Ok.
Here I go.

I have read the misc list upside down and right to left, but I can't find a solution to my problem.

Here is the LAN/WAN network:

192.168.0.0/24 (lan) --> Netgear DG834 (adsl + NAT + ipsec + fixed IP A)
                                |
                          <--- WEB --->
                                |
OpenBSD 4.2 (ipsec.conf + isakmpd.policy + fixed IP B + NAT) --> 10.7.22.0/24 (lan)

Very simple: LAN-to-LAN VPN between 2 GWs (DG834 & OpenBSD)


Here are the configs:

Netgear:

Local LAN: 192.168.0.0/24
Remote LAN: 10.7.22.0/24
IKE:
Direction: initiator & responder
Mode: main
Diffie-Hellman: Group 2 (1024)
Local ID: WAN IP
Remote ID: IP

Params
Encryption algorithm: 3DES
Authentication algorithm: SHA-1
Pre-shared key: 123456789
SA lifetime: 36000
PFS active


OpenBSD:
ipsec.conf

ike dynamic esp tunnel from IP_B to IP_A \
       main auth hmac-sha1 enc 3des group modp1024 \
       quick auth hmac-sha1 enc 3des group modp1024 \
       psk 123456789
ike dynamic esp tunnel from 10.7.22.0/24 to 192.168.0.0/24 peer IP_A \
       main auth hmac-sha1 enc 3des group modp1024 \
       quick auth hmac-sha1 enc 3des group modp1024 \
       psk 123456789

I have tried passive & dynamic for ike esp... it's the same.

isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"

pf.conf

pass in quick on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
pass out quick on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}

pass in quick on $IP_B proto esp from $IP_A to $IP_B
pass out quick on $IP_B proto esp from $IP_B to $IP_A

pass in quick on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out quick on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)

pass in quick on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
pass out quick on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)


I have a rule for NAT on $IP_B.


enc0 is up and running.

I start my VPN with:

isakmpd -dv -D 8=99


And finally, here is the trouble. I get this on the isakmpd console:

151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500

And this on the DG834:

Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message


And then I get this sequence over and over.

I can't find where the trouble is...

I have tried with tcpdump, with: echo "p on" > /var/run/isakmpd.fifo and tcpdump -r /var/run/isakmpd.pcap -vvn

But I find nothing relevant...

HELP would be welcome!

I can give the tcpdump output... but this mail is long enough for the moment...

JC




--
-----------------------------------------
*  ~~~~~ Jean-christophe ROIRON ~~~~~   *
*      Conseil Général Haute-Loire      *
*          ~~~~~~~~~~~~~~~~~~           *
*         Service Informatique          *
*         Responsable Technique         *
*                                       *
* Tel : 04-71-07-42-24                  *
* Mail : [EMAIL PROTECTED]                    *
-----------------------------------------
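As an added example (not the configuration from the mail above), the same pf ruleset written one rule per line for this topology, with the ESP rules bound to the external interface, since pf's "on" keyword takes an interface name rather than an address, and with the LAN-to-LAN traffic exempted from NAT so it reaches the IPsec flow untranslated. The interface name, the addresses and the blanket NAT rule are placeholders/assumptions.

```pf
# Added example for an OpenBSD 4.2-era pf.conf (pre-4.7 syntax); not the
# original poster's file. Interface and addresses are placeholders.
ext_if1 = "pppoe0"             # assumed external interface
IP_A    = "192.0.2.10"         # placeholder: Netgear DG834 WAN address
IP_B    = "198.51.100.20"      # placeholder: OpenBSD external address
lan_a   = "192.168.0.0/24"
lan_b   = "10.7.22.0/24"

# NAT for the local LAN, but never for traffic that belongs in the tunnel
no nat on $ext_if1 from $lan_b to $lan_a
nat on $ext_if1 from $lan_b to any -> ($ext_if1)

# IKE (UDP 500) and NAT-T (UDP 4500) between the two gateways
pass in  quick on $ext_if1 proto udp from $IP_A to $IP_B port { 500, 4500 }
pass out quick on $ext_if1 proto udp from $IP_B to $IP_A port { 500, 4500 }

# ESP is filtered on the external interface, not on an address
pass in  quick on $ext_if1 proto esp from $IP_A to $IP_B
pass out quick on $ext_if1 proto esp from $IP_B to $IP_A

# Decapsulated traffic shows up on enc0; one rule per line
pass in  quick on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out quick on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)
pass in  quick on enc0 from $lan_a to $lan_b keep state (if-bound)
pass out quick on enc0 from $lan_b to $lan_a keep state (if-bound)
```

Loading it with pfctl -nf /etc/pf.conf checks the syntax without applying it.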
