57c70fd5 1885574d f73b5d90 714c310d 4937eeae
> 073104.717623 Cryp 30 crypto_decrypt: after decryption:
> 073104.720307 Cryp 30 0b000018 f9d41491 1c4ce188 0f9a0fe1 62815061 bd0b0716 00000020 00000000
                                                                                       ^^^^^^^^ DOI = ISAKMP
> 073104.723490 Cryp 30 01108d29 24ecf40d 73ec86fa b49a30f9 1498c9f5 00006f66
                            ^^^^                                     ^^^^^^^^ DPD R U THERE ACK SEQ 28518
> 073104.726029 Mesg 50 message_parse_payloads: offset 28 payload HASH
> 073104.728880 Mesg 50 message_parse_payloads: offset 52 payload NOTIFY
> 073104.731966 Timr 10 timer_add_event: event [snip]
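To make the DOI point concrete, here is an added example (not part of the original thread and not isakmpd code) that walks the ISAKMP payload chain of the two decrypted DPD messages in the trace above: the R_U_THERE isakmpd encrypted and the R_U_THERE_ACK it decrypted from the FortiGate. The hex dumps are copied from the trace. The 28-byte ISAKMP header is sent in the clear and so is not in the decrypted dump, which is why the type of the first payload (HASH) is passed in by hand. The `dispatch` function only models the routing the reply describes (DOI 1 to the IPsec DOI handler, DOI 0 to the ISAKMP DOI handler, which drops NOTIFY); its verdict strings borrow the function names from the reply and are an assumption, not the daemon's behaviour as read from source.

```python
"""
Added example: parse the decrypted bodies of the two DPD messages from the
isakmpd trace and show which DOI each one carries.  Hex dumps are copied
from the trace; the dispatch model is an assumption based on the reply.
"""
import struct

# ISAKMP payload types (RFC 2408) and DPD notify types (RFC 3706).
PAYLOAD_HASH = 8
PAYLOAD_NOTIFY = 11
DOI_ISAKMP = 0
DOI_IPSEC = 1
NOTIFY_NAMES = {36136: "R_U_THERE", 36137: "R_U_THERE_ACK"}


def parse_payloads(body: bytes, first_type: int) -> list:
    """Generic payload walk.  Every payload starts with a 4-byte header
    (next-payload, reserved, length) and chains to the next until 0."""
    payloads = []
    offset = 0
    ptype = first_type
    while ptype != 0:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _reserved, length = struct.unpack("!BBH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        payloads.append((ptype, body[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    if offset != len(body):
        raise ValueError("%d trailing bytes after last payload" % (len(body) - offset))
    return payloads


def parse_notify(data: bytes) -> dict:
    """Notification payload body: DOI(4) proto(1) spi_size(1) type(2) SPI data."""
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", data[:8])
    spi = data[8:8 + spi_size]
    ndata = data[8 + spi_size:]
    info = {"doi": doi, "proto": proto, "spi": spi.hex(), "type": ntype,
            "name": NOTIFY_NAMES.get(ntype, "unknown"), "data": ndata.hex()}
    # DPD notifies carry a 4-byte sequence number as notification data.
    if ntype in NOTIFY_NAMES and len(ndata) == 4:
        info["seq"] = struct.unpack("!I", ndata)[0]
    return info


def dispatch(notify: dict) -> str:
    """Assumed model of the routing described in the reply: DOI 1 reaches the
    IPsec DOI handler (which knows DPD), DOI 0 reaches the ISAKMP DOI handler
    (which drops NOTIFY).  Function names are borrowed from the reply."""
    if notify["doi"] == DOI_IPSEC:
        return "ipsec_responder: %s seq %d" % (notify["name"], notify["seq"])
    return "isakmp_responder: dropped NOTIFY (doi %d)" % notify["doi"]


def decode_dpd(hexdump: str, first_type: int = PAYLOAD_HASH) -> dict:
    """Parse one decrypted DPD body (HASH + NOTIFY) and attach the verdict."""
    body = bytes.fromhex(hexdump.replace(" ", ""))
    payloads = parse_payloads(body, first_type)
    types = [t for t, _ in payloads]
    if types != [PAYLOAD_HASH, PAYLOAD_NOTIFY]:
        raise ValueError("unexpected payload chain %r" % types)
    notify = parse_notify(payloads[1][1])
    notify["verdict"] = dispatch(notify)
    return notify


# Decrypted bodies copied from the trace above.
OPENBSD_R_U_THERE = ("0b000018 3ed5e1c1 b444b7e3 72d6f523 798bb359 c4cbcc31 "
                     "00000020 00000001 01108d28 24ecf40d 73ec86fa b49a30f9 "
                     "1498c9f5 00006f66")
FORTIGATE_ACK = ("0b000018 f9d41491 1c4ce188 0f9a0fe1 62815061 bd0b0716 "
                 "00000020 00000000 01108d29 24ecf40d 73ec86fa b49a30f9 "
                 "1498c9f5 00006f66")

if __name__ == "__main__":
    for label, dump in (("OpenBSD -> FortiGate", OPENBSD_R_U_THERE),
                        ("FortiGate -> OpenBSD", FORTIGATE_ACK)):
        n = decode_dpd(dump)
        print("%s: doi=%d %s seq=%d spi=%s -> %s"
              % (label, n["doi"], n["name"], n["seq"], n["spi"], n["verdict"]))
```

Both messages carry the same 16-byte SPI (the phase 1 cookies 24ecf40d73ec86fa / b49a30f91498c9f5) and the same sequence number 28518; the only difference besides the notify type is the DOI word, which is the field that decides which handler sees the payload.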