Can you tell how you got this great debug log?
>>> Erwin Schliske <[email protected]> 10/1/2012 9:21 PM >>>

Hello,

I've set up an OpenBSD box as a VPN gateway. The tunnel I have to establish is with a Cisco ASA 5505, which is not under my administration. Here is the ipsec.conf:

ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
        peer a.b.102.219 \
        local c.d.3.254 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk password

If I try to ping one host on the Cisco side from the OpenBSD side, the tunnel doesn't come up. If I look with tcpdump on the external interface, or in the tcpdump logging of isakmpd, OpenBSD doesn't try to establish the tunnel.

If I ping a host on the OpenBSD side from the Cisco side, the tunnel comes up. In the logging of isakmpd I see these log lines:

20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->0000000000000000 msgid: 00000000 len: 188 payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2 payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM = AES_CBC attribute KEY_LENGTH = 256 attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080 payload: TRANSFORM len: 36 transform: 2 ID: ISAKMP attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080 payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 184 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 36 transform: 2 ID: ISAKMP attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 304 payload: KEY_EXCH len: 132 payload: NONCE len: 24 payload: VENDOR len: 20 (supports Cisco Unity) payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt) payload: VENDOR len: 20 payload: VENDOR len: 20 payload: NAT-D-DRAFT len: 24 payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 232 payload: KEY_EXCH len: 132 payload: NONCE len: 24 payload: NAT-D-DRAFT len: 24 payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:57:40.440675 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 84 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 37.188.102.219 payload: HASH len: 24 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
20:57:40.440740 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 64 payload: ID len: 12 type: IPV4_ADDR = 87.79.3.254 payload: HASH len: 24 [ttl 0] (id 1, len 92)
20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 196 payload: HASH len: 24 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x44230db2 payload: TRANSFORM len: 36 transform: 1 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 00465000 attribute ENCAPSULATION_MODE = TUNNEL attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: NONCE len: 24 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0 payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (c5fe8a243e380ce2->ad0c72b886cfb802) [ttl 0] (id 1, len 224)
20:57:40.466133 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 168 payload: HASH len: 24 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0d09b388 payload: TRANSFORM len: 36 transform: 1 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 00465000 attribute ENCAPSULATION_MODE = TUNNEL attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: NONCE len: 24 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0 [ttl 0] (id 1, len 196)
20:57:40.492960 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 76 payload: HASH len: 24 [ttl 0] (id 1, len 104)

On the Cisco side port 500/udp is open. Does anybody know why my side doesn't try to set the tunnel up?

Thanks,

Regards,
Erwin
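An added example, not from either poster: a small Python parser for isakmpd tcpdump lines of the kind quoted above. It reports which peer initiated main mode (the first ID_PROT packet carries an all-zero responder cookie) and which of the peer's phase-1 transforms match the settings on the ipsec.conf "main" line, so one can read off from such a log who started the exchange and what was acceptable. The sample log is a constructed, trimmed reconstruction of the first two packets above.

```python
import re

# Constructed sample, trimmed from the isakmpd tcpdump log quoted in the post (one packet per line).
SAMPLE_LOG = (
    "20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: isakmp v1.0 exchange ID_PROT "
    "cookie: c5fe8a243e380ce2->0000000000000000 msgid: 00000000 payload: SA payload: "
    "PROPOSAL proposal: 1 proto: ISAKMP xforms: 2 payload: TRANSFORM transform: 1 "
    "ID: ISAKMP attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM "
    "= AES_CBC attribute KEY_LENGTH = 256 attribute HASH_ALGORITHM = SHA attribute "
    "AUTHENTICATION_METHOD = PRE_SHARED payload: TRANSFORM transform: 2 ID: ISAKMP "
    "attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM = 3DES_CBC "
    "attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED\n"
    "20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: isakmp v1.0 exchange ID_PROT "
    "cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 payload: SA payload: "
    "PROPOSAL proposal: 1 proto: ISAKMP xforms: 1 payload: TRANSFORM transform: 2 "
    "ID: ISAKMP attribute GROUP_DESCRIPTION = MODP_1024 attribute ENCRYPTION_ALGORITHM "
    "= 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED\n"
)

HDR = re.compile(r"^(\S+) (\S+)\.500 > (\S+)\.500: .*?exchange (\S+) cookie: "
                 r"([0-9a-f]{16})->([0-9a-f]{16}) msgid: ([0-9a-f]{8})")

def parse_packets(log):
    """One dict per ISAKMP packet: sender, exchange, cookies, and the attributes of each TRANSFORM payload."""
    pkts = []
    for line in log.splitlines():
        m = HDR.match(line)
        if not m:
            continue
        ts, src, dst, exch, icookie, rcookie, msgid = m.groups()
        transforms = [dict(re.findall(r"attribute (\w+) = (\w+)", seg))
                      for seg in line.split("payload: TRANSFORM")[1:]]
        pkts.append(dict(ts=ts, src=src, dst=dst, exchange=exch, icookie=icookie,
                         rcookie=rcookie, msgid=msgid, transforms=transforms))
    return pkts

def initiator(pkts):
    """The sender of the first main-mode packet whose responder cookie is still all zeros."""
    return next((p["src"] for p in pkts
                 if p["exchange"] == "ID_PROT" and p["rcookie"] == "0" * 16), None)

# 'main auth hmac-sha1 enc 3des group modp1024' + 'psk', as tcpdump names the attributes
CONF_MAIN = {"HASH_ALGORITHM": "SHA", "ENCRYPTION_ALGORITHM": "3DES_CBC",
             "GROUP_DESCRIPTION": "MODP_1024", "AUTHENTICATION_METHOD": "PRE_SHARED"}

def matching_transforms(pkts, conf=CONF_MAIN):
    """1-based positions of the peer's phase-1 transforms that match our main-mode settings."""
    first = next(p for p in pkts if p["exchange"] == "ID_PROT")
    return [i + 1 for i, t in enumerate(first["transforms"])
            if all(t.get(k) == v for k, v in conf.items())]
```

Run against the full log above, it shows the Cisco peer initiating and only its second transform (3DES) matching the main line, which is the transform OpenBSD answered with.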

