On Tue, Oct 02, 2012 at 09:52:28AM +0200, mxb wrote:

> You probably get "NO_PROPOSAL_CHOSEN" error?
> From the info you gave, looks like the Cisco side tries to talk AES_CBC
> but your local side talks 3DES_CBC in Phase 1.

Nah, it seems the cisco offers two and OpenBSD picks the second for
phase 1.

I'd advise to run isakmpd in debug mode, and see what comes out.  In
my experience -D A=5 often shows what is going on; if not, go higher.
The logs are not easy to read though.

Group none could be a problem if the cisco insists on PFS.

        -Otto
        
> 
> 
> //mxb
> 
> On 10/01/2012 09:21 PM, Erwin Schliske wrote:
> > Hello,
> > 
> > I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
> > with a Cisco ASA 5505, which is not under my administration.
> > 
> > Here is the ipsec.conf
> > 
> > ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
> >  to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
> >  peer a.b.102.219 \
> >  local c.d.3.254 \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  quick auth hmac-sha1 enc 3des group none \
> >  psk password
> > 
> > If I try to ping one host on the Cisco side from the OpenBSD side, the tunnel
> > doesn't come up. If I look with tcpdump on the external interface or in the
> > tcpdump logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I
> > ping a host on the OpenBSD side from the Cisco side, the tunnel comes up. In
> > the logging of isakmpd I see these log lines
> > 
> > 20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->0000000000000000 msgid: 00000000 len: 188
> >         payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >             payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
> >                 payload: TRANSFORM len: 40
> >                     transform: 1 ID: ISAKMP
> >                         attribute GROUP_DESCRIPTION = MODP_1024
> >                         attribute ENCRYPTION_ALGORITHM = AES_CBC
> >                         attribute KEY_LENGTH = 256
> >                         attribute HASH_ALGORITHM = SHA
> >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> >                         attribute LIFE_TYPE = SECONDS
> >                         attribute LIFE_DURATION = 00007080
> >                 payload: TRANSFORM len: 36
> >                     transform: 2 ID: ISAKMP
> >                         attribute GROUP_DESCRIPTION = MODP_1024
> >                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> >                         attribute HASH_ALGORITHM = SHA
> >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> >                         attribute LIFE_TYPE = SECONDS
> >                         attribute LIFE_DURATION = 00007080
> >         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> >         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> >         payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
> > 20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 184
> >         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >             payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> >                 payload: TRANSFORM len: 36
> >                     transform: 2 ID: ISAKMP
> >                         attribute GROUP_DESCRIPTION = MODP_1024
> >                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> >                         attribute HASH_ALGORITHM = SHA
> >                         attribute AUTHENTICATION_METHOD = PRE_SHARED
> >                         attribute LIFE_TYPE = SECONDS
> >                         attribute LIFE_DURATION = 00007080
> >         payload: VENDOR len: 20 (supports OpenBSD-4.0)
> >         payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
> >         payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
> >         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
> > 20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 304
> >         payload: KEY_EXCH len: 132
> >         payload: NONCE len: 24
> >         payload: VENDOR len: 20 (supports Cisco Unity)
> >         payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
> >         payload: VENDOR len: 20
> >         payload: VENDOR len: 20
> >         payload: NAT-D-DRAFT len: 24
> >         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
> > 20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 232
> >         payload: KEY_EXCH len: 132
> >         payload: NONCE len: 24
> >         payload: NAT-D-DRAFT len: 24
> >         payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
> > 20:57:40.440675 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 84
> >         payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 37.188.102.219
> >         payload: HASH len: 24
> >         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
> > 20:57:40.440740 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> > exchange ID_PROT
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: 00000000 len: 64
> >         payload: ID len: 12 type: IPV4_ADDR = 87.79.3.254
> >         payload: HASH len: 24 [ttl 0] (id 1, len 92)
> > 20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> > exchange QUICK_MODE
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 196
> >         payload: HASH len: 24
> >         payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >             payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x44230db2
> >                 payload: TRANSFORM len: 36
> >                     transform: 1 ID: 3DES
> >                         attribute LIFE_TYPE = SECONDS
> >                         attribute LIFE_DURATION = 3600
> >                         attribute LIFE_TYPE = KILOBYTES
> >                         attribute LIFE_DURATION = 00465000
> >                         attribute ENCAPSULATION_MODE = TUNNEL
> >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >         payload: NONCE len: 24
> >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0
> >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0
> >         payload: NOTIFICATION len: 28
> >             notification: INITIAL CONTACT (c5fe8a243e380ce2->ad0c72b886cfb802) [ttl 0] (id 1, len 224)
> > 20:57:40.466133 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
> > exchange QUICK_MODE
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 168
> >         payload: HASH len: 24
> >         payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> >             payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0d09b388
> >                 payload: TRANSFORM len: 36
> >                     transform: 1 ID: 3DES
> >                         attribute LIFE_TYPE = SECONDS
> >                         attribute LIFE_DURATION = 3600
> >                         attribute LIFE_TYPE = KILOBYTES
> >                         attribute LIFE_DURATION = 00465000
> >                         attribute ENCAPSULATION_MODE = TUNNEL
> >                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> >         payload: NONCE len: 24
> >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.71.0/255.255.255.0
> >         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.70.0.0/255.255.255.0 [ttl 0] (id 1, len 196)
> > 20:57:40.492960 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
> > exchange QUICK_MODE
> >         cookie: c5fe8a243e380ce2->ad0c72b886cfb802 msgid: affb732a len: 76
> >         payload: HASH len: 24 [ttl 0] (id 1, len 104)
> > 
> > 
> > On the Cisco side port 500/udp is open.
> > 
> > 
> > Does anybody know why my side doesn't try to set the tunnel up?
> > 
> > 
> > Thanks,
> > 
> > Regards,
> > Erwin
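
An added diagnostic (not from the thread or from isakmpd) that parses the tcpdump isakmp decode quoted above and checks the two points raised in the replies: whether one of the peer's Phase 1 transforms matches the `main` line in ipsec.conf, and whether the peer's Quick Mode proposal carries a PFS group at all. The log excerpt is constructed from the decode in the mail with wrapped lines rejoined and payload framing lines dropped; the function names are assumptions.

```python
import re

# Constructed excerpt of the tcpdump isakmp decode from the mail, wrapped lines
# rejoined and the payload framing lines dropped; attributes are verbatim.
LOG = """\
20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: isakmp v1.0 exchange ID_PROT
                    transform: 1 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                    transform: 2 ID: ISAKMP
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
20:57:40.465988 a.b.102.219.500 > c.d.3.254.500: isakmp v1.0 exchange QUICK_MODE
                    transform: 1 ID: 3DES
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
"""

PKT = re.compile(r"^\S+ (\S+) > (\S+): .*exchange (\w+)")
XFORM = re.compile(r"^\s+transform: (\d+) ID: (\S+)")
ATTR = re.compile(r"^\s+attribute (\w+) = (\S+)")

def parse_transforms(text):
    """Return (exchange, source, transform number, {attribute: value}) per transform."""
    out, exchange, src, cur = [], None, None, None
    for line in text.splitlines():
        if m := PKT.match(line):          # new packet: remember exchange type and sender
            src, exchange = m.group(1), m.group(3)
        elif m := XFORM.match(line):      # new transform inside the current SA payload
            cur = {"ID": m.group(2)}
            out.append((exchange, src, int(m.group(1)), cur))
        elif (m := ATTR.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2)
    return out

def phase1_match(transforms, enc, hsh, group):
    """Number of the first ID_PROT transform equal to our `main` line, else None."""
    for exchange, _, num, a in transforms:
        if exchange == "ID_PROT" and (a.get("ENCRYPTION_ALGORITHM"),
                a.get("HASH_ALGORITHM"), a.get("GROUP_DESCRIPTION")) == (enc, hsh, group):
            return num
    return None

def phase2_pfs_group(transforms):
    """PFS group carried in the peer's Quick Mode transform, or None if it offers none."""
    for exchange, _, _, a in transforms:
        if exchange == "QUICK_MODE" and "GROUP_DESCRIPTION" in a:
            return a["GROUP_DESCRIPTION"]
    return None
```

With the mail's decode, `phase1_match(parse_transforms(LOG), "3DES_CBC", "SHA", "MODP_1024")` returns 2 (the second Cisco transform, as Otto says) and `phase2_pfs_group` returns None, so the peer is not demanding PFS in this capture.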
