isakmpd question
hi all,
I am trying to get a VPN tunnel to a Checkpoint NG FP3 working.
They are using:
Phase 1:
- AES-256
- SHA1
- DH Group 2
- Authentication Shared
- no aggressive Mode
Phase 2:
- AES-128
- SHA1
- Lifetime 3600sec
- no ip compression
- PFS
- DH Group 2
- Key Exchange for Subnets
I am getting this error message:
exchange_run: doi->initiator (0x3c12b000) failed
and the tunnel doesn't get established.
Everything else seems to work fine.
tcpdump shows me:
--------------------------------------------------
13:10:01.510457 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->0000000000000000 msgid: 00000000 len: 76
13:10:01.523664 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:02.735808 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 180
13:10:02.750076 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 184 (DF)
13:10:03.557676 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 92
13:10:03.589408 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:03.696384 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:03.796680 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
----------------------------------------------------------------
my isakmpd.conf is:
-----------------------------------------------------------------
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 81.223.6.247
Shared-SADB= Defined
Policy-file= /etc/isakmpd/isakmpd.policy
Default-phase-1-lifetime= 28800
Default-phase-2-lifetime= 3600
Check-interval= 3600
# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
212.95.11.161= ISAKMP-peer-Checkpoint
Default= ISAKMP-peer-Checkpoint
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= IPsec-OBSD-Checkpoint1,IPsec-OBSD-Checkpoint2
# The peers
[ISAKMP-peer-Checkpoint]
Phase= 1
Transport= udp
Local-address= 81.223.6.247
Address= 212.95.11.161
Configuration= Default-main-mode
Authentication= secret
# The different connections
[IPsec-OBSD-Checkpoint1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-Checkpoint
Configuration= Default-quick-mode
Local-ID= Net-OBSD
Remote-ID= Net-Checkpoint1
[IPsec-OBSD-Checkpoint2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-Checkpoint
Configuration= Default-quick-mode
Local-ID= Net-OBSD
Remote-ID= Net-Checkpoint2
# Our Networks
[Net-Checkpoint1]
ID-type= IPV4_ADDR_SUBNET
Network= 212.95.16.240
Netmask= 255.255.255.255
[Net-Checkpoint2]
ID-type= IPV4_ADDR_SUBNET
Network= 212.95.19.135
Netmask= 255.255.255.255
[Net-OBSD]
ID-type= IPV4_ADDR
Address= 81.223.6.247
# Phase 1 descriptions
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES256-SHA-GRP2
# Phase 2 description
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-AES128-SHA-GRP2-PFS-SUITE
[AES256-SHA-GRP2]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
[QM-AES128-SHA-GRP2-PFS-SUITE]
Protocols= QM-ESP-AES-SHA-PFS
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID= AES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
--------------------------------------------------------------------
and my isakmpd.policy is
---------------------------------------------------------------------
Keynote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:secret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" -> "true";
----------------------------------------------------------------------
I am running OpenBSD 3.5.
Does someone know why it won't work?
best regards
Wolfgang
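The tcpdump trace in the post can be read mechanically: Main Mode (ID_PROT) is six messages alternating initiator/responder, the last two encrypted, and a healthy negotiation then continues with a QUICK_MODE exchange under a non-zero msgid. The script below is an added example (not part of the original mail or of isakmpd) that parses tcpdump's isakmp one-liners, collapses retransmits, and reports where a Main Mode exchange stopped. The embedded trace is the post's capture rejoined onto single lines; the `parse`/`summarize` function names and the diagnostic wording are this example's own.

```python
import re
from dataclasses import dataclass

# The eight packets from the post, one tcpdump line per packet (line-wrapping removed).
SAMPLE_TRACE = """\
13:10:01.510457 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->0000000000000000 msgid: 00000000 len: 76
13:10:01.523664 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:02.735808 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 180
13:10:02.750076 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 184 (DF)
13:10:03.557676 81.223.6.247.500 > 212.95.11.161.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 92
13:10:03.589408 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:03.696384 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
13:10:03.796680 212.95.11.161.500 > 81.223.6.247.500: isakmp v1.0 exchange ID_PROT encrypted cookie: 4a8701585e731441->68093a78f8d7385a msgid: 00000000 len: 76 (DF)
"""

# tcpdump's IKEv1 summary line as printed by the capture in the post.
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): isakmp v1\.0 "
    r"exchange (?P<exch>[A-Z_]+)(?P<enc> encrypted)? "
    r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) "
    r"msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)"
)


@dataclass
class Msg:
    ts: str
    src: str
    dst: str
    exch: str
    encrypted: bool
    icookie: str
    rcookie: str
    msgid: str
    length: int


def parse(lines):
    """Return one Msg per line that looks like a tcpdump isakmp summary; other lines are skipped."""
    out = []
    for line in lines:
        m = ISAKMP_RE.match(line.strip())
        if m:
            out.append(Msg(m["ts"], m["src"], m["dst"], m["exch"], m["enc"] is not None,
                           m["icookie"], m["rcookie"], m["msgid"], int(m["len"])))
    return out


def summarize(msgs):
    """Collapse retransmits and say how far Main Mode got and whether Quick Mode followed."""
    if not msgs:
        return {"status": "no isakmp traffic"}
    initiator = msgs[0].src  # first packet carries a zero responder cookie
    distinct, retransmits = [], 0
    for m in msgs:
        prev = distinct[-1] if distinct else None
        same = prev and (m.src, m.exch, m.encrypted, m.msgid, m.length) == \
            (prev.src, prev.exch, prev.encrypted, prev.msgid, prev.length)
        if same:
            retransmits += 1  # same side repeating an identical message: the peer did not move on
        else:
            distinct.append(m)
    main_mode = [m for m in distinct if m.exch == "ID_PROT"]
    quick = [m for m in distinct if m.exch == "QUICK_MODE"]
    last = main_mode[-1] if main_mode else None
    phase1_complete = (len(main_mode) >= 6 and last.encrypted and last.src != initiator)
    if quick:
        status = "phase 2 (QUICK_MODE) started"
    elif phase1_complete:
        status = ("all 6 Main Mode messages seen but no QUICK_MODE followed; "
                  "responder repeated its last message, so the initiator stopped after message 6 "
                  "(check ID, hash/pre-shared key and policy on the initiator)")
    else:
        status = f"Main Mode stalled after message {len(main_mode)}"
    return {"initiator": initiator, "main_mode_messages": len(main_mode),
            "retransmits": retransmits, "quick_mode_seen": bool(quick),
            "phase1_complete": phase1_complete, "status": status}


if __name__ == "__main__":
    for k, v in summarize(parse(SAMPLE_TRACE.splitlines())).items():
        print(f"{k}: {v}")
```

Run against the post's capture, it reports six distinct Main Mode messages, two retransmits of the responder's message 6 and no Quick Mode, which matches the `doi->initiator ... failed` line: the local isakmpd received the responder's final Main Mode message and did not continue. Feed it `tcpdump -n udp port 500` output on any gateway to get the same summary.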