List: openbsd-misc
Subject: Re: VPN troubleshooting help request.
From: Dag Richards <dagrichards () speakeasy ! net>
Date: 2008-07-31 14:15:48
Message-ID: 4891C914.70902 () speakeasy ! net
Are you using preshared keys?
Your policy seems to imply that you are, but you do not seem to have
your passphrases in the correct place.
I think the line should be more like this
Licensees: "passphrase:properpasswd" || "passphrase:otherproperpasswd"
Though the debug output does imply that it is finding your password
correctly.
I have had the CISCO's be very finicky, certain IOS's seem to only
work with md5 and others sha as the hashing algorithms
run
tcpdump -nvs1400 port 500
or turn on pcap
and do this
tcpdump -nvs 1500 -r /var/run/isakmpd.pcap
You then can observe the negotiations and compare what the running
config on CIZCOE is doing to what the config says it should.
nuffnough wrote:
> Hi, a client with a cisco device is attempting to set up a VPN to my
> OBSD 4.3 firewall.
>
> Phase 1 is okay, but phase 2 fails. It says it fails the policy
> check. But... Checking through everything in the policy against the
> debug it seems like it conforms to the policy to me. Are there other
> things that might cause it to fail the policy check?
>
> The policy entry has matches for everything in it within this
> negotiation. I sure would appreciate it if you could help me figure
> out what it doesn't like about my policy.
>
> TIA
>
> nuffi
>
>
> Debug output looks like this:
>
>
> 194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
> 194907.101668 Plcy 40 check_policy: adding authorizer
> [passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
> 194907.101684 Plcy 40 check_policy: adding authorizer
> [passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
> 194907.102199 Plcy 80 Policy context (action attributes):
> 194907.102222 Plcy 80 esp_present == yes
> 194907.102235 Plcy 80 ah_present == no
> 194907.102248 Plcy 80 comp_present == no
> 194907.102259 Plcy 80 ah_hash_alg ==
> 194907.102271 Plcy 80 esp_enc_alg == 3des
> 194907.102283 Plcy 80 comp_alg ==
> 194907.102295 Plcy 80 ah_auth_alg ==
> 194907.102307 Plcy 80 esp_auth_alg == hmac-md5
> 194907.102318 Plcy 80 ah_life_seconds ==
> 194907.102330 Plcy 80 ah_life_kbytes ==
> 194907.102342 Plcy 80 esp_life_seconds == 1200
> 194907.102353 Plcy 80 esp_life_kbytes ==
> 194907.102365 Plcy 80 comp_life_seconds ==
> 194907.102377 Plcy 80 comp_life_kbytes ==
> 194907.102389 Plcy 80 ah_encapsulation ==
> 194907.102400 Plcy 80 esp_encapsulation == tunnel
> 194907.102413 Plcy 80 comp_encapsulation ==
> 194907.102425 Plcy 80 comp_dict_size ==
> 194907.102436 Plcy 80 comp_private_alg ==
> 194907.102448 Plcy 80 ah_key_length ==
> 194907.102460 Plcy 80 ah_key_rounds ==
> 194907.102472 Plcy 80 esp_key_length ==
> 194907.102483 Plcy 80 esp_key_rounds ==
> 194907.102495 Plcy 80 ah_group_desc ==
> 194907.102507 Plcy 80 esp_group_desc == 2
> 194907.102519 Plcy 80 comp_group_desc ==
> 194907.102531 Plcy 80 ah_ecn == no
> 194907.102543 Plcy 80 esp_ecn == no
> 194907.102555 Plcy 80 comp_ecn == no
> 194907.102567 Plcy 80 remote_filter_type == IPv4 address
> 194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
> 194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
> 194907.102604 Plcy 80 remote_filter == 010.005.010.022
> 194907.102616 Plcy 80 remote_filter_port == 0
> 194907.102628 Plcy 80 remote_filter_proto == 0
> 194907.102640 Plcy 80 local_filter_type == IPv4 address
> 194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
> 194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
> 194907.102676 Plcy 80 local_filter == 172.030.020.217
> 194907.102688 Plcy 80 local_filter_port == 0
> 194907.102700 Plcy 80 local_filter_proto == 0
> 194907.102713 Plcy 80 remote_id_type == IPv4 address
> 194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
> 194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
> 194907.102750 Plcy 80 remote_id == 195.022.200.170
> 194907.102762 Plcy 80 remote_id_port == 500
> 194907.102774 Plcy 80 remote_id_proto == udp
> 194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
> 194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
> 194907.102830 Plcy 80 pfs == yes
> 194907.102842 Plcy 80 initiator == yes
> 194907.102854 Plcy 80 phase1_group_desc == 2
> 194907.103881 Plcy 40 check_policy: kn_do_query returned 0
> 194907.104093 Default check_policy: negotiated SA failed policy check
> 194907.104123 Default dropped message from 195.022.200.170 port 500
> due to notification type NO_PROPOSAL_CHOSEN
>
> The policy entry looks like this:
>
> Comment: #############################################################
> Comment: Cisco box
>
> Authorizer: "POLICY"
> Licensees:
> Comment: "passphrase:properpassphrase"
> "passphrase:123456789"
> Conditions:
> app_domain == "IPsec policy" && doi == "ipsec" &&
> remote_negotiation_address == "195.022.200.170" &&
> esp_present == "yes" &&
> esp_enc_alg == "3des" &&
> esp_auth_alg == "hmac-md5" &&
> local_filter_type == "IPv4 address" &&
> (
> local_filter == "192.168.020.217"
> ) &&
> remote_filter_type == "IPv4 address" &&
> (
> remote_filter == "010.005.010.022"
> )
> -> "true";
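As an added example (not code from either poster), a small Python checker that parses the "Plcy 80" context lines isakmpd prints at debug level and evaluates the equality tests from the quoted KeyNote policy against them. The log lines and conditions below are copied from the thread, so running it names the attribute that the negotiation does not satisfy.

```python
import re
from typing import Dict, List, Tuple

# Subset of the isakmpd "Plcy 80" context lines quoted in the thread (constructed sample).
DEBUG_LOG = """\
194907.102222 Plcy 80 esp_present == yes
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
"""

# The equality tests from the quoted policy's Conditions: clause (app_domain and doi
# are not printed in the context dump, so they are left out here).
POLICY_CONDITIONS = {
    "remote_negotiation_address": "195.022.200.170",
    "esp_present": "yes",
    "esp_enc_alg": "3des",
    "esp_auth_alg": "hmac-md5",
    "local_filter_type": "IPv4 address",
    "local_filter": "192.168.020.217",
    "remote_filter_type": "IPv4 address",
    "remote_filter": "010.005.010.022",
}

# "<timestamp> Plcy 80 <attribute> == <value>", where <value> may be empty.
CONTEXT_RE = re.compile(r"^\S+\s+Plcy 80\s+(\w+)\s*==\s*(.*)$")

def parse_context(log: str) -> Dict[str, str]:
    """Map attribute -> value from the Plcy 80 lines; unset attributes map to ''."""
    ctx: Dict[str, str] = {}
    for line in log.splitlines():
        m = CONTEXT_RE.match(line.strip())
        if m:
            ctx[m.group(1)] = m.group(2).strip()
    return ctx

def check_policy(ctx: Dict[str, str], conditions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (attribute, policy_value, negotiated_value) for each condition that fails.
    KeyNote evaluates an attribute missing from the context as the empty string."""
    return [(attr, want, ctx.get(attr, ""))
            for attr, want in conditions.items() if ctx.get(attr, "") != want]

if __name__ == "__main__":
    for attr, want, got in check_policy(parse_context(DEBUG_LOG), POLICY_CONDITIONS):
        print(f"{attr}: policy requires {want!r}, negotiation offers {got!r}")
```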