You probably get a "NO_PROPOSAL_CHOSEN" error?
From the info you gave, it looks like the Cisco side tries to talk AES_CBC
but your local side talks 3DES_CBC in Phase 1.


//mxb

On 10/01/2012 09:21 PM, Erwin Schliske wrote:
> Hello,
> 
> I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
> with a Cisco ASA 5505, which is not under my administration.
> 
> Here is the ipsec.conf
> 
> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
> 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
>  peer a.b.102.219 \
>  local c.d.3.254 \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  quick auth hmac-sha1 enc 3des group none \
>  psk password
> 
> If I try to ping one host on the Cisco side from the OpenBSD side, the tunnel doesn't
> come up. If I look with tcpdump on the external interface or in the tcpdump
> logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping from
> the Cisco side a host on the OpenBSD side, the tunnel comes up. In the logging of
> isakmpd I see these log lines
> 
> 20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->0000000000000000 msgid: 00000000 len: 188
>         payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 2
>                 payload: TRANSFORM len: 40
>                     transform: 1 ID: ISAKMP
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute ENCRYPTION_ALGORITHM = AES_CBC
>                         attribute KEY_LENGTH = 256
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 00007080
>                 payload: TRANSFORM len: 36
>                     transform: 2 ID: ISAKMP
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 00007080
>         payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
> 20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 184
>         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 36
>                     transform: 2 ID: ISAKMP
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 00007080
>         payload: VENDOR len: 20 (supports OpenBSD-4.0)
>         payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
> 20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 304
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 24
>         payload: VENDOR len: 20 (supports Cisco Unity)
>         payload: VENDOR len: 12 (supports
> draft-ietf-ipsra-isakmp-xauth-06.txt)
>         payload: VENDOR len: 20
>         payload: VENDOR len: 20
>         payload: NAT-D-DRAFT len: 24
>         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
> 20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 232
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 24
>         payload: NAT-D-DRAFT len: 24
>         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
> 20:57:40.440675 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 84
>         payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR =
> 37.188.102.219
>         payload: HASH len: 24
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
> 20:57:40.440740 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 64
>         payload: ID len: 12 type: IPV4_ADDR = 87.79.3.254
>         payload: HASH len: 24 [ttl 0] (id 1, len 92)
> 20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> exchange QUICK_MODE
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 196
>         payload: HASH len: 24
>         payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x44230db2
>                 payload: TRANSFORM len: 36
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute LIFE_TYPE = KILOBYTES
>                         attribute LIFE_DURATION = 00465000
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>         payload: NONCE len: 24
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 172.16.71.0/255.255.255.0
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0
>         payload: NOTIFICATION len: 28
>             notification: INITIAL CONTACT (c5fe8a243e380ce2->ad0c72b886cfb802)
> [ttl 0] (id 1, len 224)
> 20:57:40.466133 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> exchange QUICK_MODE
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 168
>         payload: HASH len: 24
>         payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0d09b388
>                 payload: TRANSFORM len: 36
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute LIFE_TYPE = KILOBYTES
>                         attribute LIFE_DURATION = 00465000
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>         payload: NONCE len: 24
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 172.16.71.0/255.255.255.0
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0
> [ttl 0] (id 1, len 196)
> 20:57:40.492960 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> exchange QUICK_MODE
>         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 76
>         payload: HASH len: 24 [ttl 0] (id 1, len 104)
> 
> 
> On the Cisco side port 500/udp is open.
> 
> 
> Does anybody know why my side doesn't try to set the tunnel up?
> 
> 
> Thanks,
> 
> Regards,
> Erwin
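To check the Phase 1 overlap mxb is talking about, here is an added example (not code from the thread or from isakmpd): it parses the TRANSFORM blocks out of isakmpd's tcpdump-style decode and reports which of the peer's transforms a given ipsec.conf `main` line would satisfy, an empty result being the situation that ends in NO_PROPOSAL_CHOSEN. The sample log is constructed from the attribute lines quoted above, and the keyword-to-attribute tables are my assumptions based on ipsec.conf(5).

```python
import re

# Constructed sample in the isakmpd/tcpdump decode format shown in the thread:
# the two Phase 1 transforms the Cisco ASA offered (lifetime lines omitted).
PEER_SA = """\
                payload: TRANSFORM len: 40
                    transform: 1 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute KEY_LENGTH = 256
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                payload: TRANSFORM len: 36
                    transform: 2 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
"""

# Assumed mapping of ipsec.conf(5) "main" keywords onto ISAKMP SA attributes.
ENC = {"3des": ("3DES_CBC", None), "aes": ("AES_CBC", 128), "aes-256": ("AES_CBC", 256)}
AUTH = {"hmac-sha1": "SHA", "hmac-md5": "MD5"}
GROUP = {"modp1024": "MODP_1024", "modp1536": "MODP_1536"}

def parse_transforms(log):
    """Return one {attribute: value} dict per 'transform:' block in the decode."""
    xforms = []
    for line in log.splitlines():
        if m := re.search(r"transform: (\d+) ID: ISAKMP", line):
            xforms.append({"num": int(m.group(1))})
        elif m := re.search(r"attribute (\w+) = (\w+)", line):
            xforms[-1][m.group(1)] = m.group(2)
    return xforms

def local_proposal(enc, auth, group):
    """Attributes a 'main auth <auth> enc <enc> group <group> ... psk' line offers."""
    alg, keylen = ENC[enc]
    p = {"ENCRYPTION_ALGORITHM": alg, "HASH_ALGORITHM": AUTH[auth],
         "GROUP_DESCRIPTION": GROUP[group], "AUTHENTICATION_METHOD": "PRE_SHARED"}
    if keylen:
        p["KEY_LENGTH"] = str(keylen)
    return p

def matching_transforms(peer_log, local):
    """Numbers of the peer's transforms that our single local proposal satisfies."""
    return [x["num"] for x in parse_transforms(peer_log)
            if all(x.get(k) == v for k, v in local.items())]
```

With the config from the thread (`enc 3des`), transform 2 matches, which is exactly what the OpenBSD responder picked in the quoted trace; `enc aes` (128-bit) would match nothing against this peer.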
