I do not know whether the Windows XP native IPsec stack supports AES; I know it only
supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is
giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or
maybe md5) and you would get quick mode working.
Prabhu
-
Harald Dunkel wrote:
Hi folks,
I am trying to set up an IPsec connection between OpenBSD
and Windows XP (NCP IPsec client). ipsec.conf is just a
single line:
ike passive esp from 192.168.5.1 to 192.168.1.249
(192.168.1.249 is the Windows PC.)
Phase I seems to work, but in Phase II isakmpd complains:
Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE
packet capture to file "/var/run/isakmpd.dump"
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249
port 500 due to notification type NO_PROPOSAL_CHOSEN
Looking into the negotiation packets I see at the beginning
of Phase II:
14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 45305a4f len: 220
payload: HASH len: 24
payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x8b62522d
payload: TRANSFORM len: 28
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute ENCAPSULATION_MODE = TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 256
payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0xdc14778f
payload: TRANSFORM len: 28
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute ENCAPSULATION_MODE = TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 128
payload: NONCE len: 44
payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 93170a11 len: 64
payload: HASH len: 24
payload: NOTIFICATION len: 12
notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
Obviously isakmpd doesn't like something in the negotiation packet
sent by the NCP IPsec client on Windows.
Anybody got an idea?
Regards
Harri
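To make the two things this thread points at checkable side by side (the transforms the peer offered versus what the responder accepts, and the phase 2 IDs that isakmpd's log calls invalid versus the flow in ipsec.conf), here is a small triage script. It is an added example written for this thread, not code from OpenBSD, isakmpd or the NCP client. It parses the quick-mode tcpdump decode quoted above verbatim; the responder's accepted transform set (AES-128/HMAC-SHA and 3DES/HMAC-SHA, following Prabhu's description of the OpenBSD default) is an assumption, and the flow endpoints are taken from the single ipsec.conf line in the post.

```python
"""IKEv1 quick-mode NO_PROPOSAL_CHOSEN triage (added example, not isakmpd code)."""
import ipaddress
import re

# Quick-mode SA packet exactly as quoted in the thread (tcpdump isakmp decode).
QUICK_MODE_DUMP = """
payload: HASH len: 24
payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x8b62522d
payload: TRANSFORM len: 28
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute ENCAPSULATION_MODE = TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 256
payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0xdc14778f
payload: TRANSFORM len: 28
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute ENCAPSULATION_MODE = TUNNEL
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 128
payload: NONCE len: 44
payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
"""

# ASSUMPTION: what the responder accepts, as (encryption, key length, auth);
# key length 0 means the transform carries no KEY_LENGTH attribute (3DES).
ACCEPTED_TRANSFORMS = {("AES", 128, "HMAC_SHA"), ("3DES", 0, "HMAC_SHA")}
# From the ipsec.conf line in the thread: "from 192.168.5.1 to 192.168.1.249".
FLOW_LOCAL, FLOW_REMOTE = "192.168.5.1", "192.168.1.249"


def parse_quick_mode(dump):
    """Extract each ESP proposal (enc, key length, attributes) and the two phase 2 IDs."""
    proposals, ids, pending_id_type = [], [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_id_type is not None:  # ID value wrapped onto the next line
            ids.append((pending_id_type, line.split()[0]))
            pending_id_type = None
            continue
        m = re.match(r"payload: PROPOSAL .*proposal: (\d+) proto: (\S+)", line)
        if m:
            proposals.append({"number": int(m.group(1)), "proto": m.group(2),
                              "enc": None, "keylen": 0, "attrs": {}})
            continue
        m = re.match(r"transform: \d+ ID: (\S+)", line)
        if m and proposals:
            proposals[-1]["enc"] = m.group(1)
            continue
        m = re.match(r"attribute (\S+) = (\S+)", line)
        if m and proposals:
            key, val = m.groups()
            if key == "KEY_LENGTH":
                proposals[-1]["keylen"] = int(val)
            else:
                proposals[-1]["attrs"][key] = val
            continue
        m = re.match(r"payload: ID len: \d+ type: (\S+) =\s*(\S+)?", line)
        if m:
            if m.group(2):
                ids.append((m.group(1), m.group(2)))
            else:
                pending_id_type = m.group(1)
    return {"proposals": proposals, "ids": ids}


def matching_proposals(parsed, accepted):
    """Proposal numbers whose (enc, keylen, auth) the responder would accept."""
    return [p["number"] for p in parsed["proposals"]
            if (p["enc"], p["keylen"], p["attrs"].get("AUTHENTICATION_ALGORITHM")) in accepted]


def check_phase2_ids(parsed, flow_local, flow_remote):
    """Compare the peer's IDi/IDr with the configured flow: ID types and normalised /32 networks."""
    nets = [ipaddress.ip_network(v, strict=False) for _, v in parsed["ids"]]
    expected = [ipaddress.ip_network(flow_remote), ipaddress.ip_network(flow_local)]
    return {"id_types": [t for t, _ in parsed["ids"]],
            "addresses_match_flow": nets == expected}


if __name__ == "__main__":
    parsed = parse_quick_mode(QUICK_MODE_DUMP)
    for p in parsed["proposals"]:
        print(p["number"], p["enc"], p["keylen"], p["attrs"].get("AUTHENTICATION_ALGORITHM"))
    print("acceptable proposals:", matching_proposals(parsed, ACCEPTED_TRANSFORMS))
    print("phase 2 IDs:", check_phase2_ids(parsed, FLOW_LOCAL, FLOW_REMOTE))
```

Run against the quoted packet, the script reports two proposals (AES-256/HMAC_SHA and AES-128/HMAC_MD5), neither of which is in the assumed accepted set, which is the situation Prabhu describes behind NO_PROPOSAL_CHOSEN. Adding ("AES", 128, "HMAC_MD5") to ACCEPTED_TRANSFORMS makes proposal 2 acceptable. The ID check shows the addresses agree with the ipsec.conf flow while the two IDs arrive with different types (IPV4_ADDR and IPV4_ADDR_SUBNET /32); since isakmpd's log message is specifically about invalid phase 2 IDs, that is the second thing worth comparing against the responder's configuration when a quick mode fails this way.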