
isakmpd vs shiva lanrover

        I am trying to get isakmpd to set up a VPN tunnel with a Shiva
LanRover.  Supposedly the LanRover is capable of doing this, but I
don't seem to be able to get it to work.  I am trying to get a "road
warrior" config running, not a site-to-site tunnel.  I am using
preshared keys (for the moment), but no matter what I try I don't seem
to be able to get the two talking.

I have configured the Shiva box to accept an IPsec connection and I
have verified that this IPsec connection works by using the Shiva
client on a Wintel box - the tunnel is built.  I feel that I am close
to getting this working with isakmpd: it gets past the phase 1
negotiation and moves on to phase 2, but the Shiva box keeps telling me
there is no ESP profile match and returns a "no proposal chosen" message
to isakmpd, which promptly tears down the SA setup.  I have tried all
sorts of suites in my phase 2 config with no success - even the one I
think exactly matches the Shiva setup is rejected.  One thing the
Shiva client does have is a little tick box that allows the client to
accept proposals from the peer (the Shiva VPN box).  From what I can
see in the logs on the Shiva box it sends a proposal back to isakmpd
which I think is piggybacked on a DELETE message, but this proposal
seems to be ignored:

212638.884331 Mesg 50 message_parse_payloads: offset 28 payload HASH
212638.885006 Mesg 50 message_parse_payloads: offset 52 payload DELETE
212638.885062 Mesg 60 message_validate_payloads: payload HASH at
0x812751c of message 0x8180300
212638.885103 Mesg 60 message_validate_payloads: payload DELETE at
0x8127534 of message 0x8180300
212638.885137 Mesg 70 DOI: IPSEC
212638.885170 Mesg 70 PROTO: ISAKMP
212638.885233 Mesg 70 SPI_SZ: 16
212638.885273 Mesg 70 NSPIS: 1
212638.885328 Timr 10 timer_add_event: event
exchange_free_aux(0x8180400) added before sa_soft_expire(0x8125900),
expiration in 120s
212638.885374 Exch 10 exchange_setup_p2: 0x8180400 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 5 step 0
212638.885412 Exch 10 exchange_setup_p2: icookie 8535282d4cb451ab
rcookie 7fe17a64d4f95e09
212638.885448 Exch 10 exchange_setup_p2: msgid 71393564 sa_list 
212638.885505 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
212638.886218 Exch 10 exchange_run: unexpected payload HASH
212638.886263 SA   30 ipsec_delete_spi_list: DELETE made us delete SA
0x8125900 (7 references) for proto 1

I am assuming the HASH here is a proposal, but I may be wrong.  Is
there any way I can look at what this data is?  Is there any way I can
do the equivalent of "accept peer proposal" with isakmpd?

Brett Lymn
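The log above shows isakmpd parsing an Informational exchange (exchange type 5) carrying a HASH payload at offset 28 and a DELETE payload at offset 52, with DOI IPSEC, Protocol-ID ISAKMP, a 16-byte SPI and one SPI. Per RFC 2408 a DELETE with Protocol-ID ISAKMP and a 16-byte SPI names a phase 1 SA by its initiator/responder cookie pair, and per RFC 2409 the HASH payload that precedes it in an Informational exchange is the keyed hash that authenticates the message, not a proposal (a proposal would arrive as an SA/PROPOSAL/TRANSFORM payload chain in a Quick Mode exchange). The following parser is an added example, not code from the original post or from isakmpd: it walks the ISAKMP header and generic payload headers and decodes a DELETE payload into the same fields isakmpd prints. The sample datagram is constructed to match the offsets and values in the log (the cookies and message ID are taken from it; the 20 hash bytes are a placeholder, not a real HMAC), and is plaintext as isakmpd sees it after decryption; on the wire an Informational exchange after phase 1 is encrypted (the E bit in the flags byte), so a capture must be decrypted first.

```python
import struct

ISAKMP_HDR_LEN = 28              # RFC 2408 section 3.1: fixed ISAKMP header
EXCHANGE_INFORMATIONAL = 5
PAYLOAD_HASH, PAYLOAD_DELETE = 8, 12

# Payload, DOI and Protocol-ID numbers from RFC 2408 / RFC 2407
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "NOTIFY", 12: "DELETE", 13: "VID"}
DOI_NAMES = {0: "ISAKMP", 1: "IPSEC"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}


def parse_header(msg):
    """Decode the 28-byte ISAKMP header and check its length field."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    (icookie, rcookie, nxt, ver, xchg, flags,
     msgid, length) = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError(f"header length {length} != datagram length {len(msg)}")
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
            "next_payload": nxt, "version": (ver >> 4, ver & 0xF),
            "exchange_type": xchg, "flags": flags, "msgid": msgid,
            "length": length}


def parse_delete(body):
    """Decode a DELETE payload body: DOI, Protocol-ID, SPI size, #SPIs, SPIs."""
    if len(body) < 8:
        raise ValueError("short DELETE payload")
    doi, proto, spi_size, nspis = struct.unpack("!IBBH", body[:8])
    if len(body) != 8 + spi_size * nspis:
        raise ValueError("DELETE payload length does not match SPI count")
    spis = [body[8 + i * spi_size: 8 + (i + 1) * spi_size].hex()
            for i in range(nspis)]
    return {"doi": DOI_NAMES.get(doi, doi), "proto": PROTO_NAMES.get(proto, proto),
            "spi_size": spi_size, "nspis": nspis, "spis": spis}


def walk_payloads(msg):
    """Follow the next-payload chain, bounds-checking every generic header."""
    hdr = parse_header(msg)
    payloads, offset, ptype = [], ISAKMP_HDR_LEN, hdr["next_payload"]
    while ptype != 0:
        if offset + 4 > len(msg):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = msg[offset + 4: offset + plen]
        entry = {"offset": offset, "type": PAYLOAD_NAMES.get(ptype, str(ptype)),
                 "length": plen, "body": body}
        if ptype == PAYLOAD_DELETE:
            entry["delete"] = parse_delete(body)
        payloads.append(entry)
        offset, ptype = offset + plen, nxt
    if offset != len(msg):
        raise ValueError("trailing bytes after last payload")
    return hdr, payloads


def build_sample():
    """Constructed plaintext Informational exchange matching the log in the post."""
    icookie = bytes.fromhex("8535282d4cb451ab")
    rcookie = bytes.fromhex("7fe17a64d4f95e09")
    fake_hash = bytes(range(20))           # placeholder, not a real HMAC-SHA1
    hash_pl = struct.pack("!BBH", PAYLOAD_DELETE, 0, 4 + len(fake_hash)) + fake_hash
    # DELETE: DOI=IPSEC(1), PROTO=ISAKMP(1), SPI size 16, one SPI = cookie pair
    del_body = struct.pack("!IBBH", 1, 1, 16, 1) + icookie + rcookie
    del_pl = struct.pack("!BBH", 0, 0, 4 + len(del_body)) + del_body
    total = ISAKMP_HDR_LEN + len(hash_pl) + len(del_pl)
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, PAYLOAD_HASH, 0x10,
                      EXCHANGE_INFORMATIONAL, 0, 0x71393564, total)
    return hdr + hash_pl + del_pl


def describe(msg):
    """Render a datagram in the style of isakmpd's Mesg/DOI debug lines."""
    hdr, payloads = walk_payloads(msg)
    lines = [f"exchange {hdr['exchange_type']} msgid {hdr['msgid']:08x} "
             f"icookie {hdr['icookie']} rcookie {hdr['rcookie']}"]
    for p in payloads:
        lines.append(f"offset {p['offset']} payload {p['type']} len {p['length']}")
        if "delete" in p:
            d = p["delete"]
            lines.append(f"  DOI: {d['doi']} PROTO: {d['proto']} SPI_SZ: {d['spi_size']} "
                         f"NSPIS: {d['nspis']} SPIS: {','.join(d['spis'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(build_sample())))
```

To inspect real traffic, feed `walk_payloads` the decrypted ISAKMP datagram (UDP port 500 payload); the offsets it reports line up with isakmpd's `message_parse_payloads` lines, and the decoded DELETE tells you which SA the peer is tearing down.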