Upgrade to 3.7 and VPN no longer works

Sat, 18 Jun 2005 21:41:53 -0700

I just upgraded my firewall to 3.7, but I've found my VPN is now not working. I keep seeing "NAT detected" messages, but both machines have real IPs so it doesn't make sense. The client machine is a 3.6 install, and the server machine was a 3.4 machine which I used the media CD to upgrade. I've also checked out the latest src tree and recompiled both the kernel and the binaries on the newly installed 3.7 machine, but same problem persists.
I'm getting to where I think reinstalling the machine with 3.6 is the way to go, anyone got any ideas ? is this a simple conf problem ? help ? 

isakmpd output, and conf files are transcribed below

Cheers
Dave

Server side :
--------------

isakmpd output :
----------------


115833.011175 Timr 10 timer_add_event: event 
exchange_free_aux(0x3c065a00) added last, expiration in 120s
115833.011409 Exch 10 exchange_setup_p1: 0x3c065a00 Dors-peer 
OpenBSD-main-mode policy responder phase 1 doi 1 exchange 2 step 0
115833.011463 Exch 10 exchange_setup_p1: icookie faca10932e1a71b0 
rcookie b5e563b3774c4389

115833.011509 Exch 10 exchange_setup_p1: msgid 00000000

115833.011574 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer 
detected

115833.011633 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
115833.011684 Misc 30 ipsec_responder: phase 1 exchange 2 step 0

115833.011749 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 
1 ok

115833.011859 Negt 20 ike_phase_1_validate_prop: success
115833.011907 Negt 30 message_negotiate_sa: proposal 1 succeeded
115833.011954 Misc 20 ipsec_decode_transform: transform 0 chosen
115833.012014 Exch 10 exchange_run: unexpected payload VENDOR
115833.012061 Exch 10 exchange_run: unexpected payload VENDOR
115833.012120 Misc 30 ipsec_responder: phase 1 exchange 2 step 1

115833.012270 Trpt 30 transport_send_messages: message 0x3c069480 
scheduled for retransmission 1 in 7 secs
115833.012325 Timr 10 timer_add_event: event 
message_send_expire(0x3c069480) added before 
exchange_free_aux(0x3c065a00), expiration in 7s

115833.220797 Mesg 20 message_free: freeing 0x3c069480

115833.220854 Timr 10 timer_remove_event: removing event 
message_send_expire(0x3c069480)

115833.220907 Misc 30 ipsec_responder: phase 1 exchange 2 step 2

115833.220977 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're 
behind it

115833.221026 Mesg 20 message_free: freeing 0x3c069380
115833.221086 Misc 30 ipsec_responder: phase 1 exchange 2 step 3

115833.231526 Trpt 30 transport_send_messages: message 0x3c069380 
scheduled for retransmission 1 in 7 secs
115833.231600 Timr 10 timer_add_event: event 
message_send_expire(0x3c069380) added before 
exchange_free_aux(0x3c065a00), expiration in 7s
115840.240055 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c069380)
115840.240244 Trpt 30 transport_send_messages: message 0x3c069380 
scheduled for retransmission 2 in 9 secs
115840.240298 Timr 10 timer_add_event: event 
message_send_expire(0x3c069380) added before 
exchange_free_aux(0x3c065a00), expiration in 9s
115849.250013 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c069380)
115849.250211 Trpt 30 transport_send_messages: message 0x3c069380 
scheduled for retransmission 3 in 11 secs
115849.250273 Timr 10 timer_add_event: event 
message_send_expire(0x3c069380) added before 
exchange_free_aux(0x3c065a00), expiration in 11s
115900.260012 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c069380)
115900.260204 Default transport_send_messages: giving up on message 
0x3c069380, exchange Dors-peer
115900.260265 Default transport_send_messages: either this message did 
not reach the other peer
115900.260312 Default transport_send_messages: or this is an attempted 
IKE scan

115900.260369 Mesg 20 message_free: freeing 0x3c069380

server isakmpd.conf :
---------------------

##############################
# Phase 1
##############################
[Phase 1]
<CLIENTIP>   = Dors-peer

##############################
# Phase 2
##############################
[Phase 2]
Passive-connections = Dors-connection


#############################
# Phase 1 Peers
#############################
[Dors-peer]
Phase           = 1
Configuration   = OpenBSD-main-mode
Address         = <CLIENTIP>
Authentication  = mypassphrase


##############################
# Phase 2 Connections
##############################
[Dors-connection]
Phase           = 2
ISAKMP-peer     = Dors-peer
Configuration   = OpenBSD-quick-mode
Local-ID        = Sydney-net
Remote-ID       = PA-net


##############################
# Phase 2 Host ID's
##############################
[Sydney-net]
ID-type=        IPV4_ADDR_SUBNET
Network=        <SYDNEYNET>
Netmask=        255.255.252.0

[PA-net]
ID-type=        IPV4_ADDR_SUBNET
Network=        <PANET>
Netmask=        255.255.255.0

Client:
-------

125747.300124 Timr 10 timer_handle_expirations: event 
connection_checker(0x3c1eabf0)
125747.300245 Timr 10 timer_add_event: event 
connection_checker(0x3c1eabf0) added last, expiration in 60s
125747.300389 Timr 10 timer_add_event: event 
exchange_free_aux(0x3c067800) added last, expiration in 120s
125747.300579 Exch 10 exchange_establish_p1: 0x3c067800 Hiro-peer 
OpenBSD-main-mode policy initiator phase 1 doi 1 exchange 2 step 0
125747.300637 Exch 10 exchange_establish_p1: icookie 733b6d2ed3cca4c4 
rcookie 0000000000000000

125747.300709 Exch 10 exchange_establish_p1: msgid 00000000

125747.300973 Trpt 30 transport_send_messages: message 0x3c06b380 
scheduled for retransmission 1 in 7 secs
125747.301054 Timr 10 timer_add_event: event 
message_send_expire(0x3c06b380) added before 
connection_checker(0x3c1eabf0), expiration in 7s
125754.310011 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c06b380)
125754.310216 Trpt 30 transport_send_messages: message 0x3c06b380 
scheduled for retransmission 2 in 9 secs
125754.310291 Timr 10 timer_add_event: event 
message_send_expire(0x3c06b380) added before 
connection_checker(0x3c1eabf0), expiration in 9s
125758.093052 Default message_recv: invalid cookie(s) c4a6bfcf545a4ded 
5ddd2d411d183af2
125758.093177 Default dropped message from <MYIPADDRESS> port 500 due to 
notification type INVALID_COOKIE
125758.093260 Timr 10 timer_add_event: event 
exchange_free_aux(0x3c067d00) added last, expiration in 120s
125758.093342 Exch 10 exchange_establish_p1: 0x3c067d00 <unnamed> <no 
policy> policy initiator phase 1 doi 0 exchange 5 step 0
125758.093397 Exch 10 exchange_establish_p1: icookie a09e4c0106786847 
rcookie 0000000000000000

125758.093472 Exch 10 exchange_establish_p1: msgid 00000000
125758.093592 Mesg 20 message_free: freeing 0x3c06b480

125758.093707 Exch 10 exchange_finalize: 0x3c067d00 <unnamed> <no 
policy> policy initiator phase 1 doi 0 exchange 5 step 1
125758.093761 Exch 10 exchange_finalize: icookie a09e4c0106786847 
rcookie 0000000000000000

125758.093840 Exch 10 exchange_finalize: msgid 00000000

125758.093907 Timr 10 timer_remove_event: removing event 
exchange_free_aux(0x3c067d00)

125758.093976 Mesg 20 message_free: freeing 0x3c06b500

125803.320016 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c06b380)
125803.320212 Trpt 30 transport_send_messages: message 0x3c06b380 
scheduled for retransmission 3 in 11 secs
125803.320289 Timr 10 timer_add_event: event 
message_send_expire(0x3c06b380) added before 
connection_checker(0x3c1eabf0), expiration in 11s
125814.330015 Timr 10 timer_handle_expirations: event 
message_send_expire(0x3c06b380)
125814.330245 Default transport_send_messages: giving up on message 
0x3c06b380, exchange Hiro-peer
125814.330308 Default transport_send_messages: either this message did 
not reach the other peer
125814.330382 Default transport_send_messages: or the responsemessage 
did not reach us back

125814.330453 Mesg 20 message_free: freeing 0x3c06b380


client isakmpd.conf :
---------------------
##############################
# Phase 1
##############################
[Phase 1]
<SERVERIP>   = Hiro-peer


##############################
# Phase 2
##############################
[Phase 2]
Connections = Hiro-connection


#############################
# Phase 1 Peers
#############################
[Hiro-peer]
Phase           = 1
Configuration   = OpenBSD-main-mode
Address         = <SERVERIP>
Authentication  = mypassphrase


##############################
# Phase 2 Connections
##############################
[Hiro-connection]
Phase           = 2
ISAKMP-peer     = Hiro-peer
Configuration   = OpenBSD-quick-mode
Local-ID        = PA-net
Remote-ID       = Sydney-net


##############################
# Phase 2 Host ID's
##############################
[Sydney-net]
ID-type=        IPV4_ADDR_SUBNET
Network=        <SYDNEYNET>
Netmask=        255.255.252.0


[PA-net]
ID-type=        IPV4_ADDR_SUBNET
Network=        <PANET>
Netmask=        255.255.255.0























					Reply via email to