Hi Ben,

You may have to open up udpencap on the OpenBSD VPN gateway.

    pass in quick on $ext_if inet proto udp from <vpn-peers> port { 500 4500 } to $ext_if port { 500 4500 }
    pass out quick on $ext_if inet proto udp from $ext_if port { 500 4500 } to <vpn-peers> port { 500 4500 }

Also, I am assuming that you're using the support tools from XPSP2 and that
you've configured the XPSP2 firewall to allow ISAKMP and NAT-T communication
with your OpenBSD VPN Gateway.

If you still have no luck, it would be helpful if you provide:

    sudo isakmpd -d -L -DA=90

Also, provide any tcpdump info related to the VPN traffic.

I would also suggest that you configure the OpenBSD VPN Gateway with the
public IP address of the XP host. Once you've established a VPN, you can then
work on a more generic configuration. The point being, get it working first.
Once you get all the little pieces right, it'll work just fine.

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com
Tel: +81-(0)3-3715-3032

On Fri, Sep 02, 2005 at 08:38:27PM -0700, Ben wrote:
> Followed some instructions from last year
> (http://openbsd.cz/~pruzicka/vpn.html) and as per a fair number of other
> posts, I seem to be having the NO_PROPOSAL_CHOSEN problem.
>
> (Checking the errors via isakmpd -d -L )
>
> 185443.335663 Default log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
> 185447.379924 Default check_policy: negotiated SA failed policy check
> 185447.380041 Default message_negotiate_sa: no compatible proposal found
> 185447.380101 Default dropped message from (client machine ip) port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> Run tcpdump -nvs1500 -r /var/run/isakmpd.pcap gives the following output:
>
> --------isakmpd.pcap------
> 19:54:37.113084 (client machine ip).500 > (BSD machine public IP).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->0000000000000000 msgid: 00000000 len: 108
>     payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>         payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>             payload: TRANSFORM len: 36
>                 transform: 1 ID: ISAKMP
>                     attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                     attribute HASH_ALGORITHM = SHA
>                     attribute GROUP_DESCRIPTION = MODP_1024
>                     attribute AUTHENTICATION_METHOD = PRE_SHARED
>                     attribute LIFE_TYPE = SECONDS
>                     attribute LIFE_DURATION = 00007080
>     payload: VENDOR len: 24 [ttl 0] (id 1, len 136)
> 19:54:37.113390 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 00000000 len: 164
>     payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>         payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>             payload: TRANSFORM len: 36
>                 transform: 1 ID: ISAKMP
>                     attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                     attribute HASH_ALGORITHM = SHA
>                     attribute GROUP_DESCRIPTION = MODP_1024
>                     attribute AUTHENTICATION_METHOD = PRE_SHARED
>                     attribute LIFE_TYPE = SECONDS
>                     attribute LIFE_DURATION = 00007080
>     payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>     payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
>     payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>     payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
> 19:54:37.157878 (client machine ip).500 > (BSD machine public IP).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 00000000 len: 184
>     payload: KEY_EXCH len: 132
>     payload: NONCE len: 24 [ttl 0] (id 1, len 212)
> 19:54:37.169874 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 00000000 len: 184
>     payload: KEY_EXCH len: 132
>     payload: NONCE len: 24 [ttl 0] (id 1, len 212)
> 19:54:37.185732 (client machine ip).500 > (BSD machine public IP).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 00000000 len: 68
>     payload: ID len: 12 type: IPV4_ADDR = (client machine ip)
>     payload: HASH len: 24 [ttl 0] (id 1, len 96)
> 19:54:37.185817 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 00000000 len: 92
>     payload: ID len: 12 type: IPV4_ADDR = (BSD machine public IP)
>     payload: HASH len: 24
>     payload: NOTIFICATION len: 28
>         notification: INITIAL CONTACT (53708ce206b92551->c6c84856034d511e) [ttl 0] (id 1, len 120)
> 19:54:37.188146 (client machine ip).500 > (BSD machine public IP).500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 5cb2ac72 len: 148
>     payload: HASH len: 24
>     payload: SA len: 40 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>         payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf6b63621
>             payload: TRANSFORM len: 16
>                 transform: 1 ID: 3DES
>                     attribute ENCAPSULATION_MODE = TUNNEL
>                     attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>     payload: NONCE len: 24
>     payload: ID len: 12 type: IPV4_ADDR = (client machine ip)
>     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.1.0/255.255.255.0 [ttl 0] (id 1, len 176)
> 19:54:37.188588 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange INFO
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: dc9c1fb2 len: 64
>     payload: HASH len: 24
>     payload: NOTIFICATION len: 12
>         notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
> 19:54:37.188701 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: 5cb2ac72 len: 116
>     payload: HASH len: 24
>     payload: SA len: 12 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>         payload: PROPOSAL len: 24 proposal: 128 proto: (unknown) spisz: 5 xforms: 14 SPI: 0x8547ad5782
>             payload: TRANSFORM len: 52570 [|ipsec]
>     payload: ID len: 12
>     payload: ID len: 16
>     payload: NONCE len: 24
>     payload: ID len: 12 type: IPV4_ADDR = (client machine ip)
>     payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.1.0/255.255.255.0 [ttl 0] (id 1, len 144)
> 19:54:45.756225 (BSD machine public IP).500 > (client machine ip).500: [udp sum ok] isakmp v1.0 exchange INFO
>     cookie: 53708ce206b92551->c6c84856034d511e msgid: e9968ffb len: 80
>     payload: HASH len: 24
>     payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
>         cookie: 53708ce206b92551->c6c84856034d511e [ttl 0] (id 1, len 108)
> =-=-=-=-=- End of capture
>
> I've gone over my policy, conf, and batch files with a fine tooth comb, and
> can't see what the problem could be (aside from the fact that I'm using XP):
>
>
> /etc/isakmpd/isakmpd.policy (even kept the keynote version.)
>
> KeyNote-version: 2
> Authorizer: "POLICY"
> Licensees: "passphrase:password"
> Conditions: app_domain == "IPSec policy" && esp_present == "yes" &&
>     esp_enc_alg != "null" -> "true";
>
>
> --------------------------------
> /etc/isakmpd/isakmpd.conf (changed IPSec to match case)
>
> [General]
> Retransmits = 5
> Exchange-max-time = 120
> Listen-on = public_ip_of_openbsd_box
> Shared-SADB = Defined
> Renegotiate-on-HUP = Defined
>
> [Phase 1]
> Default = ISAKMP-clients
>
> [Phase 2]
> Passive-Connections = IPSec-clients
>
> [ISAKMP-clients]
> Phase = 1
> Transport = udp
> Configuration = win-main-mode
> Authentication = password
>
> [IPSec-clients]
> Phase = 2
> Configuration = win-quick-mode
> Local-ID = default-route
> Remote-ID = dummy-remote
>
> [default-route]
> ID-type = IPV4_ADDR_SUBNET
> Network = 0.0.0.0
> Netmask = 0.0.0.0
>
> [dummy-remote]
> ID-type = IPV4_ADDR
> Address = 0.0.0.0
>
> [win-main-mode]
> DOI = IPSEC
> EXCHANGE_TYPE = ID_PROT
> Transforms = 3DES-SHA-GRP2
>
> [win-quick-mode]
> DOI = IPSEC
> EXCHANGE_TYPE = QUICK_MODE
> Suites = QM-ESP-3DES-SHA-SUITE
> ----------------------------------
>
> And finally start-vpn.bat (internal openbsd box network is 192.168.1.0/24)
>
> start-vpn.bat
> @echo off
> c:\ipsec\ipseccmd.exe -u
> echo cleared
> c:\ipsec\ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -n ESP[3DES,SHA] -t public_ip_address_of_bsd -a PRESHARE:"password" -1s 3DES-SHA-2
> echo part 1 finished
> c:\ipsec\ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -n ESP[3DES,SHA] -t windows_xp_ipaddress -a PRESHARE:"password" -1s 3DES-SHA-2
> echo finished
>
> --------------------------------
>
> If there's another (easier?) way to do this, I'm open to any help.
>
>
> Cheers,
>
> Ben
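An added example, not from either mail in this thread: a small Python parser for the `tcpdump -nv` ISAKMP decode format quoted above that picks out the quick-mode proposal the gateway answered with NO PROPOSAL CHOSEN, so the rejected transform and attributes can be compared against the suite in isakmpd.conf. The sample decode is constructed and abbreviated, with placeholder addresses.

```python
import re

# Constructed sample (not the thread's capture): abbreviated tcpdump decode of isakmpd.pcap.
SAMPLE = """\
19:54:37.188146 10.0.0.2.500 > 203.0.113.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf6b63621
    payload: TRANSFORM len: 16
        transform: 1 ID: 3DES
            attribute ENCAPSULATION_MODE = TUNNEL
            attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
19:54:37.188588 203.0.113.1.500 > 10.0.0.2.500: [udp sum ok] isakmp v1.0 exchange INFO
    payload: NOTIFICATION len: 12
        notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
"""

# A line that starts a new ISAKMP packet: timestamp, src > dst, exchange type.
EXCH_RE = re.compile(r"^\S+ (\S+) > (\S+): .*isakmp v\S+ exchange (\S+)")

def parse_exchanges(text):
    """Split the decode into one dict per packet, collecting proposal details."""
    exchanges = []
    for line in text.splitlines():
        m = EXCH_RE.match(line)
        if m:
            exchanges.append({"src": m.group(1), "dst": m.group(2),
                              "exchange": m.group(3), "attrs": {}, "notify": None})
            continue
        if not exchanges:  # skip anything before the first packet line
            continue
        cur, s = exchanges[-1], line.strip()
        if s.startswith("payload: PROPOSAL"):
            cur["proto"] = re.search(r"proto: (\S+)", s).group(1)
        elif s.startswith("transform:"):
            cur["transform"] = re.search(r"ID: (\S+)", s).group(1)
        elif s.startswith("attribute "):
            key, val = s[len("attribute "):].split(" = ", 1)
            cur["attrs"][key] = val
        elif s.startswith("notification:"):
            cur["notify"] = s.split(":", 1)[1].split("[")[0].strip()
    return exchanges

def rejected_proposal(text):
    """Return the QUICK_MODE proposal that drew NO PROPOSAL CHOSEN, or None."""
    exchanges = parse_exchanges(text)
    for i, ex in enumerate(exchanges):
        if ex["notify"] == "NO PROPOSAL CHOSEN":
            # most recent quick-mode packet sent by the peer being notified
            for prev in reversed(exchanges[:i]):
                if prev["exchange"] == "QUICK_MODE" and prev["src"] == ex["dst"]:
                    return prev
    return None
```

Run it over the real decode with `rejected_proposal(open("decode.txt").read())`; the returned dict's `transform` and `attrs` are what the gateway's Phase 2 suite must accept.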