Hi misc@:

I'm replying because I'm having the same problem.


My test environment is as follows:

[greenbow vpn client - 192.168.200.74] --- [ 192.168.200.3 (hme0) - OpenBSD
sparc64 -current - (rl0) 172.16.1.1 ]


On the server side:

# cat /etc/ipsec.conf
ike passive from any to any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk openbsd

The client is configured as shown in the presentation in
http://www.allard.nu/openbsd/ipsecclients/basic_setup/.


The steps:

# isakmpd -4dKv &
[1] 7530
# ipsecctl -mf /etc/ipsec.conf &
[2] 125
# echo "p on" > /var/run/isakmpd.fifo
# 143157.292444 Default log_packet_init: starting IKE packet capture to file
"/var/run/isakmpd.pcap"
143221.565214 Default isakmpd: phase 1 done: initiator id c0a8c84a:
192.168.200.74, responder id c0a8c803: 192.168.200.3, src: 192.168.200.3 dst:
192.168.200.74
143222.457356 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
phase 2 IDs: initiator id c0a8c84a: 192.168.200.74, responder id
ac100100/ffffff00: 172.16.1.0/255.255.255.0
143222.458391 Default dropped message from 192.168.200.74 port 500 due to
notification type NO_PROPOSAL_CHOSEN
143229.253083 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
phase 2 IDs: initiator id c0a8c84a: 192.168.200.74, responder id
ac100100/ffffff00: 172.16.1.0/255.255.255.0
143229.254173 Default dropped message from 192.168.200.74 port 500 due to
notification type NO_PROPOSAL_CHOSEN
# echo "p off" > /var/run/isakmpd.fifo
143309.084866 Default log_packet_stop: stopped capture


tcpdump capture logs:

# tcpdump -r /var/run/isakmpd.pcap -vvn
tcpdump: WARNING: snaplen raised from 96 to 65536
tcpdump: WARNING: compensating for unaligned libpcap packets
14:32:20.588664 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->0000000000000000 msgid: 00000000 len: 164
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports v1 NAT-T,
draft-ietf-ipsec-nat-t-ike-00)
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
14:32:20.590927 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 00000000 len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
14:32:21.130042 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)
14:32:21.284115 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)
14:32:21.562607 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 192.168.200.74
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT
(77207871e86571a3->c32af3d03a16c54e) [ttl 0] (id 1, len 120)
14:32:21.563659 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange ID_PROT
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 192.168.200.3
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT
(77207871e86571a3->c32af3d03a16c54e) [ttl 0] (id 1, len 120)
14:32:22.456436 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 1d2b99c1 len: 156
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xcc87fdad
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: ID len: 12 type: IPV4_ADDR = 192.168.200.74
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
172.16.1.0/255.255.255.0 [ttl 0] (id 1, len 184)
14:32:22.459688 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange INFO
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 48e509f4 len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12
            notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
14:32:29.252207 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 1d2b99c1 len: 156
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xcc87fdad
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: ID len: 12 type: IPV4_ADDR = 192.168.200.74
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
172.16.1.0/255.255.255.0 [ttl 0] (id 1, len 184)
14:32:29.255486 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange INFO
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 15c423fd len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12
            notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
14:32:51.047670 192.168.200.74.500 > 192.168.200.3.500: [udp sum ok] isakmp
v1.0 exchange INFO
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 7cd578fd len: 92
        payload: HASH len: 24
        payload: NOTIFICATION len: 32
            notification: STATUS_DPD_R_U_THERE seq 24503 [ttl 0] (id 1, len
120)
14:32:51.048550 192.168.200.3.500 > 192.168.200.74.500: [udp sum ok] isakmp
v1.0 exchange INFO
        cookie: 77207871e86571a3->c32af3d03a16c54e msgid: 183f6b8b len: 84
        payload: HASH len: 24
        payload: NOTIFICATION len: 32
            notification: STATUS_DPD_R_U_THERE_ACK seq 24503 [ttl 0] (id 1,
len 112)


Can anyone see anything strange?


Thanks in advance :)

--
Pablo Mindez Hernandez

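A small helper for reading the failure above, added here as an example and not part of the original post or of OpenBSD's isakmpd: it decodes the hex ID notation that isakmpd prints in its "peer proposed invalid phase 2 IDs" lines (c0a8c84a, ac100100/ffffff00), pulls the "from X to Y" flows out of the quoted ipsec.conf, and reports whether any flow matches the proposed selectors exactly or merely covers them. The log lines and ipsec.conf are constructed from the post (the wrapped log lines joined onto one line each). Two assumptions are built in: that for a responder the peer's responder ID is the local ("from") side and its initiator ID is the remote ("to") side, following ipsec.conf(5), and that only an exact selector match is treated as accepted, which is how the mismatch between the client's 192.168.200.74 <-> 172.16.1.0/24 proposal and the server's any <-> any flow shows up in the report.

```python
"""Decode isakmpd phase 2 ID rejections and compare them with ipsec.conf flows.

Added example; not code from the original post or from OpenBSD.
"""
import ipaddress
import re

# Constructed from the isakmpd log lines quoted in the post (joined onto one
# line each so they look the way isakmpd writes them to the terminal).
ISAKMPD_LOG = (
    "143221.565214 Default isakmpd: phase 1 done: initiator id c0a8c84a: "
    "192.168.200.74, responder id c0a8c803: 192.168.200.3, src: 192.168.200.3 "
    "dst: 192.168.200.74\n"
    "143222.457356 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
    "phase 2 IDs: initiator id c0a8c84a: 192.168.200.74, responder id "
    "ac100100/ffffff00: 172.16.1.0/255.255.255.0\n"
    "143222.458391 Default dropped message from 192.168.200.74 port 500 due to "
    "notification type NO_PROPOSAL_CHOSEN\n"
)

# The server-side ipsec.conf from the post, backslash continuations included.
IPSEC_CONF = """\
ike passive from any to any \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick auth hmac-sha1 enc aes \\
    psk openbsd
"""

FAILURE_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (\S+):.*?responder id (\S+):"
)
FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


def decode_id(token):
    """Turn isakmpd's hex ID notation into an IPv4Network.

    'c0a8c84a' is a single host (192.168.200.74/32);
    'ac100100/ffffff00' is address/netmask (172.16.1.0/24).
    """
    addr_hex, _, mask_hex = token.partition("/")
    addr = ipaddress.IPv4Address(int(addr_hex, 16))
    if not mask_hex:
        return ipaddress.IPv4Network(addr)
    mask = ipaddress.IPv4Address(int(mask_hex, 16))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_phase2_failures(log):
    """Return (initiator, responder) selector pairs from isakmpd rejection lines."""
    return [(decode_id(m.group(1)), decode_id(m.group(2)))
            for m in FAILURE_RE.finditer(log)]


def to_network(word):
    """ipsec.conf address keyword to network; 'any' means 0.0.0.0/0."""
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(word, strict=False)


def parse_flows(conf):
    """Extract (local, remote) networks from every 'from X to Y' in ipsec.conf.

    Backslash-newline continuations are joined first and comments stripped.
    """
    joined = conf.replace("\\\n", " ")
    flows = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0]
        m = FLOW_RE.search(line)
        if m:
            flows.append((to_network(m.group(1)), to_network(m.group(2))))
    return flows


def classify(proposed, flows):
    """Compare one proposed selector pair against the configured flows.

    Assumption: we are the responder, so the peer's responder ID is our local
    ('from') side and its initiator ID is the remote ('to') side. 'exact' lists
    flows equal to the proposal; 'covering' lists flows that merely contain it.
    """
    initiator, responder = proposed
    exact = [f for f in flows if f == (responder, initiator)]
    covering = [f for f in flows
                if responder.subnet_of(f[0]) and initiator.subnet_of(f[1])]
    return {"exact": exact, "covering": covering}


if __name__ == "__main__":
    flows = parse_flows(IPSEC_CONF)
    for proposed in parse_phase2_failures(ISAKMPD_LOG):
        initiator, responder = proposed
        result = classify(proposed, flows)
        print(f"peer proposed local {responder} <-> remote {initiator}")
        print(f"  exact flow match : {result['exact'] or 'none'}")
        print(f"  covering flows   : {result['covering'] or 'none'}")
```

Run it as a script and it prints that the any <-> any flow covers the proposal but does not match it exactly; feed it a different ipsec.conf (say, one with an explicit `from 172.16.1.0/24 to 192.168.200.74` flow) and the exact list becomes non-empty, which is the quick way to see whether a client's phase 2 IDs line up with what the server side was given.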