On Wed, Apr 11, 2007 at 01:28:28PM -0600, Roy Kim wrote:
> I'm trying to set up an ipsec tunnel between an OpenBSD and a Windows
> box using X.509 certificates. Phase 1 gets successfully negotiated but
> then things crap out at step 1 of phase 2 and I don't have a clue
> what's wrong. Any thoughts?
>
> Isakmpd debug messages just after phase 1 is negotiated and ipsec.conf
> are as follows:
>
> ipsec.conf:
> ike dynamic esp tunnel from 192.168.0/8 to any \
>         srcid home dstid work
> ike dynamic esp tunnel from any to 192.168.0/8 \
>         srcid work dstid home

You only need one of these two rules, as ipsecctl will automatically create the correct pairs of SAs and flows. See ipsec.conf(5) for details.

> isakmpd output using 'isakmpd -KvdD A=50'
> 191751.046228 Timr 10 timer_add_event: event exchange_free_aux(0x7df9b500) added before sa_soft_expire(0x85229200), expiration in 120s
> 191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 191751.049266 Exch 10 exchange_establish_p2: icookie 395faa725fd4c3b3 rcookie 8e784c12cb6b04bd
> 191751.050294 Exch 10 exchange_establish_p2: msgid 47ef99ad sa_list
> 191751.052677 Cryp 50 crypto_init_iv: initialized IV:
> 191751.054075 Cryp 50 033b6e99 5e66c7ba 8efd5d22 8ffe8567
> 191751.055068 Cryp 30 crypto_encrypt: before encryption:
> 191751.057166 Cryp 30 0b000018 68790ed1 9f0d6417 66838f05 de3393d7 9ec6dcb3 00000020 00000001
> 191751.058368 Cryp 30 01108d28 395faa72 5fd4c3b3 8e784c12 cb6b04bd 00003340 00000000 00000000
> 191751.060004 Cryp 30 crypto_encrypt: after encryption:
> 191751.061996 Cryp 30 bb6cda82 ec0c809f eac5e496 3102dffb 726b62a3 9f0d19e6 624ee717 c65f1486
> 191751.063409 Cryp 30 a35e8fb2 c9a6b8c8 2d03723f 7d6d0c68 909c42ea 0bf57a7f d8c817ce 070b8719
> 191751.064686 Cryp 50 crypto_update_iv: updated IV:
> 191751.066224 Cryp 50 909c42ea 0bf57a7f d8c817ce 070b8719
> 191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step 0, advancing...
> 191751.069968 Timr 10 timer_add_event: event dpd_check_event(0x85229200) added before connection_checker(0x8522a060), expiration in 5s
> 191751.072222 Exch 10 exchange_finalize: 0x7df9b500 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 191751.073402 Exch 10 exchange_finalize: icookie 395faa725fd4c3b3 rcookie 8e784c12cb6b04bd
> 191751.074675 Exch 10 exchange_finalize: msgid 47ef99ad sa_list
> 191751.076166 Timr 10 timer_remove_event: removing event exchange_free_aux(0x7df9b500)
> 191751.077610 Mesg 20 message_free: freeing 0x7df9e000
> 191756.083274 Timr 10 timer_handle_expirations: event dpd_check_event(0x85229200)
> 191756.084314 Mesg 10 dpd_check_event: peer not responding, retry 2 of 5
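As an added helper (not part of this thread or of isakmpd), a small Python triage script for isakmpd -D output of the kind quoted above: it re-joins lines that a mail client wrapped, tracks each exchange by its address, decodes the ISAKMP exchange-type number (RFC 2408, with the IPsec DOI additions of RFC 2407) and pulls out the DPD retry counter, so the step at which an exchange stopped and whether the peer answered DPD can be read off directly. The sample log is constructed from the lines quoted above; the regexes assume isakmpd's `<HHMMSS.usec> <subsystem> <level> <message>` line layout shown there.

```python
import re

# Sample constructed from the isakmpd -D output quoted in the thread;
# the third record is deliberately left mail-wrapped to exercise the joiner.
SAMPLE_LOG = """\
191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step 0, advancing...
191751.072222 Exch 10 exchange_finalize: 0x7df9b500 <unnamed> <no
policy> policy initiator phase 2 doi 1 exchange 5 step 1
191756.084314 Mesg 10 dpd_check_event: peer not responding, retry 2 of 5
"""

LINE_RE = re.compile(r"^(\d{6}\.\d{6}) (\w{4}) (\d+) (.*)$")
EXCH_RE = re.compile(r"^(exchange_establish_p2|exchange_finalize): (0x[0-9a-f]+) .*?"
                     r"(initiator|responder) phase (\d) doi (\d+) exchange (\d+) step (\d+)")
DPD_RE = re.compile(r"peer not responding, retry (\d+) of (\d+)")

# ISAKMP exchange types (RFC 2408) plus the IPsec DOI quick mode type (RFC 2407).
EXCH_TYPES = {2: "identity protection", 4: "aggressive", 5: "informational", 32: "quick mode"}

def parse_log(text):
    """Return [(ts, subsys, level, msg)], gluing wrapped lines onto the previous record."""
    recs = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = LINE_RE.match(line)
        if m:
            ts, sub, lvl, msg = m.groups()
            recs.append([ts, sub, int(lvl), msg])
        elif recs:  # no timestamp prefix: continuation of the previous message
            recs[-1][3] += " " + line
    return [tuple(r) for r in recs]

def summarize(text):
    """Per-exchange state keyed by the exchange address, plus the last DPD retry count."""
    exchanges, dpd = {}, None
    for _ts, _sub, _lvl, msg in parse_log(text):
        m = EXCH_RE.match(msg)
        if m:
            fn, addr, role, phase, doi, etype, step = m.groups()
            ex = exchanges.setdefault(addr, {"role": role, "phase": int(phase), "doi": int(doi),
                                             "type": EXCH_TYPES.get(int(etype), f"type {etype}"),
                                             "last_step": 0, "finalized": False})
            ex["last_step"] = max(ex["last_step"], int(step))
            ex["finalized"] = ex["finalized"] or fn == "exchange_finalize"
            continue
        m = DPD_RE.search(msg)
        if m:
            dpd = (int(m.group(1)), int(m.group(2)))
    return {"exchanges": exchanges, "dpd_retry": dpd}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for addr, ex in result["exchanges"].items():
        print(addr, ex)
    print("dpd retry:", result["dpd_retry"])
```

Run over the quoted log it reports exchange 0x7df9b500 as an initiator-side phase 2 informational exchange (type 5) finalized at step 1, followed by DPD retry 2 of 5.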