Well I did get a bit further with the problem, it seems it was caused by a firewall blocking some of the traffic.

So new problem now. Using the Greenbow vpn client. It says "Phase 2 algoritm problem".

From the isakmpd output I get (a larger portion of the output included below):

164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102: 192.168.1.2
164658.901274 Default dropped message from 213.173.226.229 port 500 due to notification type NO_PROPOSAL_CHOSEN

Any idea what's going on?

Thanks,
Claus Larsen
http://www.b1d.dk/

164658.880563 Misc 30 ipsec_responder: phase 2 exchange 32 step 0
164658.881355 Negt 90 responder_recv_HASH_SA_NONCE: SKEYID_a:
164658.882267 Negt 90 fecb16b4 55016a69 95160d35 590ae43d eaecf61d
164658.883141 Cryp 60 hash_get: requested algorithm 1
164658.883965 Negt 90 responder_recv_HASH_SA_NONCE: message_id:
164658.884696 Negt 90 641b5b02
164658.885452 Negt 90 responder_recv_HASH_SA_NONCE: message after HASH:
164658.886559 Negt 90 0a000034 00000001 00000001 00000028 01030401 348b8f08 0000001c 010c0000
164658.887588 Negt 90 80010001 80020e10 80040001 80050002 80060080 05000014 f18a9d3e a98adb02
164658.888617 Negt 90 4d48e019 d94e78b7 0500000c 01000000 d5ade2e5 0000000c 01000000 c0a80102
164658.889523 Negt 90 responder_recv_HASH_SA_NONCE: computed HASH(1):
164658.890440 Negt 90 1db4eb09 c20acc1d 9ff7f66f bce87d93 dc00b62b
164658.891233 Negt 90 responder_recv_HASH_SA_NONCE: IDci:
164658.892172 Negt 90 01000000 d5ade2e5
164658.892842 Negt 90 responder_recv_HASH_SA_NONCE: IDcr:
164658.893657 Negt 90 01000000 c0a80102
164658.894437 Negt 30 message_negotiate_sa: transform 1 proto 3 proposal 1 ok
164658.895376 SA 80 sa_add_transform: proto 0x83b5e6c0 no 1 proto 3 chosen 0x7fb51300 sa 0x80ac0b00 id 12
164658.896080 Negt 30 message_negotiate_sa: proposal 1 succeeded
164658.896865 Misc 20 ipsec_decode_transform: transform 1 chosen
164658.897674 Exch 80 exchange_nonce: NONCE_i:
164658.898662 Exch 80 f18a9d3e a98adb02 4d48e019 d94e78b7
164658.899367 Misc 60 connection_passive_lookup_by_ids: no match
164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102: 192.168.1.2
164658.901274 Default dropped message from 213.173.226.229 port 500 due to notification type NO_PROPOSAL_CHOSEN
164658.902191 Misc 95 conf_get_str: [General]:Exchange-max-time->120
164658.903025 Timr 10 timer_add_event: event exchange_free_aux(0x80ac0c00) added before sa_soft_expire(0x8a788200), expiration in 120s
164658.903887 Exch 10 exchange_establish_p2: 0x80ac0c00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
164658.904750 Exch 10 exchange_establish_p2: icookie 2dbf0119d00d6f5f rcookie 7a1f5aefc435e4d8
164658.905560 Exch 10 exchange_establish_p2: msgid 8c6588fb sa_list
164658.906355 Trpt 95 transport_reference: transport 0x83b5e140 now has 4 references
164658.907188 Mesg 90 message_alloc: allocated 0x7ea80700
164658.907983 SA 80 sa_reference: SA 0x8a788200 now has 7 references
164658.908918 Cryp 60 hash_get: requested algorithm 1
164658.909617 Cryp 60 hash_get: requested algorithm 1
164658.910390 Misc 90 ipsec_fill_in_hash: SKEYID_a:
164658.911301 Misc 90 fecb16b4 55016a69 95160d35 590ae43d eaecf61d
164658.912076 Cryp 60 hash_get: requested algorithm 1
164658.912890 Misc 90 ipsec_fill_in_hash: message_id:
164658.913682 Misc 90 8c6588fb
164658.914450 Misc 90 ipsec_fill_in_hash: payload 1 after HASH(1):
164658.915433 Misc 90 0000000c 00000001 0100000e
164658.916208 Misc 80 ipsec_fill_in_hash: HASH(1):
164658.917241 Misc 80 44bd700e c8f21689 4ed4cbc4 dd3d8b6d 1e90b35f
164658.917905 Exch 90 exchange_validate: checking for required INFO
164658.919294 Cryp 60 hash_get: requested algorithm 1
164658.919988 Cryp 80 ipsec_get_keystate: final phase 1 IV:
164658.920958 Cryp 80 360a61e7 3cb364b9 b04826a0 8e0e7e8a
164658.921607 Cryp 80 ipsec_get_keystate: message ID:
164658.922385 Cryp 80 8c6588fb

On Thu, Aug 21, 2008 at 4:17 PM, Claus Larsen <[EMAIL PROTECTED]> wrote:
> Have a problem getting a vpn tunnel up between a zyxel vpn gw and my
> openbsd 4.3 system.
>
> /etc/ipsec.conf
> ike passive from any to any \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group none \
> psk openbsdrules
>
> Below follows output from cmd:
> isakmpd -d -DA=99 -K
>
> In the output is the line:
> 173307.589683 Exch 90 check_vendor_openbsd: bad size 20 != 16
> which does not seem to cause any problems
>
> And then further down the line:
> 173307.682833 Default sendmsg (14, 0xcfbd65a0, 0): Permission denied
> which does not have any lines before it which (to me) explains what goes
> wrong.
>
> These two lines are what I found strange, but I have no idea where to go
> from here.
>
> Thanks,
> Claus