Hello. I am trying to use an OpenBSD 4.3 box as the terminator of a VPN to a business partner, but we're having some problems. From time to time, my counterparty sees packets with an old SPI. This coincides with me seeing packets from my internal network going missing, trying to hit the default route out instead of being routed through the VPN, which leads me to suspect that the VPN tunnel gets torn down at that moment.
We suspect problems related to timing. We are trying to use a lifetime of 86400 seconds for phase 1 and 3600 seconds for phase 2. I have tried to specify this both using /etc/ipsec.conf and ipsecctl to drive isakmpd, and using /etc/isakmpd/isakmpd.conf directly, skipping ipsecctl. But I still see attribute LIFE_DURATION = 1200 in QUICK_MODE exchanges and 3600 in ID_PROT exchanges. What am I missing here? I'm at my wit's end; all suggestions welcome.

I include the configurations tried, and an excerpt of the isakmpd.pcap file that shows the problem I'm seeing. The report generated by SIGUSR1 shows the same as the tcpdump: lifetimes of 3600 and 1200 secs for main and quick mode, respectively. If there is any other information I can provide, please tell me. I don't know what system my counterparty is using for VPN, but I can probably find out, if it's relevant.

Also, please Cc me on replies, as I'm not subscribed to the list.

From ipsec.conf:
====================
ike esp from x.x.x.101/32 to y.y.y.0/24 peer z.z.z.1 \
    main auth hmac-sha1 enc 3des group modp1024 life 86400 \
    quick auth hmac-md5 enc 3des group none life 3600 \
    psk ***********************
====================

From isakmpd.conf (obviously, isakmpd.conf was not present when trying to use ipsec.conf and ipsecctl):
====================
[General]
Retransmits=            5
Listen-on=              x.x.x.90
Renegotiate-on-HUP=     yes

[Phase 1]
z.z.z.1=                peer-other

[Phase 2]
Connections=            VPN-other

[peer-other]
Phase=                  1
Address=                z.z.z.1
Configuration=          other-main-mode
Authentication=         ************************

[VPN-other]
Phase=                  2
ISAKMP-peer=            peer-other
Configuration=          other-quick-mode
Local-ID=               my-internal-net
Remote-ID=              other-subnet

[my-internal-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                x.x.x.101
Netmask=                255.255.255.255

[other-subnet]
ID-type=                IPV4_ADDR_SUBNET
Network=                y.y.y.0
Netmask=                255.255.255.0

[other-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA,3DES-MD5
Life=                   LIFE_86400_SECS

[other-quick-mode]
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE
Life=                   LIFE_3600_SECS

[LIFE_86400_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400,60:86400

[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,60:86400
====================

tcpdump of isakmpd.pcap shows (sorry about overlong lines):
====================
23:04:45.330914 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 152
    payload: HASH len: 24
    payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x58981dda
            payload: TRANSFORM len: 24 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 1200
                attribute ENCAPSULATION_MODE = TUNNEL
                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
    payload: NONCE len: 20
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = x.x.x.101/255.255.255.255
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = y.y.y.0/255.255.255.0
    [ttl 0] (id 1, len 180)
23:04:45.543109 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 164
    payload: HASH len: 24
    payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xeb872e73
            payload: TRANSFORM len: 24 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 1200
                attribute ENCAPSULATION_MODE = TUNNEL
                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
    payload: NONCE len: 24
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = x.x.x.101/255.255.255.255
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = y.y.y.0/255.255.255.0
    [ttl 0] (id 1, len 192)
23:04:45.560126 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 52
    payload: HASH len: 24
    [ttl 0] (id 1, len 80)
23:20:58.167788 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->0000000000000000 msgid: 00000000 len: 212
    payload: SA len: 84 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 72 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
            payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                attribute HASH_ALGORITHM = SHA
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 3600
            payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                attribute HASH_ALGORITHM = MD5
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 3600
    payload: VENDOR len: 20 (supports OpenBSD-4.0)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0)
    [ttl 0] (id 1, len 240)
23:20:58.221575 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                attribute HASH_ALGORITHM = SHA
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 3600
    [ttl 0] (id 1, len 108)
23:20:58.258323 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20
    [ttl 0] (id 1, len 208)
23:20:58.308611 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 184
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24
    [ttl 0] (id 1, len 212)
23:20:58.358365 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 64
    payload: ID len: 12 type: IPV4_ADDR = x.x.x.90
    payload: HASH len: 24
    [ttl 0] (id 1, len 92)
23:20:58.415426 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 68
    payload: ID len: 12 type: IPV4_ADDR = z.z.z.1
    payload: HASH len: 24
    [ttl 0] (id 1, len 96)
====================

...Peder...
-- 
Sløv uten dop. (Sluggish without dope.)
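Editor's added example, not part of the post above and not the poster's configuration. It rests on my reading of isakmpd.conf(5): the 3600 and 1200 seconds seen on the wire are the manual's documented defaults for Default-phase-1-lifetime and Default-phase-2-lifetime, and Life= is read from the transform sections (the main-mode transform and the quick-mode IPsec transform), not from the EXCHANGE_TYPE sections where the posted file puts it. Whether this layout resolves the poster's case was not confirmed in the thread, so treat it as an assumption to test. The section names ending in -1D and -1H are my own, chosen so they do not collide with the built-in 3DES-SHA, 3DES-MD5 and QM-ESP-3DES-MD5-SUITE sections; the peer and ID sections mirror the poster's.

```ini
# Added example (editor's, not the poster's file): isakmpd.conf with
# Life= in the sections where isakmpd.conf(5) reads it.

[General]
Retransmits=                5
Listen-on=                  x.x.x.90
Renegotiate-on-HUP=         yes
# Used for any transform that carries no Life= of its own, which
# (assumption) includes the transforms ipsecctl generates from
# ipsec.conf. Format: offered,min:max (seconds).
Default-phase-1-lifetime=   86400,60:86400
Default-phase-2-lifetime=   3600,60:86400

[Phase 1]
z.z.z.1=                    peer-other

[Phase 2]
Connections=                VPN-other

[peer-other]
Phase=                      1
Address=                    z.z.z.1
Configuration=              other-main-mode
Authentication=             ************************

[VPN-other]
Phase=                      2
ISAKMP-peer=                peer-other
Configuration=              other-quick-mode
Local-ID=                   my-internal-net
Remote-ID=                  other-subnet

[my-internal-net]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    x.x.x.101
Netmask=                    255.255.255.255

[other-subnet]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    y.y.y.0
Netmask=                    255.255.255.0

# Main mode: the exchange section only lists transforms. Life= goes
# inside each transform section (own names, so the built-in
# 3DES-SHA / 3DES-MD5 with their default lifetime are not used).
[other-main-mode]
EXCHANGE_TYPE=              ID_PROT
Transforms=                 3DES-SHA-1D,3DES-MD5-1D

[3DES-SHA-1D]
ENCRYPTION_ALGORITHM=       3DES_CBC
HASH_ALGORITHM=             SHA
AUTHENTICATION_METHOD=      PRE_SHARED
GROUP_DESCRIPTION=          MODP_1024
Life=                       LIFE_86400_SECS

[3DES-MD5-1D]
ENCRYPTION_ALGORITHM=       3DES_CBC
HASH_ALGORITHM=             MD5
AUTHENTICATION_METHOD=      PRE_SHARED
GROUP_DESCRIPTION=          MODP_1024
Life=                       LIFE_86400_SECS

# Quick mode: suite -> protocol -> IPsec transform. Life= goes on the
# IPsec transform section, the one whose attributes appear in the
# QUICK_MODE TRANSFORM payload in the tcpdump.
[other-quick-mode]
EXCHANGE_TYPE=              QUICK_MODE
Suites=                     QM-ESP-3DES-MD5-1H-SUITE

[QM-ESP-3DES-MD5-1H-SUITE]
Protocols=                  QM-ESP-3DES-MD5-1H

[QM-ESP-3DES-MD5-1H]
PROTOCOL_ID=                IPSEC_ESP
Transforms=                 QM-ESP-3DES-MD5-1H-XF

[QM-ESP-3DES-MD5-1H-XF]
TRANSFORM_ID=               3DES
ENCAPSULATION_MODE=         TUNNEL
AUTHENTICATION_ALGORITHM=   HMAC_MD5
Life=                       LIFE_3600_SECS

[LIFE_86400_SECS]
LIFE_TYPE=                  SECONDS
LIFE_DURATION=              86400,60:86400

[LIFE_3600_SECS]
LIFE_TYPE=                  SECONDS
LIFE_DURATION=              3600,60:86400
```

To check it, restart isakmpd (or send it SIGHUP, which with Renegotiate-on-HUP set re-keys) and look at the same two places the post already uses: the SIGUSR1 report and a tcpdump of isakmpd.pcap. The proposed LIFE_DURATION should read 86400 in the ID_PROT TRANSFORM payloads and 3600 in the QUICK_MODE ones. The value that ends up in force is the one the responder returns, so if the counterparty's reply still carries 1200, its own configuration is what caps the phase 2 lifetime and needs the matching change on that side.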