Re: IPSec help..

Wed, 11 Apr 2007 14:27:03 -0700 

Window's firewall is off. Dump is as follows:

# tcpdump -i sis0 'esp or (udp and (port 500 or port 4500))'
tcpdump: listening on sis0, link-type EN10MB
21:06:26.205252 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT
       cookie: 1a0f8d5bb2637ce2->0000000000000000 msgid: 00000000
len: 3632 (frag 51066:[EMAIL PROTECTED])
21:06:26.735801 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 188
21:06:26.745392 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 184
21:06:27.103644 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 232
21:06:27.138275 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:27.575196 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:32.575767 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: dbc958f1 len: 92
21:06:37.235054 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:37.248721 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:37.619710 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 4c3bb90c len: 92
21:06:42.647504 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 88ad6544 len: 92
21:06:47.244914 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:47.263416 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:47.684881 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 5337bf54 len: 92
21:06:52.715304 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
       cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: eaeb08da len: 92

On 4/11/07, Dag Richards <[EMAIL PROTECTED]> wrote:

Roy Kim wrote:
> I'm trying to setup an ipsec tunnel between an openbsd and a windows
> box using X.509 certificates. Phase 1 gets successfully negotiated but
> then things crap out at step 1 of phase 2 and I don't have a clue
> what's wrong. Any thoughts?
>
> Isakmpd debug messages just after phase 1 is negotiated and ipsec.conf
> are as follows:
>
> ipsec.conf:
> ike dynamic esp tunnel from 192.168.0/8 to any \
>  srcid home dstid work
> ike dynamic esp tunnel from any to 192.168.0/8 \
>  srcid work dstid home
>
> isakmpd output using 'isakmpd -KvdD A=50'
> 191751.046228 Timr 10 timer_add_event: event
> exchange_free_aux(0x7df9b500) added before sa_soft_expire(0x85229200),
> expiration in 120s
> 191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500 <unnamed> <no
> policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 191751.049266 Exch 10 exchange_establish_p2: icookie 395faa725fd4c3b3
> rcookie 8e784c12cb6b04bd
> 191751.050294 Exch 10 exchange_establish_p2: msgid 47ef99ad sa_list
> 191751.052677 Cryp 50 crypto_init_iv: initialized IV:
> 191751.054075 Cryp 50 033b6e99 5e66c7ba 8efd5d22 8ffe8567
> 191751.055068 Cryp 30 crypto_encrypt: before encryption:
> 191751.057166 Cryp 30 0b000018 68790ed1 9f0d6417 66838f05 de3393d7
> 9ec6dcb3 00000020 00000001
> 191751.058368 Cryp 30 01108d28 395faa72 5fd4c3b3 8e784c12 cb6b04bd
> 00003340 00000000 00000000
> 191751.060004 Cryp 30 crypto_encrypt: after encryption:
> 191751.061996 Cryp 30 bb6cda82 ec0c809f eac5e496 3102dffb 726b62a3
> 9f0d19e6 624ee717 c65f1486
> 191751.063409 Cryp 30 a35e8fb2 c9a6b8c8 2d03723f 7d6d0c68 909c42ea
> 0bf57a7f d8c817ce 070b8719
> 191751.064686 Cryp 50 crypto_update_iv: updated IV:
> 191751.066224 Cryp 50 909c42ea 0bf57a7f d8c817ce 070b8719
> 191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step
> 0, advancing...
> 191751.069968 Timr 10 timer_add_event: event
> dpd_check_event(0x85229200) added before
> connection_checker(0x8522a060), expiration in 5s
> 191751.072222 Exch 10 exchange_finalize: 0x7df9b500 <unnamed> <no
> policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 191751.073402 Exch 10 exchange_finalize: icookie 395faa725fd4c3b3
> rcookie 8e784c12cb6b04bd
> 191751.074675 Exch 10 exchange_finalize: msgid 47ef99ad sa_list
> 191751.076166 Timr 10 timer_remove_event: removing event
> exchange_free_aux(0x7df9b500)
> 191751.077610 Mesg 20 message_free: freeing 0x7df9e000
> 191756.083274 Timr 10 timer_handle_expirations: event
> dpd_check_event(0x85229200)
> 191756.084314 Mesg 10 dpd_check_event: peer not responding, retry 2 of 5
>

Is the windows firewall on?
Can you show a dump of the negotiation?

Reply via email to