[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)

To: misc@openbsd.org
Subject: PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)
From: Clarence <c5666305@hkstar.com>
Date: Thu, 7 Mar 2002 17:03:58 +0800 (HKT)
Hello,

I tried to setup the VPN using x509 under the environment list below.

1. OBSD-3.0
2. PGPnet (30 days trial) 7.1

However, I tried it without success for the past few days.  The error
reported from the PGPnet and VPN log file was no common proposals
notifications received. Can anyone help as I am very new to VPN setup ?
The isakmpd.conf and isakmpd.policy files are copied from one document
www.fox-it.com/pdf/x509_isakmp_complete.pdf.  I follow the steps of it
without any problem except when I tried to bring up the VPN.  The result
was failed.  Thanks.

Clarence

======= isakmpd.conf =======
[General]
Listen-on=	192.168.2.253

[Phase 1]
Default=	ROAMINGUSER

[ROAMINGUSER]
Phase=		1
Transport=	udp
Configuration=	Default-main-mode

[Default-main-mode]
DOI=		IPSEC
EXCHANGE_TYPE=	ID_PROT
Transforms=	3DES-SHA

[3DES-SHA]
ENCRYPTION_ALGORITHM=	CAST_CBC
#ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORIHTM=		MD5
#HASH_ALGORIHTM=		SHA
AUTHENTICATION_METHOD=	RSA_SIG
GROUP_DESCRITPION=	MODP_1024
Life=			LIFE_3600_SECS

[Phase 2]
Passive-connections=	VPN-USER

[VPN-USER]
Phase=			2
ISAKMP-peer=		ROAMINGUSER
Configuration=		Default-quick-mode
Local-ID=		fox-intern

[fox-intern]
ID_TYPE=		IPV4_ADDR_SUBNET
Network=		192.168.2.0
Netmask=		255.255.255.0

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-EPS-3DES-SHA-PFS-SUITE

[QM-EPS-3DES-SHA-PFS-SUITE]
Protocols=		QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_SHA
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_600_SECS, LIFE_4_MEG

[LIFE_600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		600,450:720

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200

[LIFE_4_MEG]
LIFE_TYPE=		MEGABYTES
LIFE_DURATION=		4,1:6

[X509-Certificates]
CA-directory=		/etc/isakmpd/ca/
Cert-directory=		/etc/isakmpd/certs/
Private-key=		/etc/isakmpd/private/local.key
#Private-key=		/etc/ssl/private/ca.key
=================================================

-------- isakmpd.policy ------------
Comment: This policy accepts ESP SAs from a remote that uses the rigth password.
Authorizer: "POLICY"
licensees: "DN:/C=HK/L=Hongkong/O=Root CA/OU=EDP/CN=mcl1.hkstar.com"
Conditions: app_domain == "IPsec policy" &&
		esp_present == "yes" &&
		esp_enc_alg != "null" -> "true";
----------------------------------------------

------- isakmpd.log (part of it) -------
163827.904431 Misc 95 conf_get_str: [ROAMINGUSER]:Configuration->Default-main-mode
163827.904457 Misc 95 conf_get_str: [Default-main-mode]:DOI->IPSEC
163827.904481 Misc 95 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT
163827.904511 Misc 95 conf_get_str: [General]:Exchange-max-time->120
163827.904541 Timr 10 timer_add_event: event exchange_free_aux(0x105f00) added last, expiration in 120s
163827.904564 Cryp 60 hash_get: requested algorithm 1
163827.904749 Exch 10 exchange_setup_p1: 0x105f00 ROAMINGUSER Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
163827.904778 Exch 10 exchange_setup_p1: icookie f437cc1420df5321 rcookie 06339e735a8a40fa
163827.904800 Exch 10 exchange_setup_p1: msgid 00000000 
163827.904828 Trpt 95 transport_reference: transport 0x118280 now has 2 references
163827.904853 SA   80 sa_reference: SA 0x120000 now has 1 references
163827.904874 SA   70 sa_enter: SA 0x120000 added to SA list
163827.904896 SA   80 sa_reference: SA 0x120000 now has 2 references
163827.904920 SA   60 sa_create: sa 0x120000 phase 1 added to exchange 0x105f00 (ROAMINGUSER)
163827.904943 SA   80 sa_reference: SA 0x120000 now has 3 references
163827.904967 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL
163827.904991 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM
163827.905014 Mesg 50 Transform 1's attributes
163827.905044 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
163827.905067 Mesg 50 Attribute HASH_ALGORITHM value 1
163827.905089 Mesg 50 Attribute AUTHENTICATION_METHOD value 3
163827.905154 Mesg 50 Attribute GROUP_DESCRIPTION value 2
163827.905177 Mesg 50 Attribute LIFE_TYPE value 1
163827.905200 Mesg 50 Attribute LIFE_DURATION value 86400
163827.905222 Mesg 50 message_parse_payloads: offset 0x54 payload TRANSFORM
163827.905244 Mesg 50 Transform 2's attributes
163827.905266 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 6
163827.905287 Mesg 50 Attribute HASH_ALGORITHM value 2
163827.905309 Mesg 50 Attribute AUTHENTICATION_METHOD value 3
163827.905331 Mesg 50 Attribute GROUP_DESCRIPTION value 5
163827.905352 Mesg 50 Attribute LIFE_TYPE value 1
163827.905375 Mesg 50 Attribute LIFE_DURATION value 86400
163827.905399 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x105e28 of message 0x105d00
163827.905421 Mesg 70 NO: 1
163827.905442 Mesg 70 PROTO: ISAKMP
163827.905463 Mesg 70 SPI_SZ: 0
163827.905484 Mesg 70 NTRANSFORMS: 2
163827.905509 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x105e30 of message 0x105d00
163827.905530 Mesg 70 NO: 1
163827.905551 Mesg 70 ID: 1
163827.905578 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x105e54 of message 0x105d00
163827.905600 Mesg 70 NO: 2
163827.905620 Mesg 70 ID: 1
163827.905647 Mesg 60 message_validate_payloads: payload VENDOR at 0x105e78 of message 0x105d00
163827.905668 Mesg 40 message_validate_vendor: vendor ID seen
163827.905692 Mesg 60 message_validate_payloads: payload VENDOR at 0x105e88 of message 0x105d00
163827.905713 Mesg 40 message_validate_vendor: vendor ID seen
163827.905737 Exch 90 exchange_validate: checking for required SA
163827.905760 Misc 30 ipsec_responder: phase 1 exchange 2 step 0
163827.905790 Cryp 60 hash_get: requested algorithm 0
163827.905818 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1 ok
163827.905848 SA   80 sa_add_transform: proto 0x118300 no 1 proto 1 chosen 0x129540 sa 0x120000 id 1
163827.905884 Misc 95 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA
163827.905919 Misc 95 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
163827.905946 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected CAST_CBC
163827.905967 Negt 20 ike_phase_1_validate_prop: failure
163827.905990 Negt 30 message_negotiate_sa: proposal 1 failed
163827.906012 Cryp 60 hash_get: requested algorithm 1
163827.906037 Negt 30 message_negotiate_sa: transform 2 proto 1 proposal 1 ok
163827.906066 SA   80 sa_add_transform: proto 0x118340 no 1 proto 1 chosen 0x129560 sa 0x120000 id 1
163827.906090 Misc 95 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA
163827.906118 Misc 95 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
163827.906143 Misc 95 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA
163827.906169 Misc 95 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->RSA_SIG
163827.906194 Misc 95 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024
163827.906219 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
163827.906240 Negt 20 ike_phase_1_validate_prop: failure
163827.906262 Negt 30 message_negotiate_sa: proposal 1 failed
163827.906283 Default message_negotiate_sa: no compatible proposal found
163827.906315 Default dropped message from 192.168.2.154 port 500 due to notification type NO_PROPOSAL_CHOSEN
163827.906342 Misc 95 conf_get_str: [General]:Exchange-max-time->120
163827.906370 Timr 10 timer_add_event: event exchange_free_aux(0x120100) added last, expiration in 120s
163827.906391 Cryp 60 hash_get: requested algorithm 1
163827.906429 Exch 10 exchange_establish_p1: 0x120100 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
163827.906455 Exch 10 exchange_establish_p1: icookie 494719df90a32fed rcookie 0000000000000000
163827.906477 Exch 10 exchange_establish_p1: msgid 00000000 
163827.906502 Trpt 95 transport_reference: transport 0x118280 now has 3 references
163827.906523 Mesg 90 message_alloc: allocated 0x120200
163827.906554 Exch 90 exchange_validate: checking for required INFO
163827.906578 Mesg 70 message_send: message 0x120200
163827.906605 Mesg 70 ICOOKIE: 0x494719df90a32fed
163827.906633 Mesg 70 RCOOKIE: 0x0000000000000000
163827.906654 Mesg 70 NEXT_PAYLOAD: NOTIFY
163827.906676 Mesg 70 VERSION: 16
163827.906697 Mesg 70 EXCH_TYPE: INFO
163827.906717 Mesg 70 FLAGS: [ ]
163827.906741 Mesg 70 MESSAGE_ID: 0x00000000
163827.906762 Mesg 70 LENGTH: 40
163827.906812 Mesg 70 message_send: 494719df 90a32fed 00000000 00000000 0b100500 00000000 00000028 0000000c
163827.906840 Mesg 70 message_send: 00000001 0100000e 
163827.906864 Exch 40 exchange_run: exchange 0x120100 finished step 0, advancing...
163827.906885 Mesg 20 message_free: freeing 0x105d00
163827.906910 Trpt 95 transport_release: transport 0x118280 had 3 references
163827.906932 SA   80 sa_release: SA 0x120000 had 3 references
163827.906958 Trpt 95 transport_reference: transport 0x118280 now has 3 references
163827.906981 Trpt 95 transport_reference: transport 0x118240 now has 2 references
163827.907004 Trpt 95 transport_reference: transport 0x118180 now has 2 references
163827.907027 Trpt 95 transport_reference: transport 0x118100 now has 2 references
163827.907051 Trpt 95 transport_release: transport 0x118280 had 3 references
163827.907073 Trpt 95 transport_release: transport 0x118240 had 2 references
163827.907096 Trpt 95 transport_release: transport 0x118180 had 2 references
163827.907118 Trpt 95 transport_release: transport 0x118100 had 2 references
163827.907154 Trpt 95 transport_reference: transport 0x118280 now has 3 references
163827.907178 Trpt 95 transport_reference: transport 0x118240 now has 2 references
163827.907201 Trpt 95 transport_reference: transport 0x118180 now has 2 references
163827.907224 Trpt 95 transport_reference: transport 0x118100 now has 2 references
163827.907484 Exch 10 exchange_finalize: 0x120100 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
163827.907512 Exch 10 exchange_finalize: icookie 494719df90a32fed rcookie 0000000000000000
163827.907534 Exch 10 exchange_finalize: msgid 00000000 
163827.907560 Timr 10 timer_remove_event: removing event exchange_free_aux(0x120100)
163827.907582 Exch 80 exchange_free_aux: freeing exchange 0x120100
163827.907627 Mesg 20 message_free: freeing 0x120200
163827.907652 Trpt 95 transport_release: transport 0x118280 had 3 references
163827.907675 Trpt 95 transport_release: transport 0x118280 had 2 references
163827.907698 Trpt 95 transport_release: transport 0x118240 had 2 references
163827.907720 Trpt 95 transport_release: transport 0x118180 had 2 references
163827.907742 Trpt 95 transport_release: transport 0x118100 had 2 references
-------------------------------
Follow-Ups:
- Re: PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)
  - From: Philipp Buehler <lists@fips.de>
- Re: PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)
  - From: "Tariq Rashid" <tariq@inty.net>
- Re: PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)
  - From: Raymond M Schneider <ray@securityfoo.net>
Prev by Date: Re: Keeping dhcp from overwriting /etc/resolve.conf
Next by Date: Re: laptop console
Prev by thread: Re: laptop console
Next by thread: Re: PGPnet 7.1 (30 days trail) and VPN (OBSD-3.0)
Index(es):
- Date
- Thread