Hi,
I want to use the ifstated daemon.
I have Googled around and read the man page (not very clear) but not
understood how to use the ifstated.conf file.
All I want to do is monitoring the output of 'netstat -nr' and if the
output changes, and to kill the isakmpd daemon and restart it.
Does someone have a working config file or tip to monitor this ?
Thanks in advance.
Olivier
<------ BEGIN PREVIOUS POST--------------->
Hi all!
I have a problem with a *VPN* tunnel.
The *VPN* is set between an *OpenBSD* 4.0 GENERIC and a *Checkpoint* NG
FP3. When I etablish the tunnel all is okay for a while. But after a
moment (variable) the tunnel break because a NO_PROPOSAL_CHOSEN. The
problem appear to come from the *OpenBSD* side (see log below) and that
for 3.9 and 4.0. The isakmpd config file are very basic.
I have to kill the isakmpd process and start it again (for a variable
moment only until a new NO_PROPOSAL_CHOSEN).
From the log :
Dec 28 14:56:28 uranium isakmpd[21562]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 28 14:56:28 uranium isakmpd[21562]: ike_phase_1_validate_prop: failure
Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: proposal 1
failed
Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: no
compatible proposal found
Dec 28 14:56:28 uranium isakmpd[21562]: dropped message from
xxx.xxx.xxx.xxx port 500 due to notification type NO_PROPOSAL_CHOSEN
The *Checkpoint* side has 3DES/SHA/GRP2 with PRE-SHARED Secret for Phase
1 and 3DES/SHA for Phase2 enabled.
As somebody encoutered the same problem or have a tip to resolve this ?
Thanks a lot in advance.
Olivier
------------------
isakmpd.conf
[General]
Retransmits= 5
#Exchange-max-time= 120
Exchange-max-time= 20
Check-interval= 10
Listen-on= xxx.xxx.xxx.xxx
#Default-phase-1-lifetime= 86400
#Default-phase-2-lifetime= 3600
DPD-check-interval= 20
[Phase 1]
Other= ISAKMP-peer-node-Other
[Phase 2]
Connections= IPsec-Conn-Home-Other
# ISAKMP Phase 1 peer sections
[ISAKMP-peer-node-Other]
Phase= 1
Address= XXX.XXX.XXX.XXX
Configuration= Default-main-mode
Authentication= TheGreatSecret
# IPsec Phase 2 sections
[IPsec-Conn-Home-Other]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-Other
Configuration= Default-quick-mode
Local-ID= MyNet
Remote-ID= OtherNet
# Client ID sections
[MyNet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[OtherNet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0
# Main mode description
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2
# Quick mode description
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
-------------------
isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
$*OpenBSD*: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
$EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
<------ END PREVIOUS POST--------------->
