Following the advice from Hans-Joerg and Markus, I changed the ipsec.conf file
back to the default transforms sent by Greenbow, ran ipsecctl -f
/etc/ipsec.conf, changed the permissions on the policy file and started
isakmpd without the "-K". Greenbow logging shows I did not even get past the
Phase 1 negotiation.
# cat /etc/ipsec.conf
ike dynamic esp tunnel from any to 192.168.1.0/24 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
psk abc123
# ipsecctl -f /etc/ipsec.conf
# chmod 600 /etc/isakmpd/isakmpd.policy
# ls -al /etc/isakmpd/isakmpd.policy
-rw------- 1 root wheel 40 Aug 16 12:20 /etc/isakmpd/isakmpd.policy
# ps ax |grep isakmpd
17575 ?? Is 0:00.02 isakmpd: monitor [priv] (isakmpd)
12021 ?? I 0:00.60 isakmpd
# echo "p on" > /var/run/isakmpd.fifo
# echo "p off" > /var/run/isakmpd.fifo
# tcpdump -r /var/run/isakmpd.pcap -vvn
tcpdump: WARNING: snaplen raised from 96 to 65536
13:18:38.973099 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8c3f9c08dbcbb765->0000000000000000 msgid: 00000000 len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 188)
13:18:38.974019 64.119.37.74.500 > 64.119.40.170.500: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 39af4dec2463f320->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
Greenbow log:
[VPNCONF] TGBIKESTART received
20070818 131838 Default (SA Home_Network-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID]
20070818 131838 Default (SA <unknown>) RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error
20070818 131845 Default (SA Home_Network-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID]
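The capture above is the usual way to decide whether a NO PROPOSAL CHOSEN in Main Mode comes from the Phase 1 attributes or from something else: line up what the client offered (ENCRYPTION_ALGORITHM, HASH_ALGORITHM, AUTHENTICATION_METHOD, GROUP_DESCRIPTION) against the "main" transform in ipsec.conf. The script below is an added example, not code from the post or from OpenBSD; it parses the tcpdump -vvn text of the isakmpd capture and the ipsec.conf rule, both embedded here as constructed samples taken from the post, and reports whether any offered transform matches. The ipsec.conf keyword to ISAKMP name mapping, the choice of RSA_SIG as the default when no psk is given, and the regexes are assumptions of this example, not taken from the page.

```python
"""Check an IKEv1 Phase 1 proposal from isakmpd's capture against the
'main' transform of an ipsec.conf 'ike' rule. Added example; the two
samples below are constructed from the post, rejoined onto single lines."""
import re

# Constructed sample: the ipsec.conf rule from the post.
SAMPLE_CONF = """ike dynamic esp tunnel from any to 192.168.1.0/24 \\
main auth hmac-sha1 enc 3des group modp1024 \\
quick auth hmac-sha1 enc 3des \\
psk abc123
"""

# Constructed sample: the two packets from 'tcpdump -r /var/run/isakmpd.pcap -vvn'.
SAMPLE_DUMP = """13:18:38.973099 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8c3f9c08dbcbb765->0000000000000000 msgid: 00000000 len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
13:18:38.974019 64.119.37.74.500 > 64.119.40.170.500: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 39af4dec2463f320->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
"""

# ipsec.conf keyword -> attribute value as tcpdump prints it. Assumed mapping,
# limited to a few common algorithms; extend as needed.
ENC = {"3des": "3DES_CBC", "aes": "AES_CBC", "aes-128": "AES_CBC",
       "aes-256": "AES_CBC", "blowfish": "BLOWFISH_CBC", "cast": "CAST_CBC"}
HASH = {"hmac-md5": "MD5", "hmac-sha1": "SHA", "hmac-sha2-256": "SHA2_256"}
GROUP = {"modp768": "MODP_768", "modp1024": "MODP_1024",
         "modp1536": "MODP_1536", "modp2048": "MODP_2048"}
CHECKED = ("ENCRYPTION_ALGORITHM", "HASH_ALGORITHM",
           "AUTHENTICATION_METHOD", "GROUP_DESCRIPTION")


def parse_conf_main(conf_text):
    """Return the Phase 1 attribute values implied by the 'main ...' part of
    the rule. Backslash continuations are joined before tokenizing."""
    tokens = re.sub(r"\\\n", " ", conf_text).split()
    if "main" not in tokens:
        raise ValueError("rule has no 'main' transform")
    start = tokens.index("main") + 1
    end = len(tokens)
    for stop in ("quick", "psk", "srcid", "dstid"):   # keywords that end the main part
        if stop in tokens[start:]:
            end = min(end, tokens.index(stop, start))
    expected = {}
    for key, val in zip(tokens[start:end:2], tokens[start + 1:end:2]):
        if key == "auth":
            expected["HASH_ALGORITHM"] = HASH[val]
        elif key == "enc":
            expected["ENCRYPTION_ALGORITHM"] = ENC[val]
        elif key == "group":
            expected["GROUP_DESCRIPTION"] = GROUP[val]
    # Assumption: a psk keyword means pre-shared key, otherwise RSA signatures.
    expected["AUTHENTICATION_METHOD"] = "PRE_SHARED" if "psk" in tokens else "RSA_SIG"
    return expected


def parse_isakmp_dump(dump_text):
    """Split tcpdump isakmp output into packets, collecting per packet the
    exchange type, the transforms offered and any notification text."""
    packets, cur = [], None
    for line in dump_text.splitlines():
        line = line.strip()
        m = re.match(r"^\d\d:\d\d:\d\d\.\d+ (\S+) > (\S+): .*exchange (\w+)", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "exchange": m.group(3),
                   "transforms": [], "notification": None}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("transform:"):
            cur["transforms"].append({})
        elif line.startswith("attribute ") and cur["transforms"]:
            name, _, val = line[len("attribute "):].partition(" = ")
            cur["transforms"][-1][name.strip()] = val.strip()
        elif line.startswith("notification:"):
            cur["notification"] = line.split(":", 1)[1].split("[")[0].strip()
    return packets


def diagnose(conf_text, dump_text):
    """Compare every Phase 1 transform offered in ID_PROT exchanges against
    the config; report the first match or the per-transform mismatches."""
    expected = parse_conf_main(conf_text)
    packets = parse_isakmp_dump(dump_text)
    offered = [t for p in packets if p["exchange"] == "ID_PROT" for t in p["transforms"]]
    notes = [p["notification"] for p in packets if p["notification"]]
    match, mismatches = None, []
    for idx, t in enumerate(offered):
        diff = {a: (t.get(a), expected.get(a)) for a in CHECKED if t.get(a) != expected.get(a)}
        if not diff:
            match = idx
            break
        mismatches.append((idx, diff))
    if match is not None:
        verdict = ("transform %d matches the 'main' line; the rejection is not an "
                   "enc/hash/auth/group mismatch" % match)
    else:
        verdict = "no offered Phase 1 transform matches the 'main' line"
    return {"expected": expected, "offered": offered, "notifications": notes,
            "matching_transform": match, "mismatches": mismatches, "verdict": verdict}


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_CONF, SAMPLE_DUMP).items():
        print("%-18s %s" % (k, v))
```

On the post's own capture the offered transform matches the config attribute for attribute, so the script reports that the NO PROPOSAL CHOSEN is not explained by the cipher, hash, authentication method or group; the lifetime attributes are recorded but deliberately not compared, since they are not part of the "main" line. Swapping the group in the config (for example modp1536) makes the mismatch show up as the offered versus expected pair.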