ultraslacker
November 15th, 2004, 17:10
Running obsd 3.5 with pf and isakmpd which doesn't like some setting. Starting isakmpd with some debugging gives the following -

"Trpt 50 udp_init: not binding ISAKMP UDP port to INADDR_ANY"

Why the hell not??

I have made the changes for runtime -

sysctl -w net.inet.gre.allow=1
sysctl -w net.inet.esp.enable=1

Different isakmpd.conf's give me the same error, while trying the same isakmpd.conf on another obsd 3.5 box does not. I've tried with pf enabled and disabled. The problem box is using pseudo device enc0. I've been following this howto (http://www.drijf.net/vpn/) as a rough guide - it's for a client setup, but I thought it would suit my purposes.

elmore
November 15th, 2004, 20:16
Could you please post the isakmpd.conf files? Also Kernel_Killer has a good how-to on this in our how-to section. :) BTW, Welcome to S.E.!

ultraslacker
November 16th, 2004, 12:07
Thanks for the reply, Elmore.

Okay, I get the error on the other box also, so maybe it is not the problem. It happens as long as I specify udp for the transport. Here's the current flavor of the isakmpd.conf, a la howto by Kernel_Killer:

[General]
Listen-on= 10.0.1.180
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/isakmpd.policy

[Phase 1]
Default= ISAKMP-peer-default

[Phase 2]
Passive-connections= IPsec-vpn-client1

[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode


[client1@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase

[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client1

[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.180
Netmask= 255.255.255.0


[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.179
Netmask= 255.255.255.0

[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


On the client I'm attempting to get racoon talking to the obsd. I've gotten as far as creating the x.509 certs and piecing together a racoon.conf - I'll post it shortly.

Kernel_Killer
November 16th, 2004, 23:40
Racoon should be a fun one to incorporate. Only issue would be setting the SA's explicitly, but nothing an ipsec.conf won't fix (or at least from what I've read).

Here's (http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html#Interop1) a nice how-to I bookmarked for such an occasion. This person took an OpenBSD concentrator, and had a racoon client, a FreeS/WAN client, KAME client, and a PGPNet client all connecting to it. Should help you out quite a bit with your setup.

ultraslacker
November 17th, 2004, 20:05
I'm getting closer, at least now racoon's talking to isakmpd but fails in phase 1 because of a CERT problem. x.509 certificates have been created - I'm going to go through that process again, it's likely I missed something.

racoon debugging -
Nov 17 16:18:03 apostate racoon: DEBUG: begin.
Nov 17 16:18:03 apostate racoon: DEBUG: seen nptype=5(id)
Nov 17 16:18:03 apostate racoon: DEBUG: seen nptype=9(sig)
Nov 17 16:18:03 apostate racoon: DEBUG: succeed.
Nov 17 16:18:03 apostate racoon: DEBUG: SIGN passed:
Nov 17 16:18:03 apostate racoon: DEBUG: 5840b40d 42130050 ac835412 9f6c2083 a46133fb c9951ae2 c5a7a74d e9b28474 ab769256 c0a31d32 5b15a2e0 736750c8 a3358c24 0b4a9e1e 4ece546b 8ba469dc 44057cdd ec585508 49575b11 e8f57530 97e9c5b3 3da2095c 4efddb94 295e2f1d 5587eb59 7baa6d6b cb3e8ad2 721cd226 7db77bd4 c463132e b7b68d81 ce7da628
Nov 17 16:18:03 apostate racoon: ERROR: no peer's CERT payload found.

isakmpd log snippet -
162322.083750 Misc 95 conf_get_str: configuration value not found [ISAKMP-peer-west]:Credentials
162322.084179 Misc 95 conf_get_str: [KeyNote]:Credential-directory->/etc/isakmpd/keynote/
162322.084829 Plcy 30 keynote_cert_obtain: failed to stat "/etc/isakmpd/keynote//10.0.1.180/credentials"
162322.085276 Cryp 70 x509_hash_find: no certificate matched query
162322.085654 Misc 10 rsa_sig_encode_hash: no certificate to send
162322.086200 Misc 95 conf_get_str: configuration value not found [ISAKMP-peer-west]:PKAuthentication
162322.086649 Misc 95 conf_get_str: [KeyNote]:Credential-directory->/etc/isakmpd/keynote/
162322.087295 Misc 95 conf_get_str: [X509-certificates]:Private-key->/etc/isakmpd/private/local.key
162322.092629 Cryp 60 hash_get: requested algorithm 1
162322.093271 Misc 80 rsa_sig_encode_hash: HASH_I:
...
162349.201114 Default transport_send_messages: giving up on message 0x3c12c700, exchange ISAKMP-peer-west
162349.201632 Default transport_send_messages: either this message did not reach the other peer
162349.202109 Default transport_send_messages: or the responsemessage did not reach us back

isakmpd.conf:

[General]
Listen-on= 10.0.1.180
Policy-file= /etc/isakmpd/isakmpd.policy
Retransmits= 3
Exchange-max-time= 120

[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
CRL-directory= /etc/isakmpd/crls/
Private-key= /etc/isakmpd/private/local.key

[Phase 1]
10.0.0.179= ISAKMP-peer-west

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-west]
Phase= 1
#Transport= udp
Local-address= 10.0.1.180
Address= 10.0.0.179
Configuration= Default-Phase1

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.255.0
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.255.0
Netmask= 255.255.255.0

[Default-Phase1]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG


racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/certs";
log debug;

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

remote 10.0.1.180
{
exchange_mode main;
certificate_type x509 "vpn_cert.pem" "my_private_key.pem";
my_identifier address "10.0.0.179";

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

pf.conf vpn lines (isakmpd is running on the firewall):

vpn_if="enc0"
...
pass in quick on $ext_if inet proto udp from any to $ext_if port isakmp keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port isakmp keep state

#esp traffic
pass in quick on $ext_if inet proto esp from any to $ext_if
pass out quick on $ext_if inet proto esp from $ext_if to any
pass in quick on $vpn_if proto ipencap all
pass in quick on $vpn_if all
pass out quick on $vpn_if all
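Both isakmpd.conf files in this thread rely on sections naming each other: a [Phase 1] entry names a peer section, the peer's Configuration= names a mode section, [Phase 2] Connections= names a connection, and the connection names its ISAKMP-peer, Configuration, Local-ID and Remote-ID sections. isakmpd only complains about a dangling name once a negotiation reaches it, which is the kind of failure the logs above surface as "configuration value not found". The following script is an added example written for this thread, not isakmpd's own tooling: it parses the INI-style file, reports any reference to a section that does not exist, and adds two heuristics of my own (RSA_SIG transforms without an [X509-certificates] section, and a phase 2 connection whose Local-ID and Remote-ID carry the same Network). The sample input is the east/west config posted above with its blank lines dropped, plus a constructed variant that misspells one section name.

```python
"""Cross-reference linter for isakmpd.conf (added example, not isakmpd's own code)."""
import re
from collections import OrderedDict

# Keys whose value names another section; checked in this order so output is stable.
REF_KEYS = ("Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID")


def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' comments and blank lines are skipped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint(sections):
    """Return findings as a list of strings; an empty list means nothing was found."""
    findings = []

    def need(name, where):
        if name not in sections:
            findings.append("%s refers to missing section [%s]" % (where, name))

    # [Phase 1]: Default= <peer> or <address>= <peer>
    for key, peer in sections.get("Phase 1", {}).items():
        need(peer, "[Phase 1] %s" % key)
    # [Phase 2]: Connections= / Passive-connections= is a comma-separated list
    for key in ("Connections", "Passive-connections"):
        for conn in sections.get("Phase 2", {}).get(key, "").split(","):
            if conn.strip():
                need(conn.strip(), "[Phase 2] %s" % key)
    for name, body in sections.items():
        for key in REF_KEYS:
            if key in body:
                need(body[key], "[%s] %s" % (name, key))
        # Heuristic: RSA signature auth needs the X509 section or there is no cert to send.
        if "RSA_SIG" in body.get("Transforms", "") and "X509-certificates" not in sections:
            findings.append("[%s] uses RSA_SIG but [X509-certificates] is missing" % name)
        # Heuristic: a tunnel whose two ends claim the same network cannot route traffic.
        if body.get("Phase") == "2":
            local = sections.get(body.get("Local-ID", ""), {})
            remote = sections.get(body.get("Remote-ID", ""), {})
            if local.get("Network") and local.get("Network") == remote.get("Network"):
                findings.append("[%s] Local-ID and Remote-ID describe the same network %s"
                                % (name, local["Network"]))
    return findings


# Sample input: the east/west isakmpd.conf posted in the thread, blank lines dropped.
POSTED_CONF = """[General]
Listen-on= 10.0.1.180
Policy-file= /etc/isakmpd/isakmpd.policy
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
[Phase 1]
10.0.0.179= ISAKMP-peer-west
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
#Transport= udp
Local-address= 10.0.1.180
Address= 10.0.0.179
Configuration= Default-Phase1
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.255.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.255.0
Netmask= 255.255.255.0
[Default-Phase1]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
"""

# Constructed variant: the peer section misspells the name of its mode section.
TYPO_CONF = POSTED_CONF.replace("Configuration= Default-Phase1",
                                "Configuration= Default-Phase-1")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("typo", TYPO_CONF)):
        print("== %s ==" % label)
        for finding in lint(parse_isakmpd_conf(conf)) or ["no findings"]:
            print("  " + finding)
```

Run against the posted config, the linter reports that [IPsec-east-west] points at a [Default-quick-mode] section that the posted file does not define, and that Net-east and Net-west carry the same 192.168.255.0 network; the constructed variant adds a third finding for the misspelled Default-Phase-1. Findings about section names are exact; the two heuristics are mine and should be read as prompts to look, not as isakmpd's own validation rules.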