Hi,

On Thu, Jul 12, 2007 at 05:38:47PM -0800, eric wrote:
> I have an OpenBSD 4.1 (OpenBSD <snip> 4.1 GENERIC#1435 i386) acting  
> as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS  
> X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior"  
> clients are all OS X 10.4.10. I read that 10.4 supports AES  
> encryption but advertises 3DES by default. I'm happy to use 3DES for  
> now, as isakmpd reported proposal errors when i configured for AES.
> 
> Much of the (excellent) IPsec documentation refers either to site-to- 
> site configuration and not road warrior clients or is outdated and  
> refers to isakmpd.conf
> 
> # cat ipsec.conf
> ike dynamic from any to any \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  quick auth hmac-sha1 enc 3des psk TheSecret
> 

This should be "ike passive from ...".

> I start isakmpd with 'isakmpd -K4dv'
> 
> I load ipsec.conf with 'ipsecctl -f /etc/ipsec.conf'
> 
> I then monitor key exchanges with 'ipsecctl -m'
> 
> Once I load ipsec.conf I get the following from isakmpd, repeating
> every 25 secs or so:
> 171653.422228 Default udp_create: no address configured for "peer- 
> default"
> 171653.422357 Default exchange_establish: transport "udp" for peer  
> "peer-default" could not be created
> 
> I'm testing this entirely from my internal subnet. PF is configured  
> to 'pass quick on { $int_if enc0 }'
> 
> My OS X VPN client setup includes the OpenBSD server's IP, my OpenBSD  
> username and password, and the PSK. I click Connect.
> 
> isakmpd reports:
> 172358.016652 Default isakmpd: phase 1 done: initiator id ac1e0114:  
> 172.30.1.20, responder id <OpenBSD FQDN>, src: 172.30.1.1 dst:  
> 172.30.1.20
> 172430.679924 Default message_recv: invalid cookie(s)  
> bacca5c8db12e3b9 78c4c4508b02cbe4
> 172430.680286 Default dropped message from 172.30.1.20 port 500 due  
> to notification type INVALID_COOKIE
> 172430.680826 Default message_recv: invalid cookie(s)  
> bacca5c8db12e3b9 a162b17df4ce9921
> 172430.681041 Default dropped message from 172.30.1.20 port 500 due  
> to notification type INVALID_COOKIE
> 
> The INVALID_COOKIE messages repeat until the Mac gives up or I  
> cancel. Then I get:
> 
> 172450.699914 Default transport_send_messages: giving up on exchange  
> IPsec-0.0.0.0/0-0.0.0.0/0, no response from peer 172.30.1.20:500
> 172450.700387 Default transport_send_messages: giving up on exchange  
> IPsec-::/0-::/0, no response from peer 172.30.1.20:500
> 
> ipsecctl -m reports this:
> 
> sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
>         address_src: 172.30.1.20
>         address_dst: 172.30.1.1
>         spirange: min 0x00000100 max 0xffffffff
> sadb_getspi: satype esp vers 2 len 10 seq 1 pid 15108
>         sa: spi 0x272f2a24 auth none enc none
>                 state mature replay 0 flags 0
>         address_src: 172.30.1.20
>         address_dst: 172.30.1.1
> sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
>         address_src: 172.30.1.20
>         address_dst: 172.30.1.1
>         spirange: min 0x00000100 max 0xffffffff
> sadb_getspi: satype esp vers 2 len 10 seq 2 pid 15108
>         sa: spi 0xee7e7297 auth none enc none
>                 state mature replay 0 flags 0
>         address_src: 172.30.1.20
>         address_dst: 172.30.1.1
> 
> Does anybody have any documentation on using Mac clients with IPSEC?
> 
> I sincerely appreciate any assistance and am willing to provide any  
> additional requested information. Thank you.

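As an added illustration of the fix suggested above (this is not the configuration from the original mail, only Eric's posted rule shown next to the corrected form), the `ike dynamic` rule beside its `ike passive` replacement. Everything other than the mode keyword is Eric's own rule, including the `TheSecret` placeholder PSK. In `dynamic` mode isakmpd tries to initiate the exchange itself (the `exchange_establish` line in the posted log is that attempt), and with `to any` there is no peer address to send to, which is what the repeating `no address configured for "peer-default"` message is about; `passive` loads the rule and waits for the road-warrior client to connect.

```conf
# /etc/ipsec.conf -- added example, not the configuration from the original mail

# As posted: "dynamic" mode makes isakmpd initiate the exchange itself.
# With "to any" there is no peer address to send to, hence the repeated
#   udp_create: no address configured for "peer-default"
#ike dynamic from any to any \
#    main auth hmac-sha1 enc 3des group modp1024 \
#    quick auth hmac-sha1 enc 3des psk TheSecret

# Corrected as in the reply: "passive" loads the rule and waits for the
# road warrior to connect, so no peer address is needed up front.
ike passive from any to any \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des psk TheSecret
```

Parse it without loading it first with `ipsecctl -n -f /etc/ipsec.conf`, then load it with `ipsecctl -f /etc/ipsec.conf` as before; `ipsecctl -s all` shows the flows and SAs that result once the client has connected.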