Re: isakmpd and INVALID_COOKIE

2011-07-09 Thread Paul Suh
Hmm.. sounds like this might be a candidate for -STABLE?


--Paul


On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote:

> On 2011-07-08, Tony Sarendal  wrote:
> >> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> >> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> >> > see problems from time to time.
> >>
> >
>> Is this a cosmetic thing or does it affect connectivity ?
> 
> dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched
> from internal to openssl DH; an openssl function wasn't padding with
> leading 0's where it was expected that they would, so there was junk
> at the end of the key, causing key mismatches.




Re: isakmpd and INVALID_COOKIE

2011-07-08 Thread Tony Sarendal
On Fri, Jul 8, 2011 at 4:09 PM, Stuart Henderson wrote:

> On 2011-07-08, Tony Sarendal  wrote:
> >> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> >> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> >> > see problems from time to time.
> >>
> >
> > Is this a cosmetic thing or does it affect connectivity ?
>
> dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched
> from internal to openssl DH; an openssl function wasn't padding with
> leading 0's where it was expected that they would, so there was junk
> at the end of the key, causing key mismatches.
>
Sounds like a candidate for the issues that we are seeing on both 4.8 and
4.9. We see it quite easily, as we run gre tunnels with bgp inside them,
using ipsec to encrypt gre.

We are seeing the connectivity issue anything from a few times a day to a
few times a week. And the time I caught it while it was going on, things
started working immediately after some bi-directional ike traffic.

Regards Tony



Re: isakmpd and INVALID_COOKIE

2011-07-08 Thread Stuart Henderson
On 2011-07-08, Tony Sarendal  wrote:
>> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
>> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
>> > see problems from time to time.
>>
>
> Is this a cosmetic thing or does it affect connectivity ?

dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched
from internal to openssl DH; an openssl function wasn't padding with
leading 0's where it was expected that they would, so there was junk
at the end of the key, causing key mismatches.
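As an added illustration of the encoding bug described above (this is example code written for this thread, not isakmpd's dh.c or OpenSSL), the script below mimics what happens when a DH shared secret is exported with a "minimal bytes" routine such as BN_bn2bin() straight into a fixed-size buffer: whenever the secret happens to have leading zero bytes, the stale tail of the buffer survives as junk, and the two peers derive different keys even though they computed the same integer. The toy modulus, generator, buffer contents and function names are all assumptions chosen for the demo, not real IKE group parameters.

```python
import hashlib
import random

# Toy parameters so the demo runs instantly. 2**127 - 1 is prime, but this is
# NOT a real IKE DH group (assumption for the demo); the bug is about the
# byte encoding of the secret, not the group.
P = 2**127 - 1
G = 5
KEY_LEN = (P.bit_length() + 7) // 8   # what DH_size() would report: 16 bytes


def minimal_bytes(n):
    """Mimic BN_bn2bin(): emit only the significant bytes, no leading zeros."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def buggy_export(secret, stale_buffer):
    """Copy the minimal encoding into a fixed-size buffer without computing a
    left-padding offset. Whatever the buffer held past len(enc) survives: that
    is the 'junk at the end of the key' (stale_buffer is constructed input)."""
    buf = bytearray(stale_buffer)
    enc = minimal_bytes(secret)
    buf[:len(enc)] = enc
    return bytes(buf)


def fixed_export(secret, size):
    """Fixed-width big-endian encoding, left-padded with zero bytes, which is
    what the peer expects when it hashes the shared secret."""
    return secret.to_bytes(size, "big")


def derive_key(shared):
    """Stand-in for the key derivation that consumes the exported secret."""
    return hashlib.sha256(shared).hexdigest()


def find_short_secret(seed=7):
    """Deterministically search for exponents whose shared secret has at least
    one leading zero byte (roughly 1 in 128 exchanges with this 127-bit
    modulus). Returns (a, b, shared)."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, P - 1)
        b = rng.randrange(2, P - 1)
        shared = pow(pow(G, a, P), b, P)
        if len(minimal_bytes(shared)) < KEY_LEN:
            return a, b, shared


def demo():
    """Both peers compute the same integer; only the export differs."""
    a, b, _ = find_short_secret()
    side_a = pow(pow(G, b, P), a, P)   # peer A: (g^b)^a
    side_b = pow(pow(G, a, P), b, P)   # peer B: (g^a)^b
    if side_a != side_b:
        raise RuntimeError("DH math broken, should never happen")
    # Each peer's scratch buffer holds different leftovers (constructed).
    stale_a = bytes([0xAA] * KEY_LEN)
    stale_b = bytes([0x55] * KEY_LEN)
    return {
        "buggy_a": derive_key(buggy_export(side_a, stale_a)),
        "buggy_b": derive_key(buggy_export(side_b, stale_b)),
        "fixed_a": derive_key(fixed_export(side_a, KEY_LEN)),
        "fixed_b": derive_key(fixed_export(side_b, KEY_LEN)),
    }


if __name__ == "__main__":
    r = demo()
    print("buggy export keys match:", r["buggy_a"] == r["buggy_b"])
    print("fixed export keys match:", r["fixed_a"] == r["fixed_b"])
```

Note that the buggy export is wrong even when the stale bytes happen to be zero, because the secret is shifted to the front of the buffer instead of being right-aligned; and since the failure only triggers when the secret has a leading zero byte, it shows up intermittently, which matches the "from time to time" behaviour reported in this thread.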



Re: isakmpd and INVALID_COOKIE

2011-07-08 Thread rancor
We are not using the tunnels for production use yet and have not started to
measure uptime, but we will do it soon. I have not noticed any problem when
I'm using the tunnels, only the messages.

However, I was recommended by Stuart to pull up src/sbin/isakmpd/dh.c to
1.14 since there is a bug that is fixed in current but that caused problems
from time to time with OpenBSD 4.8 and 4.9. I can send you the patch if you
find it hard to figure it out.

Best regards rancor
On 8 Jul 2011 14:24, "Tony Sarendal" wrote:



Re: isakmpd and INVALID_COOKIE

2011-07-08 Thread Tony Sarendal
On Mon, Jul 4, 2011 at 4:12 PM, rancor  wrote:

> Ah =) Thanks!
>
> // rancor
>
> 2011/7/4 Stuart Henderson :
> > On 2011-07-02, rancor  wrote:
> >> Hi.
> >>
> >> I have two separate ipsec tunnels from 4.9 boxes and both are
> >> generating this message in /var/log/messages once every hour or two
> >> Jul  2 08:14:54  isakmpd[28247]: message_recv: invalid
> >> cookie(s) 57603c2
> >> Jul  2 08:14:54  isakmpd[28247]: dropped message from
> >> x.x.x.x port 500 due to notification type INVALID_COOKIE
> >>
> >> The tunnels work perfectly but I still wonder why I got this message.
> >>
> >> This is my ipsec.conf on host x
> >> ike esp transport from x.x.x.x to y.y.y.y psk 
> >>
> >> and on host y
> >> ike esp transport from y.y.y.y to x.x.x.x psk 
> >>
> >> Any idea?
> >>
> >> Best regards rancor
> >>
> >>
> >
> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> > see problems from time to time.
>

Is this a cosmetic thing or does it affect connectivity ?

We are having issues with gaps in connectivity on our ipsec links with a
basic ike setup, an issue we're starting to look into now.

Regards Tony



Re: isakmpd and INVALID_COOKIE

2011-07-04 Thread rancor
Ah =) Thanks!

// rancor

2011/7/4 Stuart Henderson :
> On 2011-07-02, rancor  wrote:
>> Hi.
>>
>> I have two separate ipsec tunnels from 4.9 boxes and both are
>> generating this message in /var/log/messages once every hour or two
>> Jul  2 08:14:54  isakmpd[28247]: message_recv: invalid
>> cookie(s) 57603c2
>> Jul  2 08:14:54  isakmpd[28247]: dropped message from
>> x.x.x.x port 500 due to notification type INVALID_COOKIE
>>
>> The tunnels work perfectly but I still wonder why I got this message.
>>
>> This is my ipsec.conf on host x
>> ike esp transport from x.x.x.x to y.y.y.y psk 
>>
>> and on host y
>> ike esp transport from y.y.y.y to x.x.x.x psk 
>>
>> Any idea?
>>
>> Best regards rancor
>>
>>
>
> If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> see problems from time to time.



Re: isakmpd and INVALID_COOKIE

2011-07-04 Thread Stuart Henderson
On 2011-07-02, rancor  wrote:
> Hi.
>
> I have two separate ipsec tunnels from 4.9 boxes and both are
> generating this message in /var/log/messages once every hour or two
> Jul  2 08:14:54  isakmpd[28247]: message_recv: invalid
> cookie(s) 57603c2
> Jul  2 08:14:54  isakmpd[28247]: dropped message from
> x.x.x.x port 500 due to notification type INVALID_COOKIE
>
> The tunnels work perfectly but I still wonder why I got this message.
>
> This is my ipsec.conf on host x
> ike esp transport from x.x.x.x to y.y.y.y psk 
>
> and on host y
> ike esp transport from y.y.y.y to x.x.x.x psk 
>
> Any idea?
>
> Best regards rancor
>
>

If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
see problems from time to time.