It seems that I was provided the wrong peer IP (which was also running an
IPSEC endpoint, but with different settings). So after placing the right IP
address in the ipsec.conf, the flows are established, although I get some
errors like:

Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs:
initiator id 192.168.55.0/255.255.255.0, responder id
192.168.66.0/255.255.255.0
180852.346361 Default dropped message from A.B.C.D port 500 due to
notification type INVALID_ID_INFORMATION

The problem now is that I can ping from one side to another (from cloud to
our premises) but not the opposite direction.

Thanks,
George

On Tue, May 10, 2016 at 1:40 PM, George Kourvoulis <gko...@gmail.com> wrote:

> Hi,
> I am trying to create an IPSEC tunnel between an OpenBSD 5.8 and VMWare's
> vcloud air cloud platform.
>
> The options that I can set from the vmware side (they provide a GUI) are
> specific and they are the following:
>
> -Local networks
> -Remote networks
> -Peer
> -Pre shared key
> -Encryption (3DES)
>
> On the OpenBSD side I use ipsec.conf and the contents are the following:
>
> ike esp from 192.168.66.0/24 to 192.168.55.0/24 peer ABC.DEF.GHI.JKL main
> auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha2-256 enc
> blowfish psk MY-PSK-PHRASE
>
> When I start isakmpd and ipsecctl -f /etc/ipsec.conf I always get the
> following message and the SAs are never created.
>
> 133935.717470 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
> PRE_SHARED, expected RSA_SIG
> 133935.717808 Default message_negotiate_sa: no compatible proposal found
> 133935.717916 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 133944.988656 Default transport_send_messages: giving up on exchange
> peer-ABC.DEF.GHI.JKL , no response from peer ABC.DEF.GHI.JKL :500
> 133945.755693 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
> PRE_SHARED, expected RSA_SIG
> 133945.755884 Default message_negotiate_sa: no compatible proposal found
> 133945.755930 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
> notification type NO_PROPOSAL_CHOSEN
>
> It seems that although I specify that I want a psk to be used, it expects
> a pub key.
>
> Thank you,
> George
