I use ipsec-tools on FreeBSD. I will include what I needed to config with it.
Hopefully you can figure out how to set up isakmpd to work with it. If you do,
could you possibly send me the configs? I would like to migrate to the OpenBSD
VPN tools myself.
From the error message, it looks like you don't have a compatible isakmp
setup. I have aes/md5 set on both sides. This is covered by the sainfo
anonymous clause in racoon.conf.
PIX:
sysopt connection permit-ipsec
crypto ipsec transform-set AES_VPN esp-aes esp-md5-hmac
crypto dynamic-map AES_VPN_MAP 1 set transform-set AES_VPN
crypto map mymap 200 ipsec-isakmp dynamic AES_VPN_MAP
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp key ******** address BSD.box.IP.Address netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes
isakmp policy 50 hash md5
isakmp policy 50 group 5
isakmp policy 50 lifetime 3600
ipsec-tools:
racoon.conf:
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;
        phase1 10 sec;
        phase2 10 sec;
}

remote pix.firewall.ip.address
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        nonce_size 16;
        lifetime time 28800 seconds;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm aes;
                #hash_algorithm sha1;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 28800 sec;
        encryption_algorithm aes,3des,des;
        #authentication_algorithm hmac_sha1;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
Tunnel setup:
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${REMOTE_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${REMOTE_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${REMOTE_NETWORK} ${REMOTE_INSIDE}
/usr/sbin/setkey -c << EOF
flush;
spdflush;
spdadd ${LOCAL_NETWORK} ${REMOTE_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${REMOTE_OUTSIDE}/unique;
spdadd ${REMOTE_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${REMOTE_OUTSIDE}-${LOCAL_OUTSIDE}/unique;
EOF
Hope this helps,
Adam
Adam Clark
Network Administrator
National Gallery of Victoria
PO Box 7259 St Kilda Road Vic 8004
Telephone: +61 3 8620 2369
Fax: +61 3 8620 2565
www.ngv.vic.gov.au
-----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Elijah Savage
> Sent: Monday, 18 September 2006 9:30 AM
> To: PF
> Subject: ISAKMPD to Pix
>
> All,
>
> I used this link to come up with my base config
> http://www.packetslave.com/docs/vpn-pix-openbsd.txt
>
> I am getting these errors
> Sep 17 18:32:45 firewall isakmpd[3663]: check_policy: negotiated SA failed policy check
> Sep 17 18:32:45 firewall isakmpd[3663]: message_negotiate_sa: no compatible proposal found
> Sep 17 18:32:45 firewall isakmpd[3663]: dropped message from XXX.XXX.230.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> Sep 17 18:32:45 firewall isakmpd[3663]: message_validate_notify: protocol not supported
>
> If anyone has ever established a connection to a Cisco Pix
> before that's willing to lend me a hand it would be greatly
> appreciated.
>
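The "no compatible proposal found" / NO_PROPOSAL_CHOSEN lines in the quoted message are what a peer reports when its phase-1 policy or phase-2 transform set does not line up with the other side's proposal. As an added example that is not part of this email or of either config, here is a small Python cross-check of the PIX and racoon snippets above. It only understands the directives that appear in the message, the two sample strings are constructed from them, and the PIX-to-racoon name mapping is an assumption made for illustration.

```python
"""Cross-check a PIX IPsec/ISAKMP config against a racoon.conf.

Added example for this thread, not part of either config.  It understands
only the directives shown in the message (isakmp policy, crypto ipsec
transform-set, racoon's remote/proposal and sainfo blocks) and reports
where phase 1 or phase 2 could not agree on a proposal.
"""
import re

# Constructed sample: the PIX and racoon settings from the thread, trimmed
# to the lines that matter for proposal matching.
PIX_CONFIG = """\
crypto ipsec transform-set AES_VPN esp-aes esp-md5-hmac
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes
isakmp policy 50 hash md5
isakmp policy 50 group 5
isakmp policy 50 lifetime 3600
"""

RACOON_CONF = """\
remote pix.firewall.ip.address
{
        exchange_mode main;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 5 ;
        }
}
sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm aes,3des,des;
        authentication_algorithm hmac_md5;
}
"""

# Assumed mapping of PIX keywords onto racoon's vocabulary so both sides
# can be compared with the same names.
PIX_TO_RACOON = {
    "pre-share": "pre_shared_key", "sha": "sha1",
    "esp-aes": "aes", "esp-3des": "3des", "esp-des": "des",
    "esp-md5-hmac": "hmac_md5", "esp-sha-hmac": "hmac_sha1",
}
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_pix(text):
    """Return {'phase1': [policy dicts], 'phase2': [transform-set dicts]}."""
    policies, transforms = {}, []
    for line in text.splitlines():
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m:
            num, key, val = m.groups()
            policies.setdefault(num, {})[key] = PIX_TO_RACOON.get(val, val)
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line)
        if m:
            enc, auth = m.groups()
            transforms.append({"encryption": PIX_TO_RACOON[enc],
                               "authentication": PIX_TO_RACOON[auth]})
    return {"phase1": list(policies.values()), "phase2": transforms}


def _settings(body):
    """'key value;' lines inside one racoon block -> dict (comments ignored)."""
    return dict(re.findall(r"^\s*(\w+)\s+([^;#\n]+?)\s*;", body, re.M))


def parse_racoon(text):
    """Return the remote proposal (phase 1) and sainfo (phase 2) settings."""
    p1 = _settings(re.search(r"\bproposal\s*\{(.*?)\}", text, re.S).group(1))
    p2 = _settings(re.search(r"\bsainfo\b[^{]*\{(.*?)\}", text, re.S).group(1))
    return {
        "phase1": {"authentication": p1["authentication_method"],
                   "encryption": p1["encryption_algorithm"],
                   "hash": p1["hash_algorithm"],
                   "group": p1["dh_group"]},
        # comma-separated sainfo values are alternatives racoon will accept
        "phase2": {"encryption": set(p2["encryption_algorithm"].split(",")),
                   "authentication": set(p2["authentication_algorithm"].split(","))},
    }


def check(pix_text, racoon_text):
    """Return a list of mismatch descriptions; empty means both phases agree."""
    pix, rac = parse_pix(pix_text), parse_racoon(racoon_text)
    problems = []
    # phase 1: some PIX isakmp policy must equal racoon's proposal on all four
    if not any(all(pol.get(k) == rac["phase1"][k] for k in PHASE1_KEYS)
               for pol in pix["phase1"]):
        problems.append("phase1: no PIX isakmp policy matches racoon's "
                        "remote proposal %r" % (rac["phase1"],))
    # phase 2: some PIX transform-set must be in racoon's accepted sets
    if not any(t["encryption"] in rac["phase2"]["encryption"]
               and t["authentication"] in rac["phase2"]["authentication"]
               for t in pix["phase2"]):
        problems.append("phase2: no PIX transform-set is accepted by sainfo")
    return problems


if __name__ == "__main__":
    print(check(PIX_CONFIG, RACOON_CONF) or "phase 1 and phase 2 agree")
    # The same PIX with 'hash sha' reproduces a no-compatible-proposal case.
    print(check(PIX_CONFIG.replace("hash md5", "hash sha"), RACOON_CONF))
```

Run as-is it reports agreement for the configs in the thread; changing either side's hash, encryption, DH group or authentication method makes `check` name the phase that no longer matches, which is the first thing to pin down before reading the daemon's proposal-negotiation errors.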