> -----Original Message-----
> From: Christoph Leser
> Sent: Friday, 21 September 2007 16:44
> To: '[EMAIL PROTECTED]'
> Subject: Re: isakmp phase 2 negotiation failed
>
>
> >                 w
> >#    $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> >#
> ># See ipsec.conf(5) for syntax and examples.
>
> >ike esp from 10.192.0.0/16 to 10.0.0.0/8 \
> >     peer gw.vpn.cobbled.net \
> >     main auth hmac-sha enc 3des-cbc \
> >     quick auth hmac-md5 enc des-cbc \
> >     srcid caley01.vpn.cobbled.net dstid gw.vpn.cobbled.net
> ># isakmpd configuration
>
> >[General]
> >Listen-on=           83.104.36.71
>
> >[X509-Certificates]
> >CA-directory=                /etc/isakmpd/ca/
> >Cert-directory=              /etc/isakmpd/certs/
> >Private-key=         /etc/isakmpd/private/local.key
>
> >[Phase 1]
> >#84.203.180.117=     gw.vpn.cobbled.net
>
> >[caley01.vpn.cobbled.net]
> >ID-Type=             FQDN
> >Name=                        caley01.vpn.cobbled.net
>
> >[gw.vpn.cobbled.net]
> >ID-Type=             FQDN
> >Name=                        gw.vpn.cobbled.net
>
> >[Phase 2]
> >Connections=         cobbled-caley
>
> >[cobbled_net-gw]
> >Phase=                       1
> >Configuration=               low-crypto
> >Address=             84.203.180.117
> >ID=                  caley01.vpn.cobbled.net
> >Remote-ID=           gw.vpn.cobbled.net
>
> >[cobbled-caley]
> >Phase=                  2
> >ISAKMP-peer=            cobbled_net-gw
> >Configuration=               low-crypto-quick
> >Local-ID=               cobbled_net-caley
> >Remote-ID=              cobbled_net-all
>
> >[cobbled_net-all]
> >ID-Type=                IPV4_ADDR_SUBNET
> >Network=                10.0.0.0
> >Netmask=                255.0.0.0
>
> >[cobbled_net-caley]
> >ID-Type=                IPV4_ADDR_SUBNET
> >Network=                10.192.0.0
> >Netmask=                255.255.0.0
>
> >[low-crypto]
> >DOI=                    IPSEC
> >EXCHANGE_TYPE=          ID_PROT
> >Transforms=             3DES-SHA-RSA_SIG
>
> >[low-crypto-quick]
> >DOI=                    IPSEC
> >EXCHANGE_TYPE=          QUICK_MODE
> >Transforms=             QM-ESP-DES-MD5-SUITE
>
>
>
>
>
 Maybe there is a problem with your isakmpd.conf:

 The hierarchy should be as follows (that's at least what I
 read from man isakmpd.conf):

 Connections lists <ipsec-connection>s: cobbled-caley

 <ipsec-connections> names <IPsec-configuration>: low-crypto-quick

 <IPsec-configuration> names <Suites> QM-ESP-DES-MD5-SUITE  !!
 so maybe it should be

 [low-crypto-quick]
 DOI=                    IPSEC
 EXCHANGE_TYPE=          QUICK_MODE
 Suites=                 QM-ESP-DES-MD5-SUITE

 i.e. transforms is not a valid parameter in the
 IPsec-configuration section


 let me know ...


 regards

 christoph
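
The section hierarchy described in the reply above (Connections, then the connection section, then its Configuration section, which should carry a Suites entry) can be checked mechanically. This is an added example, not part of the original message or of OpenBSD; `check_phase2` and `split_list` are hypothetical helper names, and the sample is constructed from the Phase 2 part of the quoted configuration.

```python
import configparser

# Constructed sample: the Phase 2 part of the configuration quoted in the thread.
SAMPLE = """\
[Phase 2]
Connections=         cobbled-caley

[cobbled-caley]
Phase=                  2
ISAKMP-peer=            cobbled_net-gw
Configuration=          low-crypto-quick
Local-ID=               cobbled_net-caley
Remote-ID=              cobbled_net-all

[low-crypto-quick]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Transforms=             QM-ESP-DES-MD5-SUITE
"""

def split_list(value):
    """Split a comma-separated isakmpd.conf list value into names."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_phase2(text):
    """Walk Connections -> connection -> Configuration and report problems."""
    # Option names are matched case-insensitively by configparser.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    problems = []
    for conn in split_list(cfg.get("Phase 2", "Connections", fallback="")):
        if not cfg.has_section(conn):
            problems.append(f"connection [{conn}] is not defined")
            continue
        name = cfg.get(conn, "Configuration", fallback=None)
        if name is None or not cfg.has_section(name):
            problems.append(f"[{conn}] names no existing Configuration section")
            continue
        # Per the reply: a Phase 2 configuration section lists Suites.
        if not cfg.has_option(name, "Suites"):
            hint = " (found Transforms instead)" if cfg.has_option(name, "Transforms") else ""
            problems.append(f"[{name}] has no Suites entry{hint}")
    return problems

if __name__ == "__main__":
    for problem in check_phase2(SAMPLE):
        print(problem)
```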
