I have posted a sanitized read of the file at:
 http://www.consault.com/vpn/capture.txt
 Will this help?
 Thanks,
-Dave

 On 10/3/05, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> and please provide me the pcap file generated with -L.
>
> Thanks
> HJ.
>
> On Fri, Sep 30, 2005 at 05:57:14PM -0700, Trepliev wrote:
> > I'm having some unusual difficulties getting a VPN running between
> > OpenBSD3.7 and a SonicWall.
> >
> > The remote gateway is not under my control and I have to make the
> > adjustments on my side to make this work.
> >
> > For some reason it looks to be failing during Phase 1 when it is getting the
> > USER_FQDN from the remote gateway.
> >
> > Does anyone here have working configuration snippets for this sort of
> > arrangement?
> >
> > Thanks!
> >
> > AAA.AAA.AAA.AAA is the address of the local OpenBSD 3.7 VPN Server
> > BBB.BBB.BBB.BBB is the address of the remote SonicWall
> >
> > =========================================
> > isakmpd.conf
> > =========================================
> >
> > [General]
> > Retransmits= 3
> > Exchange-max-time= 120
> > Check-interval= 300
> > Policy-file= /etc/isakmpd/isakmpd.policy
> >
> > [Phase 1]
> > BBB.BBB.BBB.BBB= ISAKMP-peer-SonicWall
> >
> > [Phase 2]
> > Connections= IPsec-Fission-SonicWall
> >
> > [ISAKMP-peer-SonicWall]
> > Phase= 1
> > Transport= udp
> > Address= BBB.BBB.BBB.BBB
> > Configuration= SonicWall-main-mode
> > Authentication= mekmitasdigoat
> > Local-ID= ID-Fission
> > Remote-ID= ID-SonicWall
> >
> > [IPsec-Fission-SonicWall]
> > Phase= 2
> > ISAKMP-peer= ISAKMP-peer-SonicWall
> > Configuration= SonicWall-quick-mode
> > Local-ID= Net-Corp
> > Remote-ID= Net-SonicWall
> >
> > [ID-SonicWall]
> > ID-type= USER_FQDN
> > Name= SonicWall
> >
> > [ID-Fission]
> > ID-type= FQDN
> > Name= fission.corp.local
> >
> > [Net-SonicWall]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 172.16.0.0
> > Netmask= 255.255.0.0
> >
> > [Net-Corp]
> > ID-type= IPV4_ADDR_SUBNET
> > Network= 10.1.105.0
> > Netmask= 255.255.255.0
> >
> > [SonicWall-main-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= AGGRESSIVE
> > Transforms= AES-SHA-GRP2
> >
> > [SonicWall-quick-mode]
> > DOI= IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Suites= QM-ESP-AES-SHA-GRP2-SUITE
> >
> >
> > =========================================
> > Debugging information from ISAKMPD -dvL -D0=70 -D4=99 -D5=50 -D6=60 -D7=50
> > -D8=40 -D9=40
> > =========================================
> >
> > 174101.074956 Default log_debug_cmd: log level changed from 0 to 70 for
> > class 0 [priv]
> > 174101.075646 Default log_debug_cmd: log level changed from 0 to 99 for
> > class 4 [priv]
> > 174101.075713 Default log_debug_cmd: log level changed from 0 to 50 for
> > class 5 [priv]
> > 174101.075773 Default log_debug_cmd: log level changed from 0 to 60 for
> > class 6 [priv]
> > 174101.075832 Default log_debug_cmd: log level changed from 0 to 50 for
> > class 7 [priv]
> > 174101.075891 Default log_debug_cmd: log level changed from 0 to 40 for
> > class 8 [priv]
> > 174101.075950 Default log_debug_cmd: log level changed from 0 to 40 for
> > class 9 [priv]
> > 174101.077609 Sdep 30 monitor_init: pid 18819 my fd 6 [priv]
> > 174101.079134 Sdep 30 monitor_init: pid 0 my fd 5 [priv]
> > 174101.079510 Misc 10 monitor_init: privileges dropped for child process
> > 174101.654766 Timr 10 timer_add_event: event connection_checker(0x3c1e8c80)
> > added last, expiration in 0s
> > 174101.655255 Misc 60 connection_record_passive: passive connection
> > "IPsec-Fission-SonicWall" added
> > 174101.645410 Plcy 30 policy_init: initializing
> > 174101.658148 Misc 20 udp_make: transport 0x3c1ead00 socket 8 ip
> > 127.0.0.1 port 500
> > 174101.659980 Misc 20 udp_encap_make: transport 0x3c1ead40 socket 9 ip
> > 127.0.0.1 port 4500
> > 174101.675446 Misc 20 udp_make: transport 0x3c06a0c0 socket 16 ip
> > AAA.AAA.AAA.AAA port 500
> > 174101.677576 Misc 20 udp_encap_make: transport 0x3c06a100 socket 17 ip
> > AAA.AAA.AAA.AAA port 4500
> > 174101.696403 Misc 20 udp_make: transport 0x3c06a480 socket 26 ip
> > 0.0.0.0 port 500
> > 174101.698525 Misc 20 udp_encap_make: transport 0x3c06a4c0 socket 27 ip
> > 0.0.0.0 port 4500
> > 174101.743637 Default log_packet_init: starting IKE packet capture to file
> > "/var/run/isakmpd.pcap"
> > 174101.744459 Timr 10 timer_handle_expirations: event
> > connection_checker(0x3c1e8c80)
> > 174101.745041 Timr 10 timer_add_event: event connection_checker(0x3c1e8c80)
> > added last, expiration in 300s
> > 174101.746671 Timr 10 timer_add_event: event exchange_free_aux(0x3c065d00)
> > added before connection_checker(0x3c1e8c80), expiration in 120s
> > 174101.748101 Exch 10 exchange_establish_p1: 0x3c065d00
> > ISAKMP-peer-SonicWall SonicWall-main-mode policy initiator phase 1 doi 1
> > exchange 4 step 0
> > 174101.748691 Exch 10 exchange_establish_p1: icookie 0f7fd1a961498319
> > rcookie 0000000000000000
> > 174101.749186 Exch 10 exchange_establish_p1: msgid 00000000
> > 174101.749826 SA 60 sa_create: sa 0x3c065f00 phase 1 added to exchange
> > 0x3c065d00 (ISAKMP-peer-SonicWall)
> > 174101.745797 Misc 70 attribute_set_constant: no PRF in the AES-SHA-GRP2
> > section
> > 174101.745971 Misc 70 group_get: returning 0x3c06a6c0 of group 2
> > 174101.746116 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-02
> > ") (16 bytes)
> > 174101.746174 Exch 50 nat_t_setup_hashes:
> > 174101.746242 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
> > 174101.746299 Exch 50 nat_t_setup_hashes:
> > MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
> > 174101.746347 Exch 50 nat_t_setup_hashes:
> > 174101.746412 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
> > 174101.746467 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
> > 174101.746513 Exch 50 nat_t_setup_hashes:
> > 174101.746580 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
> > 174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
> > 174101.789821 Negt 40 00000000
> > 174101.800761 Exch 40 exchange_run: exchange 0x3c065d00 finished step 0,
> > advancing...
> > 174101.801342 Timr 10 timer_add_event: event message_send_expire(0x3c069580)
> > added before exchange_free_aux(0x3c065d00), expiration in 7s
> > 174104.088867 Timr 10 timer_remove_event: removing event
> > message_send_expire(0x3c069580)
> > 174104.089711 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
> > 174104.090254 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
> > 174104.090740 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
> > detected
> > 174104.091406 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
> > 174104.091962 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> > 174104.094023 Negt 20 ike_phase_1_validate_prop: success
> > 174104.094612 Negt 30 message_negotiate_sa: proposal 1 succeeded
> > 174104.095100 Misc 20 ipsec_decode_transform: transform 1 chosen
> > 174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
> > 174104.147189 Negt 40 4d696372 6f706c65 78
> > 174110.127525 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> > 174110.128426 Negt 20 ike_phase_1_validate_prop: success
> > 174110.128963 Negt 30 message_negotiate_sa: proposal 1 succeeded
> > 174110.129448 Misc 20 ipsec_decode_transform: transform 1 chosen
> > 174110.180487 Negt 40 ike_phase_1_recv_ID: FQDN:
> > 174110.181143 Negt 40 4d696372 6f706c65 78
> > 174119.127216 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> > 174119.128104 Negt 20 ike_phase_1_validate_prop: success
> > 174119.128638 Negt 30 message_negotiate_sa: proposal 1 succeeded
> > 174119.129119 Misc 20 ipsec_decode_transform: transform 1 chosen
> > 174119.180523 Negt 40 ike_phase_1_recv_ID: FQDN:
> > 174119.181182 Negt 40 4d696372 6f706c65 78
> > 174139.126306 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> > 174139.127198 Negt 20 ike_phase_1_validate_prop: success
> > 174139.127731 Negt 30 message_negotiate_sa: proposal 1 succeeded
> > 174139.128214 Misc 20 ipsec_decode_transform: transform 1 chosen
> > 174139.179205 Negt 40 ike_phase_1_recv_ID: FQDN:
> > 174139.179854 Negt 40 4d696372 6f706c65 78
> > 174301.765855 Timr 10 timer_handle_expirations: event
> > exchange_free_aux(0x3c065d00)
> > 174301.766599 Exch 20 exchange_establish_finalize: finalizing exchange
> > 0x3c065d00 with arg 0x3c12bc40 (IPsec-Fission-SonicWall) & fail = 1
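
Added example (not part of the original message, and not isakmpd code): a small Python check that pulls the Phase 1 identities out of the Negt-class debug lines quoted above, decodes the hex dump, and compares what the peer sent with the section that Remote-ID names in isakmpd.conf. The sample strings are constructed from the quoted log and config with the e-mail wrapping undone, and the function names are hypothetical.

```python
import re

# Constructed sample: lines from the quoted log and config, e-mail wrapping undone.
SAMPLE_LOG = """\
174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
174101.789821 Negt 40 00000000
174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
174104.147189 Negt 40 4d696372 6f706c65 78
"""
SAMPLE_CONF = """\
[ISAKMP-peer-SonicWall]
Remote-ID= ID-SonicWall
[ID-SonicWall]
ID-type= USER_FQDN
Name= SonicWall
"""
ID_LINE = re.compile(r"ike_phase_1_(send|recv)_ID: (\w+):")

def ids_from_log(log):
    """Map 'send'/'recv' to (ID type, raw bytes) using the Negt-class lines."""
    found, lines = {}, log.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = ID_LINE.search(line)
        if m:
            # The hex dump is on the next line, after timestamp, class and level.
            dump = "".join(lines[i + 1].split()[3:])
            found[m.group(1)] = (m.group(2), bytes.fromhex(dump))
    return found

def parse_conf(text):
    """Minimal reader for the [section] / Tag= value layout of isakmpd.conf."""
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return sections

def compare_remote_id(log, conf, peer):
    """Compare the ID the peer sent with the section that Remote-ID names."""
    sections = parse_conf(conf)
    want = sections[sections[peer]["Remote-ID"]]
    got_type, raw = ids_from_log(log)["recv"]
    expected = (want["ID-type"], want["Name"])
    received = (got_type, raw.decode("ascii", "replace"))
    return {"expected": expected, "received": received,
            "match": expected == received}
```

Called as `compare_remote_id(SAMPLE_LOG, SAMPLE_CONF, "ISAKMP-peer-SonicWall")`, it reports the received identity as type FQDN with the value Microplex against a configured USER_FQDN / SonicWall.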
