Hi all
I have some OpenBSD boxes acting as IPsec VPN endpoints towards a Palo Alto PA-820.
In my latest VPN config (using OpenBSD 6.8) the isakmpd log shows the peer proposing PRE_SHARED while isakmpd says it expected RSA_SIG, even though ipsec.conf sets a psk and `ipsecctl -nvf` (shown below) renders the phase 1 transform as PRE_SHARED. Note that `-n` only parses the file and does not load it, so the running daemon may not be using this configuration at all.
May 4 18:11:44 fw-donmilani isakmpd[37871]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
May 4 18:11:44 fw-donmilani isakmpd[37871]: message_negotiate_sa: no
compatible proposal found
May 4 18:11:44 fw-donmilani isakmpd[37871]: dropped message from 93.63.x.x
port 500 due to notification type NO_PROPOSAL_CHOSEN
fw-donmilani# uname -a
OpenBSD fw-donmilani.comune.arezzo.it 6.8 GENERIC.MP#98 amd64
fw-donmilani# cat /etc/ipsec.conf
# IKEv1 main mode + quick mode tunnel, PSK-authenticated, for 172.16.146.0/24
# <-> 172.16.0.0/16 via peer 93.63.x.x. Both phases request 3DES, a 64-bit
# block cipher that is considered weak for IPsec (Sweet32); prefer an AES
# cipher on both ends once the PA-820 proposal is changed to match.
# NOTE(review): this file requests PRE_SHARED, and `ipsecctl -nvf` renders
# AUTHENTICATION_METHOD=PRE_SHARED, so the "expected RSA_SIG" in the log most
# likely means the running isakmpd did not load this file (-n parses only);
# confirm with `ipsecctl -f /etc/ipsec.conf` and `ipsecctl -sa`.
# The psk is stored in clear here: keep this file root-only (mode 0600).
ike esp from 172.16.146.0/24 to 172.16.0.0/16 peer 93.63.x.x \
main auth "hmac-sha2-256" enc "3des" group modp2048 \
quick auth "hmac-sha2-256" enc "3des" group modp2048 \
psk "hxxxxxxxxxxxxxxxI"
fw-donmilani#
fw-donmilani# ipsecctl -nvf /etc/ipsec.conf
C set [Phase 1]:93.63.x.x=peer-93.63.x.x force
C set [peer-93.63.x.x]:Phase=1 force
C set [peer-93.63.x.x]:Address=93.63.x.x force
C set [peer-93.63.x.x]:Authentication=hxxxxxxxxxxxxxxxxxxxxxxxI force
C set [peer-93.63.x.x]:Configuration=phase1-peer-93.63.x.x force
C set [phase1-peer-93.63.x.x]:EXCHANGE_TYPE=ID_PROT force
C add
[phase1-peer-93.63.x.x]:Transforms=phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048
force
C set
[phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048]:AUTHENTICATION_METHOD=PRE_SHARED
force
C set
[phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048]:HASH_ALGORITHM=SHA2_256
force
C set
[phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048]:ENCRYPTION_ALGORITHM=3DES_CBC
force
C set
[phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048]:GROUP_DESCRIPTION=MODP_2048
force
C set
[phase1-transform-peer-93.63.x.x-PRE_SHARED-SHA2_256-3DES-MODP_2048]:Life=LIFE_MAIN_MODE
force
C set [from-172.16.146.0/24-to-172.16.0.0/16]:Phase=2 force
C set [from-172.16.146.0/24-to-172.16.0.0/16]:ISAKMP-peer=peer-93.63.x.x force
C set
[from-172.16.146.0/24-to-172.16.0.0/16]:Configuration=phase2-from-172.16.146.0/24-to-172.16.0.0/16
force
C set [from-172.16.146.0/24-to-172.16.0.0/16]:Local-ID=from-172.16.146.0/24
force
C set [from-172.16.146.0/24-to-172.16.0.0/16]:Remote-ID=to-172.16.0.0/16 force
C set [phase2-from-172.16.146.0/24-to-172.16.0.0/16]:EXCHANGE_TYPE=QUICK_MODE
force
C set
[phase2-from-172.16.146.0/24-to-172.16.0.0/16]:Suites=phase2-suite-from-172.16.146.0/24-to-172.16.0.0/16
force
C set
[phase2-suite-from-172.16.146.0/24-to-172.16.0.0/16]:Protocols=phase2-protocol-from-172.16.146.0/24-to-172.16.0.0/16
force
C set
[phase2-protocol-from-172.16.146.0/24-to-172.16.0.0/16]:PROTOCOL_ID=IPSEC_ESP
force
C set
[phase2-protocol-from-172.16.146.0/24-to-172.16.0.0/16]:Transforms=phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL
force
C set
[phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL]:TRANSFORM_ID=3DES
force
C set
[phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL]:ENCAPSULATION_MODE=TUNNEL
force
C set
[phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
force
C set
[phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL]:GROUP_DESCRIPTION=MODP_2048
force
C set
[phase2-transform-from-172.16.146.0/24-to-172.16.0.0/16-3DES-SHA2_256-MODP_2048-TUNNEL]:Life=LIFE_QUICK_MODE
force
C set [from-172.16.146.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [from-172.16.146.0/24]:Network=172.16.146.0 force
C set [from-172.16.146.0/24]:Netmask=255.255.255.0 force
C set [to-172.16.0.0/16]:ID-type=IPV4_ADDR_SUBNET force
C set [to-172.16.0.0/16]:Network=172.16.0.0 force
C set [to-172.16.0.0/16]:Netmask=255.255.0.0 force
C add [Phase 2]:Connections=from-172.16.146.0/24-to-172.16.0.0/16
fw-donmilani#
Giacomo Marconi
-------------------------
Ufficio Servizi Informativi
Comune di Arezzo
0575 377790
345 0305792