I have an OpenBSD 4.1 (OpenBSD <snip> 4.1 GENERIC#1435 i386) acting
as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS
X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior"
clients are all OS X 10.4.10. I read that 10.4 supports AES
encryption but advertises 3DES by default. I'm happy to use 3DES for
now, as isakmpd reported proposal errors when I configured for AES.
Much of the (excellent) IPsec documentation refers either to site-to-site
configuration and not road warrior clients, or is outdated and
refers to isakmpd.conf.
# cat ipsec.conf
ike dynamic from any to any \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk TheSecret
I start isakmpd with 'isakmpd -K4dv'
I load ipsec.conf with 'ipsecctl -f /etc/ipsec.conf'
I then monitor key exchanges with 'ipsecctl -m'
Once I load ipsec.conf I get the following from isakmpd, repeating
every 25 secs or so:
171653.422228 Default udp_create: no address configured for "peer-default"
171653.422357 Default exchange_establish: transport "udp" for peer "peer-default" could not be created
I'm testing this entirely from my internal subnet. PF is configured
to 'pass quick on { $int_if enc0 }'
My OS X VPN client setup includes the OpenBSD server's IP, my OpenBSD
username and password, and the PSK. I click Connect.
isakmpd reports:
172358.016652 Default isakmpd: phase 1 done: initiator id ac1e0114: 172.30.1.20, responder id <OpenBSD FQDN>, src: 172.30.1.1 dst: 172.30.1.20
172430.679924 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 78c4c4508b02cbe4
172430.680286 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
172430.680826 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 a162b17df4ce9921
172430.681041 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
The INVALID_COOKIE messages repeat until the Mac gives up or I
cancel. Then I get:
172450.699914 Default transport_send_messages: giving up on exchange IPsec-0.0.0.0/0-0.0.0.0/0, no response from peer 172.30.1.20:500
172450.700387 Default transport_send_messages: giving up on exchange IPsec-::/0-::/0, no response from peer 172.30.1.20:500
ipsecctl -m reports this:
sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
address_src: 172.30.1.20
address_dst: 172.30.1.1
spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
sa: spi 0x272f2a24 auth none enc none
state mature replay 0 flags 0
address_src: 172.30.1.20
address_dst: 172.30.1.1
sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
address_src: 172.30.1.20
address_dst: 172.30.1.1
spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
sa: spi 0xee7e7297 auth none enc none
state mature replay 0 flags 0
address_src: 172.30.1.20
address_dst: 172.30.1.1
Does anybody have any documentation on using Mac clients with IPSEC?
I sincerely appreciate any assistance and am willing to provide any
additional requested information. Thank you.
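As an added example (not part of the original post, and not OpenBSD code): a small Python parser for isakmpd debug lines in the format quoted above, which counts INVALID_COOKIE drops per peer inside a sliding time window. A burst from one client right after "phase 1 done" is the signature of a client retrying against a phase-1 SA the responder no longer holds; the same check run over a day's log separates that from bursts arriving from many peers at once. The sample log, the peer hostname and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the isakmpd -d output quoted in the post
# (HHMMSS.usec Default <subsystem>: ...); not captured from a live system.
SAMPLE_LOG = """\
172358.016652 Default isakmpd: phase 1 done: initiator id ac1e0114: 172.30.1.20, responder id vpn.example.net, src: 172.30.1.1 dst: 172.30.1.20
172430.679924 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 78c4c4508b02cbe4
172430.680286 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
172430.680826 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 a162b17df4ce9921
172430.681041 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
172435.100000 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
172450.699914 Default transport_send_messages: giving up on exchange IPsec-0.0.0.0/0-0.0.0.0/0, no response from peer 172.30.1.20:500
"""

DROP_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d+) Default dropped message from (?P<peer>[\d.]+) port \d+ "
    r"due to notification type (?P<notify>[A-Z_]+)$"
)

def ts_to_seconds(ts: str) -> float:
    """Convert isakmpd's HHMMSS.usec timestamp to seconds since midnight."""
    hhmmss, frac = ts.split(".")
    h, m, s = int(hhmmss[0:2]), int(hhmmss[2:4]), int(hhmmss[4:6])
    return h * 3600 + m * 60 + s + int(frac) / 10 ** len(frac)

def parse_drops(log_text: str):
    """Yield (seconds, peer, notification) for every 'dropped message' line."""
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            yield ts_to_seconds(m["ts"]), m["peer"], m["notify"]

def invalid_cookie_bursts(log_text: str, window: float = 10.0, threshold: int = 2):
    """Return {peer: max_count} for peers with >= threshold INVALID_COOKIE
    drops inside any `window`-second span (sliding window over sorted times)."""
    events = defaultdict(list)
    for sec, peer, notify in parse_drops(log_text):
        if notify == "INVALID_COOKIE":
            events[peer].append(sec)
    bursts = {}
    for peer, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[peer] = max(bursts.get(peer, 0), end - start + 1)
    return bursts
```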