Hans-Joerg, Markus - Thanks for the advice and the help. I sat down and did
some more testing at work. I definitely have an IPSEC tunnel from one point
to the other. Any suggestions on how I can now have my users route all of
their traffic through our end? I'd like them to be able to safely browse
sites from Internet cafes and such.

On 8/18/07, Steve B <[EMAIL PROTECTED]> wrote:
>
> I finally have some SUCCESS to report!!!!! I changed the ipsec.conf file
> back to the one that I got to work on Phase 1, but appeared to be hanging on
> Phase 2, ran ipsecctl -f /etc/ipsec.conf and started isakmpd without the
> "-K". Greenbow now reports both Phases worked and I had a tunnel. When I
> tested from the command line I was able to ping from one location to the
> other!! The only question that remains is, how can I determine traffic is
> passing over the IPSEC VPN instead of whatever connection it got to
> establish the VPN?
>
> # cat /etc/ipsec.conf
> ike dynamic esp tunnel from any to 192.168.1.0/24 \
> main  auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha2-256 enc 3des \
> psk abc123
>
> # ipsecctl -f /etc/ipsec.conf
>
> # ps ax |grep isakmpd
> 17023 ??  Is      0:00.02 isakmpd: monitor [priv] (isakmpd)
> 19046 ??  I       0:00.79 isakmpd
>
> # echo "p on" > /var/run/isakmpd.fifo
> # echo "p off" > /var/run/isakmpd.fifo
> # tcpdump -r /var/run/isakmpd.pcap -vvn
>
> 13:29:04.815727 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->0000000000000000 msgid: 00000000 len:
> 160
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>         payload: VENDOR len: 20 (supports v1 NAT-T,
> draft-ietf-ipsec-nat-t-ike-00)
>         payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len
> 188)
> 13:29:04.826775 64.119.37.74.500 > 64.119.40.170.500 : [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 00000000 len:
> 180
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>         payload: VENDOR len: 20 (supports OpenBSD-4.0)
>         payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len
> 208)
> 13:29:04.959737 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 00000000 len:
> 228
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 20
>         payload: NAT-D-DRAFT len: 24
>         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)
> 13:29:05.065555 64.119.37.74.4500 > 64.119.40.170.4500: [udp sum ok]
> udpencap: isakmp v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 00000000 len:
> 228
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 20
>         payload: NAT-D-DRAFT len: 24
>         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
> 13:29:05.196922 64.119.40.170.4500 > 64.119.37.74.4500: [bad udp cksum
> a274!] udpencap: isakmp v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 00000000 len: 92
>         payload: ID len: 12 type: IPV4_ADDR = 192.168.11.109
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 28
>             notification: INITIAL CONTACT
> (14a9d793fabd9a1b->40a39c778bcbd5eb) [ttl 0] (id 1, len 124)
> 13:29:05.197530 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 4d5e!] udpencap: isakmp v1.0 exchange ID_PROT
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 00000000 len:
> 104
>         payload: ID len: 24 type: FQDN = "gateway.home.lan"
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 28
>             notification: INITIAL CONTACT
> (14a9d793fabd9a1b->40a39c778bcbd5eb) [ttl 0] (id 1, len 136)
> 13:29:05.252842 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 978e!] udpencap: isakmp v1.0 exchange QUICK_MODE
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len:
> 148
>         payload: HASH len: 24
>         payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz:
> 4 xforms: 1 SPI: 0xb038f9a0
>                 payload: TRANSFORM len: 24
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute ENCAPSULATION_MODE = 61443 (unknown)
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>         payload: NONCE len: 20
>         payload: ID len: 12 type: IPV4_ADDR = 192.168.11.109
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 192.168.1.0/255.255.255.0 [ttl 0] (id 1, len 180)
> 13:29:05.255054 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 978e!] udpencap: isakmp v1.0 exchange QUICK_MODE
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len:
> 148
>         payload: HASH len: 24
>         payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz:
> 4 xforms: 1 SPI: 0xc23ba0f6
>                 payload: TRANSFORM len: 24
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute ENCAPSULATION_MODE = 61443 (unknown)
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>         payload: NONCE len: 20
>         payload: ID len: 12 type: IPV4_ADDR = 192.168.11.109
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 192.168.1.0/255.255.255.0 [ttl 0] (id 1, len 180)
> 13:29:05.310478 64.119.40.170.4500 > 64.119.37.74.4500: [bad udp cksum
> 300a!] udpencap: isakmp v1.0 exchange QUICK_MODE
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len: 52
>         payload: HASH len: 24 [ttl 0] (id 1, len 84)
> 13:29:10.210377 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: aaa26a9f len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23109 [ttl 0] (id 1,
> len 116)
> 13:29:10.263451 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 9f3f01ba len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23109 [ttl 0] (id
> 1, len 116)
> 13:29:15.270357 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: d94edbe1 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23110 [ttl 0] (id 1,
> len 116)
> 13:29:15.324567 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 50b487d4 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23110 [ttl 0] (id
> 1, len 116)
> 13:29:15.889461 64.119.37.74.4500 > 64.119.40.170.4500: [udp sum ok]
> udpencap: isakmp v1.0 exchange QUICK_MODE
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 7534cf04 len:
> 288
>         payload: HASH len: 24
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz:
> 4 xforms: 1 SPI: 0x1d004486
>                 payload: TRANSFORM len: 28
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 1200
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256
>                         attribute GROUP_DESCRIPTION = 2
>         payload: NONCE len: 20
>         payload: KEY_EXCH len: 132
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 192.168.1.0/255.255.255.0 [ttl 0] (id 1, len 320)
> 13:29:20.340357 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: e0887e93 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23111 [ttl 0] (id 1,
> len 116)
> 13:29:20.395636 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 6d9f75ee len: 84
>
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23111 [ttl 0] (id
> 1, len 116)
> 13:29:25.410330 64.119.37.74.4500 > 64.119.40.170.4500 : [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: c283bb96 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23112 [ttl 0] (id 1,
> len 116)
> 13:29:25.466349 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 8f49389a len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23112 [ttl 0] (id
> 1, len 116)
> 13:29:30.486598 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 3fa0fe90 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23113 [ttl 0] (id 1,
> len 116)
> 13:29:30.539491 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 6c62fcc6 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23113 [ttl 0] (id
> 1, len 116)
> 13:29:35.556146 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 7a7f89a3 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23114 [ttl 0] (id 1,
> len 116)
> 13:29:35.612233 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 4408b08b len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23114 [ttl 0] (id
> 1, len 116)
> 13:29:40.625802 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 58a07d6a len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23115 [ttl 0] (id 1,
> len 116)
> 13:29:40.681990 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 80482c26 len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 23115 [ttl 0] (id
> 1, len 116)
> 13:29:45.685449 64.119.37.74.4500 > 64.119.40.170.4500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>         cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 0816db3b len: 84
>         payload: HASH len: 24
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 23116 [ttl 0] (id 1,
> len 116)
> 13:29:45.741452 64.119.40.170.4500 > 64.119.37.74.500: [bad udp cksum
> 280!] udpencap: isakmp v1.0 exchange INFO
>
> From Greenbow logs:
> [VPNCONF] TGBIKESTART received
> 20070818 132904 Default (SA Home_Network-P1) SEND phase 1 Main Mode  [SA]
> [VID] [VID] [VID] [VID]
> 20070818 132904 Default (SA Home_Network-P1) RECV phase 1 Main Mode  [SA]
> [VID] [VID] [VID] [VID] [VID]
> 20070818 132904 Default (SA Home_Network-P1) SEND phase 1 Main Mode
> [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
> 20070818 132904 Default (SA Home_Network-P1) RECV phase 1 Main Mode
> [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
> 20070818 132904 Default (SA Home_Network-P1) SEND phase 1 Main Mode
> [HASH] [ID] [NOTIFY]
> 20070818 132904 Default (SA Home_Network-P1) RECV phase 1 Main Mode
> [HASH] [ID] [NOTIFY]
> 20070818 132904 Default phase 1 done: initiator id 192.168.11.109,
> responder id gateway.home.lan
> 20070818 132904 Default (SA Home_Network-Home_Network-P2) SEND phase 2
> Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
> 20070818 132905 Default (SA Home_Network-Home_Network-P2) RECV phase 2
> Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
> 20070818 132905 Default (SA Home_Network-Home_Network-P2) SEND phase 2
> Quick Mode  [HASH]
> 20070818 132909 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132909 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132915 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132915 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132915 Default (SA <unknown>) RECV phase 2 Quick Mode  [HASH]
> [SA] [KEY_EXCH] [NONCE] [ID] [ID]
> 20070818 132915 Default message_negotiate_incoming_sa: no compatible
> proposal found
> 20070818 132920 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132920 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132922 Default (SA <unknown>) RECV phase 2 Quick Mode  [HASH]
> [SA] [KEY_EXCH] [NONCE] [ID] [ID]
> 20070818 132922 Default message_negotiate_incoming_sa: no compatible
> proposal found
> 20070818 132925 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132925 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132930 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132930 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132931 Default (SA <unknown>) RECV phase 2 Quick Mode  [HASH]
> [SA] [KEY_EXCH] [NONCE] [ID] [ID]
> 20070818 132931 Default message_negotiate_incoming_sa: no compatible
> proposal found
> 20070818 132935 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132935 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132940 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132940 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132942 Default (SA <unknown>) RECV phase 2 Quick Mode  [HASH]
> [SA] [KEY_EXCH] [NONCE] [ID] [ID]
> 20070818 132942 Default message_negotiate_incoming_sa: no compatible
> proposal found
> 20070818 132945 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132945 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132950 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132950 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 132955 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 132955 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 133005 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 133005 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 133010 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 133010 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 133016 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 133016 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
> 20070818 133021 Default (SA Home_Network-P1) RECV Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE
> 20070818 133021 Default (SA Home_Network-P1) SEND Informational  [HASH]
> [NOTIFY] type DPD_R_U_THERE_ACK
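Added example, not code from either poster: a small Python parser for the decoded isakmpd tcpdump output quoted above. It groups QUICK_MODE packets by msgid and flags negotiations that never reached the third (HASH-only) message, which is how the "no compatible proposal found" lines in the Greenbow log line up with the gateway-initiated Quick Mode at 13:29:15 (0.0.0.0/0 selector, HMAC_SHA2_256, PFS group 2). The embedded sample is a constructed, trimmed and unwrapped excerpt of the post's own dump.

```python
# Added example: summarise Quick Mode (Phase 2) negotiations in "tcpdump -r /var/run/isakmpd.pcap -vvn" output.
import re

# Constructed sample: trimmed, unwrapped excerpt of the post's decoded isakmpd dump.
SAMPLE = """\
13:29:05.252842 64.119.40.170.4500 > 64.119.37.74.500: udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len: 148
                        attribute ENCAPSULATION_MODE = 61443 (unknown)
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: ID len: 12 type: IPV4_ADDR = 192.168.11.109
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.1.0/255.255.255.0
13:29:05.255054 64.119.37.74.4500 > 64.119.40.170.4500: udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len: 148
13:29:05.310478 64.119.40.170.4500 > 64.119.37.74.4500: udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: a36e0ba2 len: 52
13:29:10.210377 64.119.37.74.4500 > 64.119.40.170.4500: udpencap: isakmp v1.0 exchange INFO
        cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: aaa26a9f len: 84
13:29:15.889461 64.119.37.74.4500 > 64.119.40.170.4500: udpencap: isakmp v1.0 exchange QUICK_MODE
        cookie: 14a9d793fabd9a1b->40a39c778bcbd5eb msgid: 7534cf04 len: 288
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256
                        attribute GROUP_DESCRIPTION = 2
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.1.0/255.255.255.0
"""

PKT_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+)\.\d+ > .*exchange (\w+)")  # packet header: source IP, exchange type
MSGID_RE = re.compile(r"msgid: ([0-9a-f]+)")
ATTR_RE = re.compile(r"attribute (\w+) = (\S+)")
ID_RE = re.compile(r"payload: ID .*= (\S+)")  # traffic selectors (IDci / IDcr)

def parse_quick_mode(dump):
    """Group QUICK_MODE packets by msgid, keeping the initiator's proposal and selectors."""
    negs, neg, src = {}, None, None
    for line in dump.splitlines():
        if m := PKT_RE.match(line):
            neg, src = None, (m.group(1) if m.group(2) == "QUICK_MODE" else None)  # skip ID_PROT/INFO
        elif src and (m := MSGID_RE.search(line)):
            neg = negs.setdefault(m.group(1), {"initiator": src, "packets": 0, "attrs": {}, "ids": []})
            neg["packets"] += 1
        elif neg and neg["packets"] == 1:  # record only the first (initiator's) message
            if m := ATTR_RE.search(line):
                neg["attrs"][m.group(1)] = m.group(2)
            elif m := ID_RE.search(line):
                neg["ids"].append(m.group(1))
    return negs

def completed(neg):
    """IKEv1 Quick Mode takes three messages; fewer means no IPsec SA was installed."""
    return neg["packets"] >= 3

if __name__ == "__main__":
    for msgid, n in parse_quick_mode(SAMPLE).items():
        print(msgid, "by", n["initiator"], n["attrs"], n["ids"],
              "established" if completed(n) else "incomplete (%d/3 msgs)" % n["packets"])
```

The client-initiated negotiation (a36e0ba2) completes, while the gateway's own proposal (7534cf04) gets no reply, so only the 192.168.11.109 to 192.168.1.0/24 flow carries traffic; watching enc(4) with tcpdump or listing SAs with ipsecctl on the gateway confirms the same thing live.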
