Sorry for the noise. I overlooked your nat statement in pf.conf. But it is wrong: as per the man page you should nat on enc0, not on $ext_if.
Hi,

from what I see you use the new address translation feature of ipsec in 4.7. This requires a nat statement in pf.conf, which is probably missing from your configuration. See the section on 'outgoing network address translation' in the man page of ipsec.conf.

Regards
Christoph

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On Behalf Of Fernando Alvarez
> Sent: Thursday, 28 October 2010 16:30
> To: misc@openbsd.org
> Subject: IPSec between OpenBSD and Cisco
>
>
> Hi all,
>
> I have been trying to set up a VPN connection between OpenBSD
> and a Cisco router with no success for more than 2 weeks, and
> I really need some advice on how to resolve this. Basically,
> I cannot understand what is going wrong during the
> negotiation :-S Any information would be really helpful for me.
>
> The scenario:
> ==========================================================
> OpenBSD 4.7 machine (amd64), fresh install, acting as gateway
> Public IP: A.A.A.A
> Private IP: 172.22.1.1/16
>
> Cisco Router (IPSec Server)
> Public IP: B.B.B.B
> Private LAN: 10.20.10.0/24 (IPsec tunnel configured only to
> access the 10.20.10.38 machine)
>
> Diagram:
> ==========================================================
>            Localization A                         Localization B
> 172.22/16 [OpenBSD] A.A.A.A ------(Internet)------- B.B.B.B [Cisco] -- 10.20.10.38 (machine)
>
> Constraints:
> ==========================================================
> 1 - The OpenBSD machine should present itself as 10.0.22.221
>     in the Site B LAN.
> 2 - It's not possible to modify the Cisco configuration.
>     It's proven to be fully functional with other Cisco peers
>     (at least that's what they have told me)
>
> Cisco Configuration:
> ==========================================================
> name A.A.A.A siteApublicIP
> object-group network siteA
> access-list outside_cryptomap_23 extended permit ip object-group siteA host 10.0.22.221
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 22 match address outside_cryptomap_23
> crypto map outside_map 22 set pfs
> crypto map outside_map 22 set peer siteApublicIP
> crypto map outside_map 22 set transform-set ESP-3DES-MD5
> tunnel-group A.A.A.A type ipsec-l2l
> tunnel-group A.A.A.A ipsec-attributes
> pre-shared-key theKey
>
> OpenBSD Config:
> ==========================================================
> /etc/ipsec.conf:
> ==========================================================
> ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.0/24 \
>         peer B.B.B.B \
>         main auth hmac-md5 enc 3des \
>         quick auth hmac-md5 enc 3des group modp1024 \
>         psk theKey
>
>
> /etc/pf.conf:
> ==========================================================
> set skip on lo
> match out log on $ext_if from 172.22/16 to 10.20.10.0/24 nat-to 10.0.22.221
> match out log on $int_if from 172.22/16 to !172.22/16 nat-to A.A.A.A
> pass
>
>
> isakmpd output (via tcpdump):
> ==========================================================
> 0.0.0.0.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->0000000000000000 msgid: 00000000 len: 180
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = MD5
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>         payload: VENDOR len: 20 (supports OpenBSD-4.0)
>         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 124
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = MD5
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 24 [ttl 0] (id 1, len 152)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 220
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 20
>         payload: NAT-D-DRAFT len: 20
>         payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 248)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 296
>         payload: KEY_EXCH len: 132
>         payload: NONCE len: 24
>         payload: VENDOR len: 20 (supports Cisco Unity)
>         payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
>         payload: VENDOR len: 20
>         payload: VENDOR len: 20
>         payload: NAT-D-DRAFT len: 20
>         payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 324)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 88
>         payload: ID len: 12 type: IPV4_ADDR = A.A.A.A
>         payload: HASH len: 20
>         payload: NOTIFICATION len: 28
>             notification: INITIAL CONTACT (8f5627d25c664fa7->a8427e4dfc02591c) [ttl 0] (id 1, len 116)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 84
>         payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = B.B.B.B
>         payload: HASH len: 20
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 276
>         payload: HASH len: 20
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x6aa9a434
>                 payload: TRANSFORM len: 28
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 1200
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
>                         attribute GROUP_DESCRIPTION = 2
>         payload: NONCE len: 20
>         payload: KEY_EXCH len: 132
>         payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
>         payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 304)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 284
>         payload: HASH len: 20
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf11d3e40
>                 payload: TRANSFORM len: 28
>                     transform: 1 ID: 3DES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 1200
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
>                         attribute GROUP_DESCRIPTION = 2
>         payload: NONCE len: 24
>         payload: KEY_EXCH len: 132
>         payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
>         payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 312)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 48
>         payload: HASH len: 20 [ttl 0] (id 1, len 76)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: c1f366e9 len: 84
>         payload: HASH len: 20
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 368398431 [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: f2b291c5 len: 80
>         payload: HASH len: 20
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 368398431 [ttl 0] (id 1, len 108)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d5775508 len: 84
>         payload: HASH len: 20
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE seq 368398432 [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
>         cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 1d14596e len: 80
>         payload: HASH len: 20
>         payload: NOTIFICATION len: 32
>             notification: STATUS_DPD_R_U_THERE_ACK seq 368398432 [ttl 0] (id 1, len 108)
>
> Thank you in advance for your time and patience,
>
> Fer
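The pf.conf fragment below is an added example illustrating Christoph's two replies (the "outgoing network address translation" section of ipsec.conf(5), and the point that the nat-to rule belongs on enc0 rather than $ext_if). It is not Fernando's or Christoph's configuration. The reading of the trace behind it: the tcpdump output shows Main Mode and Quick Mode completing and DPD keepalives being acknowledged, with the Quick Mode ID payloads negotiated as 10.0.22.221 <-> 10.20.10.38, so the IKE side is fine and the remaining question is whether LAN packets ever leave with source 10.0.22.221. On OpenBSD, pf sees the cleartext packet on enc0 before it is encapsulated; on $ext_if it only sees the finished ESP packet from A.A.A.A to B.B.B.B, so a rule there matching "from 172.22/16 to 10.20.10.0/24" never fires. The ipsec.conf line from the original post (`ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.0/24 ...`) is the other half of that man-page recipe and stays as it is. Interface names em0/em1 are assumed, and B.B.B.B is the thread's placeholder, so `pfctl -nf` will only parse this once a real address is substituted.

```pf
# pf.conf fragment for the ipsec.conf(5) "outgoing network address
# translation" setup. Added example, not the poster's configuration.
ext_if = "em0"            # assumed: interface holding A.A.A.A
int_if = "em1"            # assumed: LAN interface, 172.22.1.1/16
lan    = "172.22.0.0/16"
siteb  = "10.20.10.0/24"
vpn_id = "10.0.22.221"    # identity the OpenBSD box presents to site B
cisco  = "B.B.B.B"        # placeholder peer address from the thread

set skip on lo

# WRONG (the rule from the original post): on $ext_if pf only sees the
# ESP packet A.A.A.A -> B.B.B.B, so this match never fires and the
# cleartext source is never rewritten to 10.0.22.221.
#   match out log on $ext_if from $lan to $siteb nat-to $vpn_id

# RIGHT: the cleartext packet passes pf on enc0 before it is
# encapsulated, so the translation is done there. The rewritten source
# 10.0.22.221 is what matches the ID payloads seen in Quick Mode.
match out log on enc0 from $lan to $siteb nat-to $vpn_id

# Ordinary Internet NAT for the LAN. Tunnel-bound traffic is excluded so
# it still carries its 172.22/16 source when it reaches enc0.
match out log on $ext_if from $lan to ! $siteb nat-to ($ext_if)

# Let IKE (udp/500, udp/4500 for NAT-T) and ESP reach the peer, and let
# the cleartext traffic flow across enc0 in both directions.
pass out on $ext_if proto udp from ($ext_if) to $cisco port { 500, 4500 }
pass in  on $ext_if proto udp from $cisco to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto esp from ($ext_if) to $cisco
pass in  on $ext_if proto esp from $cisco to ($ext_if)
pass on enc0 keep state (if-bound)
```

To check it: `pfctl -nf /etc/pf.conf` for a syntax pass, `pfctl -f /etc/pf.conf` to load, `ipsecctl -sa` to confirm the flow from 172.22.0.0/16 to 10.20.10.0/24 and the two ESP SAs (the SPIs 0x6aa9a434 and 0xf11d3e40 from the trace, or their successors), then `tcpdump -n -i enc0` while pinging 10.20.10.38 from the LAN: the outbound packets on enc0 should show 10.0.22.221 as the source after the nat-to rule, and replies for 10.0.22.221 should come back through the same interface.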