I forgot to ask: what are the NAT statements in your pf.conf that you mention? The IPsec packets should not be NAT'ed in your configuration (although IPsec can go through NAT in general).
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of jcr
> Sent: Tuesday, 27 November 2007 12:10
> To: [email protected]
> Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
>
>
> New thread .. after some new test..
>
> And still the same ... shit !
>
> Here is the LAN/WAN network
>
>
> 192.168.0/24(lan)-->Netgear DG 834 (adsl + NAT + ipsec + fixed IP A)
>                                        |
>                                   <---WEB--->
>                                        |
>                                   Openbsd 4.2
> (ipsec.conf+isakmpd.policy+fixed IP B+ NAT) --> 10.7.22.0/24(lan)
>
>
> Here are the conf :
>
> netgear :
>
> local lan : 192.168.0.0/24
> remote lan : 10.7.22.0/24
> IKE :
> direction : initiator & respond
> mode : main
> diffie-Hellman : Group 2 (1024)
> local id : IP wan
> remote id: IP
>
> Params
> Crypto algo : 3DES
> Auth algo : SHA-1
> pre shared key : 123456789
> SA life time : 36000
>
>
> Openbsd :
> ipsec.conf
>
> ike passive esp tunnel from IP_A to IP_B \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des psk 123456789
>
> ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des psk 123456789
>
> i have tried passive & dynamic for ike esp .. it's the same
>
> isakmpd.policy
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
>
> pf.conf
>
> pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
> pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
>
> pass in on $IP_B proto esp from $IP_A to $IP_B
> pass out on $IP_B proto esp from $IP_B to $IP_A
>
> pass in on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
> pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)
>
> pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
> pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)
>
> i have a rule for nat on $IP_B
>
>
> enc0 is up and running
>
> i start my vpn with
>
> isakmpd -dv -D 8=99
>
>
> And finally here is the trouble, i got this on the isakmpd console
>
> 151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
> 151330.400933 Negt 20 ike_phase_1_validate_prop: success
> 151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
> 151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500
>
> And this on the DG834
>
> Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
> Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
> Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
> Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message
>
>
> and finally ( As wanted for those who try to help me .. thanks)
>
> echo "p on" > /var/run/isakmpd.fif and tcpdump -r /var/run/isakmpd.pcap -vvn
>
>
> tcpdump: WARNING: snaplen raised from 96 to 65536
> 11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: cb79617a4b409a8f->0000000000000000 msgid: 00000000 len: 100
>     payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>       payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
>         payload: TRANSFORM len: 32
>           transform: 0 ID: ISAKMP
>             attribute LIFE_TYPE = SECONDS
>             attribute LIFE_DURATION = 3600
>             attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>             attribute HASH_ALGORITHM = SHA
>             attribute AUTHENTICATION_METHOD = PRE_SHARED
>             attribute GROUP_DESCRIPTION = MODP_1024
>     payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
> 11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>     cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: 00000000 len: 180
>     payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>       payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
>         payload: TRANSFORM len: 32
>           transform: 0 ID: ISAKMP
>             attribute LIFE_TYPE = SECONDS
>             attribute LIFE_DURATION = 3600
>             attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>             attribute HASH_ALGORITHM = SHA
>             attribute AUTHENTICATION_METHOD = PRE_SHARED
>             attribute GROUP_DESCRIPTION = MODP_1024
>     payload: VENDOR len: 20 (supports OpenBSD-4.0)
>     payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>     payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
>     payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>     payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
>
>
>
> And then nothing !!!!
>
> it is not related to my ISP, i have tried with 2 different..
> it is the same
>
>
> For me it is around pf.conf .. but i can't find where
>
> jc
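To illustrate the point raised in the reply (keeping the tunnel traffic out of NAT on the OpenBSD side), here is an added pf.conf fragment in the OpenBSD 4.2 syntax of the time. It is an example written for this page, not the configuration of either participant in the thread: the interface name pppoe0, the macro names, and the use of IP_A as a stand-in for the Netgear's public address are assumptions; the two LAN prefixes are the ones from the original message.

```conf
# Added example, not from the thread. Assumed names: $ext_if is the WAN
# interface of the OpenBSD box, "IP_A" is a placeholder for the Netgear's
# fixed public address (as in the original message).
ext_if     = "pppoe0"            # assumption: your real WAN interface
lan_net    = "10.7.22.0/24"      # LAN behind OpenBSD (from the message)
remote_net = "192.168.0.0/24"    # LAN behind the Netgear (from the message)
peer       = "IP_A"              # placeholder for the Netgear's public IP

# Translation rules (in pf.conf of this era they precede filter rules).
# pf uses the FIRST matching translation rule, so the exemption must come
# before the general NAT rule: LAN-to-remote-LAN packets keep their
# 10.7.22.x source address and therefore match the flow described in
# ipsec.conf and the enc0 filter rules, while everything else is still
# translated to the WAN address.
no nat on $ext_if from $lan_net to $remote_net
nat on $ext_if from $lan_net to any -> ($ext_if)

# IKE (udp/500) and NAT-T (udp/4500) between the two public addresses.
# "on" takes an interface name; ($ext_if) expands to its address.
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }

# ESP between the two public addresses, again on the WAN interface.
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Decapsulated traffic is seen on enc0; state is bound to that interface.
pass in  on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to $peer keep state (if-bound)
pass in  on enc0 from $remote_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $remote_net keep state (if-bound)
```

A quick way to check the exemption took effect is to load the rules with `pfctl -nf /etc/pf.conf` (parse only) and then, with the tunnel up, watch `tcpdump -ni enc0`: packets for the remote LAN should show a 10.7.22.x source address, not the WAN address. If they carry the WAN address, the NAT rule matched before the exemption and the IPsec flow definition will never see them.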

