Hello
I'm trying to do the same thing as you are.
LAN - OpenBSD - internet - NAT - windows_xp_client
I followed http://openbsd.cz/~pruzicka/vpn.html but I still have a problem. I don't know what's wrong, maybe something with NAT-T.
Here is a debug log from isakmpd:
115924.644366 Default log_debug_cmd: log level changed from 0 to 999 for class 9 [priv]
115924.645080 Default log_debug_cmd: log level changed from 0 to 999 for class 8 [priv]
115924.645376 Default log_debug_cmd: log level changed from 0 to 999 for class 7 [priv]
115924.645695 Default log_debug_cmd: log level changed from 0 to 999 for class 6 [priv]
115924.645989 Default log_debug_cmd: log level changed from 0 to 999 for class 5 [priv]
115924.646283 Default log_debug_cmd: log level changed from 0 to 999 for class 4 [priv]
115924.646577 Default log_debug_cmd: log level changed from 0 to 999 for class 3 [priv]
115924.649575 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.650116 Sdep 80 02070002 02000000 01000000 f5340000 [priv]
115924.650730 Sdep 80 pf_key_v2_read: msg: [priv]
115924.651096 Sdep 80 02070002 15000000 01000000 f5340000 07000e00 00000000 0300a000 a0000000 [priv]
115924.651457 Sdep 80 02008000 80000000 0800a000 a0000000 05000001 00010000 06008001 80010000 [priv]
115924.651817 Sdep 80 07000002 00020000 09000f00 00000000 0b000000 00000000 02404000 40000000 [priv]
115924.652176 Sdep 80 0340c000 c0000000 07402800 c0010000 06402800 80000000 f9405000 50000000 [priv]
115924.652536 Sdep 80 0c808000 00010000 0d80a000 20010000 03001e00 00000000 02000000 00000000 [priv]
115924.652845 Sdep 80 03000000 00000000 [priv]
115924.653152 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.653465 Sdep 80 02070001 02000000 02000000 f5340000 [priv]
115924.653810 Sdep 80 pf_key_v2_read: msg: [priv]
115924.654163 Sdep 80 02070001 15000000 02000000 f5340000 07000e00 00000000 0300a000 a0000000 [priv]
115924.654523 Sdep 80 02008000 80000000 0800a000 a0000000 05000001 00010000 06008001 80010000 [priv]
115924.654887 Sdep 80 07000002 00020000 09000f00 00000000 0b000000 00000000 02404000 40000000 [priv]
115924.655475 Sdep 80 0340c000 c0000000 07402800 c0010000 06402800 80000000 f9405000 50000000 [priv]
115924.655842 Sdep 80 0c808000 00010000 0d80a000 20010000 03001e00 00000000 02000000 00000000 [priv]
115924.656150 Sdep 80 03000000 00000000 [priv]
115924.656456 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.656771 Sdep 80 02070009 02000000 03000000 f5340000 [priv]
115924.657189 Sdep 80 pf_key_v2_read: msg: [priv]
115924.657546 Sdep 80 02070009 15000000 03000000 f5340000 07000e00 00000000 0300a000 a0000000 [priv]
115924.657907 Sdep 80 02008000 80000000 0800a000 a0000000 05000001 00010000 06008001 80010000 [priv]
115924.658268 Sdep 80 07000002 00020000 09000f00 00000000 0b000000 00000000 02404000 40000000 [priv]
115924.658629 Sdep 80 0340c000 c0000000 07402800 c0010000 06402800 80000000 f9405000 50000000 [priv]
115924.658989 Sdep 80 0c808000 00010000 0d80a000 20010000 03001e00 00000000 02000000 00000000 [priv]
115924.659298 Sdep 80 03000000 00000000 [priv]
115924.925524 Default conf_parse: last line unterminated, ignored.
115925.240648 Plcy 30 policy_init: initializing
115925.241648 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
115925.242232 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/
115925.242710 Cryp 40 x509_read_crls_from_dir: reading CRLs from /etc/isakmpd/crls/
115925.245324 Cryp 60 hash_get: requested algorithm 0
115925.245667 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-02") (16 bytes)
115925.245948 Exch 50 nat_t_setup_hashes:
115925.246253 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
115925.246540 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
115925.246822 Exch 50 nat_t_setup_hashes:
115925.247127 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
115925.247418 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
115925.247698 Exch 50 nat_t_setup_hashes:
115925.248002 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
115943.844877 SA 90 sa_find: no SA matched query
115943.845472 Timr 10 timer_add_event: event exchange_free_aux(0x7c497900) added last, expiration in 120s
115943.845787 Cryp 60 hash_get: requested algorithm 1
115943.846262 Exch 10 exchange_setup_p1: 0x7c497900 ISAKMP-clients win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
115943.846574 Exch 10 exchange_setup_p1: icookie 85c5cc7a21a50111 rcookie e8127aeaf5c96719
115943.846856 Exch 10 exchange_setup_p1: msgid 00000000
115943.847157 SA 80 sa_reference: SA 0x7c497a00 now has 1 references
115943.847438 SA 70 sa_enter: SA 0x7c497a00 added to SA list
115943.847724 SA 80 sa_reference: SA 0x7c497a00 now has 2 references
115943.848007 SA 60 sa_create: sa 0x7c497a00 phase 1 added to exchange 0x7c497900 (ISAKMP-clients)
115943.848301 SA 80 sa_reference: SA 0x7c497a00 now has 3 references
115943.848660 Exch 90 dpd_check_vendor_payload: bad size 20 != 16
115943.848947 Exch 50 nat_t_check_vendor_payload: bad size 20 != 16
115943.849232 Exch 50 nat_t_check_vendor_payload: bad size 20 != 16
115943.849516 Exch 50 nat_t_check_vendor_payload: bad size 20 != 16
115943.849801 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
115943.850105 Exch 90 exchange_validate: checking for required SA
115943.850411 Cryp 60 hash_get: requested algorithm 1
115943.850699 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
115943.850997 SA 80 sa_add_transform: proto 0x7df2da80 no 1 proto 1 chosen 0x828dbc20 sa 0x7c497a00 id 1
115943.851587 Negt 20 ike_phase_1_validate_prop: success
115943.851876 Negt 30 message_negotiate_sa: proposal 1 succeeded
115943.852164 Cryp 60 hash_get: requested algorithm 1
115943.852466 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
115943.852754 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
115943.852967 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
115943.853182 Exch 40 exchange_run: exchange 0x7c497900 finished step 0, advancing...
115943.853411 SA 80 sa_reference: SA 0x7c497a00 now has 4 references
115943.853662 Exch 90 exchange_validate: checking for required SA
115943.854273 Exch 40 exchange_run: exchange 0x7c497900 finished step 1, advancing...
115943.854625 Timr 10 timer_add_event: event message_send_expire(0x8b641400) added before exchange_free_aux(0x7c497900), expiration in 7s
115947.147511 SA 80 sa_reference: SA 0x7c497a00 now has 5 references
115947.147871 Timr 10 timer_remove_event: removing event message_send_expire(0x8b641400)
115947.148193 SA 80 sa_release: SA 0x7c497a00 had 5 references
115947.148516 Exch 90 exchange_validate: checking for required KEY_EXCH
115947.148800 Exch 90 exchange_validate: checking for required NONCE
115947.154365 Exch 80 exchange_nonce: NONCE_i:
115947.154694 Exch 80 bd5fcf00 00eede85 7a0399e7 93c41da3 9c6d51b1
115947.154979 Cryp 60 hash_get: requested algorithm 1
115947.155302 Cryp 60 hash_get: requested algorithm 1
115947.155624 Exch 10 nat_t_exchange_check_nat_d: NAT detected
115947.155972 SA 80 sa_release: SA 0x7c497a00 had 4 references
115947.156268 Exch 40 exchange_run: exchange 0x7c497900 finished step 2, advancing...
115947.156567 SA 80 sa_reference: SA 0x7c497a00 now has 4 references
115947.201925 Exch 80 exchange_nonce: NONCE_r:
115947.202273 Exch 80 b9ef5387 83d905df c9f3eb5b e83308cc c79581f7
115947.202559 Cryp 60 hash_get: requested algorithm 1
115947.202891 Cryp 60 hash_get: requested algorithm 1
115947.203203 Exch 90 exchange_validate: checking for required KEY_EXCH
115947.203487 Exch 90 exchange_validate: checking for required NONCE
115947.204277 Exch 40 exchange_run: exchange 0x7c497900 finished step 3, advancing...
115947.204712 Timr 10 timer_add_event: event message_send_expire(0x8b641300) added before exchange_free_aux(0x7c497900), expiration in 7s
115947.246154 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy:
115947.246517 Negt 80 99d3ee3e cc461dbb 1f04c980 4003cb41 8732b172 6110a123 dbdcdf17 ee00b79a
115947.246871 Negt 80 90db5f1c b433bf0e e2033634 7c4a1011 f0b0791c 5624228b 3383a1de ccb23033
115947.247224 Negt 80 11cf476f 919e5903 c5dc19b9 aabcc947 12a895ad f18a05bb 3f344995 ff4c362b
115947.247576 Negt 80 942bed27 6d171e53 0feab271 48d0664c 9027d0a9 122e242c 17ae3686 34da4e59
115947.247895 Cryp 60 hash_get: requested algorithm 1
115947.248228 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID:
115947.248550 Negt 80 37e78ca2 00ec7490 cfa009c6 a38db28f ddcba61e
115947.248834 Cryp 60 hash_get: requested algorithm 1
115947.249162 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d:
115947.249482 Negt 80 7c661a86 baa33cef c86fd804 555a3c4f 8db78ec4
115947.249820 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a:
115947.250139 Negt 80 a50deede b52263ea 61ba3b9d 92e8ed8b 67337d67
115947.250467 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e:
115947.250787 Negt 80 64d5e396 ad04bd9f 34bdb74b dd1609b3 8799436c
115947.251068 Cryp 60 hash_get: requested algorithm 1
115947.251551 Cryp 40 crypto_init: key:
115947.251883 Cryp 40 5eb61a34 0c3f3cb9 be514f12 ef1ee687 bfea2a18 95a7af69
115947.261327 Cryp 50 crypto_init_iv: initialized IV:
115947.261631 Cryp 50 2e63492d 295330cc
115954.215449 Timr 10 timer_handle_expirations: event message_send_expire(0x8b641300)
115954.216548 Timr 10 timer_add_event: event message_send_expire(0x8b641300) added before exchange_free_aux(0x7c497900), expiration in 9s
120003.225452 Timr 10 timer_handle_expirations: event message_send_expire(0x8b641300)
120003.226576 Timr 10 timer_add_event: event message_send_expire(0x8b641300) added before exchange_free_aux(0x7c497900), expiration in 11s
^C120012.882408 Default isakmpd: shutting down...
120012.882480 SA 90 sa_find: no SA matched query
120012.882520 SA 90 sa_find: return SA 0x7c497a00
120012.882560 SA 90 sa_find: no SA matched query
120012.882600 SA 70 sa_remove: SA 0x7c497a00 removed from SA list
120012.882638 SA 80 sa_release: SA 0x7c497a00 had 4 references
120012.882673 SA 90 sa_find: no SA matched query
--------------------------------
My isakmpd.conf and policy files are the same as in http://openbsd.cz/~pruzicka/vpn.html. If somebody could help I'll be very happy, because I have almost no experience with IPsec.
Thank you
MK
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <misc@openbsd.org>
Sent: Monday, December 19, 2005 2:23 AM
Subject: VPN: solutions that interoperate with win xp
heya,
i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines. i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).
when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.
i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall "play nice", and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
i am also aware of "the green bow" VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.
anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a "howto" for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.
cheers,
jake
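As an added diagnostic aid for the isakmpd debug log in MK's reply above (this script is not from either poster and is not part of isakmpd or OpenBSD), the Python below re-joins the mail-wrapped log lines and pulls out the phase 1 milestones a reader would otherwise pick out by hand: the conf_parse warning, the NAT-T vendor ID check, the NAT-D result, the last main-mode step isakmpd finished, and the message_send_expire timers that fired with no reply. The sample input is a constructed excerpt of that log; the Phase1Report class, its field names and the verdict wording are my own. The verdict encodes one reading of the log: after "NAT detected" an RFC 3947 peer moves the remainder of the exchange to UDP port 4500, so a responder that finishes step 3 and then only sees its retransmit timers expire has most likely never received the peer's next message, which makes the pf rules and NAT port forwarding for UDP 500 and 4500 the first thing to verify. The script also surfaces the "last line unterminated, ignored." warning, which means the final line of isakmpd.conf has no trailing newline and is being dropped, something worth fixing before chasing NAT-T.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the isakmpd debug log in the post
# above, still wrapped at 80 columns the way the mail client wrapped them.
SAMPLE_LOG = """\
115924.925524 Default conf_parse: last line unterminated, ignored.
115943.846262 Exch 10 exchange_setup_p1: 0x7c497900 ISAKMP-clients
win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
115943.849801 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
115947.155624 Exch 10 nat_t_exchange_check_nat_d: NAT detected
115947.156268 Exch 40 exchange_run: exchange 0x7c497900 finished step 2,
advancing...
115947.204277 Exch 40 exchange_run: exchange 0x7c497900 finished step 3,
advancing...
115954.215449 Timr 10 timer_handle_expirations: event
message_send_expire(0x8b641300)
120003.225452 Timr 10 timer_handle_expirations: event
message_send_expire(0x8b641300)
^C120012.882408 Default isakmpd: shutting down...
"""

# A record starts with an HHMMSS.usec timestamp (the ^C is the echoed Ctrl-C on
# the line where the daemon was stopped), then the log class, an optional debug
# level, the function name and the message. Hex dump lines have no "func:" part.
TIMESTAMP = re.compile(r"^(?:\^C)?\d{6}\.\d{6} ")
RECORD = re.compile(
    r"^(?:\^C)?(?P<ts>\d{6}\.\d{6}) (?P<cls>\w+)(?: (?P<lvl>\d+))? "
    r"(?P<func>\w+): (?P<msg>.*)$"
)
STEP = re.compile(r"finished step (\d+)")


def unwrap(text):
    """Re-join records a mail client wrapped: a line that does not start with
    a timestamp is the tail of the previous record."""
    records = []
    for raw in text.splitlines():
        if TIMESTAMP.match(raw) or not records:
            records.append(raw.rstrip())
        else:
            records[-1] += " " + raw.strip()
    return records


def parse(text):
    """One dict per parsable record; hex dump lines are skipped."""
    out = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            out.append(m.groupdict())
    return out


@dataclass
class Phase1Report:
    config_warnings: list = field(default_factory=list)
    nat_t_capable_peer: bool = False   # peer sent a NAT-T vendor ID
    nat_detected: bool = False         # NAT-D hashes did not match
    last_step_finished: int = -1       # last main-mode step isakmpd completed
    unanswered_retransmits: int = 0    # message_send_expire timers that fired
    phase2_seen: bool = False          # any sign of a phase 2 (quick mode) SA

    def verdict(self):
        if self.phase2_seen:
            return "phase 1 completed"
        if self.nat_detected and self.last_step_finished == 3 and self.unanswered_retransmits:
            return ("phase 1 stalled after NAT detection: isakmpd keeps retransmitting "
                    "its last main-mode reply and never sees the peer's next message")
        if self.unanswered_retransmits:
            return "phase 1 stalled: retransmit timers expiring with no reply"
        return "inconclusive"


def analyze(text):
    r = Phase1Report()
    for rec in parse(text):
        func, msg = rec["func"], rec["msg"]
        if func == "conf_parse":
            r.config_warnings.append(msg)
        elif func == "nat_t_check_vendor_payload" and "NAT-T capable peer detected" in msg:
            r.nat_t_capable_peer = True
        elif func == "nat_t_exchange_check_nat_d" and msg == "NAT detected":
            r.nat_detected = True
        elif func == "exchange_run":
            m = STEP.search(msg)
            if m:
                r.last_step_finished = max(r.last_step_finished, int(m.group(1)))
        elif func == "timer_handle_expirations" and "message_send_expire" in msg:
            r.unanswered_retransmits += 1
        elif func == "exchange_setup_p2" or "phase 2" in msg:
            r.phase2_seen = True
    return r


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, value in vars(report).items():
        print(f"{key}: {value}")
    print("verdict:", report.verdict())
```

Run it on the full log above (saved to a file and passed to analyze) and the same milestones come out, since the unwrap step tolerates the wrapped lines; the hex dump lines from pf_key_v2_read are ignored because they carry no "function:" field.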