
Re: PGPnet 7.1 (30 days trial) and VPN (OBSD-3.0)



Thanks for your help.  I had tried to modify my isakmpd.conf and tried
again without any success.  I also tried to add IKE proposals under PGPnet
too, but no luck.  Is there anything I can do to fix the problem with my VPN (X.509)?

Clarence

----- isakmpd.conf -----
[General]
Retransmits=            10
Exchange-max-time=	120
Default-phase-1-lifetime=       500,60:86400
Default-phase-2-lifetime=       600,60:86400
Policy-File=		/etc/isakmpd/isakmpd.policy


[Phase 1]
Default=	ISAKMP-peer-generic_server-0.0.0.0

[ISAKMP-peer-generic_server-0.0.0.0]
Phase=		1
Transport=	udp
Configuration=	ISAKMP-configuration-generic_server-0.0.0.0
Authentication= pass

[ISAKMP-configuration-generic_server-0.0.0.0]

DOI=		IPSEC
EXCHANGE_TYPE=	ID_PROT
Transforms=	3DES-SHA,3DES-MD5,BLF-SHA,BLF-MD5,CAST-SHA,CAST-MD5,DES-SHA,DES-MD5,CAST-CBC

[Phase 2]
Passive-connections=	IPSEC-channel1

[IPSEC-channel1]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-generic_server-0.0.0.0
Configuration=		IPSEC-configuration-channel1
Local-ID=		IPSEC-local-ID-channel1
Remote-ID=		IPSEC-remote-ID-channel1

[IPSEC-local-ID-channel1]
ID_TYPE=		IPV4_ADDR_SUBNET
Network=		192.168.2.0
Netmask=		255.255.255.0

[IPSEC-remote-ID-channel1]
ID-type=	        IPV4_ADDR_SUBNET
Network=		192.168.2.0
Netmask=		255.255.255.0

[IPSEC-configuration-channel1]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=         	QM-ESP-3DES-SHA-SUITE

[X509-Certificates]
CA-directory=		/etc/isakmpd//
Cert-directory=		/etc/isakmpd//
Private-key=		/etc/isakmpd/private/local.key
--------------------------------------------------------

======= isakmpd.policy ==========
Comment: This policy accepts ESP SAs from a remote that uses the right password.
Authorizer: "POLICY"
licensees: "DN:/C=HK/L=Hongkong/O=Root CA/OU=EDP/CN=mcl1.hkstar.com"
Conditions: _domain == "IPsec policy" &&
		esp_present == "yes" &&
		esp_enc_alg != "null" -> "true";
================================

------ isakmpd.log --------
, expected BLOWFISH_CBC
200023.669360 Misc 95 conf_get_str: [BLF-MD5]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC
200023.669384 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected BLOWFISH_CBC
200023.669408 Misc 95 conf_get_str: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.669432 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected CAST_CBC
200023.669456 Misc 95 conf_get_str: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.669509 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected CAST_CBC
200023.669536 Misc 95 conf_get_str: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC
200023.669560 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
200023.669585 Misc 95 conf_get_str: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC
200023.669609 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
200023.669633 Misc 95 conf_get_str: configuration value not found [CAST-CBC]:ENCRYPTION_ALGORITHM
200023.669656 Negt 70 attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in CAST-CBC
200023.669676 Negt 20 ike_phase_1_validate_prop: failure
200023.669700 Negt 30 message_negotiate_sa: proposal 1 failed
200023.669722 Cryp 60 hash_get: requested algorithm 0
200023.669748 Negt 30 message_negotiate_sa: transform 3 proto 1 proposal 1 ok
200023.669777 SA   80 sa_add_transform: proto 0x1185c0 no 1 proto 1 chosen 0x12a680 sa 0x120000 id 1
200023.669802 Misc 95 conf_get_str: [ISAKMP-configuration-generic_server-0.0.0.0]:Transforms->3DES-SHA,3DES-MD5,BLF-SHA,BLF-MD5,CAST-SHA,CAST-MD5,DES-SHA,DES-MD5,CAST-CBC
200023.669841 Misc 95 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC
200023.669867 Misc 95 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA
200023.669891 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
200023.669915 Misc 95 conf_get_str: [3DES-MD5]:ENCRYPTION_ALGORITHM->3DES_CBC
200023.669940 Misc 95 conf_get_str: [3DES-MD5]:HASH_ALGORITHM->MD5
200023.669965 Misc 95 conf_get_str: [3DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED
200023.669989 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got RSA_SIG, expected PRE_SHARED
200023.670093 Misc 95 conf_get_str: [BLF-SHA]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC
200023.670118 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected BLOWFISH_CBC
200023.670143 Misc 95 conf_get_str: [BLF-MD5]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC
200023.670167 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected BLOWFISH_CBC
200023.670191 Misc 95 conf_get_str: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670215 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected CAST_CBC
200023.670239 Misc 95 conf_get_str: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670263 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected CAST_CBC
200023.670287 Misc 95 conf_get_str: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC
200023.670311 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
200023.670336 Misc 95 conf_get_str: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC
200023.670359 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
200023.670383 Misc 95 conf_get_str: configuration value not found [CAST-CBC]:ENCRYPTION_ALGORITHM
200023.670406 Negt 70 attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in CAST-CBC
200023.670427 Negt 20 ike_phase_1_validate_prop: failure
200023.670450 Negt 30 message_negotiate_sa: proposal 1 failed
200023.670472 Cryp 60 hash_get: requested algorithm 1
200023.670498 Negt 30 message_negotiate_sa: transform 4 proto 1 proposal 1 ok
200023.670527 SA   80 sa_add_transform: proto 0x118600 no 1 proto 1 chosen 0x12a6a0 sa 0x120000 id 1
200023.670552 Misc 95 conf_get_str: [ISAKMP-configuration-generic_server-0.0.0.0]:Transforms->3DES-SHA,3DES-MD5,BLF-SHA,BLF-MD5,CAST-SHA,CAST-MD5,DES-SHA,DES-MD5,CAST-CBC
200023.670591 Misc 95 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC
200023.670616 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected 3DES_CBC
200023.670640 Misc 95 conf_get_str: [3DES-MD5]:ENCRYPTION_ALGORITHM->3DES_CBC
200023.670664 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected 3DES_CBC
200023.670689 Misc 95 conf_get_str: [BLF-SHA]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC
200023.670713 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected BLOWFISH_CBC
200023.670737 Misc 95 conf_get_str: [BLF-MD5]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC
200023.670761 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected BLOWFISH_CBC
200023.670785 Misc 95 conf_get_str: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670810 Misc 95 conf_get_str: [CAST-SHA]:HASH_ALGORITHM->SHA
200023.670834 Misc 95 conf_get_str: [CAST-SHA]:AUTHENTICATION_METHOD->PRE_SHARED
200023.670858 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got RSA_SIG, expected PRE_SHARED
200023.670883 Misc 95 conf_get_str: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670908 Misc 95 conf_get_str: [CAST-MD5]:HASH_ALGORITHM->MD5
200023.670931 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got SHA, expected MD5
200023.670956 Misc 95 conf_get_str: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC
200023.670979 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected DES_CBC
200023.671004 Misc 95 conf_get_str: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC
200023.671027 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected DES_CBC
200023.671051 Misc 95 conf_get_str: configuration value not found [CAST-CBC]:ENCRYPTION_ALGORITHM
200023.671074 Negt 70 attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in CAST-CBC
200023.671094 Negt 20 ike_phase_1_validate_prop: failure
200023.671118 Negt 30 message_negotiate_sa: proposal 1 failed
200023.671139 Default message_negotiate_sa: no compatible proposal found
200023.671172 Default dropped message from 192.168.2.154 port 500 due to notification type NO_PROPOSAL_CHOSEN
200023.671200 Misc 95 conf_get_str: [General]:Exchange-max-time->120
200023.671229 Timr 10 timer_add_event: event exchange_free_aux(0x120100) added last, expiration in 120s
200023.671251 Cryp 60 hash_get: requested algorithm 1
200023.671293 Exch 10 exchange_establish_p1: 0x120100 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
200023.671320 Exch 10 exchange_establish_p1: icookie 0b6acceb4d6c8680 rcookie 0000000000000000
200023.671341 Exch 10 exchange_establish_p1: msgid 00000000 
200023.671366 Trpt 95 transport_reference: transport 0x118480 now has 3 references
200023.671387 Mesg 90 message_alloc: allocated 0x120200
200023.671419 Exch 90 exchange_validate: checking for required INFO
200023.671444 Mesg 70 message_send: message 0x120200
200023.671471 Mesg 70 ICOOKIE: 0x0b6acceb4d6c8680
200023.671499 Mesg 70 RCOOKIE: 0x0000000000000000
200023.671521 Mesg 70 NEXT_PAYLOAD: NOTIFY
200023.671542 Mesg 70 VERSION: 16
200023.671564 Mesg 70 EXCH_TYPE: INFO
200023.671585 Mesg 70 FLAGS: [ ]
200023.671609 Mesg 70 MESSAGE_ID: 0x00000000
200023.671630 Mesg 70 LENGTH: 40
200023.671681 Mesg 70 message_send: 0b6acceb 4d6c8680 00000000 00000000 0b100500 00000000 00000028 0000000c
200023.671709 Mesg 70 message_send: 00000001 0100000e 
200023.671732 Exch 40 exchange_run: exchange 0x120100 finished step 0, advancing...
200023.671754 Mesg 20 message_free: freeing 0x105d00
200023.671779 Trpt 95 transport_release: transport 0x118480 had 3 references
200023.671801 SA   80 sa_release: SA 0x120000 had 3 references
200023.671829 Trpt 95 transport_reference: transport 0x118480 now has 3 references
200023.671853 Trpt 95 transport_reference: transport 0x118440 now has 2 references
200023.671876 Trpt 95 transport_reference: transport 0x118400 now has 2 references
200023.671899 Trpt 95 transport_reference: transport 0x1183c0 now has 2 references
200023.671922 Trpt 95 transport_reference: transport 0x118380 now has 2 references
200023.671945 Trpt 95 transport_reference: transport 0x118340 now has 2 references
200023.671968 Trpt 95 transport_reference: transport 0x118300 now has 2 references
200023.671991 Trpt 95 transport_reference: transport 0x1182c0 now has 2 references
200023.672014 Trpt 95 transport_reference: transport 0x118280 now has 2 references
200023.672036 Trpt 95 transport_reference: transport 0x118240 now has 2 references
200023.672059 Trpt 95 transport_reference: transport 0x118180 now has 2 references
200023.672082 Trpt 95 transport_reference: transport 0x118100 now has 2 references
200023.672198 Trpt 95 transport_release: transport 0x118480 had 3 references
200023.672224 Trpt 95 transport_release: transport 0x118440 had 2 references
200023.672246 Trpt 95 transport_release: transport 0x118400 had 2 references
200023.672269 Trpt 95 transport_release: transport 0x1183c0 had 2 references
200023.672291 Trpt 95 transport_release: transport 0x118380 had 2 references
200023.672314 Trpt 95 transport_release: transport 0x118340 had 2 references
200023.672336 Trpt 95 transport_release: transport 0x118300 had 2 references
200023.672359 Trpt 95 transport_release: transport 0x1182c0 had 2 references
200023.672381 Trpt 95 transport_release: transport 0x118280 had 2 references
200023.672404 Trpt 95 transport_release: transport 0x118240 had 2 references
200023.672427 Trpt 95 transport_release: transport 0x118180 had 2 references
200023.672449 Trpt 95 transport_release: transport 0x118100 had 2 references
200023.672489 Trpt 95 transport_reference: transport 0x118480 now has 3 references
200023.672514 Trpt 95 transport_reference: transport 0x118440 now has 2 references
200023.672537 Trpt 95 transport_reference: transport 0x118400 now has 2 references
200023.672560 Trpt 95 transport_reference: transport 0x1183c0 now has 2 references
200023.672583 Trpt 95 transport_reference: transport 0x118380 now has 2 references
200023.672606 Trpt 95 transport_reference: transport 0x118340 now has 2 references
200023.672629 Trpt 95 transport_reference: transport 0x118300 now has 2 references
200023.672651 Trpt 95 transport_reference: transport 0x1182c0 now has 2 references
200023.672674 Trpt 95 transport_reference: transport 0x118280 now has 2 references
200023.672697 Trpt 95 transport_reference: transport 0x118240 now has 2 references
200023.672720 Trpt 95 transport_reference: transport 0x118180 now has 2 references
200023.672743 Trpt 95 transport_reference: transport 0x118100 now has 2 references
200023.673023 Exch 10 exchange_finalize: 0x120100 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
200023.673053 Exch 10 exchange_finalize: icookie 0b6acceb4d6c8680 rcookie 0000000000000000
200023.673075 Exch 10 exchange_finalize: msgid 00000000 
200023.673100 Timr 10 timer_remove_event: removing event exchange_free_aux(0x120100)
200023.673123 Exch 80 exchange_free_aux: freeing exchange 0x120100
200023.673169 Mesg 20 message_free: freeing 0x120200
200023.673194 Trpt 95 transport_release: transport 0x118480 had 3 references
200023.673218 Trpt 95 transport_release: transport 0x118480 had 2 references
200023.673240 Trpt 95 transport_release: transport 0x118440 had 2 references
200023.673263 Trpt 95 transport_release: transport 0x118400 had 2 references
200023.673285 Trpt 95 transport_release: transport 0x1183c0 had 2 references
200023.673308 Trpt 95 transport_release: transport 0x118380 had 2 references
200023.673330 Trpt 95 transport_release: transport 0x118340 had 2 references
200023.673353 Trpt 95 transport_release: transport 0x118300 had 2 references
200023.673375 Trpt 95 transport_release: transport 0x1182c0 had 2 references
200023.673398 Trpt 95 transport_release: transport 0x118280 had 2 references
200023.673420 Trpt 95 transport_release: transport 0x118240 had 2 references
200023.673443 Trpt 95 transport_release: transport 0x118180 had 2 references
============================

======== error report pgpnet =========
00:37:11: SARequest: 192.168.2.253 (0.0.0.0/0.0.0.0)
00:37:20: 	New Identity Exchange - Initiator
00:37:20: Initiating Phase 1 Keying
00:37:20: Send: SA/Vendor/Vendor/SENT

00:37:20: Rcvd: exchange=Informational, firstPayload=Notify, port=500
00:37:20: 	New Informational Exchange - Responder
00:37:20: 	Payloads:Notify/
00:37:20: 	Notification
00:37:20: ALERT(R): 192.168.2.253, alert=NoProposalChoice
00:37:20: SAFailed: 192.168.2.253 (0.0.0.0/0.0.0.0)
==================================================
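An added helper, not part of Clarence's post or of isakmpd itself, that reads `attribute_unacceptable` lines in the format of the isakmpd.log above and reports, per configured transform section, which attribute was rejected and how many attributes had already matched before the rejection. The sample is a constructed subset of the log lines above; the transform that got furthest (here the one rejected on AUTHENTICATION_METHOD after encryption and hash matched) is the mismatch to look at first.

```python
import re

# Constructed sample: a subset of the isakmpd.log lines shown above
SAMPLE_LOG = """\
200023.670591 Misc 95 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC
200023.670616 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got CAST_CBC, expected 3DES_CBC
200023.670785 Misc 95 conf_get_str: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670810 Misc 95 conf_get_str: [CAST-SHA]:HASH_ALGORITHM->SHA
200023.670834 Misc 95 conf_get_str: [CAST-SHA]:AUTHENTICATION_METHOD->PRE_SHARED
200023.670858 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got RSA_SIG, expected PRE_SHARED
200023.670883 Misc 95 conf_get_str: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC
200023.670908 Misc 95 conf_get_str: [CAST-MD5]:HASH_ALGORITHM->MD5
200023.670931 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got SHA, expected MD5
200023.671051 Misc 95 conf_get_str: configuration value not found [CAST-CBC]:ENCRYPTION_ALGORITHM
200023.671074 Negt 70 attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in CAST-CBC
200023.671094 Negt 20 ike_phase_1_validate_prop: failure
"""

# conf_get_str lines tell us which [section] isakmpd is currently comparing
SECTION_RE = re.compile(r"conf_get_str: (?:configuration value not found )?\[([^\]]+)\]:(\w+)")
REJECT_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
MISSING_RE = re.compile(r"attribute_unacceptable: attr (\w+) does not exist in (\S+)")


def parse_rejections(log_text):
    """Map each transform section to (attribute, peer_value, our_value, depth).
    depth = number of attributes isakmpd compared before giving up on that section
    (1 = failed on the first attribute, 3 = encryption and hash matched first)."""
    result, section, depth = {}, None, 0
    for line in log_text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            if m.group(1) != section:
                section, depth = m.group(1), 0
            depth += 1
            continue
        m = REJECT_RE.search(line)
        if m and section:
            result[section] = (m.group(1), m.group(2), m.group(3), depth)
        m = MISSING_RE.search(line)
        if m:  # section named in Transforms= but never defined in isakmpd.conf
            result[m.group(2)] = (m.group(1), None, None, 0)
    return result


def blocking_mismatch(rejections):
    """The rejection reached after the most successful comparisons is the one
    that stands between us and a match, so it is the one to fix first."""
    return max(rejections.items(), key=lambda kv: kv[1][3])
```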