Hello,

I have a very odd problem with a VPN machine. The situation:

Net 1 --- Host 1 ----- Internet ----- Host 2 --- Net 2
                          \
                           +--------- Host 3 --- Net 3

The whole thing had been working since the days of 3.5 or so with ISAKMPD
and X.509 certificates in tunnel mode. Last year, everything was on
3.8. Now I upgraded Host 2 to 4.0. Everything was still fine. Today I
upgraded Host 1 to 4.0, then to 4.0-stable (this was required anyway,
and prompted by disk failure), and things stopped working completely. I see
the following packets being sent between hosts 1 and 2 (real IPs replaced by
RFC1918 with s///):


22:37:11.106378 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->0000000000000000 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 28972, len 212)
22:37:11.125678 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 35720, len 212)
22:37:11.274135 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 (ttl 63, id 4431, len 256)
22:37:11.349204 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 (ttl 64, id 32849, len 256)
22:37:11.558309 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 972 (ttl 63, id 3944, len 1000)
22:37:11.668529 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 940 (ttl 64, id 60717, len 968)
22:37:11.864217 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aaeca62d len: 300 (ttl 63, id 14459, len 328)
22:37:11.914359 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 87fd8670 len: 76 (ttl 64, id 59694, len 104)
22:37:11.915785 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: a7a43d6f len: 76 (ttl 64, id 45897, len 104)
22:37:18.878857 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aaeca62d len: 300 (ttl 63, id 25088, len 328)
22:37:18.976186 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: b7e4e7ce len: 76 (ttl 64, id 51566, len 104)
22:37:18.979813 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 49eef417 len: 76 (ttl 64, id 42703, len 104)
22:37:18.981214 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aa13b963 len: 76 (ttl 64, id 57646, len 104)
22:37:27.888882 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aaeca62d len: 300 (ttl 63, id 7188, len 328)
22:37:27.922457 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: a8600dc4 len: 76 (ttl 64, id 35350, len 104)
22:37:27.929981 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: dc8e2e94 len: 76 (ttl 64, id 55397, len 104)
22:37:27.931374 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 5f714a3f len: 76 (ttl 64, id 50186, len 104)
22:37:27.932718 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 24bd4fce len: 76 (ttl 64, id 57144, len 104)


I have already diffed and checksummed the configs, the certs and the keys, and
am now running out of ideas (except upgrading Host 2, and possibly Host
3, to -stable in a hurry).

The upgrade from 4.0 (-release) to 4.0-stable was done because the
problem was already occurring with 4.0, and in order to fix the OpenSSL
problems. But things didn't work from this box to either Host 2 or
Host 3 the whole day.


Any idea, please?

TIA!


Best,
--Toni++

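The trace above has a clear shape once the packets are grouped by ISAKMP cookie and message ID: six ID_PROT messages (Main Mode, the last two encrypted) go through in both directions, so Phase 1 and the certificate authentication succeeded; then Host 1 sends the same QUICK_MODE message (msgid aaeca62d) three times at roughly 7 to 9 second intervals and never gets a QUICK_MODE back, only INFO exchanges from Host 2, which in this position are almost always encrypted notifications rejecting the Phase 2 proposal. The script below is an added example, not part of the original post or of OpenBSD: it parses the header and cookie lines of tcpdump's isakmp output and flags exactly that pattern. The embedded SAMPLE_TRACE is taken from the post's own capture, unwrapped and with the SA/VENDOR payload detail dropped since only the header and cookie lines are parsed.

```python
"""Group an OpenBSD tcpdump isakmp trace into exchanges and flag a Phase 2 that never completes."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Header and cookie lines copied from the trace in the post (payload lines dropped).
SAMPLE_TRACE = """\
22:37:11.106378 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->0000000000000000 msgid: 00000000 len: 184
22:37:11.125678 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 184
22:37:11.274135 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 228
22:37:11.349204 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 228
22:37:11.558309 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 972
22:37:11.668529 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 00000000 len: 940
22:37:11.864217 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aaeca62d len: 300
22:37:11.914359 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: 87fd8670 len: 76
22:37:11.915785 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: a7a43d6f len: 76
22:37:18.878857 192.168.1.3.500 > 192.168.1.2.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: aaeca62d len: 300
22:37:18.976186 192.168.1.2.500 > 192.168.1.3.500: [udp sum ok] isakmp v1.0 exchange INFO encrypted
        cookie: f06dc17173c6c1fa->3a8a72a4e10f97c3 msgid: b7e4e7ce len: 76
"""

# Packet header as printed by tcpdump's isakmp decoder, followed by its cookie line.
HDR = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): .*isakmp v(?P<ver>\d\.\d) '
    r'exchange (?P<exch>\w+)(?P<enc> encrypted)?')
COOKIE = re.compile(
    r'cookie: (?P<icky>[0-9a-f]{16})->(?P<rcky>[0-9a-f]{16}) '
    r'msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)')


@dataclass
class Msg:
    ts: str
    src: str
    dst: str
    exch: str
    encrypted: bool
    icookie: str
    rcookie: str
    msgid: str
    length: int


def parse_isakmp(text):
    """Pair each header line with the cookie line that follows it; ignore payload detail."""
    msgs, pending = [], None
    for line in text.splitlines():
        h = HDR.match(line)
        if h:
            pending = h
            continue
        c = COOKIE.search(line)
        if c and pending is not None:
            msgs.append(Msg(pending['ts'], pending['src'], pending['dst'], pending['exch'],
                            pending['enc'] is not None, c['icky'], c['rcky'],
                            c['msgid'], int(c['len'])))
            pending = None
    return msgs


def analyze(msgs):
    """Per Phase 1 SA (initiator cookie): did Main Mode finish, and what became of each Quick Mode?"""
    by_sa = defaultdict(list)
    for m in msgs:
        by_sa[m.icookie].append(m)
    report = {}
    for icky, sa in by_sa.items():
        initiator, responder = sa[0].src, sa[0].dst
        # Main Mode is six messages; the last two (IDs and signatures) travel encrypted.
        id_prot = [m for m in sa if m.exch == 'ID_PROT']
        enc_dirs = {m.src for m in id_prot if m.encrypted}
        phase1 = len(id_prot) >= 6 and enc_dirs == {initiator, responder}
        # Quick Mode messages share a msgid; a repeat from the same side is a retransmit.
        qm = defaultdict(lambda: {'from_initiator': 0, 'from_responder': 0})
        info = defaultdict(int)
        for m in sa:
            if m.exch == 'QUICK_MODE':
                qm[m.msgid]['from_initiator' if m.src == initiator else 'from_responder'] += 1
            elif m.exch == 'INFO':
                info[m.src] += 1
        report[icky] = {'initiator': initiator, 'responder': responder, 'phase1_complete': phase1,
                        'quick_mode': dict(qm), 'info_by_sender': dict(info)}
    return report


def diagnose(msgs):
    """Human-readable findings: Phase 1 up but Quick Mode retransmitted and answered only with INFO."""
    findings = []
    for icky, r in analyze(msgs).items():
        if not r['phase1_complete']:
            findings.append(f"{icky}: Main Mode did not complete")
            continue
        for msgid, c in r['quick_mode'].items():
            if c['from_responder'] == 0:
                findings.append(
                    f"{icky}: Phase 1 up, but Quick Mode {msgid} sent {c['from_initiator']}x by "
                    f"{r['initiator']} with no Quick Mode reply; {r['responder']} answered with "
                    f"{r['info_by_sender'].get(r['responder'], 0)} encrypted INFO exchange(s)")
    return findings


if __name__ == '__main__':
    for line in diagnose(parse_isakmp(SAMPLE_TRACE)):
        print(line)
```

Because the INFO payloads are encrypted under the Phase 1 SA, tcpdump cannot show which notify the responder is sending (NO_PROPOSAL_CHOSEN, INVALID_ID_INFORMATION and similar all look alike on the wire), so the next step is to read isakmpd's own log on the responder, for example by running it in the foreground with debugging (-d -D) during one of the retransmits, and compare the Phase 2 proposal and IDs it rejects against what the initiator's isakmpd.conf sends.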