Hi, I'm trying to connect to a Checkpoint VPN-1 using OpenBSD 3.8. The basic setup is as follows:

Host-A -> Gateway-A ------ <- Gateway-B <- Host-B

Gateway-A: OpenBSD 3.8
Gateway-B: Checkpoint VPN-1

Aim: establish a connection to Host-B from Host-A. I have no control over Gateway-B and Host-B.

First of all, I'm able to connect to Gateway-B from Gateway-A. The configuration files that I've used are as follows:

===================================
isakmpd.conf

[Phase 1]
IP-OF-GATEWAY-B=        peer-machineB

[Phase 2]
Connections=            VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase=                  1
Transport=              udp
Address=                IP-OF-GATEWAY-B
Configuration=          Default-main-mode
Authentication=         PRESHAREDKEY

# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=                  2
ISAKMP-peer=            peer-machineB
Configuration=          Default-quick-mode
Local-ID=               machineA-internal-network
Remote-ID=              machineB-internal-network

# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type=                IPV4_ADDR
Address=                IP-OF-HOST-A

[machineB-internal-network]
ID-type=                IPV4_ADDR
Address=                IP-OF-HOST-B

# Main and Quick Mode descriptions (as used by peers and connections)
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE
===================================

===================================
isakmpd.policy

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
===================================

Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully connect to Gateway-B.
The tcpdump output is as follows:

===================================
tcpdump: listening on em0, link-type EN10MB
14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->0000000000000000 msgid: 00000000 len: 160
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
    payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute HASH_ALGORITHM = SHA
        attribute AUTHENTICATION_METHOD = PRE_SHARED
        attribute GROUP_DESCRIPTION = MODP_1024
        attribute LIFE_TYPE = SECONDS
        attribute LIFE_DURATION = 3600
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len 188)
14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
    payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute HASH_ALGORITHM = SHA
        attribute AUTHENTICATION_METHOD = PRE_SHARED
        attribute GROUP_DESCRIPTION = MODP_1024
        attribute LIFE_TYPE = SECONDS
        attribute LIFE_DURATION = 3600 (DF) (ttl 53, id 3115, len 108)
14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20 (ttl 64, id 1228, len 208)
14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 184
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212)
14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 92 (ttl 64, id 23041, len 120)
14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 110: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 68 (DF) (ttl 53, id 3119, len 96)
14:44:40.631158 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 190: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 148 (ttl 64, id 249, len 176)
14:44:40.651159 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 198: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 156 (DF) (ttl 53, id 3120, len 184)
14:44:40.667012 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 94: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 52 (ttl 64, id 10415, len 80)
===================================

Now, with no changes, I'm trying to connect to Host-B from Host-A.

===================================
# telnet IP-OF-HOST-B 80
Trying IP-OF-HOST-B...
tcpdump: listening on em0, link-type EN10MB
14:51:25.609708 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 126: esp IP-OF-GATEWAY-A > IP-OF-GATEWAY-B spi 0x55C3D5EA seq 1 len 92 (DF) [tos 0x10] (ttl 64, id 54842, len 112)

# netstat -rn
Encap:
Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
IP-OF-HOST-B/32   0     IP-OF-HOST-A/32   0     0      IP-OF-GATEWAY-B/50/use/in
IP-OF-HOST-A/32   0     IP-OF-HOST-B/32   0     0      IP-OF-GATEWAY-B/50/require/out
===================================

After that I added two new flow rules:

===================================
# netstat -rn
Encap:
Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
IP-OF-HOST-A/32   0     IP-OF-HOST-B/32   0     0      IP-OF-GATEWAY-B/50/require/in
IP-OF-HOST-B/32   0     IP-OF-HOST-A/32   0     0      IP-OF-GATEWAY-B/50/use/in
IP-OF-HOST-A/32   0     IP-OF-HOST-B/32   0     0      IP-OF-GATEWAY-B/50/require/out
IP-OF-HOST-B/32   0     IP-OF-HOST-A/32   0     0      IP-OF-GATEWAY-B/50/require/out
===================================

Without changing any settings in the isakmpd configuration files, I retried connecting to Host-B and got the following tcpdump output:

===================================
14:58:42.916302 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 84f811a77578f599->0000000000000000 msgid: 00000000 len: 160
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
    payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute HASH_ALGORITHM = SHA
        attribute AUTHENTICATION_METHOD = RSA_SIG
        attribute GROUP_DESCRIPTION = MODP_1024
        attribute LIFE_TYPE = SECONDS
        attribute LIFE_DURATION = 3600
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 56922, len 188)
14:58:42.934972 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 82: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 84f811a77578f599->0000000000000000 msgid: b7b40411 len: 40
    payload: NOTIFICATION len: 12 notification: NO PROPOSAL CHOSEN (DF) (ttl 53, id 3145, len 68)
===================================

After this long introduction, let me get to the actual questions :)

1. What's the problem with my isakmpd.conf file, since isakmpd can't add the correct flow rules?

2. Why is AUTHENTICATION_METHOD set to RSA_SIG in the second try? How can I set this to PRE_SHARED? It's obvious that the NO PROPOSAL CHOSEN error is related to the authentication method, since VPN-1 expects me to use PRE_SHARED as the authentication method.

Sorry for this long post, I was trying to give as much detail as I can. Thanks for the replies.
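The following is an added example and is not code from the post above or from isakmpd/OpenBSD. It is a small Python parser for tcpdump's verbose ISAKMP output in the layout pasted above (a timestamped header line per packet, cookie and payload lines indented beneath it). It extracts the phase-1 transform attributes and NOTIFICATION payloads, and pairs every NO PROPOSAL CHOSEN reply with the initiator proposal that carries the same cookie, so a mismatch like PRE_SHARED in one run and RSA_SIG in the next shows up without reading the trace by hand. SAMPLE is a constructed, abridged copy of the packets quoted in the post; the names parse_isakmp, audit and Packet are my own, and the regular expressions assume the attribute and notification spelling that this tcpdump version prints.

```python
"""Pair NO PROPOSAL CHOSEN notifications in a tcpdump ISAKMP trace with the
phase-1 proposal they answer.  Added example, not code from the post or from
isakmpd; SAMPLE is a constructed, abridged copy of the post's packets."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
14:44:40.315165 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->0000000000000000 msgid: 00000000 len: 160
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute HASH_ALGORITHM = SHA
        attribute AUTHENTICATION_METHOD = PRE_SHARED
        attribute GROUP_DESCRIPTION = MODP_1024 (ttl 64, id 25076, len 188)
14:44:40.333719 IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 80
    payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP
        attribute AUTHENTICATION_METHOD = PRE_SHARED (DF) (ttl 53, id 3115, len 108)
14:44:40.396111 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 92 (ttl 64, id 23041, len 120)
14:58:42.916302 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 84f811a77578f599->0000000000000000 msgid: 00000000 len: 160
    payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute HASH_ALGORITHM = SHA
        attribute AUTHENTICATION_METHOD = RSA_SIG
        attribute GROUP_DESCRIPTION = MODP_1024 (ttl 64, id 56922, len 188)
14:58:42.934972 IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 84f811a77578f599->0000000000000000 msgid: b7b40411 len: 40
    payload: NOTIFICATION len: 12 notification: NO PROPOSAL CHOSEN (DF) (ttl 53, id 3145, len 68)
"""

# A packet starts at a timestamp; indented lines belong to the packet above.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s")
# Header of a UDP/500 ISAKMP packet as tcpdump prints it (MAC addresses and
# frame length between the timestamp and the source address are skipped).
HDR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?(?P<src>\S+)\.500 ?> (?P<dst>\S+)\.500: "
    r".*?isakmp v1\.0 ?exchange (?P<xchg>\S+)(?P<enc> encrypted)? "
    r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) "
    r"msgid: (?P<msgid>[0-9a-f]{8})")
ATTR_RE = re.compile(r"attribute (\w+) = (\w+)")
NOTIFY_RE = re.compile(r"notification: ([A-Z][A-Z _]*?)(?= \(|$)")
ZERO_COOKIE = "0" * 16   # responder cookie is still zero in the initiator's first message


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    exchange: str      # ID_PROT, QUICK_MODE, INFO, ...
    encrypted: bool
    icookie: str
    rcookie: str
    msgid: str
    attrs: Dict[str, str] = field(default_factory=dict)   # transform attributes
    notification: Optional[str] = None


def _records(text: str):
    """Yield one flattened string per packet, joining continuation lines."""
    cur: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line):
            if cur:
                yield " ".join(cur)
            cur = [line.strip()]
        elif cur and line.strip():
            cur.append(line.strip())
    if cur:
        yield " ".join(cur)


def parse_isakmp(text: str) -> List[Packet]:
    """Parse ISAKMP packets; non-ISAKMP lines (e.g. the esp line) are skipped."""
    pkts = []
    for rec in _records(text):
        m = HDR_RE.search(rec)
        if not m:
            continue
        p = Packet(m["ts"], m["src"], m["dst"], m["xchg"], m["enc"] is not None,
                   m["icookie"], m["rcookie"], m["msgid"])
        p.attrs = dict(ATTR_RE.findall(rec))
        n = NOTIFY_RE.search(rec)
        if n:
            p.notification = n.group(1)
        pkts.append(p)
    return pkts


def audit(pkts: List[Packet], expected_auth: str = "PRE_SHARED") -> List[dict]:
    """Flag proposals whose AUTHENTICATION_METHOD differs from expected_auth and
    attach to each NO PROPOSAL CHOSEN the first-message proposal it answers."""
    proposals: Dict[str, Dict[str, str]] = {}   # initiator cookie -> attributes
    findings = []
    for p in pkts:
        if p.exchange == "ID_PROT" and p.rcookie == ZERO_COOKIE and p.attrs:
            proposals[p.icookie] = p.attrs
        auth = p.attrs.get("AUTHENTICATION_METHOD")
        if auth is not None and auth != expected_auth:
            findings.append({"kind": "auth-mismatch", "ts": p.ts, "src": p.src,
                             "icookie": p.icookie, "auth": auth})
        if p.notification == "NO PROPOSAL CHOSEN":
            findings.append({"kind": "no-proposal-chosen", "ts": p.ts, "src": p.src,
                             "icookie": p.icookie,
                             "proposal": proposals.get(p.icookie, {})})
    return findings


if __name__ == "__main__":
    for f in audit(parse_isakmp(SAMPLE)):
        print(f)
```

Run it as a script to print the findings for the embedded sample, or feed a saved trace to parse_isakmp. A no-proposal-chosen finding whose attached proposal carries an unexpected AUTHENTICATION_METHOD is the situation in the second run above; an empty proposal means the capture did not contain the initiator's first message for that cookie, so the rejected attributes cannot be recovered from the trace alone.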