
ASL 5 <-> OpenBSD

I am trying to get a net-to-net VPN set up between isakmpd in OpenBSD and ASL 5 and I am having some problems.  The OpenBSD box is stating:
Default exchange_run: exchange_validate failed
Default dropped message from 172.16.107.2 port 500 due to notification type PAYLOAD_MALFORMED

And the output from ASL is:
000  
000 "S_CFCU_-_HAFP_0": 10.0.1.0/24===172.16.107.2...172.16.107.19[C=US, ST=Indiana, L=West Lafayette, O=HAFP, OU=IT, CN=test1.org, E=root@test2.org]===10.0.3.0/24
000 "S_CFCU_-_HAFP_0":   CAs: 'C=us, ST=Indiana, L=West Lafayette, O=CFCU, OU=IT, CN=gatekeeper, E=user@test.net'...'%any'
000 "S_CFCU_-_HAFP_0":   ike_life: 3600s; ipsec_life: 600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_CFCU_-_HAFP_0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "S_CFCU_-_HAFP_0":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "S_CFCU_-_HAFP_0":   IKE algorithms wanted: 5_000-2-2, flags=-strict
000 "S_CFCU_-_HAFP_0":   IKE algorithms found:  5_192-2_160-2, 
000 "S_CFCU_-_HAFP_0":   ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=-strict
000 "S_CFCU_-_HAFP_0":   ESP algorithms loaded: 3_168-1_128, 
000  
000 #2: "S_CFCU_-_HAFP_0" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 30s
000  

I will post the configs below...


  • OpenBSD Config:

    [General]
    Policy-File=            /etc/isakmpd/isakmpd.policy
    Retransmits=            5
    Exchange-max-time=      120
    Listen-on=              172.16.107.19
    [Phase 1]
    172.16.107.2=           cfcu-gw
    [Phase 2]
    Connections=            hafp-gw-cfcu-gw
    [cfcu-gw]
    Phase=                  1
    Transport=              udp
    Local-address=          172.16.107.19
    Address=                172.16.107.2
    ID=                     my-ID
    Configuration=          Default-main-mode
    [my-ID]
    # With RSA_SIG the peer checks this ID against the certificate it receives:
    # an FQDN ID must appear as a subjectAltName in the local certificate.
    ID-type=                FQDN
    Name=                   gateway.test.org
    [hafp-gw-cfcu-gw]
    Phase=                  2
    ISAKMP-peer=            cfcu-gw
    Configuration=          Default-quick-mode
    Local-ID=               Net-hafp
    Remote-ID=              Net-cfcu
    [Net-hafp]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.0.3.0
    Netmask=                255.255.255.0
    [Net-cfcu]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.0.1.0
    Netmask=                255.255.255.0
    [Default-main-mode]
    #DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-SHA,3DES-MD5
    [X509-certificates]
    CA-directory=           /etc/isakmpd/ca/
    Cert-directory=         /etc/isakmpd/certs/
    Private-key=            /etc/isakmpd/private/local.key
    [3DES-MD5]
    ENCRYPTION_ALGORITHM=   3DES_CBC
    HASH_ALGORITHM=         MD5
    AUTHENTICATION_METHOD=  RSA_SIG
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_3600_SECS #,LIFE_1000_KB
    [3DES-SHA]
    ENCRYPTION_ALGORITHM=   3DES_CBC
    HASH_ALGORITHM=         SHA
    AUTHENTICATION_METHOD=  RSA_SIG
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_3600_SECS
    [Default-quick-mode]
    EXCHANGE_TYPE=          QUICK_MODE
    # The second suite was a duplicate of the first; the 3DES-MD5 suite defined
    # below is the one that matches the ASL policy (3DES-CBC, MD5, PFS group 2).
    Suites=                 QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
    [QM-ESP-3DES-MD5-PFS-SUITE]
    Protocols=              QM-ESP-3DES-MD5-PFS
    [QM-ESP-3DES-MD5-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-3DES-MD5-PFS-XF
    [QM-ESP-3DES-MD5-PFS-XF]
    TRANSFORM_ID=           3DES
    ENCAPSULATION_MODE=     TUNNEL
    AUTHENTICATION_ALGORITHM=       HMAC_MD5
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_600_SECS
    [QM-ESP-AES-SHA-PFS-SUITE]
    Protocols=              QM-ESP-AES-SHA-PFS
    [QM-ESP-AES-MD5-PFS-SUITE]
    Protocols=              QM-ESP-AES-MD5-PFS
    [QM-ESP-AES-SHA-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-AES-SHA-PFS-XF
    [QM-ESP-AES-MD5-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-AES-MD5-PFS-XF
    [QM-ESP-AES-SHA-PFS-XF]
    TRANSFORM_ID=            AES
    ENCAPSULATION_MODE=      TUNNEL
    AUTHENTICATION_ALGORITHM=HMAC_SHA
    GROUP_DESCRIPTION=       MODP_1024
    Life=                    LIFE_600_SECS
    # Section name corrected: QM-ESP-AES-MD5-PFS above refers to it as
    # QM-ESP-AES-MD5-PFS-XF, so the original name left that reference dangling.
    [QM-ESP-AES-MD5-PFS-XF]
    TRANSFORM_ID=            AES
    ENCAPSULATION_MODE=      TUNNEL
    AUTHENTICATION_ALGORITHM=HMAC_MD5
    GROUP_DESCRIPTION=       MODP_1024
    Life=                    LIFE_600_SECS
    [LIFE_600_SECS]
    LIFE_TYPE=              SECONDS
    # isakmpd expects offer,min:max (as in LIFE_3600_SECS); "450/720" is not valid.
    LIFE_DURATION=          600,450:720
    [LIFE_3600_SECS]
    LIFE_TYPE=              SECONDS
    LIFE_DURATION=          3600,1800:7200
  • IPSec Connection CFCU - HAFP
    Type: Standard
    IPSec Policy: HAFP
    Auto Packet Filter: On
    Strict Routing: On
    Local Endpoint: Outside
    Remote Endpoint: HAFP Outside
    Local Subnet: Internal (Network)
    Remote Subnet: HAFP Internal
    Key: X509: HAFP

    Policy:

    IKE Mode: Main Mode
    Encryption Algorithm: 3DES 168bit
    Authentication Algorithm: MD5 128bit
    IKE DH Group: DH Group 2 (MODP1024)
    SA Lifetime (secs): 3600
    IPSec Mode: Tunnel
    IPSec Protocol: ESP
    Encryption Algorithm: 3DES-CBC 168bit
    Enforce Algorithms: Off
    Authentication Algorithm: MD5 128bit
    SA Lifetime (secs): 600
    PFS: PFS Group 2 (MODP1024)
    Compression: Off

    I am trying to set these up with certificates and I believe the certs should be fine.  Any ideas?
  • I'm not an IPsec guru, but it seems to be complaining that your BSD's IPsec algorithm is stale (and the BSD appears to be insisting on talking that version). Is your BSD's IPsec the latest and greatest?
  • I am pretty sure it is.  I am not the one who has set up that machine but I will double check and post his response as soon as I get it.
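As an added example (not from the thread, nor from OpenBSD or Astaro), a small Python checker for the isakmpd.conf format posted above: it parses the sections, reports references to sections that are never defined (the kind of mismatch a misnamed transform section produces), and reports LIFE_DURATION values that are not in isakmpd's offer,min:max form. The SAMPLE excerpt is constructed from the posted config, trimmed to the lines the checks exercise.

```python
import re

# Keys whose values name other sections ([Phase 1] values also name peer sections).
REF_KEYS = {"Transforms", "Suites", "Protocols", "Life", "Configuration",
            "ID", "Local-ID", "Remote-ID", "ISAKMP-peer", "Connections"}

def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' starts a comment, as in isakmpd.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def dangling_refs(sections):
    """(section, key, target) for every reference to a section that is not defined."""
    missing = []
    for name, body in sections.items():
        for key, value in body.items():
            if key in REF_KEYS or name == "Phase 1":
                targets = [t.strip() for t in value.split(",") if t.strip()]
                missing += [(name, key, t) for t in targets if t not in sections]
    return missing

def bad_lifetimes(sections):
    """(section, value) where LIFE_DURATION is not 'n' or 'n,min:max'."""
    ok = re.compile(r"^\d+(,\d+:\d+)?$")
    return [(n, b["LIFE_DURATION"]) for n, b in sections.items()
            if "LIFE_DURATION" in b and not ok.match(b["LIFE_DURATION"])]

# Constructed excerpt modelled on the posted config (trimmed to what the checks use).
SAMPLE = """\
[Phase 1]
172.16.107.2=  cfcu-gw
[cfcu-gw]
Configuration= Default-main-mode
[Default-main-mode]
Transforms=    3DES-MD5 #,3DES-SHA
[3DES-MD5]
Life=          LIFE_600_SECS
[QM-ESP-AES-MD5-PFS]
Transforms=    QM-ESP-AES-MD5-PFS-XF
[LIFE_600_SECS]
LIFE_DURATION= 600,450/720
"""
```

Run `dangling_refs(parse_isakmpd_conf(open("/etc/isakmpd/isakmpd.conf").read()))` on a real file to list every section name that is referenced but never defined.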