Relayd Crashing in transparent mode

2019-04-01 Thread oBSD Nub
Wondering if someone can help point me in the right direction.
relayd keeps crashing on me; I suspect someone is attacking using corrupted
packets in some way.
Other attacks are much higher than normal (application layer)
States look in line (less than 5k), processor usage about 20 percent.
Running on KVM, fully patched -stable (6.4).

Anyway, right before the relay stops working, I am getting errors such as:
session failed: Operation timed out
bindany failed, invalid socket: Invalid argument
Socket is not connected: Socket is not connected
relay exiting, pid [X]

Can anyone point me in the right direction to get more logging / how to
investigate the errors I am getting?
rcctl restart relayd always fixes the issue.
Intermittent problem, but when there is an issue it will crash every couple of minutes.

Config is:
interval 30
log state changes
log connection
prefork 10

vip01 = "159.100.208.71"
table  { 10.5.6.121 10.5.6.171 }

relay webRedirect0180 {
listen on $vip01 port 80
transparent forward to  port 80 \
mode loadbalance check tcp
}
relay webRedirect01443 {
listen on $vip01 port 443
transparent forward to  port 443 \
mode loadbalance check tcp
}
...repeats about 20 times w/ different VIPs


IKEv1 to AzureVPN exchange_validate failed

2017-02-16 Thread oBSD Nub
I am struggling to set up an IPsec VPN to Azure.
Following the Azure IPsec parameters in the doc below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Getting the errors below in isakmpd, and I am stumped where to look next:
Default exchange_run: exchange_validate failed
Default dropped message from 2.2.2.2 port 500 due to notification type
PAYLOAD_MALFORMED

Can anyone point me in the right direction, as my google-fu isn't
feeling strong.

Thanks!

OpenBSD 6.0/amd64 MP VM on ESXi 6.5

# cat /etc/ipsec.conf
WAN1= "carp901001" #Interface address 1.1.1.1
localNets   = "{10.10.0.0/24}"
remoteGW= "2.2.2.2" #AzureGateway
remoteNets  = "{10.20.2.0/24}" #remote azure networks

ike esp from $localNets to $remoteNets \
peer $remoteGW \
main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
psk somekey

# isakmpd -dvvvK
073538.301968 Default isakmpd: starting [priv]
073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1,
responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
073549.027410 Default exchange_run: exchange_validate failed
073549.027425 Default dropped message from 2.2.2.2 port 500 due to
notification type PAYLOAD_MALFORMED
^C073612.581088 Default isakmpd: shutting down...
# 073612.581509 Default isakmpd: exit

# ipsecctl -s all
FLOWS:
flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid
1.1.1.1/32 dstid 2.2.2.2/32 type use
flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid
1.1.1.1/32 dstid 2.2.2.2/32 type require

SAD:
esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256

07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03-> msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 256
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 212
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 40
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
payload: VENDOR len: 24
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20
payload: VENDOR len: 20
payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 260
payload: KEY_EXCH len: 132
payload: NONCE len: 52
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 92
payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1
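As an added illustration (not from the thread or from isakmpd), a small parser that applies the length and payload-chain checks a peer makes before it answers with a PAYLOAD_MALFORMED notification, run against a constructed message that reproduces the payload layout of the first ID_PROT packet in the trace above. The vendor-ID bytes are placeholders, the attribute codes follow RFC 2409, and the initiator cookie is the one shown in the trace.

```python
import struct

# ISAKMP payload type codes (RFC 2408) for the payloads that appear in the trace
PT = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH", 5: "ID", 10: "NONCE", 13: "VENDOR", 20: "NAT-D"}
class Malformed(ValueError): pass  # structural fault a peer answers with PAYLOAD_MALFORMED

def walk(msg, off, end, nxt):  # follow generic payload headers in msg[off:end] -> [(name, offset, length)]
    chain = []
    while nxt != 0:
        if off + 4 > end:
            raise Malformed(f"{PT.get(nxt, nxt)} header at {off} runs past {end}")
        nxt2, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > end:
            raise Malformed(f"{PT.get(nxt, nxt)} length {plen} at {off} overruns {end}")
        chain.append((PT.get(nxt, nxt), off, plen))
        off, nxt = off + plen, nxt2
    if off != end:
        raise Malformed(f"{end - off} trailing bytes after the last payload")
    return chain

def parse_isakmp(msg):  # validate the 28-byte header and payload chain, descend SA -> PROPOSAL -> TRANSFORM
    if len(msg) < 28:
        raise Malformed("short ISAKMP header")
    icookie, _rc, nxt, _ver, xchg, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise Malformed(f"header length {length} != datagram length {len(msg)}")
    top = walk(msg, 28, length, nxt)
    sa = []  # [(proposal length, [transform lengths])]
    for name, off, plen in top:
        if name == "SA":  # SA body: DOI(4) + situation(4), then proposals; proposal body: 4 fixed bytes, then transforms
            for _, poff, pplen in walk(msg, off + 12, off + plen, 2):
                sa.append((pplen, [xlen for _, _, xlen in walk(msg, poff + 8, poff + pplen, 3)]))
    return {"cookie": icookie.hex(), "exchange": xchg, "length": length,
            "payloads": [(n, l) for n, _, l in top], "sa": sa}

def pl(nxt, body):  # generic payload header: next payload, reserved, length
    return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body

def build_main_mode_msg1():
    """Constructed ID_PROT message 1 with the payload layout of the first packet in the trace."""
    # seven 4-byte TV attributes (RFC 2409 codes): AES_CBC, SHA, PRE_SHARED, MODP_1024, SECONDS, 28800, KEY_LENGTH 256
    attrs = b"".join(struct.pack("!HH", 0x8000 | a, v) for a, v in
                     [(1, 7), (2, 2), (3, 1), (4, 2), (11, 1), (12, 28800), (14, 256)])
    transform = pl(0, struct.pack("!BBH", 0, 1, 0) + attrs)        # transform 0, ID KEY_IKE -> len 36
    proposal = pl(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # proposal 1, proto ISAKMP, spisz 0 -> len 44
    sa = pl(13, struct.pack("!II", 1, 1) + proposal)                # DOI IPSEC, IDENTITY_ONLY -> len 56
    vendors = b"".join(pl(13 if i < 4 else 0, bytes([i]) * 16) for i in range(5))  # placeholder vendor IDs, len 20
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("e3ee87821c134d03"), bytes(8), 1, 0x10, 2, 0, 0,
                      28 + len(sa) + len(vendors))  # cookie from the trace, version 1.0, exchange ID_PROT (2)
    return hdr + sa + vendors  # 28 + 56 + 5 * 20 = 184 bytes, the "len: 184" of the trace
```

Feeding the parser a copy with one corrupted transform length, or a datagram truncated by a byte, raises Malformed instead of silently misparsing, which is the class of input the notification in the log refers to.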