Hi, a client with a Cisco device is attempting to set up a VPN to my
OBSD 4.3 firewall.
Phase 1 is okay, but phase 2 fails. It says it fails the policy
check. But... Checking through everything in the policy against the
debug, it seems like it conforms to the policy to me. Are there other
things that might cause it to fail the policy check?
The policy entry has matches for everything in it within this
negotiation. I sure would appreciate it if you could help me figure
out what it doesn't like about my policy.
TIA
nuffi
Debug output looks like this:
194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
194907.101668 Plcy 40 check_policy: adding authorizer
[passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
194907.101684 Plcy 40 check_policy: adding authorizer
[passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
194907.102199 Plcy 80 Policy context (action attributes):
194907.102222 Plcy 80 esp_present == yes
194907.102235 Plcy 80 ah_present == no
194907.102248 Plcy 80 comp_present == no
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102283 Plcy 80 comp_alg ==
194907.102295 Plcy 80 ah_auth_alg ==
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102318 Plcy 80 ah_life_seconds ==
194907.102330 Plcy 80 ah_life_kbytes ==
194907.102342 Plcy 80 esp_life_seconds == 1200
194907.102353 Plcy 80 esp_life_kbytes ==
194907.102365 Plcy 80 comp_life_seconds ==
194907.102377 Plcy 80 comp_life_kbytes ==
194907.102389 Plcy 80 ah_encapsulation ==
194907.102400 Plcy 80 esp_encapsulation == tunnel
194907.102413 Plcy 80 comp_encapsulation ==
194907.102425 Plcy 80 comp_dict_size ==
194907.102436 Plcy 80 comp_private_alg ==
194907.102448 Plcy 80 ah_key_length ==
194907.102460 Plcy 80 ah_key_rounds ==
194907.102472 Plcy 80 esp_key_length ==
194907.102483 Plcy 80 esp_key_rounds ==
194907.102495 Plcy 80 ah_group_desc ==
194907.102507 Plcy 80 esp_group_desc == 2
194907.102519 Plcy 80 comp_group_desc ==
194907.102531 Plcy 80 ah_ecn == no
194907.102543 Plcy 80 esp_ecn == no
194907.102555 Plcy 80 comp_ecn == no
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102616 Plcy 80 remote_filter_port == 0
194907.102628 Plcy 80 remote_filter_proto == 0
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102688 Plcy 80 local_filter_port == 0
194907.102700 Plcy 80 local_filter_proto == 0
194907.102713 Plcy 80 remote_id_type == IPv4 address
194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
194907.102750 Plcy 80 remote_id == 195.022.200.170
194907.102762 Plcy 80 remote_id_port == 500
194907.102774 Plcy 80 remote_id_proto == udp
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
194907.102830 Plcy 80 pfs == yes
194907.102842 Plcy 80 initiator == yes
194907.102854 Plcy 80 phase1_group_desc == 2
194907.103881 Plcy 40 check_policy: kn_do_query returned 0
194907.104093 Default check_policy: negotiated SA failed policy check
194907.104123 Default dropped message from 195.022.200.170 port 500
due to notification type NO_PROPOSAL_CHOSEN
The policy entry looks like this:
Comment: #############################################################
Comment: Cisco box
Authorizer: "POLICY"
Licensees:
Comment: "passphrase:properpassphrase"
"passphrase:123456789"
Conditions:
app_domain == "IPsec policy" && doi == "ipsec" &&
remote_negotiation_address == "195.022.200.170" &&
esp_present == "yes" &&
esp_enc_alg == "3des" &&
esp_auth_alg == "hmac-md5" &&
local_filter_type == "IPv4 address" &&
(
local_filter == "192.168.020.217"
) &&
remote_filter_type == "IPv4 address" &&
(
remote_filter == "010.005.010.022"
)
-> "true";
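A small checker for this kind of failure, added here as an example and not part of the post or of isakmpd: it parses the `name == value` attributes that isakmpd prints at debug level `Plcy 80` and reports every equality condition of the KeyNote policy that does not hold against them. The attribute lines and policy values are the ones quoted above (only the attributes the policy tests are kept); `app_domain` and `doi` are set by isakmpd itself and do not appear in the dump, so they are left out.

```python
import re

# Attribute lines copied from the "Plcy 80" dump in the post (subset).
DEBUG_LINES = """\
194907.102222 Plcy 80 esp_present == yes
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
"""

# Equality tests taken from the posted KeyNote policy conditions.
POLICY_CONDITIONS = {
    "remote_negotiation_address": "195.022.200.170",
    "esp_present": "yes",
    "esp_enc_alg": "3des",
    "esp_auth_alg": "hmac-md5",
    "local_filter_type": "IPv4 address",
    "local_filter": "192.168.020.217",
    "remote_filter_type": "IPv4 address",
    "remote_filter": "010.005.010.022",
}

ATTR_RE = re.compile(r"^\S+ Plcy 80 (\w+) == (.*)$")


def parse_policy_context(text):
    """Turn 'Plcy 80 name == value' lines into a dict; empty values stay ''."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def check_conditions(attrs, conditions):
    """Return {attribute: (expected, actual)} for each condition that fails.
    KeyNote compares these values as strings, so the zero-padded form isakmpd
    uses for addresses (010.005.010.022) has to match character for character."""
    return {name: (want, attrs.get(name))
            for name, want in conditions.items() if attrs.get(name) != want}


if __name__ == "__main__":
    for name, (want, got) in check_conditions(
            parse_policy_context(DEBUG_LINES), POLICY_CONDITIONS).items():
        print(f"{name}: policy wants {want!r}, negotiated SA has {got!r}")
```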