
VPN setup problem



I'm not sure if this is still being maintained, so let me know if I should
shoot this email to another list...

I am trying to set up a VPN between two 3.5 OpenBSD boxes.  When I fire up
the isakmpd daemon with -d on the two boxes they start spewing the
following.  Another strange thing is that the flows are not created, so I
created them manually using ipsecadm. However, from what I have read, since
the two are not communicating they aren't even getting a chance to set up
the flows. Thanks for any help in advance.

/etc/isakmpd> isakmpd -d
021734.997937 Default check_policy: negotiated SA failed policy check
021734.998802 Default message_negotiate_sa: no compatible proposal found
021734.999238 Default dropped message from 68.102.3.3 port 500 due to
notification type NO_PROPOSAL_CHOSEN
021735.000385 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload
without a group desc. attribute
021735.000844 Default dropped message from 68.102.3.3 port 500 due to
notification type NO_PROPOSAL_CHOSEN
021735.001938 Default group_get: group ID (0) out of range
021742.007659 Default check_policy: negotiated SA failed policy check
021742.008300 Default message_negotiate_sa: no compatible proposal found
021742.008957 Default dropped message from 68.102.3.3 port 500 due to
notification type NO_PROPOSAL

I have used the VPN-east.conf file as a basis for the two isakmpd.conf
files.  Here are my conf file and policy file:

[GENERAL]
Retransmits=5
Exchange-max-time=120
Listen-on=68.102.3.3
[Phase 1]
24.5.3.6=           ISAKMP-peer-east
[Phase 2]
Connections=            IPsec-west-east
[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Address=                24.5.3.6
Configuration=          Default-main-mode
Authentication=         blah
[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Net-west
# Remote-ID was absent from the posted file; VPN-east.conf pairs every
# Local-ID with a Remote-ID, and [Net-east] below is otherwise unused.
Remote-ID=              Net-east
[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.224
[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.9.20.0
Netmask=                255.255.255.224
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:blah"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" -> "true";

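As an added example (not part of the original post, nor OpenBSD's own tooling), here is a small Python checker that parses an isakmpd.conf fragment and reports required keys that are missing or that name a section which is never defined; run on the posted config it flags the Phase 2 connection that has a Local-ID but no Remote-ID. Section and key names follow isakmpd.conf(5); the sample input is constructed from the post.

```python
def parse_isakmpd_conf(text):
    """Parse isakmpd.conf's INI-like syntax into {section: {key: value}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif line and cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = value
        elif line:
            raise ValueError("malformed line: %r" % raw)
    return sections

def check_references(sections):
    """Report missing keys and references to undefined sections for each
    Phase 2 connection and its Phase 1 peer. Transform and suite names are
    not checked: isakmpd has built-in defaults for the common ones."""
    problems = []
    def require(section, key, must_ref=False):
        # must_ref: the value must name a section defined in this file
        value = sections.get(section, {}).get(key)
        if value is None:
            problems.append("%s: missing %s" % (section, key))
        elif must_ref and value not in sections:
            problems.append("%s: %s -> undefined section %s" % (section, key, value))
    for conn in sections.get("Phase 2", {}).get("Connections", "").split(","):
        conn = conn.strip()
        if conn not in sections:
            problems.append("Phase 2: Connections -> undefined section %r" % conn)
            continue
        for key in ("Configuration", "Local-ID", "Remote-ID", "ISAKMP-peer"):
            require(conn, key, must_ref=True)
        peer = sections.get(conn, {}).get("ISAKMP-peer")
        if peer in sections:  # the peer section must itself be complete
            for key in ("Phase", "Address", "Authentication", "Configuration"):
                require(peer, key, must_ref=(key == "Configuration"))
    return problems

# Constructed sample: the relevant sections of the config posted above.
POSTED = "\n".join([
    "[Phase 2]", "Connections= IPsec-west-east", "[ISAKMP-peer-east]",
    "Phase= 1", "Address= 24.5.3.6", "Configuration= Default-main-mode",
    "Authentication= blah", "[IPsec-west-east]", "Phase= 2",
    "ISAKMP-peer= ISAKMP-peer-east", "Configuration= Default-quick-mode",
    "Local-ID= Net-west", "[Net-west]", "[Net-east]", "[Default-main-mode]",
    "[Default-quick-mode]"])
```

Calling `check_references(parse_isakmpd_conf(POSTED))` returns a list with one entry, the missing Remote-ID; adding `Remote-ID= Net-east` to the connection section makes it return an empty list.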