On Thu, 10 Aug 2006, Steve Glaus wrote:
Daniel Ouellet wrote:
Steve Glaus wrote:
Hello all,
I'm finally desperate enough to post this to a list...
I have been trying for two days to set up a basic VPN between my OpenBSD
box at home and my OpenBSD box at work.
The box at home is running 3.7 and the box here at work is running 3.9.
It may be worth having 3.9 in both places.
Here is something that might help:
http://www.securityfocus.com/infocus/1859
Also may be good to read:
http://www.undeadly.org/cgi?action=article&sid=20060621160000
and this specially:
http://www.undeadly.org/cgi?action=article&sid=20060606210130
man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf
So many changes happened in the last few months and many things have been
replaced that I think trying to set up a VPN using what we may call the old
way is a waste of time.
I have seen many articles and examples in the last few months explaining
all the great changes to this that I would say trying to use 3.7 for this
is wrong. But I may be wrong for sure. It's just based on what was posted
lately, really.
I am not 100% sure, but I think even some of the best changes are in
current that make the setup very simple now based on articles on
undeadly.org about the subject.
Just a thought.
Hope this helps you some.
Hello again,
Thanks for your help earlier. I haven't really had time to look at this
problem in the last few weeks.
I've started trying to use ipsecctl on my 3.9 box to connect to the actual
service we will be using this for and I've made SOME progress so thank you
for steering me in the right direction.
Now,
Whenever I try to connect to one of our cheesy little VPN routers (DLINK
DFL-300's) using ipsecctl it works perfectly. The tunnel comes up, everything
looks beautiful.
But I can't stop there I'm afraid (though GOD I wish I could)....
I'm trying to connect to a sonicwall 4060 VPN that our software vendor uses.
When I try to do this using the same setup (with the appropriate changes
made) I get NO_PROPOSAL_CHOSEN messages.
One glaring difference that I can see is that when I connect to the DLINK I
use a passive connection and isakmpd sits and listens for incoming
connections. Could this be a lifetime issue? Tech support at the other end
said this is possible. How do you set the lifetime using ipsecctl? (I've read
that this is only possible with -current.)
Another item - IS PFS disabled or enabled by default when one uses ipsecctl?
Can this be set?
Looking at my logs I'm pretty sure that it's making it through phase 1. Our
vendor's phase 1 and phase 2 use identical encryption/authorization so I don't
quite understand why I would be getting NO_PROPOSALS for only phase 2. The
lifetimes for both phases are also identical on the vendor's end.
This is the relevant configuration info:
ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134 main auth
hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"
The debug output can be found here:
http://ww2.bartowpc.com:8080/isakmpd_out
I really don't know where to go from here. I've invested hours & hours into
this and we've (foolishly?) committed to this direction.
Thanks for any help anyone can give.
Ask the SonicWall 4060 admin how he/she is defining their network objects.
You have specified 172.28.128.0/21. On SonicOS enhanced you can define
address objects as "Single Host", "Network", or "Address Range". I think
they want to use Network, and specify the netmask rather than address
range, that could be an issue. SonicOS also uses 28800/28800 SA
lifetimes as opposed to 86400/28800.
Good luck! I've connected to a 4060 multiple times before but not using
the new ipsecctl syntax, I used the old isakmpd.conf syntax. Later,
-Matt-
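For anyone finding this thread later: the two knobs raised above (PFS and SA lifetimes) live in different files when the policy is loaded with ipsecctl. The following is an added illustration, not the poster's or Matt's configuration. It assumes the `group` keyword of ipsec.conf(5) for the release in use (the syntax was still changing at the time, so check the man page for your release), that isakmpd still reads the [General] section of isakmpd.conf(5) when ipsec.conf supplies the policy, and it uses the addresses from the thread with an obviously placeholder PSK.

```conf
# /etc/ipsec.conf  (example only)
# An explicit quick-mode group turns on PFS; the peer must be configured the
# same way or phase 2 fails with NO_PROPOSAL_CHOSEN even though phase 1 works.
# The remote side is given as a network (172.28.128.0/21), matching a
# "Network" address object on the SonicWall rather than an address range.
ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134 main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group modp1024 psk "PLACEHOLDER-CHANGE-ME"

# /etc/isakmpd/isakmpd.conf  (example only)
# ipsec.conf carries no lifetime keyword; SA lifetimes come from isakmpd.conf.
# Format is default,min:max in seconds. 28800 for both phases matches the
# SonicOS defaults mentioned above instead of isakmpd's 3600/1200 defaults.
[General]
Default-phase-1-lifetime=	28800,60:86400
Default-phase-2-lifetime=	28800,60:86400
```

Load the policy with `ipsecctl -f /etc/ipsec.conf` and confirm the negotiated SAs with `ipsecctl -sa`; if the phase 2 proposal is still rejected, the lifetime and group values are the first things to compare side by side with the peer's phase 2 settings, since a mismatch in either produces the same NO_PROPOSAL_CHOSEN notification.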