Hello jcr,
Friday, November 23, 2007, 5:36:30 PM, you wrote:
> k .
> Here I go.
> I have read the misc list upside down and right to left, but I can't
> find a solution to my problem.
> Here is the LAN/WAN network
> 192.168.0/24(lan)-->>Netgear DG 834 (adsl + NAT + ipsec +ip fix A)
> |
> <---WEB--->
> |
> OpenBSD 4.2
> (ipsec.conf+isakmpd.policy+ip fix B+ NAT) --> 10.7.22.0/24(lan)
>
>
> Very simple : lan to lan VPN between 2 GW (DH834 & Obsd)
> Here are the conf :
> netgear :
> local lan : 192.168.0.0/24
> remote lan : 10.7.22.0/24
> IKE :
> direction : initiator & responder
> mode : main
> Diffie-Hellman : Group 2 (1024)
> local id : IP wan
> remote id: IP
> Params
> Crypto algo : 3DES
> Algo auth : SHA-1
> pre shared key : 123456789
> SA life time : 36000
> active PFS
> OpenBSD :
> ipsec.conf
> ike dynamic esp tunnel from IP_B to IP_A \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group modp1024 \
> psk 123456789
> ike dynamic esp tunnel from 10.7.22.0/24 to 192.168.0.0/24 peer IP_A \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group modp1024 \
> psk 123456789
> I have tried passive & dynamic for ike esp .. it's the same
> isakmpd.policy
> KeyNote-Version: 2
> Authorizer: "POLICY"
> pf.conf
> pass in quick on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
> pass out quick on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
> pass in quick on $IP_B proto esp from $IP_A to $IP_B
> pass out quick on $IP_B proto esp from $IP_B to $IP_A
> pass in quick on enc0 proto ipencap from $IP_A to $IP_B keep state
> (if-bound)
> pass out quick on enc0 proto ipencap from $IP_B to $IP_A keep state
> (if-bound)
> pass in quick on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state
> (if-bound)
> pass out quick on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state
> (if-bound)
> I have a rule for nat on $IP_B
> enc0 is up and running
> I start my vpn with
> isakmpd -dv -D 8=99
> And finally here is the trouble, I got this on the isakmpd console
> 151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal
> 0 ok
> 151330.400933 Negt 20 ike_phase_1_validate_prop: success
> 151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
> 151357.435134 Default transport_send_messages: giving up on exchange
> peer-IP_A, no response from peer IP_A:500
> And this on the DG834
> Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
> Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will
> wait 20s for response
> Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will
> wait 40s for response
> Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached
> STATE_MAIN_I1. No acceptable response to our first IKE message
> and then I have this sequence over and over
> I can't find where the trouble is ....
> I have tried with tcpdump... with : echo "p on" > /var/run/isakmpd.fifo
> and tcpdump -r /var/run/isakmpd.pcap -vvn
> But I find nothing relevant...
> HELP would be welcome !
> I can give the tcpdump output ... but this mail is long enough for the
> moment ....
> JC
And what about your firewall? Maybe it blocks incoming packets?
Another idea - maybe your provider blocks IKE messages?
Check this first :)
--
Best regards,
Evgeniy mailto:[EMAIL PROTECTED]
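An added example, not part of the thread: a small Python script that parses the two log excerpts quoted above (re-joined onto single lines; IP_A is the poster's placeholder) and separates "IKE rejected the proposal" from "IKE packets are not getting through", which is the distinction the firewall/ISP question above turns on. The classification keywords are taken from the quoted logs only; treating the absence of `ike_phase_1_validate_prop: success` as a proposal problem is this example's own heuristic.

```python
import re

# Sample input, constructed from the two log excerpts quoted in the thread.
ISAKMPD_LOG = """\
151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500
"""
DG834_LOG = """\
Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message
"""

GIVE_UP = re.compile(r"giving up on exchange \S+, no response from peer (\S+):(\d+)")
RETRANS = re.compile(r"(STATE_\w+): retransmission; will wait (\d+)s")
MAX_RETRANS = re.compile(r"max number of retransmissions reached (STATE_\w+)")

def analyze_isakmpd(log):
    """Did isakmpd validate a phase-1 proposal, and which peer:port did it stop waiting on?"""
    summary = {"proposal_ok": False, "gave_up_on": []}
    for line in log.splitlines():
        if "ike_phase_1_validate_prop: success" in line:
            summary["proposal_ok"] = True
        if (m := GIVE_UP.search(line)):
            summary["gave_up_on"].append((m.group(1), int(m.group(2))))
    return summary

def analyze_dg834(log):
    """How far the Netgear got in Main Mode, and the retransmission backoff it reported."""
    summary = {"waits": [], "stalled_state": None}
    for line in log.splitlines():
        if (m := RETRANS.search(line)):
            summary["waits"].append(int(m.group(2)))
        if (m := MAX_RETRANS.search(line)):
            summary["stalled_state"] = m.group(1)
    return summary

def diagnose(isakmpd_log, dg834_log):
    """'transport': the OpenBSD side accepted the proposal but the Netgear never got past
    its first Main Mode message and isakmpd timed out on UDP/500, so packets are being
    dropped on the path (pf, NAT, ISP). 'proposal': no phase-1 proposal was validated."""
    o, n = analyze_isakmpd(isakmpd_log), analyze_dg834(dg834_log)
    if not o["proposal_ok"]:
        return "proposal"
    if o["gave_up_on"] and n["stalled_state"] == "STATE_MAIN_I1":
        return "transport"
    return "unknown"
```

Run against the quoted logs, `diagnose()` returns "transport": the proposal parameters (3DES, SHA-1, modp1024, PSK) were accepted, so the place to look is the UDP/500 path between the two gateways rather than the IKE settings.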