[EMAIL PROTECTED] writes:
>Has anybody gotten this to work? I've been dorking with it again in OBSD
>3.0, still seem to have the same issues. Both sides appear to be
>configured fine, tcpdump on the OBSD box shows ESP traffic coming from the
>GB, while the GB shows ESP traffic coming in from the OBSD box, but
>packets never get past either gateway. Seems like it's probably a keying
>issue. I've tried blowfish and 3des with no luck. I'm going to keep
>pounding on it, but I send this note in hopes of someone else having
>already done the pounding...
My quest is at an end. I have OBSD VPN... Yee Freakin' Haw! (I've been
dorking with this off and on for some months now, so I'm very pleased to
finally nail it). Never got Manual key exchange going, but I'm up with
IKE. I Like IKE... ;-) Also, I noted that the OBSD daemon seems to get
upset if you reboot the box; I had to reset the daemon on both the GB and
OBSD box when that happened. Anyway, here's what I found:
GBFlash 3.2.1 config:
Phase1:
Exchange mode:main
Keygroup: any
preshared secret (hex value of "mysecretkey")
Enc method: 3des
Hash: md5 (sha1 wouldn't work)
Phase2:
Enc method: 3des
hash: sha1
Keygroup: any
OpenBSD 3.0 config:
/etc/isakmpd/isakmpd.policy:
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
         password
Authorizer: "POLICY"
Licensees: "passphrase:mysecretkey"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-sha" -> "true";
/etc/isakmpd/isakmpd.conf (replace stuff in {} with correct values):
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= {obsd ext ip address}

[Phase 1]
{gbflash ext ip address}= ISAKMP-peer-west

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= {gbflash ext ip address}
Configuration= Default-main-mode
Authentication= {mysecretkey}

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= {gb protected subnet addr}
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= {obsd protected subnet addr}
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
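Added here as an illustration, not part of Ed's post: a small Python checker that reads the Phase 2 sections of an isakmpd.conf with configparser, pulls the esp_*_alg tests out of the isakmpd.policy Conditions clause, and reports any quick-mode suite the KeyNote policy would refuse to authorize. Run on trimmed copies of the two files above it flags that QM-ESP-AES-SHA-PFS-SUITE proposes AES while the policy only accepts 3des; the ENC/AUTH tables are my assumption of how isakmpd's suite-name tokens map to the KeyNote attribute values, and the sample texts are constructed.

```python
import configparser
import re
# Constructed sample: the Phase 2 sections of the post's isakmpd.conf, trimmed.
ISAKMPD_CONF = """[Phase 2]
Connections= IPsec-east-west
[IPsec-east-west]
Configuration= Default-quick-mode
[Default-quick-mode]
Suites= QM-ESP-AES-SHA-PFS-SUITE
"""
# Constructed sample: the Conditions clause of the post's isakmpd.policy.
ISAKMPD_POLICY = """KeyNote-Version: 2
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-sha" -> "true";
"""
# Assumed mapping from suite-name tokens to the KeyNote attribute values.
ENC = {"DES": "des", "3DES": "3des", "AES": "aes", "BLF": "blowfish", "CAST": "cast"}
AUTH = {"MD5": "hmac-md5", "SHA": "hmac-sha"}
SUITE = re.compile(r"QM-ESP-(\w+?)-(MD5|SHA)(-PFS)?-SUITE")

def policy_requires(policy_text):
    """Return {attribute: value} for each esp_*_alg test in Conditions."""
    return dict(re.findall(r'(esp_\w+_alg)\s*==\s*"([^"]+)"', policy_text))

def phase2_suites(conf_text):
    """Yield (connection, suite) for every quick-mode suite isakmpd proposes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; keep them as-is
    cp.read_string(conf_text)
    for conn in cp["Phase 2"]["Connections"].split(","):
        quick = cp[conn.strip()]["Configuration"]
        for suite in cp[quick]["Suites"].split(","):
            yield conn.strip(), suite.strip()

def check(conf_text, policy_text):
    """List Phase 2 proposals the KeyNote policy would not authorize."""
    want, findings = policy_requires(policy_text), []
    for conn, suite in phase2_suites(conf_text):
        m = SUITE.fullmatch(suite)
        if not m:
            findings.append(f"{conn}: unrecognised suite name {suite}")
            continue
        enc, auth = ENC.get(m.group(1)), AUTH.get(m.group(2))
        if want.get("esp_enc_alg", enc) != enc or want.get("esp_auth_alg", auth) != auth:
            findings.append(f"{conn}: {suite} proposes {enc}/{auth} but policy "
                            f"accepts only {want.get('esp_enc_alg', 'any')}/{want.get('esp_auth_alg', 'any')}")
    return findings
```

With the suite changed to QM-ESP-3DES-SHA-PFS-SUITE the checker returns an empty list, which is the quick sanity check to run before staring at tcpdump output.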
Regards,
Ed Hintz
Network Systems Administrator
Natus Medical, Inc.
[EMAIL PROTECTED]