Hi,
On Mon, Sep 03, 2007 at 03:11:35PM +0100, Josi Costa wrote:
> Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> KEY_EXCH payload without a group desc. attribute
> Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> 172.26.10.83, responder id 0a000080/ffffff80:
> 10.0.0.128/255.255.255.128
isakmpd tells you that the peer sent the wrong phase 2 ID.
Here, you tell ISA to propose these IDs, but...
> Remote Network 'OBSD1' IP Subnets:
> Subnet: 10.0.0.1/255.255.255.255
> Subnet: 10.0.0.2/255.255.255.254
> Subnet: 10.0.0.4/255.255.255.252
> Subnet: 10.0.0.8/255.255.255.248
> Subnet: 10.0.0.16/255.255.255.240
> Subnet: 10.0.0.32/255.255.255.224
> Subnet: 10.0.0.64/255.255.255.192
> Subnet: 10.0.0.128/255.255.255.128
Here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
by the peer:
--- /etc/ipsec.conf ---
ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
psk teste tag teste
To get started, tell ISA to only use one remote subnet, i.e. 10.0.1.0/24.
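As an added illustration of the mismatch the reply points at (this is example code, not part of the thread and not isakmpd's own logic), the script below decodes the hex phase 2 IDs that isakmpd prints in its "peer proposed invalid phase 2 IDs" message, compares them with the `from`/`to` networks of the `ike` line in ipsec.conf, and renders the IDs a matching proposal would carry. The sample inputs are the log line and the ipsec.conf line quoted above, reassembled onto single lines. It assumes that, with isakmpd as responder, the peer's initiator ID must equal the configured `to` (remote) network and its responder ID must equal the configured `from` (local) network, and that the comparison is exact equality rather than containment; the function names are the example's own.

```python
"""Decode isakmpd phase 2 ID log output and check it against an ipsec.conf flow.

Added example for the thread above; not code from isakmpd or the original poster.
"""
import ipaddress
import re

# Sample input, constructed for this example from the lines quoted in the thread
# (the syslog line is rejoined onto one line).
IPSEC_CONF_LINE = (
    "ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 "
    "main auth hmac-sha1 enc 3des group modp1024 "
    "quick auth hmac-sha1 enc 3des psk teste tag teste"
)
LOG_LINE = (
    "Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: "
    "peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, "
    "responder id 0a000080/ffffff80: 10.0.0.128/255.255.255.128"
)

# isakmpd prints each ID as hex address, optionally followed by /hexmask,
# then a colon and the dotted form.
PHASE2_ID_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: "
    r"initiator id (?P<init>[0-9a-f]+(?:/[0-9a-f]+)?): [^,]+, "
    r"responder id (?P<resp>[0-9a-f]+(?:/[0-9a-f]+)?):"
)
FLOW_RE = re.compile(r"\bfrom (\S+) to (\S+)")


def decode_id(hexid):
    """Turn 'ac1a0a53' (a host) or '0a000080/ffffff80' (a subnet) into an IPv4Network."""
    addr, _, mask = hexid.partition("/")
    ip = ipaddress.IPv4Address(int(addr, 16))
    if not mask:
        return ipaddress.IPv4Network(f"{ip}/32")
    netmask = ipaddress.IPv4Address(int(mask, 16))
    return ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)


def encode_id(net):
    """Inverse of decode_id: render a network the way isakmpd logs a phase 2 ID."""
    addr = f"{int(net.network_address):08x}"
    if net.prefixlen == 32:
        return addr
    return f"{addr}/{int(net.netmask):08x}"


def parse_log_ids(line):
    """Return (initiator_id, responder_id) networks from an isakmpd log line, or None."""
    m = PHASE2_ID_RE.search(line)
    if not m:
        return None
    return decode_id(m.group("init")), decode_id(m.group("resp"))


def parse_flow(conf_line):
    """Return (local, remote) networks from an ipsec.conf 'ike ... from X to Y' line."""
    m = FLOW_RE.search(conf_line)
    if not m:
        raise ValueError("no 'from ... to ...' in ipsec.conf line")
    return ipaddress.IPv4Network(m.group(1)), ipaddress.IPv4Network(m.group(2))


def expected_ids(conf_line):
    """Hex IDs a proposal would have to carry to match this flow (assumption:
    initiator ID == our 'to' network, responder ID == our 'from' network)."""
    local, remote = parse_flow(conf_line)
    return encode_id(remote), encode_id(local)


def diagnose(conf_line, log_line):
    """List the ways the peer's phase 2 IDs differ from the configured flow.
    Exact equality is assumed: a subnet inside the configured one still counts
    as a mismatch."""
    local, remote = parse_flow(conf_line)
    ids = parse_log_ids(log_line)
    if ids is None:
        return ["log line carries no phase 2 IDs"]
    init_id, resp_id = ids
    problems = []
    if init_id != remote:
        problems.append(f"initiator id {init_id} != configured remote {remote}")
    if resp_id != local:
        problems.append(f"responder id {resp_id} != configured local {local}")
    return problems


if __name__ == "__main__":
    for p in diagnose(IPSEC_CONF_LINE, LOG_LINE):
        print("mismatch:", p)
    init_hex, resp_hex = expected_ids(IPSEC_CONF_LINE)
    print("a matching proposal would show: initiator id", init_hex,
          "responder id", resp_hex)
```

Run against the quoted lines it reports both IDs as mismatched (the host 172.26.10.83 against 10.0.1.0/24, and 10.0.0.128/25 against 10.0.0.0/24) and prints the hex form, `0a000100/ffffff00` and `0a000000/ffffff00`, that a proposal matching the `ike` line would carry, which is a quick way to compare a Windows-side subnet list with what isakmpd actually accepts.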