List:       openbsd-misc
Subject:    Re: VPN troubleshooting help request.
From:       Dag Richards <dagrichards () speakeasy ! net>
Date:       2008-07-31 14:15:48
Message-ID: 4891C914.70902 () speakeasy ! net

Are you using preshared keys?
Your policy seems to imply that you are, but you do not seem to have 
your passphrases in the correct place.

I think the line should be more like this

Licensees:  "passphrase:properpasswd"  || "passphrase:otherproperpasswd"

Though the debug output does imply that it is finding your password 
correctly.

I have had the CISCO's be very finicky, certain IOS's seem to only 
work with md5 and others sha as the hashing algorithms.

run

tcpdump -nvs1400 port 500

or turn on pcap
and do this
tcpdump -nvs 1500 -r /var/run/isakmpd.pcap

You then can observe the negotiations and compare what the running 
config on CIZCOE is doing to what the config says it should.



nuffnough wrote:
> Hi,  a client with a cisco device is attempting to set up a VPN to my
> OBSD 4.3 firewall.
> 
> Phase 1 is okay,  but phase 2 fails.   It says it fails the policy
> check.  But...  Checking through everything in the policy against the
> debug it seems like it conforms to the policy to me.  Are there other
> things that might cause it to fail the policy check?
> 
> The policy entry has matches for everything in it within this
> negotiation. I sure would appreciate it if you could help me figure
> out what it doesn't like about my policy.
> 
> TIA
> 
> nuffi
> 
> 
> Debug output looks like this:
> 
> 
> 194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
> 194907.101668 Plcy 40 check_policy: adding authorizer
> [passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
> 194907.101684 Plcy 40 check_policy: adding authorizer
> [passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
> 194907.102199 Plcy 80 Policy context (action attributes):
> 194907.102222 Plcy 80 esp_present == yes
> 194907.102235 Plcy 80 ah_present == no
> 194907.102248 Plcy 80 comp_present == no
> 194907.102259 Plcy 80 ah_hash_alg ==
> 194907.102271 Plcy 80 esp_enc_alg == 3des
> 194907.102283 Plcy 80 comp_alg ==
> 194907.102295 Plcy 80 ah_auth_alg ==
> 194907.102307 Plcy 80 esp_auth_alg == hmac-md5
> 194907.102318 Plcy 80 ah_life_seconds ==
> 194907.102330 Plcy 80 ah_life_kbytes ==
> 194907.102342 Plcy 80 esp_life_seconds == 1200
> 194907.102353 Plcy 80 esp_life_kbytes ==
> 194907.102365 Plcy 80 comp_life_seconds ==
> 194907.102377 Plcy 80 comp_life_kbytes ==
> 194907.102389 Plcy 80 ah_encapsulation ==
> 194907.102400 Plcy 80 esp_encapsulation == tunnel
> 194907.102413 Plcy 80 comp_encapsulation ==
> 194907.102425 Plcy 80 comp_dict_size ==
> 194907.102436 Plcy 80 comp_private_alg ==
> 194907.102448 Plcy 80 ah_key_length ==
> 194907.102460 Plcy 80 ah_key_rounds ==
> 194907.102472 Plcy 80 esp_key_length ==
> 194907.102483 Plcy 80 esp_key_rounds ==
> 194907.102495 Plcy 80 ah_group_desc ==
> 194907.102507 Plcy 80 esp_group_desc == 2
> 194907.102519 Plcy 80 comp_group_desc ==
> 194907.102531 Plcy 80 ah_ecn == no
> 194907.102543 Plcy 80 esp_ecn == no
> 194907.102555 Plcy 80 comp_ecn == no
> 194907.102567 Plcy 80 remote_filter_type == IPv4 address
> 194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
> 194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
> 194907.102604 Plcy 80 remote_filter == 010.005.010.022
> 194907.102616 Plcy 80 remote_filter_port == 0
> 194907.102628 Plcy 80 remote_filter_proto == 0
> 194907.102640 Plcy 80 local_filter_type == IPv4 address
> 194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
> 194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
> 194907.102676 Plcy 80 local_filter == 172.030.020.217
> 194907.102688 Plcy 80 local_filter_port == 0
> 194907.102700 Plcy 80 local_filter_proto == 0
> 194907.102713 Plcy 80 remote_id_type == IPv4 address
> 194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
> 194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
> 194907.102750 Plcy 80 remote_id == 195.022.200.170
> 194907.102762 Plcy 80 remote_id_port == 500
> 194907.102774 Plcy 80 remote_id_proto == udp
> 194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
> 194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
> 194907.102830 Plcy 80 pfs == yes
> 194907.102842 Plcy 80 initiator == yes
> 194907.102854 Plcy 80 phase1_group_desc == 2
> 194907.103881 Plcy 40 check_policy: kn_do_query returned 0
> 194907.104093 Default check_policy: negotiated SA failed policy check
> 194907.104123 Default dropped message from 195.022.200.170 port 500
> due to notification type NO_PROPOSAL_CHOSEN
> 
> The policy entry looks like this:
> 
> Comment: #############################################################
> Comment: Cisco box
> 
> Authorizer: "POLICY"
> Licensees:
> Comment:        "passphrase:properpassphrase"
>         "passphrase:123456789"
> Conditions:
>         app_domain == "IPsec policy" && doi == "ipsec" &&
>         remote_negotiation_address == "195.022.200.170" &&
>         esp_present == "yes" &&
>         esp_enc_alg == "3des" &&
>         esp_auth_alg == "hmac-md5" &&
>         local_filter_type == "IPv4 address" &&
>         (
>                 local_filter == "192.168.020.217"
>         ) &&
>         remote_filter_type == "IPv4 address" &&
>         (
>                 remote_filter == "010.005.010.022"
>         )
>         -> "true";

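The comparison both posters are doing by eye, done mechanically. This is an added example and not code from either message or from isakmpd: it parses the "Plcy 80" action-attribute lines that isakmpd's policy debugging prints, then tests each clause of the quoted policy's Conditions against them the way KeyNote does, as a plain string comparison (which is why the dump zero-pads every octet; "10.5.10.22" would not match "010.005.010.022"). The evaluator only handles the flat `&&` of `==` clauses this policy uses, not full KeyNote syntax, and leaves out app_domain and doi, which isakmpd sets itself and does not dump. The sample dump below is constructed from the attribute lines quoted above; run against them it reports local_filter, whose dumped value is 172.030.020.217 while the policy requires 192.168.020.217.

```python
import re

# Constructed sample: the "Plcy 80" action-attribute lines quoted in the thread,
# trimmed to the attributes the policy's Conditions actually test (plus one
# empty attribute and the header line, to show the parser copes with them).
DEBUG_DUMP = """\
194907.102199 Plcy 80 Policy context (action attributes):
194907.102222 Plcy 80 esp_present == yes
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
"""

# The Conditions clause of the quoted policy as (attribute, required value)
# pairs. app_domain and doi are omitted: isakmpd supplies them itself and
# they never appear in the attribute dump.
POLICY_CONDITIONS = [
    ("remote_negotiation_address", "195.022.200.170"),
    ("esp_present", "yes"),
    ("esp_enc_alg", "3des"),
    ("esp_auth_alg", "hmac-md5"),
    ("local_filter_type", "IPv4 address"),
    ("local_filter", "192.168.020.217"),
    ("remote_filter_type", "IPv4 address"),
    ("remote_filter", "010.005.010.022"),
]

# "<timestamp> Plcy <level> <attribute> == <value>"; the value may be empty.
ATTR_RE = re.compile(r"^\S+\s+Plcy\s+\d+\s+(\w+)\s*==\s*(.*?)\s*$")


def parse_attributes(dump):
    """Return {attribute: value} from isakmpd 'Plcy 80' debug lines.
    Lines that are not of the form 'name == value' (such as the
    'Policy context' header) are ignored."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_conditions(attrs, conditions):
    """Evaluate a flat AND of '==' clauses as KeyNote would: every required
    value must equal the dumped value as a string. Returns a list of
    (attribute, required, actual) for each clause that fails, with actual
    set to None when the attribute was not dumped at all. An empty list
    means the negotiated SA would pass this policy."""
    failures = []
    for name, required in conditions:
        actual = attrs.get(name)
        if actual != required:
            failures.append((name, required, actual))
    return failures


if __name__ == "__main__":
    attrs = parse_attributes(DEBUG_DUMP)
    for name, required, actual in check_conditions(attrs, POLICY_CONDITIONS):
        print(f"{name}: policy requires {required!r}, negotiation has {actual!r}")
```

To use it on a live box, paste the "Plcy 80" block from the isakmpd debug output into DEBUG_DUMP and transcribe your own Conditions into POLICY_CONDITIONS; any clause it lists is one kn_do_query will reject. Note that it checks only the attributes a clause names, so a policy that passes here can still fail on a clause the translation left out.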