Can you try to run isakmpd without "-K" and use a 2 line isakmpd.policy like this:

KeyNote-Version: 2
Authorizer: "POLICY"

This policy accepts anything, so this should be done only for testing.

On Thu, Aug 16, 2007 at 02:53:44AM +0300, Sergey Prysiazhnyi wrote:
> On Wed, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote:
> > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote:
> > > ike dynamic from any to any \
> > >     main auth hmac-sha1 enc aes group modp1024 \
> > >     quick auth hmac-sha1 enc aes psk secret
> > >
> > > ; ike passive, ike passive esp, ike esp, etc - no results.
> >
> > On the openbsd gateway you need something like this
> >
> > ike passive from any to 10.1.1.0/24 \
> >     main auth hmac-sha1 enc 3des group modp1024 \
> >     quick auth hmac-sha1 enc 3des psk secret
> >
> > The default transform of the greenbowclient for phase 1 is
> > 3des/sha1/modp1024, for phase 1 3des/sha1.
>
> Thank you Hans-Joerg, but it is still useless for me: :(
>
> sudo cat /etc/ipsec.conf
> ike passive from any to 10.1.1.0/24 \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des psk secret
>
> pf.conf rules relative to ipsec:
>
> set skip on { lo enc0 }
>
> pass in on $ext_if proto udp to ($ext_if) port { 500, 4500 }
> pass out on $ext_if proto udp from ($ext_if) to port { 500, 4500 }
> pass in on $ext_if proto esp to ($ext_if)
> pass out on $ext_if proto esp from ($ext_if)
> pass in on enc0 proto ipencap to ($ext_if) keep state (if-bound)
> pass out on enc0 proto ipencap from ($ext_if) keep state (if-bound)
>
> further:
>
> isakmpd -dKv &
> ipsecctl -F
> ipsecctl -f /etc/ipsec.conf
>
> greenbowclient: all parameters are in accordance with ipsec.conf on gateway
> side:
>
> logs on gw -
>
> 023255.538907 Default isakmpd: phase 1 done: initiator id c0a80321: 192.168.3.33, responder id 5851eaa2: 88.81.XX.XX, src: 88.81.XX.XX dst: 77.123.XX.XX
> 023255.558498 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
> 023255.558643 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN
> 023302.570472 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
> 023302.570660 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN
>
> greenbowclient logs -
>
> 20070816 023245 Default IKE daemon is removing SAs...
> 20070816 023250 Default Reinitializing IKE daemon
> 20070816 023250 Default IKE daemon reinitialized
> 20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID]
> 20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
> 20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
> 20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
> 20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [HASH] [ID]
> 20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [HASH] [ID] [NOTIFY]
> 20070816 023258 Default phase 1 done: initiator id 192.168.3.33, responder id 88.81.234.162
> 20070816 023258 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
> 20070816 023258 Default (SA CnxVpn1-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
> 20070816 023305 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
> 20070816 023305 Default (SA CnxVpn1-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
> 20070816 023328 Default (SA CnxVpn1-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
> 20070816 023328 Default (SA CnxVpn1-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
>
> PS: gw on 4.1-stable, roaming users behind OpenBSD box on 4.2.
>
> My continued thanks,
>
> --
> Sergey Prysiazhnyi
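An added triage helper, not from this thread, that parses the isakmpd "peer proposed invalid phase 2 IDs" lines quoted above, decodes the hex ID forms, and checks them against the local/remote networks of the gateway's ipsec.conf rule. It assumes ipsec.conf(5) semantics (from is the local network, to the remote one) and that the gateway is the responder, so the peer's responder ID should fall inside the local network and its initiator ID inside the remote one; the log sample is constructed from the quoted lines and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample in the format isakmpd printed in the thread
# (addresses redacted exactly as the poster redacted them).
ISAKMPD_LOG = """\
023255.538907 Default isakmpd: phase 1 done: initiator id c0a80321: 192.168.3.33, responder id 5851eaa2: 88.81.XX.XX, src: 88.81.XX.XX dst: 77.123.XX.XX
023255.558498 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
023255.558643 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN
"""

# "initiator id <hex>: <text>, responder id <hex>[/<hexmask>]: <text>"
ID_RE = re.compile(r"peer proposed invalid phase 2 IDs: "
                   r"initiator id ([0-9a-f/]+): ([^\s,]+), "
                   r"responder id ([0-9a-f/]+): (\S+)")
FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


def _dotted(hex8):
    """'c0a80321' -> '192.168.3.33'."""
    return ".".join(str(int(hex8[i:i + 2], 16)) for i in range(0, 8, 2))


def hex_id_to_network(hex_id):
    """Decode isakmpd's hex ID form ('c0a80321' or '0a010100/ffffff00')."""
    addr_hex, _, mask_hex = hex_id.partition("/")
    return ip_network(f"{_dotted(addr_hex)}/{_dotted(mask_hex) if mask_hex else 32}")


def parse_flow(ike_rule):
    """Local and remote networks of an ipsec.conf 'ike ... from X to Y' rule."""
    local, remote = FLOW_RE.search(ike_rule).groups()
    return tuple(ip_network("0.0.0.0/0" if t == "any" else t) for t in (local, remote))


def check_phase2_ids(log_text, local_net, remote_net):
    """Per rejected phase 2 proposal: do the peer's IDs fit our flow? (we are the responder)"""
    findings = []
    for m in ID_RE.finditer(log_text):
        init_hex, init_txt, resp_hex, resp_txt = m.groups()
        init_net, resp_net = hex_id_to_network(init_hex), hex_id_to_network(resp_hex)
        findings.append({
            "initiator": str(init_net),
            "responder": str(resp_net),
            "hex_matches_text": init_net == ip_network(init_txt) and resp_net == ip_network(resp_txt),
            "responder_in_local": resp_net.subnet_of(local_net),   # peer's view of our side
            "initiator_in_remote": init_net.subnet_of(remote_net), # peer's view of its side
        })
    return findings


if __name__ == "__main__":
    local, remote = parse_flow("ike passive from any to 10.1.1.0/24")
    for finding in check_phase2_ids(ISAKMPD_LOG, local, remote):
        print(finding)
```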