Hi $misc

I have a problem with isakmpd and the GreenBow VPN client (actually all Windows VPN clients I have tried except freeswan and racoon).

The problem is that I specify the protocols that the clients use, but it seems that it's ignoring what I have specified.

A dump from tcpdump -vr /var/run/isakmpd.pcap says that the client is trying with these protocols:

[SNIP]
...
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute KEY_LENGTH = 128
...

my log from isakmpd says

Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute ENCRYPTION_ALGORITHM value 7
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute HASH_ALGORITHM value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute AUTHENTICATION_METHOD value 1
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute GROUP_DESCRIPTION value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute KEY_LENGTH value 128
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: nat_t_check_vendor_payload: NAT-T capable peer detected
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: ipsec_responder: phase 1 exchange 2 step 0
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: transform 0 proto 1 proposal 1 ok
Oct 19 13:15:56 tefnut isakmpd[32614]: ike_phase_1_validate_prop: failure
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: proposal 1 failed
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: no compatible proposal found
Oct 19 13:15:56 tefnut isakmpd[32614]: dropped message from 62.242.xxx.xxx port 488 due to notification type NO_PROPOSAL_CHOSEN

my isakmpd.conf:
[General]
Retransmits=                    5
Exchange-max-time=              120
Shared-SADB=                    Defined
Default-phase-1-lifetime=       3600,60:86400
Default-phase-2-lifetime=       1200,60:86400
NAT-T-Keepalive=                10

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-connections=    IPsec-clients

[ISAKMP-clients]
Phase=          1
Transport=      udp
Configuration=  greenbow-main-mode
Authentication= mekmitasdigoat

[IPsec-clients]
Phase=          2
Configuration=  greenbow-quick-mode
Local-ID=       default-route
Remote-ID=      dummy-remote

[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=        0.0.0.0

[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0

[greenbow-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     AES-SHA-GRP2

[greenbow-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-AES-SHA-PFS-GR2-SUITE

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_1_DAY


Basically it's taken from http://www.allard.nu/openbsd/greenbow/ since I googled for an answer, but even though I took a copy of the isakmpd.conf on that page I still don't get through phase 1.

Hope someone has an answer

Best regards
Kim

Ps. I'm using OpenBSD 3.7
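As an added diagnostic (editor's example, not part of the post or of isakmpd), the script below decodes the numeric IKEv1 phase-1 attribute values in the isakmpd log using the RFC 2409 Appendix A tables and diffs them against the [AES-SHA-GRP2] transform section; on the post's own log and config it reports that the peer's KEY_LENGTH=128 has no counterpart in the transform, which is the only attribute the two sides do not share. It assumes configparser can read this subset of isakmpd.conf syntax and that KEY_LENGTH uses isakmpd's "offer,min:max" value syntax (e.g. 128,128:256).

```python
import re
from configparser import ConfigParser
# IKEv1 phase-1 attribute values (RFC 2409 Appendix A) with isakmpd's symbolic names.
IKE_ATTR_VALUES = {
    "ENCRYPTION_ALGORITHM": {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"},
    "HASH_ALGORITHM": {1: "MD5", 2: "SHA", 3: "TIGER"},
    "AUTHENTICATION_METHOD": {1: "PRE_SHARED", 3: "RSA_SIG", 4: "RSA_ENC"},
    "GROUP_DESCRIPTION": {1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536"},
}
LOG_RE = re.compile(r"isakmpd\[\d+\]: Attribute (\w+) value (\d+)")

def parse_log_attributes(log_text):
    """Map each 'Attribute NAME value N' log line to a symbolic name (int if no table entry)."""
    return {name: IKE_ATTR_VALUES.get(name, {}).get(int(val), int(val))
            for name, val in LOG_RE.findall(log_text)}

def parse_transform(conf_text, section):
    """Read one [transform] section of isakmpd.conf as a dict, keeping key case."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive, do not lowercase them
    cp.read_string(conf_text)
    return {k: v.strip() for k, v in cp[section].items()}

def accepted_range(spec):
    """Parse isakmpd's 'offer,min:max' value syntax (assumed, e.g. '128,128:256')."""
    rng = spec.split(",", 1)[-1]
    lo, _, hi = rng.partition(":")
    return int(lo), int(hi or lo)

def diff_proposal(peer, transform):
    """Return the peer's attributes that the transform lacks, or whose value it cannot accept."""
    problems = {}
    for name, value in peer.items():
        if name not in transform:
            problems[name] = ("missing", value)  # nothing in the section to match it against
        elif isinstance(value, int):
            lo, hi = accepted_range(transform[name])
            if not lo <= value <= hi:
                problems[name] = ("out of range", value, transform[name])
        elif transform[name] != value:
            problems[name] = ("mismatch", value, transform[name])
    return problems

# Constructed sample input: the post's five attribute log lines and its [AES-SHA-GRP2] transform.
SAMPLE_LOG = "\n".join(
    f"Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute {n} value {v}"
    for n, v in [("ENCRYPTION_ALGORITHM", 7), ("HASH_ALGORITHM", 2),
                 ("AUTHENTICATION_METHOD", 1), ("GROUP_DESCRIPTION", 2), ("KEY_LENGTH", 128)])
SAMPLE_CONF = ("[AES-SHA-GRP2]\nENCRYPTION_ALGORITHM=   AES_CBC\nHASH_ALGORITHM=         SHA\n"
               "AUTHENTICATION_METHOD=  PRE_SHARED\nGROUP_DESCRIPTION=      MODP_1024\n")
```

Running `diff_proposal(parse_log_attributes(SAMPLE_LOG), parse_transform(SAMPLE_CONF, "AES-SHA-GRP2"))` returns `{'KEY_LENGTH': ('missing', 128)}`; adding a KEY_LENGTH line whose range covers 128 to the transform makes the diff empty.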
