Daniel Ouellet wrote:
Steve Glaus wrote:
Hello all,
I'm finally desperate enough to post this to a list...
I have been trying for two days to set up a basic VPN between my
OpenBSD box at home and my OpenBSD box at work.
The box at home is running 3.7 and the box here at work is running 3.9.
It may be worth having 3.9 in both places.
Here is something that might help:
http://www.securityfocus.com/infocus/1859
Also may be good to read:
http://www.undeadly.org/cgi?action=article&sid=20060621160000
and this specially:
http://www.undeadly.org/cgi?action=article&sid=20060606210130
man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf
So many changes happened in the last few months and many things have
been replaced that I think trying to set up a VPN using what we may call
the old way is a waste of time.
I have seen many articles and examples in the last few months
explaining all the great changes to this that I would say trying to
use 3.7 for this is wrong. But I may be wrong for sure. It's just
based on what was posted lately, really.
I am not 100% sure, but I think even some of the best changes are in
-current, which make the setup very simple now, based on articles on
undeadly.org about the subject.
Just a thought.
Hope this helps you some.
Hello again,
Thanks for your help earlier. I haven't really had time to look at this
problem in the last few weeks.
I've started trying to use ipsecctl on my 3.9 box to connect to the
actual service we will be using this for and I've made SOME progress so
thank you for steering me in the right direction.
Now,
Whenever I try to connect to one of our cheesy little VPN routers (DLINK
DFL-300's) using ipsecctl it works perfectly. The tunnel comes up and
everything looks beautiful.
But I can't stop there I'm afraid (though GOD I wish I could)....
I'm trying to connect to a sonicwall 4060 VPN that our software vendor
uses. When I try to do this using the same setup (with the appropriate
changes made) I get NO_PROPOSAL_CHOSEN messages.
One glaring difference that I can see is that when I connect to the
DLINK I use a passive connection and isakmpd sits and listens for
incoming connections. Could this be a lifetime issue? Tech support at
the other end said this is possible. How do you set the lifetime using
ipsecctl? (I've read that this is only possible with -current.)
Another item - Is PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
Looking at my logs I'm pretty sure that it's making it through phase1.
Our vendors phase1 and phase2 use identical encryption/authorization so
I don't quite understand why I would be getting NO_PROPOSALS for only
phase2. The lifetimes for both phases are also identical on the vendors
end.
This is the relevant configuration info:
ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134 main
auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"
The debug output can be found here:
http://ww2.bartowpc.com:8080/isakmpd_out
I really don't know where to go from here. I've invested hours & hours
into this and we've (foolishly?) committed to this direction.
Thanks for any help anyone can give.
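An added example, not from this thread and not OpenBSD's own documentation, showing how the two things asked about above (phase 1/phase 2 lifetimes and PFS) are written in ipsec.conf on releases whose ipsecctl accepts the lifetime keyword; as the post says, 3.9 does not have it. The 10.110.38.0/24, 172.28.128.0/21 and 204.244.106.134 values are the ones from the post, the DFL-300 addresses (192.0.2.0/24, 198.51.100.1), the lifetimes and the PSK are placeholders, and the lifetimes and group the SonicWall actually proposes have to be taken from the vendor's configuration.

```conf
# /etc/ipsec.conf (added example; DFL-300 addresses, PSK and lifetimes
# are assumptions, not values from the thread)
#
# Active-mode IKE toward the vendor gateway with explicit phase 1 and
# phase 2 proposals. "group modp1024" in the quick block enables PFS,
# which ipsecctl also uses when no group is given; "group none" in the
# quick block disables PFS. "lifetime" sets the SA lifetime for that
# phase; if it does not match what the remote side will accept, the
# remote can reject that phase with NO_PROPOSAL_CHOSEN.
ike esp from 10.110.38.0/24 to 172.28.128.0/21 \
    peer 204.244.106.134 \
    main  auth hmac-sha1 enc 3des group modp1024 lifetime 8h \
    quick auth hmac-sha1 enc 3des group modp1024 lifetime 1h \
    psk "XXXXXXXXXX"
# To turn PFS off for the rule above, replace the quick line with:
#   quick auth hmac-sha1 enc 3des group none lifetime 1h \

# Passive variant, as used toward the DFL-300: isakmpd listens and lets
# the peer initiate instead of starting the exchange itself.
ike passive esp from 10.110.38.0/24 to 192.0.2.0/24 \
    peer 198.51.100.1 \
    main  auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk "XXXXXXXXXX"
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which is the quickest way to find out whether the running release accepts the lifetime keyword at all; `ipsecctl -f /etc/ipsec.conf` loads it, and `ipsecctl -s all` shows the flows and SAs that were actually installed, so a rule that parsed but never produced an SA can be told apart from one that was rejected by the peer.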