> Here is the configuration I used between 2 peers
> ike esp tunnel \
Interesting. Thanks for that, and for your help.
I now seem to be able to get a flow going but not traffic (e.g.
with the below I cannot ping).
I'm sure I'm missing something obvious, but I think I need that
second pair of eyes as I've been working on this problem so long!
HOST A (10.0.0.1):
-- ping 172.16.11.170
PING 172.16.11.170 (172.16.11.170): 56 data bytes
64 bytes from 172.16.11.170: icmp_seq=0 ttl=255 time=0.251 ms
64 bytes from 172.16.11.170: icmp_seq=1 ttl=255 time=0.336 ms
-- ipsec.conf:
ike esp tunnel \
    from 10.0.0.1 to 10.0.0.2 local 172.16.11.169 peer 172.16.11.170 \
    main auth hmac-sha1 enc aes group grp5 \
    quick auth hmac-sha1 enc aes group grp5 \
    psk OpenBSD
-- ipsecctl -s all
FLOWS:
flow esp in from 10.0.0.2 to 10.0.0.1 peer 172.16.11.170 srcid 172.16.11.169/32 dstid 172.16.11.170/32 type use
flow esp out from 10.0.0.1 to 10.0.0.2 peer 172.16.11.170 srcid 172.16.11.169/32 dstid 172.16.11.170/32 type require
SAD:
esp tunnel from 172.16.11.169 to 172.16.11.170 spi 0x457e29e4 auth hmac-sha1 enc aes
tcpmd5 from 172.16.11.169 to 172.16.11.170 spi 0x5ebc181a
tcpmd5 from 172.16.11.170 to 172.16.11.169 spi 0xa8496b5c
esp tunnel from 172.16.11.170 to 172.16.11.169 spi 0xbb35f85d auth hmac-sha1 enc aes
-- isakmpd -Kvd
114001.702446 Default isakmpd: phase 1 done: initiator id 172.16.11.170, responder id 172.16.11.169, src: 172.16.11.169 dst: 172.16.11.170
114001.793818 Default isakmpd: quick mode done: src: 172.16.11.169 dst: 172.16.11.170
114022.266040 Default transport_send_messages: giving up on exchange peer-172.16.11.170-local-172.16.11.169, no response from peer 172.16.11.170:500
HOST B (10.0.0.2):
-- ping 172.16.11.169
PING 172.16.11.169 (172.16.11.169): 56 data bytes
64 bytes from 172.16.11.169: icmp_seq=0 ttl=255 time=0.336 ms
64 bytes from 172.16.11.169: icmp_seq=1 ttl=255 time=0.220 ms
-- ipsec.conf:
ike esp tunnel \
    from 10.0.0.2 to 10.0.0.1 local 172.16.11.170 peer 172.16.11.169 \
    main auth hmac-sha1 enc aes group grp5 \
    quick auth hmac-sha1 enc aes group grp5 \
    psk OpenBSD
-- ipsecctl -s all
FLOWS:
flow esp in from 10.0.0.1 to 10.0.0.2 peer 172.16.11.169 srcid 172.16.11.170/32 dstid 172.16.11.169/32 type use
flow esp out from 10.0.0.2 to 10.0.0.1 peer 172.16.11.169 srcid 172.16.11.170/32 dstid 172.16.11.169/32 type require
SAD:
esp tunnel from 172.16.11.169 to 172.16.11.170 spi 0x457e29e4 auth hmac-sha1 enc aes
esp tunnel from 172.16.11.170 to 172.16.11.169 spi 0xbb35f85d auth hmac-sha1 enc aes
tcpmd5 from 172.16.11.170 to 172.16.11.169 spi 0xe62273b9
tcpmd5 from 172.16.11.169 to 172.16.11.170 spi 0xf286fa8f
-- isakmpd -Kvd
123955.361080 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
123955.361154 Default message_negotiate_sa: no compatible proposal found
123955.361181 Default dropped message from 172.16.11.169 port 500 due to notification type NO_PROPOSAL_CHOSEN
124001.827314 Default isakmpd: phase 1 done: initiator id 172.16.11.170, responder id 172.16.11.169, src: 172.16.11.170 dst: 172.16.11.169
124001.922104 Default isakmpd: quick mode done: src: 172.16.11.170 dst: 172.16.11.169
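A second pair of eyes can be scripted for this kind of problem. The following is an added example, not code from the post or from OpenBSD: it parses `ipsecctl -s all` output from both peers, in the format shown above, and reports anything that is not symmetric between them (a missing in or out flow, an outbound flow whose `peer` is not the other side's `srcid`, or an ESP/AH SA that is missing on one end or carries a different SPI or algorithm set). The two sample outputs are copied from the post, with the mail wrapping undone; the parsing regexes assume the line layout exactly as ipsecctl prints it there.

```python
"""Cross-check `ipsecctl -s all` output from two OpenBSD IPsec peers.

Added example, not code from the original post.  It parses the FLOWS and
SAD sections in the layout ipsecctl(8) prints them and reports anything
that is not symmetric between the two peers.  The two sample outputs are
copied from the post above (lines re-joined where the mail wrapped them).
"""
import re

HOST_A = """\
FLOWS:
flow esp in from 10.0.0.2 to 10.0.0.1 peer 172.16.11.170 srcid 172.16.11.169/32 dstid 172.16.11.170/32 type use
flow esp out from 10.0.0.1 to 10.0.0.2 peer 172.16.11.170 srcid 172.16.11.169/32 dstid 172.16.11.170/32 type require
SAD:
esp tunnel from 172.16.11.169 to 172.16.11.170 spi 0x457e29e4 auth hmac-sha1 enc aes
tcpmd5 from 172.16.11.169 to 172.16.11.170 spi 0x5ebc181a
tcpmd5 from 172.16.11.170 to 172.16.11.169 spi 0xa8496b5c
esp tunnel from 172.16.11.170 to 172.16.11.169 spi 0xbb35f85d auth hmac-sha1 enc aes
"""

HOST_B = """\
FLOWS:
flow esp in from 10.0.0.1 to 10.0.0.2 peer 172.16.11.169 srcid 172.16.11.170/32 dstid 172.16.11.169/32 type use
flow esp out from 10.0.0.2 to 10.0.0.1 peer 172.16.11.169 srcid 172.16.11.170/32 dstid 172.16.11.169/32 type require
SAD:
esp tunnel from 172.16.11.169 to 172.16.11.170 spi 0x457e29e4 auth hmac-sha1 enc aes
esp tunnel from 172.16.11.170 to 172.16.11.169 spi 0xbb35f85d auth hmac-sha1 enc aes
tcpmd5 from 172.16.11.170 to 172.16.11.169 spi 0xe62273b9
tcpmd5 from 172.16.11.169 to 172.16.11.170 spi 0xf286fa8f
"""

# Assumed line layout, taken from the output in the post.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\w+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+)(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\w+)$")
SA_RE = re.compile(
    r"^(?P<proto>\w+)(?: (?P<mode>tunnel|transport))? from (?P<src>\S+) to (?P<dst>\S+)"
    r" spi (?P<spi>0x[0-9a-f]+)(?P<algs>.*)$")


def parse_ipsecctl(text):
    """Return (flows, sas): flows keyed by (proto, dir, src, dst), sas by (proto, src, dst)."""
    flows, sas = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            flows[(d["proto"], d["dir"], d["src"], d["dst"])] = d
            continue
        m = SA_RE.match(line)
        if m:
            d = m.groupdict()
            d["algs"] = d["algs"].strip()
            sas[(d["proto"], d["src"], d["dst"])] = d
    return flows, sas


def host_of(ident):
    """Strip the prefix length from an id such as 172.16.11.169/32."""
    return ident.split("/")[0] if ident else None


def check_peers(text_a, text_b):
    """Return a list of human-readable inconsistencies; an empty list means symmetric."""
    problems = []
    sides = {"A": parse_ipsecctl(text_a), "B": parse_ipsecctl(text_b)}
    for name, (flows, _) in sides.items():
        dirs = {k[1] for k in flows if k[0] in ("esp", "ah")}
        for d in ("in", "out"):
            if d not in dirs:
                problems.append(f"{name}: no {d} flow installed")
    # every outbound flow on one side needs the mirror inbound flow on the other,
    # and my 'peer' must be the host the other side identifies itself as (its srcid)
    for me, other in (("A", "B"), ("B", "A")):
        my_flows, _ = sides[me]
        their_flows, _ = sides[other]
        for (proto, d, src, dst), f in my_flows.items():
            if d != "out":
                continue
            mirror = their_flows.get((proto, "in", src, dst))
            if mirror is None:
                problems.append(f"{other}: no inbound flow for {proto} {src} -> {dst}")
            elif mirror["srcid"] and host_of(mirror["srcid"]) != f["peer"]:
                problems.append(f"{me}: out flow peer {f['peer']} != {other} srcid {mirror['srcid']}")
    # negotiated ESP/AH SAs must exist on both ends with the same SPI and algorithms;
    # tcpmd5 entries are host-local TCP MD5 keys, not negotiated by IKE, so they are skipped
    sa_a = {k: v for k, v in sides["A"][1].items() if k[0] in ("esp", "ah")}
    sa_b = {k: v for k, v in sides["B"][1].items() if k[0] in ("esp", "ah")}
    for key in sorted(set(sa_a) | set(sa_b)):
        a, b = sa_a.get(key), sa_b.get(key)
        if a is None or b is None:
            problems.append(f"SA {key} present on only one peer")
        elif (a["spi"], a["algs"]) != (b["spi"], b["algs"]):
            problems.append(f"SA {key} differs: A {a['spi']} {a['algs']} vs B {b['spi']} {b['algs']}")
    return problems


if __name__ == "__main__":
    issues = check_peers(HOST_A, HOST_B)
    print("\n".join(issues) if issues else "flows and SAs are symmetric between peers")
```

Run against the two outputs in the post, the check reports nothing: both peers hold mirror-image flows for 10.0.0.1 <-> 10.0.0.2, and the two ESP SAs (0x457e29e4 and 0xbb35f85d) are installed on both ends with the same algorithms. That narrows the search, since whatever stops the 10.0.0.x ping is not a missing or mismatched SA. Note also that the pings shown in the post go to the 172.16.11.x addresses, which the flows do not cover, so they exercise the plain link rather than the tunnel.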