Hi all,

I've been looking to mess around with IPSec for quite some time now, and sadly all I've had is perpetual failure.

I found this guide - http://www.securityfocus.com/infocus/1859 - and followed it apart from the NAT bits. When the two endpoints try to talk, they fall over in a heap.

The systems in use are both VMware VMs with three host-only networks - one each for the "local" network and one for both to use as an "external" network. What I hope to achieve is this:

        Host-only (192.168.120.0/24)
                /|\
                 |
                \|/
        obsd-ipsec-left (192.168.120.130 / 10.255.255.5)
                /|\
                 |
                \|/
        10.255.255.0/30
                /|\
                 |
                \|/
        obsd-ipsec-right (192.168.33.7 / 10.255.255.6)
                /|\
                 |
                \|/
        Host-only (192.168.33.0/24)

After I ran isakmpd -K -d and used ipsecctl to set the config up, I got these messages:

obsd-ipsec-left:

    210739.768482 Default message_parse_payloads: reserved field non-zero: c9
    210739.770193 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210739.777760 Default message_parse_payloads: reserved field non-zero: b
    210739.779268 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210739.801533 Default message_parse_payloads: reserved field non-zero: fc
    210739.802865 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210746.767433 Default message_parse_payloads: reserved field non-zero: c9
    210746.769181 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210746.772014 Default message_parse_payloads: reserved field non-zero: b
    210746.773250 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210746.806677 Default message_parse_payloads: reserved field non-zero: fc
    210746.807830 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210755.815875 Default message_parse_payloads: reserved field non-zero: c9
    210755.817366 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210755.820174 Default message_parse_payloads: reserved field non-zero: b
    210755.821603 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210755.857385 Default message_parse_payloads: reserved field non-zero: fc
    210755.858449 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210806.813902 Default message_parse_payloads: reserved field non-zero: c9
    210806.815241 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210806.817721 Default message_parse_payloads: reserved field non-zero: b
    210806.819338 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED
    210806.854645 Default message_parse_payloads: reserved field non-zero: fc
    210806.856265 Default dropped message from 10.255.255.6 port 500 due to notification type PAYLOAD_MALFORMED

obsd-ipsec-right:

    210720.707482 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.120.0/255.255.255.0, responder id 192.168.33.0/255.255.255.0
    210720.711177 Default dropped message from 10.255.255.5 port 500 due to notification type INVALID_ID_INFORMATION
    210720.714730 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.255.255.5, responder id 192.168.33.0/255.255.255.0
    210720.718172 Default dropped message from 10.255.255.5 port 500 due to notification type INVALID_ID_INFORMATION
    210720.721666 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.255.255.5, responder id 10.255.255.6
    210720.724001 Default dropped message from 10.255.255.5 port 500 due to notification type INVALID_ID_INFORMATION
    210727.752507 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    210727.754909 Default dropped message from 10.255.255.5 port 500 due to notification type NO_PROPOSAL_CHOSEN
    210727.766740 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    210727.768953 Default dropped message from 10.255.255.5 port 500 due to notification type NO_PROPOSAL_CHOSEN
    210727.798642 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    210727.800977 Default dropped message from 10.255.255.5 port 500 due to notification type NO_PROPOSAL_CHOSEN
    210754.807254 Default transport_send_messages: giving up on exchange from-192.168.33.0/24-to-192.168.120.0/24, no response from peer 10.255.255.5:500
    210754.810248 Default transport_send_messages: giving up on exchange from-192.168.33.0/24-to-192.168.120.0/24, no response from peer 10.255.255.5:500
    210754.847582 Default transport_send_messages: giving up on exchange from-10.255.255.6-to-10.255.255.5, no response from peer 10.255.255.5:500

The listing of ipsec.conf is as follows:

obsd-ipsec-left:

    ike esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6
    ike esp from 10.255.255.5 to 192.168.33.0/24 peer 10.255.255.6
    ike esp from 10.255.255.5 to 10.255.255.6

obsd-ipsec-right:

    ike esp from 192.168.33.0/24 to 192.168.120.0/24 peer 10.255.255.5
    ike esp from 10.255.255.6 to 192.168.120.0/24 peer 10.255.255.5
    ike esp from 10.255.255.6 to 10.255.255.5

ifconfig on each side:

    obsd-ipsec-left# ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
            priority: 0
            groups: lo
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:f6:20:76
            priority: 0
            media: Ethernet autoselect
            status: active
            inet6 fe80::20c:29ff:fef6:2076%vic0 prefixlen 64 scopeid 0x1
            inet 192.168.120.130 netmask 0xffffff00 broadcast 192.168.120.255
    vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:f6:20:80
            priority: 0
            media: Ethernet autoselect
            status: active
            inet 10.255.255.5 netmask 0xfffffffc broadcast 10.255.255.7
            inet6 fe80::20c:29ff:fef6:2080%vic1 prefixlen 64 scopeid 0x2
    enc0: flags=0<> mtu 1536
            priority: 0
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
            priority: 0
            groups: pflog

    obsd-ipsec-right# ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
            priority: 0
            groups: lo
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:e1:29:22
            priority: 0
            media: Ethernet autoselect
            status: active
            inet6 fe80::20c:29ff:fee1:2922%vic0 prefixlen 64 scopeid 0x1
            inet 192.168.33.7 netmask 0xffffff00 broadcast 192.168.33.255
    vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:e1:29:2c
            priority: 0
            media: Ethernet autoselect
            status: active
            inet 10.255.255.6 netmask 0xfffffffc broadcast 10.255.255.7
            inet6 fe80::20c:29ff:fee1:292c%vic1 prefixlen 64 scopeid 0x2
    enc0: flags=0<> mtu 1536
            priority: 0
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
            priority: 0
            groups: pflog

pf.conf is the standard one on both sides.

Any ideas? Both sides run OpenBSD 4.6 release, and this was done on a fresh install with only bsd{,.rd}, base and etc.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
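For comparison, here is the same two-gateway setup written as a single ipsec.conf(5) rule per side with the authentication method stated explicitly. This is an added example, not the poster's configuration: the rules in the post name no authentication, which in ipsec.conf means isakmpd falls back to RSA public keys and expects the peer's key under /etc/isakmpd/pubkeys/ipv4/<peer-address> on each gateway, so a pre-shared key is the quickest way to confirm that both daemons are at least agreeing on how to authenticate. The key string below is a placeholder; the addresses and host names are the ones from the post.

```conf
# /etc/ipsec.conf on obsd-ipsec-left  (added example, not from the original post)
# One rule covers the subnet-to-subnet flow; "local" pins the IKE endpoint to
# the 10.255.255.0/30 address so the 192.168.120.130 address is never used as
# the phase 1 identity. "ExamplePSK-change-me" is a placeholder value.
ike esp from 192.168.120.0/24 to 192.168.33.0/24 local 10.255.255.5 peer 10.255.255.6 psk "ExamplePSK-change-me"

# /etc/ipsec.conf on obsd-ipsec-right (mirror image, identical key)
ike esp from 192.168.33.0/24 to 192.168.120.0/24 local 10.255.255.6 peer 10.255.255.5 psk "ExamplePSK-change-me"
```

Load it on both sides with `ipsecctl -n -f /etc/ipsec.conf` (parse only) and then `ipsecctl -f /etc/ipsec.conf`, with isakmpd started as `isakmpd -K -d -DA=90` so phase 1 and phase 2 negotiation is logged in full; `ipsecctl -sa` then shows the installed flows and SAs, and `tcpdump -n -i enc0` shows whether traffic between the two host-only networks is actually being handed to the tunnel. Once the pre-shared-key variant works, the rules can be switched back to public-key authentication by dropping `psk` and copying each gateway's /etc/isakmpd/local.pub to the other side's /etc/isakmpd/pubkeys/ipv4/ directory under the peer's 10.255.255.x address.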