Hi,

this worked with an older isakmpd version?  Is this netscreen box
some kind of appliance or just some windows software?

The general problem is, I can only test interoperability with
open source vpn solutions on standard hardware.  If people need to
rely on interoperability with appliance X and Windows client Y and
MacOS client Z, I need this kind of hardware/software.

People interested in providing those are welcome to contact me :-)

HJ.

On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:
> (posted a similar message originally on the IPSec list; thought I'd post 
> here too)
> 
> Hey all-
> 
> I almost have a working VPN between isakmpd and a Netscreen box-- things
> fail at phase 2 as the peers enter quick mode.
> 
> 64.81.74.226 = isakmpd
> 206.14.210.146 = netscreen
> 
> 00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
>       cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
>       payload: HASH len: 24
>       payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>           payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0xadfa06f3
>               payload: TRANSFORM len: 32
>                   transform: 1 ID: AES
>                       attribute LIFE_TYPE = SECONDS
>                       attribute LIFE_DURATION = 1200
>                       attribute ENCAPSULATION_MODE = TUNNEL
>                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>                       attribute GROUP_DESCRIPTION = 2
>                       attribute KEY_LENGTH = 128
>       payload: NONCE len: 20
>       payload: KEY_EXCH len: 132
>       payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
>       payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 
>       312)
> 00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
>       cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
>       payload: HASH len: 24
>       payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>           payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0502a8eb
>               payload: TRANSFORM len: 36
>                   transform: 1 ID: AES
>                       attribute LIFE_TYPE = SECONDS
>                       attribute LIFE_DURATION = 000004b0
>                       attribute ENCAPSULATION_MODE = TUNNEL
>                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>                       attribute GROUP_DESCRIPTION = 2
>                       attribute KEY_LENGTH = 128
>       payload: NONCE len: 24
>       payload: KEY_EXCH len: 132
>       payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
>       payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 
>       328)
> 00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
>       cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
>       payload: HASH len: 24
>       payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>           payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0502a8eb
>               payload: TRANSFORM len: 36
>                   transform: 1 ID: AES
>                       attribute LIFE_TYPE = SECONDS
>                       attribute LIFE_DURATION = 000004b0
>                       attribute ENCAPSULATION_MODE = TUNNEL
>                       attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>                       attribute GROUP_DESCRIPTION = 2
>                       attribute KEY_LENGTH = 128
>       payload: NONCE len: 24
>       payload: KEY_EXCH len: 132
>       payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
>       payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 
>       328)
> 
> --snip--
> 
> Note the wacky LIFE_DURATION sent by the netscreen. As shown in the 
> packet capture the netscreen continues to send quick mode packets but 
> isakmpd never responds. I've logs at http://obstacle9.com/isakmpd/ . 
> I've tried different transforms and proposal settings but the result is 
> the same. This happens on a snapshot from a few days ago.
> 
> 
> thanks,
> sk
> 

-- 
pub  1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer 
                             <[EMAIL PROTECTED]>
Key fingerprint = 83D2 436A 0D3C 34A9 E0FF  4C33 35F6 617C 513A EFD9
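
An added example, not part of the original thread and not isakmpd's code: the two LIFE_DURATION values in the quoted capture, 1200 and 000004b0, are the same number if the second is the variable-length (TLV) form of an ISAKMP data attribute, which would also account for the TRANSFORM length of 36 versus 32. The decoder below normalizes both forms; the byte strings are constructed to mirror the capture, and the helper names are hypothetical.

```python
import struct

# IPsec DOI attribute type names (RFC 2407, section 4.5)
ATTR_NAMES = {1: "LIFE_TYPE", 2: "LIFE_DURATION", 3: "GROUP_DESCRIPTION",
              4: "ENCAPSULATION_MODE", 5: "AUTHENTICATION_ALGORITHM",
              6: "KEY_LENGTH"}

def parse_attributes(buf):
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) to {name: int}."""
    attrs, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        word, field = struct.unpack_from("!HH", buf, off)
        off += 4
        atype = word & 0x7FFF
        if word & 0x8000:      # AF=1: basic (TV) form, the 16-bit field is the value
            value = field
        else:                  # AF=0: variable (TLV) form, the field is the value length
            if field > len(buf) - off:
                raise ValueError("attribute value runs past end of payload")
            value = int.from_bytes(buf[off:off + field], "big")
            off += field
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs

def tv(atype, value):          # hypothetical helper: build a basic attribute
    return struct.pack("!HH", 0x8000 | atype, value)

def tlv(atype, raw):           # hypothetical helper: build a variable-length attribute
    return struct.pack("!HH", atype, len(raw)) + raw

# Constructed attribute bytes mirroring the two transforms in the capture:
# LIFE_TYPE=SECONDS(1), then LIFE_DURATION, then TUNNEL(1), HMAC_SHA(2),
# group 2 and key length 128.
HEAD = tv(1, 1)
TAIL = tv(4, 1) + tv(5, 2) + tv(3, 2) + tv(6, 128)
ISAKMPD = HEAD + tv(2, 1200) + TAIL
NETSCREEN = HEAD + tlv(2, bytes.fromhex("000004b0")) + TAIL

# Generic payload header (4 bytes) plus transform number, ID and reserved (4 bytes)
TRANSFORM_HEADER = 8

if __name__ == "__main__":
    for name, blob in (("isakmpd", ISAKMPD), ("netscreen", NETSCREEN)):
        print(name, TRANSFORM_HEADER + len(blob), parse_attributes(blob))
```
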
