Re: tunnel notification: NO PROPOSAL CHOSEN
Sorry I forgot to include the isakmpd.conf files
On Monday 09 February 2004 12:39 pm, Steve wrote:
> Hi,
>
> I should have two "mirrored" configurations on two OpenBSD FW's.
> On one of them I get "notification: NO PROPOSAL CHOSEN"
> Whilst the other is not complaining.
>
> Where have I gone wrong?
>
> -------------------(All IP addresses changed)------------------------
> # tcpdump -nvs1500 -r /var/run/isakmpd.pcap
> 07:29:21.406587 207.mmm.nnn.ooo.500 > 24.mmm.nnn.ooo.500: [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> cookie: e6ee5844c712736e->0000000000000000 msgid: 00000000 len:
> 80 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload:
> PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> payload: TRANSFORM len: 32
> transform: 0 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute GROUP_DESCRIPTION = MODP_1024
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 3600 [ttl 0] (id 1)
> 07:29:47.301642 24.mmm.nnn.ooo.500 > 207.mmm.nnn.ooo.500: [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> cookie: ad350d152522f63a->0000000000000000 msgid: 00000000 len:
> 80 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload:
> PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> payload: TRANSFORM len: 32
> transform: 0 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute GROUP_DESCRIPTION = MODP_1024
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 3600 [ttl 0] (id 1)
> 07:29:47.309810 207.mmm.nnn.ooo.500 > 24.mmm.nnn.ooo.500: [udp sum ok]
> isakmp v1.0 exchange INFO
> cookie: 37440e5f6264a54a->0000000000000000 msgid: 00000000 len:
> 40 payload: NOTIFICATION len: 12
> notification: NO PROPOSAL CHOSEN [ttl 0] (id 1)
isakmpd.conf on LAN0
[General]
Default-phase-1-lifetime=3600,60:43200
Default-phase-2-lifetime=3600,60:43200
Listen-on= 24.mmm.nnn.ooo
[Phase 1]
#= GW-LAN0
#= GW-LAN1
207.mmm.nnn.ooo= GW-LAN2
#= GW-LAN3
#= GW-LAN4
# Phase 2 defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-0-2
# ISAKMP phase 1 peers (from [Phase 1])
[GW-LAN2]
Phase= 1
Transport= udp
Address= 207.mmm.nnn.ooo
Configuration= Default-main-mode
Authentication= mysharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-0-2]
Phase= 2
ISAKMP-peer= GW-LAN2
Configuration= Default-quick-mode
Local-ID= GW-LAN0-int-netw
Remote-ID= GW-LAN2-int-netw
# ID sections (as used in [VPN-0-2])
[GW-LAN0-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.6.0
Netmask= 255.255.255.0
[GW-LAN2-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.2.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions (as used by peers and connections)
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
isakmpd.conf on LAN2
[General]
Default-phase-1-lifetime=3600,60:43200
Default-phase-2-lifetime=3600,60:43200
Listen-on= 207.mmm.nnn.ooo
[Phase 1]
24.mm.nnn.ooo= GW-LAN0
#= GW-LAN1
#= GW-LAN2
#= GW-LAN3
#= GW-LAN4
# Phase 2 defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-2-0
# ISAKMP phase 1 peers (from [Phase 1])
[GW-LAN0]
Phase= 1
Transport= udp
Address= 24.mmm.nnn.ooo
Configuration= Default-main-mode
Authentication= mysharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-2-0]
Phase= 2
ISAKMP-peer= GW-LAN0
Configuration= Default-quick-mode
Local-ID= GW-LAN2-int-netw
Remote-ID= GW-LAN0-int-netw
# ID sections (as used in [VPN-2-0])
[GW-LAN2-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.2.0
Netmask= 255.255.255.0
[GW-LAN0-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.6.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions (as used by peers and connections)
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
--
____________________________________
Steve Szmidt
VP Information Technology
Video Group Distributors, Inc.
727-585-7737
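A mechanical way to check a "mirrored" pair of isakmpd.conf files before reading packet traces, added here as an example (it is not part of the original post and not isakmpd's own code). It parses the ini-style syntax, then checks the two lookups isakmpd makes that these files depend on: the [Phase 1] table that maps a remote address to the peer section used for an exchange with that address (addresses not listed fall back to the Default entry), and that both gateways describe the same tunnel from opposite ends, with the Local-ID subnet on one side equal to the Remote-ID subnet on the other. The two embedded configurations are constructed, trimmed copies of the ones posted above, with the anonymised addresses kept exactly as posted; the function names are this example's own.

```python
"""Consistency checks for a mirrored pair of isakmpd.conf files (added
example, not part of the original post or of isakmpd itself)."""
import re

# Constructed copies of the two posted configurations, trimmed to the entries
# the checks need; the anonymised addresses are kept exactly as posted.
ID_SECTIONS = """[GW-LAN0-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.6.0
Netmask= 255.255.255.0
[GW-LAN2-int-netw]
ID-type= IPV4_ADDR_SUBNET
Network= 10.12.2.0
Netmask= 255.255.255.0
"""


def gateway_conf(listen, phase1_key, peer, peer_addr, conn, local_id, remote_id):
    """Build one gateway's isakmpd.conf in the shape used in the post."""
    return (f"[General]\nListen-on= {listen}\n[Phase 1]\n{phase1_key}= {peer}\n"
            f"[Phase 2]\nConnections= {conn}\n[{peer}]\nPhase= 1\nAddress= {peer_addr}\n"
            f"[{conn}]\nPhase= 2\nISAKMP-peer= {peer}\n"
            f"Local-ID= {local_id}\nRemote-ID= {remote_id}\n" + ID_SECTIONS)


LAN0_CONF = gateway_conf("24.mmm.nnn.ooo", "207.mmm.nnn.ooo", "GW-LAN2", "207.mmm.nnn.ooo",
                         "VPN-0-2", "GW-LAN0-int-netw", "GW-LAN2-int-netw")
LAN2_CONF = gateway_conf("207.mmm.nnn.ooo", "24.mm.nnn.ooo", "GW-LAN0", "24.mmm.nnn.ooo",
                         "VPN-2-0", "GW-LAN2-int-netw", "GW-LAN0-int-netw")


def parse_conf(text):
    """Parse isakmpd.conf text into {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def connections(conf):
    """Names listed as [Phase 2] Connections= a,b,c."""
    return [c.strip() for c in conf.get("Phase 2", {}).get("Connections", "").split(",") if c.strip()]


def check_phase1_peers(conf):
    """[Phase 1] maps a remote address to the peer section used for exchanges
    with that address; the key must equal that section's Address= (and every
    Phase 1 section's Address= must be a key), or the lookup silently misses."""
    problems = []
    table = {k: v for k, v in conf.get("Phase 1", {}).items() if k != "Default"}
    for addr, peer in table.items():
        sect = conf.get(peer, {})
        if sect.get("Phase") != "1":
            problems.append(f"[Phase 1] maps {addr} to [{peer}], which is not a Phase= 1 section")
        elif sect.get("Address") != addr:
            problems.append(f"[Phase 1] key {addr} differs from [{peer}] Address= {sect['Address']}")
    for name, sect in conf.items():
        if sect.get("Phase") == "1" and sect.get("Address") not in table:
            problems.append(f"[{name}] Address= {sect.get('Address')} is not a key in [Phase 1]")
    return problems


def subnet_id(conf, name):
    s = conf.get(name, {})
    return (s.get("ID-type"), s.get("Network"), s.get("Netmask"))


def check_mirror(local, remote):
    """Each connection in `local` whose peer is `remote` needs a counterpart in
    `remote` pointing back, with the Local-ID and Remote-ID subnets swapped."""
    problems = []
    here = local.get("General", {}).get("Listen-on")
    there = remote.get("General", {}).get("Listen-on")
    peer_addr = lambda conf, conn: conf.get(conf[conn].get("ISAKMP-peer"), {}).get("Address")
    for name in connections(local):
        if peer_addr(local, name) != there:
            continue  # tunnel to some other gateway, not part of this pair
        back = [b for b in connections(remote) if peer_addr(remote, b) == here]
        if not back:
            problems.append(f"{there} has no connection back to {here}")
            continue
        a, b = local[name], remote[back[0]]
        if (subnet_id(local, a.get("Local-ID")) != subnet_id(remote, b.get("Remote-ID"))
                or subnet_id(local, a.get("Remote-ID")) != subnet_id(remote, b.get("Local-ID"))):
            problems.append(f"[{name}] and [{back[0]}] do not describe the same two subnets")
    return problems


def audit(conf_a_text, conf_b_text):
    """Run every check on a pair of configurations; empty lists mean consistent."""
    a, b = parse_conf(conf_a_text), parse_conf(conf_b_text)
    return {"a_phase1": check_phase1_peers(a), "b_phase1": check_phase1_peers(b),
            "mirror": check_mirror(a, b) + check_mirror(b, a)}


if __name__ == "__main__":
    for check, found in audit(LAN0_CONF, LAN2_CONF).items():
        print(check, "ok" if not found else found)
```

On the two files as posted the subnet mirror comes out clean, but the LAN2 side's [Phase 1] key (24.mm.nnn.ooo) is not the same string as the [GW-LAN0] Address (24.mmm.nnn.ooo). Whether that is a slip in anonymising the addresses for the list or is present in the real file, the post does not say; it is the table isakmpd consults on the 207 side when it responds to an exchange the 24 side initiated, which is the direction the NO PROPOSAL CHOSEN appears in the trace, so it is the first thing to confirm against the unedited file.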