Found a solution of sorts - downgrade the phase 2 transform from AES to 3DES. Even if officially SEF 7.0.4 supports AES for phase 2 and it accepts it during IKE negotiation, the tunnel fails immediately with a misleading error message on SEF.

Given the age of Symantec Enterprise Firewall 7.0.4 (released in 2001?) and the standardisation year of AES (2002) I think the SEF AES algorithm is simply broken. Beware.

HJ, thanks for the help!

Regards, Mitja

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans-Joerg Hoexer
> Sent: Wednesday, October 18, 2006 12:11 PM
> To: Mitja Mu?eni?
> Cc: misc@openbsd.org
> Subject: Re: VPN interoperability problem with Symantec Enterprise Firewall
>
> Hi,
>
> could you please provide a pcap of such an exchange?
> Thanks,
> HJ.
>
> On Wed, Oct 18, 2006 at 11:57:53AM +0200, Mitja Mu?eni? wrote:
> >
> > Just a quick question if anybody has had the same problem, or contrary, if
> > anybody has a success story with SEF. I'm trying to establish an IPsec
> > tunnel between OpenBSD 3.9 and Symantec Enterprise Firewall 7.0.4 (NT/2k)
> > which is not under my control.
> >
> > The negotiation goes through normally, but immediately afterwards the remote
> > end sends a "DELETE" notification. The tunnel is still up on OpenBSD's end,
> > but no traffic ever reaches the destination.
> >
> > The remote end (Symantec) spits out (obfuscated to protect the innocent):
> >
> > "VPN packet dropped (213.aaa.bbb.ccc->217.ddd.eee.fff: Protocol=IPSEC-ESP
> > spi=0xa0723686): Received IPCOMP packet on a tunnel that was not configured
> > for compression (tunnel [EMAIL PROTECTED] <VPN_tunnel_*****>)"
> >
> >
> > This error message is funny because as far as I know, OpenBSD does not
> > support IPCOMP in automatic IKE through isakmpd. Any idea why Symantec would
> > believe that we are sending it IPCOMP traffic?
> >
> >
> > I even checked that net.inet.ipcomp.enable=0 - not that I know if it's
> > applicable to IPsec at all. I suspect this is a bug in SEF, but can't find
> > anything on google or mailing list archives. Nothing special in my
> > isakmpd.conf, I have multiple tunnels working to other vendors' VPN peers.
> >
> >
> > Regards,
> >
> > Mitja
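The workaround described at the top of the reply, shown as an added isakmpd.conf(5) fragment for OpenBSD 3.9 (example config, not from the original mail): the Quick Mode section is pinned to the predefined 3DES suite, with the AES suite that SEF accepted in IKE but then tore down kept as a comment. Peer address, networks, section names and the pre-shared key are placeholders.

```ini
# Added example, not from the original thread: isakmpd.conf(5) fragment for
# OpenBSD 3.9 showing the phase 2 (Quick Mode) transform pinned to 3DES.
# Address, networks, section names and the pre-shared key are placeholders.

[Phase 1]
203.0.113.1=            ISAKMP-peer-sef

[Phase 2]
Connections=            IPsec-to-sef

[ISAKMP-peer-sef]
Phase=                  1
Transport=              udp
Address=                203.0.113.1
Configuration=          Default-main-mode
Authentication=         REPLACE-WITH-PRESHARED-KEY

[IPsec-to-sef]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-sef
Configuration=          Default-quick-mode
Local-ID=               Net-local
Remote-ID=              Net-sef

[Net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.0.2.0
Netmask=                255.255.255.0

[Net-sef]
ID-type=                IPV4_ADDR_SUBNET
Network=                198.51.100.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
# SEF 7.0.4 accepts this suite during IKE but then deletes the SA:
# Suites=               QM-ESP-AES-SHA-PFS-SUITE
# Workaround from the thread: negotiate 3DES for phase 2 instead.
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

3DES here is an interoperability workaround for this one broken peer only; other peers that negotiate AES correctly should keep their own Quick Mode section with the AES suite.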