Sean Hafeez wrote:
Can someone help me? I am quite stuck. I have spent hours trying various combinations in order to get an OpenBSD 3.9 box to bring up a tunnel to a NetScreen 25.

Below is all the information. I have full control over both boxes and I am willing to try anything at this point.

--------------------------------------------------------
isakmpd.conf
--------------------------------------------------------
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.

[General]
Listen-On=1.1.1.1

[Phase 1]
2.2.2.2=peer-machineB

# 'Phase 2' defines which connections the daemon
# should establish.  These connections contain the actual
# "IPsec VPN" information.

[Phase 2]
Connections=VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])

[peer-machineB]
Phase=1
Address=2.2.2.2
Configuration=Default-main-mode
# Pre-shared key; must be identical to the one configured on the NetScreen
Authentication=bbb111aaaccceee

# IPSEC phase 2 connections (from [Phase 2])

[VPN-A-B]
Phase=2
ISAKMP-peer=peer-machineB
Configuration=Default-quick-mode
Local-ID=machineA-internal-network
Remote-ID=machineB-internal-network

# ID sections (as used in [VPN-A-B])

[machineA-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.22.0
Netmask=255.255.255.0

[machineB-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0

# Main and Quick Mode descriptions
# (as used by peers and connections).

[Default-main-mode]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-SUITE,QM-ESP-AES-SHA-PFS-SUITE

--------------------------------------------------------
isakmpd -d -DA=50

You may want to do a -DA=90 here for a little more info. Just a thought?

Have you tried with ipsecctl?

What are the default phase1 and phase2 lifetimes set to on the Netscreen?

I'm really not sure how suite negotiations work, but I know that you can't have a suite using PFS with one that doesn't. I would try getting rid of all the suites but one in your quick mode and matching up to that on the NetScreen side.

I feel your pain. I spent a week trying to get OpenBSD 3.9 connected to a SonicWall VPN.
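The two suggestions in the reply (try ipsecctl, and keep a single quick-mode suite that is mirrored on the NetScreen) can be combined in one short ipsec.conf for the OpenBSD end. This is an added example written for this page, not configuration from the thread or from either vendor: the cipher choices (3DES/SHA-1 with DH group 2, i.e. modp1024, in both phases, PFS on) are assumptions picked so that the ScreenOS predefined proposals with the same parameters (pre-g2-3des-sha for phase 1, g2-esp-3des-sha for phase 2) can be selected on the NetScreen, and the pre-shared key is simply the string from the posted isakmpd.conf.

```conf
# /etc/ipsec.conf on the OpenBSD 3.9 box (1.1.1.1). Added example, not from the thread.
# Assumed: 3DES + HMAC-SHA1 + modp1024 (DH group 2) in both phases, PFS enabled.
# The NetScreen side must use exactly one matching proposal per phase, e.g.
# pre-g2-3des-sha (P1) and g2-esp-3des-sha (P2), with proxy IDs
# local 192.168.0.0/24 <-> remote 192.168.22.0/24.
# If the NetScreen P2 proposal has no PFS (nopfs-esp-3des-sha), change the
# quick line to "group none".
ike esp from 192.168.22.0/24 to 192.168.0.0/24 \
    peer 2.2.2.2 \
    main  auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk "bbb111aaaccceee"
```

With isakmpd running as `isakmpd -K` (so it takes its policy from ipsecctl instead of a KeyNote file), `ipsecctl -nvf /etc/ipsec.conf` parses the file and prints the expanded rule without loading it, `ipsecctl -f /etc/ipsec.conf` loads it and triggers the negotiation, and `ipsecctl -sa` shows the flows and SAs once phase 2 has completed. Because there is exactly one proposal in each phase, a failure in the isakmpd debug output can be read directly as "the NetScreen did not accept this one combination" (or the lifetimes or proxy IDs did not match) rather than as an ambiguity between several offered suites.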
