Hi,

On Thu, Jul 12, 2007 at 05:38:47PM -0800, eric wrote:
> I have an OpenBSD 4.1 (OpenBSD <snip> 4.1 GENERIC#1435 i386) acting
> as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS
> X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior"
> clients are all OS X 10.4.10. I read that 10.4 supports AES
> encryption but advertises 3DES by default. I'm happy to use 3DES for
> now, as isakmpd reported proposal errors when I configured for AES.
>
> Much of the (excellent) IPsec documentation refers either to
> site-to-site configuration and not road warrior clients or is
> outdated and refers to isakmpd.conf
>
> # cat ipsec.conf
> ike dynamic from any to any \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des psk TheSecret
>

This should be "ike passive from ..."

> I start isakmpd with 'isakmpd -K4dv'
>
> I load ipsec.conf with 'ipsecctl -f /etc/ipsec.conf'
>
> I then monitor key exchanges with 'ipsecctl -m'
>
> Once I load ipsec.conf I get the following from isakmpd, repeating
> every 25secs or so:
> 171653.422228 Default udp_create: no address configured for "peer-default"
> 171653.422357 Default exchange_establish: transport "udp" for peer "peer-default" could not be created
>
> I'm testing this entirely from my internal subnet. PF is configured
> to 'pass quick on { $int_if enc0 }'
>
> My OS X VPN client setup includes the OpenBSD server's IP, my OpenBSD
> username and password, and the PSK. I click Connect.
>
> isakmpd reports:
> 172358.016652 Default isakmpd: phase 1 done: initiator id ac1e0114: 172.30.1.20, responder id <OpenBSD FQDN>, src: 172.30.1.1 dst: 172.30.1.20
> 172430.679924 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 78c4c4508b02cbe4
> 172430.680286 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
> 172430.680826 Default message_recv: invalid cookie(s) bacca5c8db12e3b9 a162b17df4ce9921
> 172430.681041 Default dropped message from 172.30.1.20 port 500 due to notification type INVALID_COOKIE
>
> The INVALID_COOKIE messages repeat until the Mac gives up or I
> cancel. Then I get:
>
> 172450.699914 Default transport_send_messages: giving up on exchange IPsec-0.0.0.0/0-0.0.0.0/0, no response from peer 172.30.1.20:500
> 172450.700387 Default transport_send_messages: giving up on exchange IPsec-::/0-::/0, no response from peer 172.30.1.20:500
>
> ipsecctl -m reports this:
>
> sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
>     address_src: 172.30.1.20
>     address_dst: 172.30.1.1
>     spirange: min 0x00000100 max 0xffffffff
> sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
>     sa: spi 0x272f2a24 auth none enc none
>         state mature replay 0 flags 0
>     address_src: 172.30.1.20
>     address_dst: 172.30.1.1
> sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
>     address_src: 172.30.1.20
>     address_dst: 172.30.1.1
>     spirange: min 0x00000100 max 0xffffffff
> sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
>     sa: spi 0xee7e7297 auth none enc none
>         state mature replay 0 flags 0
>     address_src: 172.30.1.20
>     address_dst: 172.30.1.1
>
> Does anybody have any documentation on using Mac clients with IPSEC?
>
> I sincerely appreciate any assistance and am willing to provide any
> additional requested information. Thank you.