Matthew Closson wrote:
On Thu, 10 Aug 2006, Steve Glaus wrote:
Daniel Ouellet wrote:
Steve Glaus wrote:
Hello all,
I'm finally desperate enough to post this to a list...
I have been trying for two days to set up a basic VPN between my
OpenBSD box at home and my OpenBSD box at work.
The box at home is running 3.7 and the box here at work is running
3.9.
May be worth having 3.9 in both places.
Here is something that might help:
http://www.securityfocus.com/infocus/1859
Also may be good to read:
http://www.undeadly.org/cgi?action=article&sid=20060621160000
and this specially:
http://www.undeadly.org/cgi?action=article&sid=20060606210130
man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf
So many changes happened in the last few months and many things have
been replaced that I think trying to setup a VPN using what we may
call the old way is a waste of time.
I have seen many articles and examples in the last few months
explaining all the great changes to this that I would say trying to
use 3.7 for this is wrong. But I may be wrong for sure. It's just
based on what was posted lately, really.
I am not 100% sure, but I think even some of the best changes are in
current that make the setup very simple now based on articles on
undeadly.org about the subject.
Just a thought.
Hope this helps you some.
Hello again,
Thanks for your help earlier. I haven't really had time to look at
this problem in the last few weeks.
I've started trying to use ipsecctl on my 3.9 box to connect to the
actual service we will be using this for and I've made SOME progress
so thank you for steering me in the right direction.
Now,
Whenever I try to connect to one of our cheesy little VPN routers
(DLINK DFL-300's) using ipsecctl it works perfectly. The tunnel comes
up everything looks beautiful.
But I can't stop there I'm afraid (though GOD I wish I could)....
I'm trying to connect to a sonicwall 4060 VPN that our software
vendor uses. When I try to do this using the same setup (with the
appropriate changes made) I get NO_PROPOSAL_CHOSEN messages.
One glaring difference that I can see is that when I connect to the
DLINK I use a passive connection and isakmpd sits and listens for
incoming connections. Could this be a lifetime issue? Tech support at
the other end said this is possible. How do you set the lifetime
using ipsecctl? (I've read that this is only possible with -current.)
Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
Looking at my logs I'm pretty sure that it's making it through
phase1. Our vendor's phase1 and phase2 use identical
encryption/authorization so I don't quite understand why I would be
getting NO_PROPOSALS for only phase2. The lifetimes for both phases
are also identical on the vendor's end.
This is the relevant configuration info:
ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134
main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk
"XXXXXXXXXX"
The debug output can be found here:
http://ww2.bartowpc.com:8080/isakmpd_out
I really don't know where to go from here. I've invested hours &
hours into this and we've (foolishly?) committed to this direction.
Thanks for any help anyone can give.
Ask the SonicWall4060 admin how he/she is defining their network
objects. You have specified 172.28.128.0/21. On SonicOS enhanced you
can define address objects as "Single Host", "Network", or "Address
Range". I think they want to use Network, and specify the netmask
rather than address range; that could be an issue. SonicOS also
uses 28800/28800 SA lifetimes as opposed to 86400/28800.
Good luck! I've connected to a 4060 multiple times before but not
using the new ipsecctl syntax, I used the old isakmpd.conf syntax.
Later,
-Matt-
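As an added example (not code from this thread or from OpenBSD), a small Python parser for the ipsec.conf ike rule quoted above: it rejects a malformed network such as the 172.28.128/0/21 typo before isakmpd ever sees it, and compares the quick-mode settings with a constructed peer policy, including the "Network" versus "Address Range" object point Matt raises. The peer dict's shape and the reading of a quick-mode `group` keyword as PFS are assumptions.

```python
"""Parse an OpenBSD ipsec.conf(5) 'ike' rule and compare its quick-mode (phase 2)
settings with what the peer expects, to narrow down a NO_PROPOSAL_CHOSEN."""
import ipaddress
import re

def parse_ike_rule(line):
    """Return a dict from an 'ike esp from A to B peer P main ... quick ... psk ...' rule."""
    toks = re.findall(r'"[^"]*"|\S+', line.strip())
    if toks[:2] != ["ike", "esp"]:
        raise ValueError("only 'ike esp' rules are handled here")
    rule, phase, i = {"main": {}, "quick": {}}, None, 2
    while i < len(toks):
        t = toks[i]
        if t in ("from", "to", "peer"):
            rule[t] = toks[i + 1]; i += 2
        elif t in ("main", "quick"):
            phase = t; i += 1
        elif t in ("auth", "enc", "group") and phase:
            rule[phase][t] = toks[i + 1]; i += 2
        elif t == "psk":
            rule["psk"] = toks[i + 1].strip('"'); i += 2
        elif t in ("active", "passive", "dynamic"):
            rule["mode"] = t; i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    for k in ("from", "to"):  # catches typos such as 172.28.128/0/21 early
        try:
            rule[k] = ipaddress.ip_network(rule[k])
        except ValueError as e:
            raise ValueError(f"bad network in '{k}': {rule[k]}") from e
    return rule

def selector_matches(net, peer_obj):
    """True when the peer's object (CIDR string = 'Network', (first, last) tuple = 'Address Range') covers exactly net."""
    if isinstance(peer_obj, str):
        return ipaddress.ip_network(peer_obj) == net
    first, last = (ipaddress.ip_address(a) for a in peer_obj)
    return first == net.network_address and last == net.broadcast_address

def quick_mode_problems(rule, peer):
    """Phase 2 mismatches against a peer policy dict (constructed for this example,
    keys enc, auth, pfs, network). An empty list means a proposal can be chosen."""
    q, problems = rule["quick"], []
    if (q.get("enc"), q.get("auth")) != (peer["enc"], peer["auth"]):
        problems.append("phase 2 transform differs from the peer's")
    if not selector_matches(rule["to"], peer["network"]):
        problems.append(f"remote network {rule['to']} != peer object {peer['network']}")
    if ("group" in q) != peer["pfs"]:  # assumption: quick 'group' means PFS on
        problems.append("PFS enabled on one side only")
    return problems
```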
Alright, an update:
I've managed to connect to the sonicwall.
Once.
And everything worked perfectly until I took the tunnel down, made some
changes and tried to reconnect again and lo and behold no joy.
To get it working in the FIRST place I had to set the connection type to
"passive" in ipsec.conf. I ran isakmpd, ran ipsecctl and the tunnels
came right up. Now, when I bring it up again I get INVALID_COOKIE
errors. I might be WAY off base here but I think that this is because
they're trying to re-establish the same connection (I had them set 'keep
alive' to yes on their end) and I'm just sitting here listening
passively, not re-initializing a new connection? I don't know if that
makes sense or not (I might just be revealing my ignorance). The one
time it DID work was the first time I tried connecting to this specific
endpoint.
When I try to connect without using passive I get the same old
NO_PROPOSAL_FOUND errors.
Thanks for all the help so far everyone.