
Re: ISAKMP problem



This only took me two months to figure out :(

Change your policy file to something like this (exactly like this):

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "thisismypassphrase"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" -> "true";

Note that the "passphrase:thisismypassphrase" isn't there.  Leave the
"passphrase:" out.  And make sure you don't have the lines from the example
that start with $OpenBSD something or other.  Let me know if you have more
problems.

Luke


----- Original Message -----
From: Trevor R.H. Clarke <retrev@csh.rit.edu>
To: <tech@openbsd.org>
Sent: Monday, February 07, 2000 11:33 AM
Subject: ISAKMP problem


> I'm trying to set up a VPN from my home network (behind a nat firewall and a
> cable modem) to my OBSD machine at work. I've used the sample policy and config
> files from anoncvs and changed the IP addresses and shared secret. I run
> isakmpd -d on the firewall and it sits there waiting for a connection (no msgs
> yet). I run isakmpd -d on the other end of the tunnel and after a few seconds,
> I get errors on both machines. The firewall errors are:
>
> 113107.795446 Default exchange_run: unexpected payload HASH
> 113107.804713 Default exchange_run: unexpected payload HASH
>
> The machine at work has the following errors:
>
> 113003.753941 Default dropped message from 24.93.15.85 port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 113003.755689 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a
> group desc. attribute
> 113003.755745 Default dropped message from 24.93.15.85 port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 113003.756052 Default group_get: group ID (0) out of range
>
> After a few seconds, these repeat. Any idea what is wrong?
> ------------------
> Trevor R.H. Clarke                     Computer Science House
> Rochester Institute of Technology      Systems Programmer for ISC
> retrev@csh.rit.edu                     trcsys@rit.edu
> http://www.csh.rit.edu/~retrev/        finger retrev@csh.rit.edu for PGP key
>