"Sebastian Reitenbach" <[EMAIL PROTECTED]> wrote: 
> Hi,
> 
> in /etc/ipsec.conf I have the following configured:
> 
> ike active esp from 192.168.14.12/24 to 172.22.34.0/16 \
>        local $our_gw peer $remote1_gw \
>        main auth hmac-sha2-256 enc 3des group grp2 \
>        quick auth hmac-sha2-256 enc aes group modp1024 \
>        psk "AKey"
> 
> 
> ike active esp from { 192.168.10.0/23 } to { 111.173.28.0/20, 10.128.22.0/23 } \
>         local $our_gw peer $remote2_gw \
>         main auth hmac-md5 enc 3des group grp2 \
>         quick auth hmac-md5 enc aes group none \
>         psk "Anotherkey"
> 
> 
> when I start 
> isakmpd -K -c /etc/isakmpd/isakmpd.conf
> then the first tunnel is established, but for the second, I see the 
> following in the logs:
> 
> 180727.337795 SA   60 sa_create: sa 0x89e9e600 phase 1 added to exchange 0x89e9e100 (Default-phase-1)
> 180727.337805 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
> 180727.337814 Mesg 50 message_parse_payloads: offset 48 payload TRANSFORM
> 180727.337823 Mesg 50 Transform 1's attributes
> 180727.337833 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
> 180727.337842 Mesg 50 Attribute HASH_ALGORITHM value 1
> 180727.337850 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
> 180727.337858 Mesg 50 Attribute GROUP_DESCRIPTION value 2
> 180727.337867 Mesg 50 Attribute LIFE_TYPE value 1
> 180727.337876 Mesg 50 Attribute LIFE_DURATION value 28800
> 180727.337915 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x82e87ca8 of message 0x82e87700
> 180727.337927 Mesg 70 NO: 1
> 180727.337936 Mesg 70 PROTO: ISAKMP
> 180727.337947 Mesg 70 SPI_SZ: 0
> 180727.337958 Mesg 70 NTRANSFORMS: 1
> 180727.337967 Mesg 70 SPI:
> 180727.337977 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x82e87cb0 of message 0x82e87700
> 180727.337987 Mesg 70 NO: 1
> 180727.337997 Mesg 70 ID: 1
> 180727.338005 Mesg 70 SA_ATTRS:
> 180727.338017 Mesg 60 message_validate_payloads: payload VENDOR at 0x82e87cd4 of message 0x82e87700
> 180727.338026 Mesg 70 ID:
> 180727.338036 Exch 50 nat_t_check_vendor_payload: bad size 40 != 16
> 180727.338046 Exch 50 nat_t_check_vendor_payload: bad size 40 != 16
> 180727.338055 Exch 50 nat_t_check_vendor_payload: bad size 40 != 16
> 180727.338064 Mesg 40 message_validate_vendor: vendor ID seen
> 180727.338075 Misc 30 ipsec_responder: phase 1 exchange 2 step 0
> 180727.338087 Cryp 60 hash_get: requested algorithm 0
> 180727.338155 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
> 180727.338179 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
> 180727.338190 Negt 20 ike_phase_1_validate_prop: failure
> 180727.338201 Negt 30 message_negotiate_sa: proposal 1 failed
> 180727.338210 Default message_negotiate_sa: no compatible proposal found
> 
> 
> When I switch the statements in /etc/ipsec.conf then both tunnels get 
> established and are working fine. Is there any explanation for this 
> behaviour? I have OpenBSD 4.1 running.

Now it gets even worse: sometimes after some minutes, sometimes after some 
days, a default route through the tunnel shows up for one of our local networks 
behind our VPN endpoint:
netstat -rn -f encap:
...
default            0     192.168.10/23     0     0     $remote2_gw/esp/use/in
192.168.10/23      0     default           0     0     $remote2_gw/esp/require/out
...


We had the tunnel configured for one network on the remote side, running for 
months. Then we added the 10.128.22.0/23 to the remote networks. Since then, 
from time to time, the default route shows up. The device on the other side 
is a cisco.

Any idea how I delete the default route? How do I have to specify the SA to 
be able to remove it? Right now I restart isakmpd and have to reload the 
configuration whenever I want to remove the wrong default route.

kind regards
Sebastian
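An added diagnostic, not part of the original post or of isakmpd: it parses the isakmpd debug lines quoted above, decodes the peer's phase-1 transform attributes into ipsec.conf(5) terms using the IANA IKEv1 attribute values, and reports which phase-1 section isakmpd validated against and which attribute it rejected. The sample lines are constructed from the post, re-joined where the mail client wrapped them.

```python
import re

# IANA IKEv1 phase-1 attribute values that occur in the log above, rendered in
# ipsec.conf(5) vocabulary; anything unmapped is reported as its raw number.
IKEV1_ATTR_NAMES = {
    "ENCRYPTION_ALGORITHM": {5: "3des"},
    "HASH_ALGORITHM": {1: "hmac-md5", 2: "hmac-sha1"},
    "AUTHENTICATION_METHOD": {1: "psk"},
    "GROUP_DESCRIPTION": {2: "grp2 (modp1024)"},
}

EXCHANGE_RE = re.compile(r"phase 1 added to exchange \S+ \((\S+)\)")
ATTR_RE = re.compile(r"Attribute (\w+) value (\d+)")
REJECT_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")

# Constructed sample: the relevant lines of the post, re-joined where the mail
# client wrapped them.
SAMPLE_LOG = """\
180727.337795 SA   60 sa_create: sa 0x89e9e600 phase 1 added to exchange 0x89e9e100 (Default-phase-1)
180727.337833 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
180727.337842 Mesg 50 Attribute HASH_ALGORITHM value 1
180727.337850 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
180727.337858 Mesg 50 Attribute GROUP_DESCRIPTION value 2
180727.338179 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
180727.338210 Default message_negotiate_sa: no compatible proposal found
"""

def analyse_isakmpd_log(lines):
    """Summarise one phase-1 negotiation from isakmpd debug output: the phase-1
    section validated against, the peer's decoded proposal, the first rejected
    attribute (or None) and whether no compatible proposal was found."""
    summary = {"phase1_section": None, "peer_proposal": {},
               "rejected": None, "failed": False}
    for line in lines:
        if m := EXCHANGE_RE.search(line):
            summary["phase1_section"] = m.group(1)
        elif m := ATTR_RE.search(line):
            name, value = m.group(1), int(m.group(2))
            names = IKEV1_ATTR_NAMES.get(name, {})
            summary["peer_proposal"][name] = names.get(value, str(value))
        elif (m := REJECT_RE.search(line)) and summary["rejected"] is None:
            summary["rejected"] = {"attribute": m.group(1),
                                   "got": m.group(2), "expected": m.group(3)}
        elif "no compatible proposal found" in line:
            summary["failed"] = True
    return summary

if __name__ == "__main__":
    for key, value in analyse_isakmpd_log(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample it shows the peer offering 3des/hmac-md5/psk/grp2 while isakmpd checked the offer against the Default-phase-1 section, which is where the MD5-versus-SHA rejection comes from.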
