I'm trying to get an FC5 laptop behind a firewall connected to an OpenBSD 4.0 server running isakmpd (controlled by ipsecctl) with IPsec using CA authentication. The CA authentication seems to be working and I seem to have passed the Phase 1 exchange but am getting stuck in the Phase 2 exchange.
My /etc/ipsec.d/work.conf:

    conn work
        type=tunnel
        left=[ip of eth0 on FC5 laptop]
        right=[vpn server ip]
        keyexchange=ike
        auto=ignore
        auth=esp
        ike=aes128-sha1-modp1024
        authby=rsasig
        leftrsasigkey=%cert
        leftid=@[FC5 laptop FQDN]
        leftcert=[FC5 laptop FQDN].crt
        leftsendcert=always
        rightrsasigkey=%cert
        rightid=@[vpn host FQDN]
        rightcert=[vpn host FQDN].crt

/etc/ipsec.conf is:

    ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
        srcid [vpn host FQDN] dstid [FC5 laptop FQDN]

I had to change the quick auth parameters because Openswan doesn't support sha2, the default for isakmpd.

When I start Openswan on the FC5 laptop:

    # ipsec auto --replace work; ipsec auto --up --verbose work
    002 "work" #28: initiating Main Mode
    104 "work" #28: STATE_MAIN_I1: initiate
    003 "work" #28: ignoring unknown Vendor ID payload [6c0dcd481deae8ae0b0a68384b3072f9]
    003 "work" #28: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
    003 "work" #28: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    003 "work" #28: received Vendor ID payload [RFC 3947] method set to=109
    003 "work" #28: received Vendor ID payload [Dead Peer Detection]
    002 "work" #28: enabling possible NAT-traversal with method 3
    002 "work" #28: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    106 "work" #28: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "work" #28: NAT-Traversal: Result using 3: i am NATed
    002 "work" #28: I am sending my cert
    002 "work" #28: I am sending a certificate request
    002 "work" #28: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    108 "work" #28: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "work" #28: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    002 "work" #28: Main mode peer ID is ID_FQDN: '@[vpn host FQDN]'
    002 "work" #28: no crl from issuer "[blah]" found (strict=no)
    002 "work" #28: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    004 "work" #28: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1024}
    002 "work" #29: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#28}
    002 "work" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    117 "work" #29: STATE_QUICK_I1: initiate
    010 "work" #29: STATE_QUICK_I1: retransmission; will wait 20s for response
    010 "work" #29: STATE_QUICK_I1: retransmission; will wait 40s for response
    031 "work" #29: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    000 "work" #29: starting keying attempt 2 of an unlimited number, but releasing whack

According to ipsec.conf(5):

    quick auth algorithm enc algorithm group group
        These parameters define the cryptographic transforms to be used
        for quick mode. Possible values for auth, enc, and group are
        described below in CRYPTO TRANSFORMS. If group is specified,
        Perfect Forward Security (PFS) is used. If the value none is
        used, PFS is disabled. If omitted, ipsecctl(8) will use the
        default values hmac-sha2-256 and aes; PFS will only be used if
        the remote side requests it.

However, Openswan doesn't support sha2, so I added the following to /etc/ipsec.d/work.conf:

    esp=aes-sha1

and then /etc/ipsec.conf becomes:

    ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
        quick auth hmac-sha1 enc aes \
        srcid vpn.thewrittenword.com dstid home.thewrittenword.com

But the above doesn't get me any further. Any ideas?

-- 
albert chin ([EMAIL PROTECTED])
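Added example (editor's, not the poster's files and not an answer from the thread): a consistent pair of configurations for the setup described above. It spells out the Phase 1 and Phase 2 transforms on both ends so neither side depends on a default the other cannot negotiate, and it gives the Openswan conn explicit leftsubnet/rightsubnet selectors that mirror the OpenBSD flow, since a conn with no subnets proposes host-to-host selectors in Quick Mode that a subnet-to-subnet flow on the server does not match. Assumed, because the post does not state it: the laptop's LAN is 192.168.6.0/24 and the server's LAN is 192.168.1.0/24, as the flow implies; the bracketed placeholders are the post's own and still need filling in.

```conf
# Added example, not the poster's configuration. Assumptions: laptop LAN is
# 192.168.6.0/24, server LAN is 192.168.1.0/24 (taken from the flow in the
# post); bracketed values are the post's placeholders.

# --- FC5 laptop: /etc/ipsec.d/work.conf (Openswan) ---
conn work
    type=tunnel
    keyexchange=ike
    auto=ignore
    authby=rsasig
    # Phase 1: must match "main" on the OpenBSD side
    ike=aes128-sha1-modp1024
    # Phase 2: must match "quick" on the OpenBSD side; with pfs=yes the PFS
    # group is the Phase 1 group (modp1024), so the server must allow it too
    esp=aes128-sha1
    pfs=yes
    # local end (behind NAT): host address plus the subnet the tunnel carries
    left=[ip of eth0 on FC5 laptop]
    leftsubnet=192.168.6.0/24
    leftid=@[FC5 laptop FQDN]
    leftrsasigkey=%cert
    leftcert=[FC5 laptop FQDN].crt
    leftsendcert=always
    # remote end: rightsubnet makes the Quick Mode selectors
    # 192.168.6.0/24 <-> 192.168.1.0/24, the same pair the server's flow uses;
    # without it Openswan proposes [eth0 ip]/32 <-> [vpn server ip]/32
    right=[vpn server ip]
    rightsubnet=192.168.1.0/24
    rightid=@[vpn host FQDN]
    rightrsasigkey=%cert
    rightcert=[vpn host FQDN].crt

# --- OpenBSD 4.0 server: /etc/ipsec.conf (ipsecctl/isakmpd) ---
# Both phases written out, so nothing falls back to isakmpd's hmac-sha2-256
# default; "group modp1024" on the quick line accepts the PFS group Openswan
# proposes instead of waiting for the remote side to request it.
ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
    main  auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid [vpn host FQDN] dstid [FC5 laptop FQDN]
```

After reloading both sides (ipsecctl -f /etc/ipsec.conf on the server, ipsec auto --replace work followed by ipsec auto --up work on the laptop), ipsecctl -sa on the server should list a pair of ESP SAs and ipsecctl -sf the two flows. If Quick Mode still times out, the first thing to compare is the selector pair and transform set in isakmpd's own log: running it in the foreground with isakmpd -K -d -DA=90 shows the proposal it received and the reason it was not accepted, which Openswan's "perhaps peer likes no proposal" line cannot tell you.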