Re: VPN ipv4_addr to ipv4_addr tunnel doesn't work

2009-07-18 Thread Mikolaj Kucharski
On Sat, Jul 18, 2009 at 03:50:23PM +0100, Mikolaj Kucharski wrote:
> On both machines isakmpd(8) is started the same way, `isakmpd -vK'. Machine cn700 has
> ip 79.97.200.174, and www1 has ip 172.16.0.51.

www1 is behind NAT with external ip 79.97.195.245 (as you can see from the
error message in my first post).

-- 
best regards
q#



VPN ipv4_addr to ipv4_addr tunnel doesn't work

2009-07-18 Thread Mikolaj Kucharski
Hi,

My question is: what am I doing wrong?


Two machines, both on the same snapshot, and I'm failing to set up a VPN tunnel
between them with the following configuration files:


# cn700: /etc/ipsec.conf (vpn server)
ike passive esp tunnel \
from 172.16.0.51 to 79.97.200.174 \
srcid cn700.ath.cx dstid www1.virtualization.lan


# www1: /etc/ipsec.conf (vpn client)
ike dynamic esp tunnel \
from 172.16.0.51 to 79.97.200.174 \
peer 79.97.200.174 \
srcid www1.virtualization.lan dstid cn700.ath.cx


On the VPN server (cn700) I get the following error:

> Jul 18 15:42:02 cn700 isakmpd[14697]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Jul 18 15:42:02 cn700 isakmpd[14697]: message_negotiate_sa: no compatible proposal found
> Jul 18 15:42:02 cn700 isakmpd[14697]: dropped message from 79.97.195.245 port 54860 due to notification type NO_PROPOSAL_CHOSEN


On the VPN client (www1) I get the following error:

> Jul 18 15:43:46 www1 isakmpd[13468]: transport_send_messages: giving up on exchange peer-79.97.200.174, no response from peer 79.97.200.174:500


On both machines isakmpd(8) is started the same way, `isakmpd -vK'. Machine cn700 has
ip 79.97.200.174, and www1 has ip 172.16.0.51.

# sysctl kern.version
kern.version=OpenBSD 4.6-current (GENERIC) #62: Wed Jul 15 17:27:21 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#
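The two log excerpts above carry the whole diagnosis: the server rejects the phase 1 proposal (ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC) and the rejected message arrives from 79.97.195.245 rather than from the address the operator thinks www1 has, while the client only sees a timeout. As an added example that is not part of this thread or of isakmpd itself, the following Python script parses isakmpd(8) syslog lines of exactly the three shapes quoted in the post and turns them into the checks an operator wants answered: which IKE attribute the peers disagree on, whether rejected messages come from an address other than the configured peer (the NAT case from the reply), and which peer the client gave up on. The log text is the post's own lines with the mail wrapping undone; the function names, the `Finding` record and the `configured_peers` argument are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample input constructed from the log lines quoted in the post (wrapping removed).
CN700_LOG = """\
Jul 18 15:42:02 cn700 isakmpd[14697]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jul 18 15:42:02 cn700 isakmpd[14697]: message_negotiate_sa: no compatible proposal found
Jul 18 15:42:02 cn700 isakmpd[14697]: dropped message from 79.97.195.245 port 54860 due to notification type NO_PROPOSAL_CHOSEN
"""

WWW1_LOG = """\
Jul 18 15:43:46 www1 isakmpd[13468]: transport_send_messages: giving up on exchange peer-79.97.200.174, no response from peer 79.97.200.174:500
"""

# Standard syslog prefix followed by the isakmpd tag; the rest of the line is the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The three message shapes seen in the post.
MISMATCH_RE = re.compile(
    r"attribute_unacceptable: (?P<attr>\w+): got (?P<got>\S+), expected (?P<expected>\S+)"
)
DROPPED_RE = re.compile(
    r"dropped message from (?P<src>[\d.]+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)
GIVEUP_RE = re.compile(
    r"giving up on exchange (?P<exchange>\S+), "
    r"no response from peer (?P<peer>[\d.]+):(?P<port>\d+)"
)


@dataclass
class Finding:
    """One classified isakmpd event (record type assumed for this example)."""
    kind: str    # "mismatch", "dropped" or "timeout"
    host: str    # syslog host that logged the event
    detail: dict  # named groups from the matching pattern


def parse_isakmpd_log(text):
    """Classify each isakmpd syslog line; lines of other shapes are ignored."""
    findings = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        for kind, rx in (("mismatch", MISMATCH_RE),
                         ("dropped", DROPPED_RE),
                         ("timeout", GIVEUP_RE)):
            hit = rx.search(msg)
            if hit:
                findings.append(Finding(kind, host, hit.groupdict()))
                break
    return findings


def diagnose(findings, configured_peers):
    """Reduce findings to operator-level answers.

    configured_peers: the remote addresses this host's ipsec.conf expects;
    a rejected message from any other address points at NAT in the path.
    """
    report = {"proposal_mismatches": [], "unexpected_sources": [], "timeouts": []}
    for f in findings:
        if f.kind == "mismatch":
            report["proposal_mismatches"].append(
                f"{f.detail['attr']}: peer offered {f.detail['got']}, "
                f"local policy wants {f.detail['expected']}")
        elif f.kind == "dropped" and f.detail["src"] not in configured_peers:
            report["unexpected_sources"].append(
                f"{f.detail['src']}:{f.detail['port']} ({f.detail['notify']})")
        elif f.kind == "timeout":
            report["timeouts"].append(f"{f.detail['peer']}:{f.detail['port']}")
    return report


if __name__ == "__main__":
    # cn700 believes www1 is 172.16.0.51; www1 is configured with peer 79.97.200.174.
    print("cn700:", diagnose(parse_isakmpd_log(CN700_LOG), {"172.16.0.51"}))
    print("www1: ", diagnose(parse_isakmpd_log(WWW1_LOG), {"79.97.200.174"}))
```

Run against the server log with the address cn700 expects for www1, the report shows one phase 1 mismatch (ENCRYPTION_ALGORITHM) and one rejected message from 79.97.195.245, the NAT address named in the reply; the client log yields only a timeout against 79.97.200.174:500, which is why the client side alone never explains the failure. Once the triage shows the two sides disagree on the phase 1 cipher, the check is that both ipsec.conf files state the same phase 1 transforms, which ipsec.conf(5) lets you pin with the `main ... enc ...` clause rather than relying on each snapshot's default.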