Hello.
I am trying to use an OpenBSD 4.3 box as the terminator of a VPN to a
business partner, but we're having some problems. From time to time,
my counterparty sees packets with an old SPI. This coincides with me
seeing packets from my internal network go missing as they try to hit
the default route out instead of being routed through the VPN, which
leads me to suspect that the VPN tunnel gets torn down at that moment.
We suspect problems related to timing. We are trying to use 86400
seconds lifetime for phase 1 and 3600 seconds for phase 2. I have
tried to specify this, both using /etc/ipsec.conf and ipsecctl to
drive isakmpd, and /etc/isakmpd/isakmpd.conf directly, skipping
ipsecctl.
But I still see attribute LIFE_DURATION = 1200 in QUICK_MODE
exchanges and 3600 in ID_PROT exchanges.
What am I missing here? I'm at my wit's end, all suggestions welcome.
I include the configurations tried, and an excerpt of the isakmpd.pcap
file that shows the problem I'm seeing. The report generated by
SIGUSR1 shows the same as the tcpdump: lifetimes of 3600 and 1200 secs
for main- and quick-mode, respectively.
If there is any other information I can provide, please tell me. I
don't know what system my counterparty is using for VPN, but I can
probably find out, if it's relevant.
Also, please Cc me on replies, as I'm not subscribed to the list.
From ipsec.conf:
====================
ike esp from x.x.x.101/32 to y.y.y.0/24 peer z.z.z.1 \
main auth hmac-sha1 enc 3des group modp1024 life 86400 \
quick auth hmac-md5 enc 3des group none life 3600 \
psk ***********************
====================
From isakmpd.conf (obviously, isakmpd.conf was not present when trying
to use ipsec.conf and ipsecctl):
====================
[General]
Retransmits= 5
Listen-on= x.x.x.90
Renegotiate-on-HUP= yes
[Phase 1]
z.z.z.1= peer-other
[Phase 2]
Connections= VPN-other
[peer-other]
Phase= 1
Address= z.z.z.1
Configuration= other-main-mode
Authentication= ************************
[VPN-other]
Phase= 2
ISAKMP-peer= peer-other
Configuration= other-quick-mode
Local-ID= my-internal-net
Remote-ID= other-subnet
[my-internal-net]
ID-type= IPV4_ADDR_SUBNET
Network= x.x.x.101
Netmask= 255.255.255.255
[other-subnet]
ID-type= IPV4_ADDR_SUBNET
Network= y.y.y.0
Netmask= 255.255.255.0
[other-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5
Life= LIFE_86400_SECS
[other-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE
Life= LIFE_3600_SECS
[LIFE_86400_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,60:86400
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
====================
tcpdump of isakmpd.pcap shows (sorry about overlong lines):
====================
23:04:45.330914 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
QUICK_MODE
cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 152
payload: HASH len: 24
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1
SPI: 0x58981dda
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 20
payload: ID len: 16 type: IPV4_ADDR_SUBNET = x.x.x.101/255.255.255.255
payload: ID len: 16 type: IPV4_ADDR_SUBNET = y.y.y.0/255.255.255.0 [ttl
0]
(id 1, len 180)
23:04:45.543109 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange
QUICK_MODE
cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 164
payload: HASH len: 24
payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1
SPI: 0xeb872e73
payload: TRANSFORM len: 24
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
payload: NONCE len: 24
payload: ID len: 16 type: IPV4_ADDR_SUBNET = x.x.x.101/255.255.255.255
payload: ID len: 16 type: IPV4_ADDR_SUBNET = y.y.y.0/255.255.255.0 [ttl
0]
(id 1, len 192)
23:04:45.560126 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
QUICK_MODE
cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 52
payload: HASH len: 24 [ttl 0] (id 1, len 80)
23:20:58.167788 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->0000000000000000 msgid: 00000000 len: 212
payload: SA len: 84 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 72 proposal: 1 proto: ISAKMP spisz: 0
xforms: 2
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 240)
23:20:58.221575 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 80
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600 [ttl 0] (id 1, len 108)
23:20:58.258323 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 [ttl 0] (id 1, len 208)
23:20:58.308611 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 [ttl 0] (id 1, len 212)
23:20:58.358365 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 64
payload: ID len: 12 type: IPV4_ADDR = x.x.x.90
payload: HASH len: 24 [ttl 0] (id 1, len 92)
23:20:58.415426 z.z.z.1.500 > x.x.x.90.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 8738f168feca5c5c->cf0a5997806dde8f msgid: 00000000 len: 68
payload: ID len: 12 type: IPV4_ADDR = z.z.z.1
payload: HASH len: 24 [ttl 0] (id 1, len 96)
====================
...Peder...
--
Slxv uten dop.
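As an added example (not code from the post, and not part of isakmpd or OpenBSD), a small Python checker for exactly the comparison the post makes by hand: it resolves the Life sections that an isakmpd.conf configuration points at, pulls the LIFE_DURATION attributes out of tcpdump's verbose isakmp output, and reports where the negotiated value differs from the configured one. It also knows the defaults documented in isakmpd.conf(5) (Default-phase-1-lifetime offers 3600 seconds, Default-phase-2-lifetime offers 1200 seconds), because a negotiated lifetime that equals the built-in default while the configuration says otherwise is the signature of a Life section that is never reached. The configuration and tcpdump excerpts embedded below are constructed from the post and trimmed to the relevant sections; the "exchange" / "QUICK_MODE" lines that were wrapped by the mailer are parsed token-wise, so the wrapping does not matter.

```python
"""Compare IKE lifetimes configured in isakmpd.conf with the ones actually
negotiated, as shown by 'tcpdump -vvv -r isakmpd.pcap' style output."""
import re
from collections import defaultdict

# Offered lifetimes isakmpd uses when no Life section applies, per the
# Default-phase-1-lifetime / Default-phase-2-lifetime entries of isakmpd.conf(5).
DEFAULT_LIFETIMES = {"ID_PROT": 3600, "QUICK_MODE": 1200}

# Constructed sample: the lifetime-related sections of the post's isakmpd.conf.
ISAKMPD_CONF = """\
[other-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5
Life= LIFE_86400_SECS
[other-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE
Life= LIFE_3600_SECS
[LIFE_86400_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,60:86400
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
"""

# Constructed sample: trimmed tcpdump excerpt from the post, wrapped lines kept.
TCPDUMP_OUT = """\
23:04:45.330914 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
QUICK_MODE
 cookie: 99a52e9f544cf112->9aeaa9d500dd1f88 msgid: 6d8579bb len: 152
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 1200
23:20:58.167788 x.x.x.90.500 > z.z.z.1.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 3600
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 3600 [ttl 0] (id 1, len 240)
"""


def parse_isakmpd_conf(text):
    """Parse '[section]' / 'Key= value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def configured_lifetimes(sections):
    """Return {exchange_type: offered_seconds} by following each configuration's
    Life= reference to its LIFE_DURATION 'offer,min:max' value."""
    result = {}
    for sec in sections.values():
        exch, life_ref = sec.get("EXCHANGE_TYPE"), sec.get("Life")
        if not exch or not life_ref:
            continue
        life = sections.get(life_ref, {})
        if life.get("LIFE_TYPE", "SECONDS") != "SECONDS":
            continue  # kilobyte lifetimes are not comparable to seconds
        offer = life.get("LIFE_DURATION", "").split(",")[0].strip()
        if offer.isdigit():
            result[exch] = int(offer)
    return result


def negotiated_lifetimes(text):
    """Return {exchange_type: {LIFE_DURATION values seen}} from verbose tcpdump
    isakmp output; the exchange name may sit on the line after 'exchange'."""
    seen, exch, tokens = defaultdict(set), None, text.split()
    for i, tok in enumerate(tokens):
        if tok == "exchange" and i + 1 < len(tokens):
            exch = tokens[i + 1]
        elif (tok == "LIFE_DURATION" and exch and i + 2 < len(tokens)
              and tokens[i + 1] == "=" and tokens[i + 2].isdigit()):
            seen[exch].add(int(tokens[i + 2]))
    return dict(seen)


def compare(configured, negotiated, defaults=DEFAULT_LIFETIMES):
    """Return (exchange, configured, negotiated, verdict) tuples."""
    findings = []
    for exch, want in sorted(configured.items()):
        got = negotiated.get(exch)
        if not got:
            findings.append((exch, want, None, "no LIFE_DURATION seen"))
            continue
        for value in sorted(got):
            if value == want:
                verdict = "ok"
            elif value == defaults.get(exch):
                verdict = "mismatch: built-in default, Life section not applied"
            else:
                verdict = "mismatch"
            findings.append((exch, want, value, verdict))
    return findings


if __name__ == "__main__":
    conf = configured_lifetimes(parse_isakmpd_conf(ISAKMPD_CONF))
    for exch, want, got, verdict in compare(conf, negotiated_lifetimes(TCPDUMP_OUT)):
        print(f"{exch:11s} configured={want:6d} negotiated={got!s:6s} {verdict}")
```

On the post's own excerpt both exchanges come back as "built-in default, Life section not applied", which is the question to chase (is the running isakmpd reading this file, and is the Life reference reachable from the configuration it actually uses) before suspecting the peer's timing.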