If you are willing to try ipsec.conf instead of isakmpd.conf, I use the
following for a VPN with a Checkpoint NG:
ike esp from a.a.a.a/24 to b.b.b.b/20 \
local x.x.x.x peer y.y.y.y \
main auth hmac-md5 enc 3des group grp2 \
quick auth hmac-md5 enc 3des group none \
psk secretsecret
The only thing special here is the "group none" in the quick line. This
disables Perfect Forward Secrecy (PFS). That was needed for a successful
VPN setup together with a Checkpoint.
--
Cam
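
As an added example (not Cam's or Olivier's own configuration), here is
the same ipsec.conf style applied to the parameters Olivier reports for
his Checkpoint side (3DES/SHA/group 2 with a pre-shared key for phase 1,
3DES/SHA for phase 2). The gateway addresses and the key are assumed
placeholders; the networks are the ones from Olivier's isakmpd.conf.
"group none" on the quick line is the ipsec.conf counterpart of the
predefined isakmpd suite QM-ESP-3DES-SHA-SUITE that Olivier already uses
(the -PFS-SUITE variant adds a Diffie-Hellman exchange in quick mode).
The commented second rule shows the PFS-enabled form for comparison.

```conf
# /etc/ipsec.conf (added example; assumed addresses, replace with your own)
#   192.168.1.0/24 behind OpenBSD gateway 203.0.113.10
#   192.168.2.0/24 behind Checkpoint gateway 198.51.100.20
#
# Phase 1 (main): 3DES, SHA-1, group 2 (modp1024, alias grp2), pre-shared key.
# Phase 2 (quick): 3DES, SHA-1, no PFS ("group none"), as Cam found the
# Checkpoint required.
ike esp from 192.168.1.0/24 to 192.168.2.0/24 \
        local 203.0.113.10 peer 198.51.100.20 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk TheGreatSecret

# Same tunnel with PFS. Quick mode then runs its own DH exchange, so a
# compromised phase 1 key no longer exposes the ESP keys of later phase 2
# SAs. Prefer this whenever the peer accepts it.
# ike esp from 192.168.1.0/24 to 192.168.2.0/24 \
#         local 203.0.113.10 peer 198.51.100.20 \
#         main auth hmac-sha1 enc 3des group modp1024 \
#         quick auth hmac-sha1 enc 3des group modp1024 \
#         psk TheGreatSecret
```

For ipsec.conf to be used, isakmpd has to run without KeyNote policy
checking (isakmpd -K); check the file with "ipsecctl -n -f
/etc/ipsec.conf" before loading it with "ipsecctl -f /etc/ipsec.conf",
and inspect the result with "ipsecctl -sa" (SAs) and "ipsecctl -sf"
(flows). Since the pre-shared key sits in the file, keep it readable by
root only.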
On Thu, 11 Jan 2007, Olivier Horn wrote:
> Hi all!
> I have a problem with a VPN tunnel.
>
> The VPN is set between an OpenBSD 4.0 GENERIC and a Checkpoint NG FP3.
> When I establish the tunnel, all is okay for a while. But after a
> (variable) moment the tunnel breaks because of a NO_PROPOSAL_CHOSEN. The
> problem appears to come from the OpenBSD side (see log below), and that
> for both 3.9 and 4.0. The isakmpd config files are very basic.
>
> I have to kill the isakmpd process and start it again (and it works for a
> variable moment only, until a new NO_PROPOSAL_CHOSEN).
>
> From the log:
> Dec 28 14:56:28 uranium isakmpd[21562]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> Dec 28 14:56:28 uranium isakmpd[21562]: ike_phase_1_validate_prop: failure
> Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: proposal 1 failed
> Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: no compatible proposal found
> Dec 28 14:56:28 uranium isakmpd[21562]: dropped message from xxx.xxx.xxx.xxx port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> The Checkpoint side has 3DES/SHA/GRP2 with PRE-SHARED Secret for Phase 1
> and 3DES/SHA for Phase2 enabled.
>
> Has somebody encountered the same problem, or does anybody have a tip to resolve this?
>
> Thanks a lot in advance.
>
> Olivier
> ------------------
>
> isakmpd.conf
>
> [General]
> Retransmits= 5
> #Exchange-max-time= 120
> Exchange-max-time= 20
> Check-interval= 10
> Listen-on= xxx.xxx.xxx.xxx
> #Default-phase-1-lifetime= 86400
> #Default-phase-2-lifetime= 3600
> DPD-check-interval= 20
>
> [Phase 1]
> Other= ISAKMP-peer-node-Other
>
> [Phase 2]
> Connections= IPsec-Conn-Home-Other
>
> # ISAKMP Phase 1 peer sections
>
> [ISAKMP-peer-node-Other]
> Phase= 1
> Address= XXX.XXX.XXX.XXX
> Configuration= Default-main-mode
> Authentication= TheGreatSecret
>
> # IPsec Phase 2 sections
>
> [IPsec-Conn-Home-Other]
> Phase= 2
> ISAKMP-peer= ISAKMP-peer-node-Other
> Configuration= Default-quick-mode
> Local-ID= MyNet
> Remote-ID= OtherNet
>
> # Client ID sections
>
> [MyNet]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.1.0
> Netmask= 255.255.255.0
>
> [OtherNet]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.2.0
> Netmask= 255.255.255.0
>
> # Main mode description
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA-GRP2
>
> # Quick mode description
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
> -------------------
> isakmpd.policy
>
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right password
> $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
> $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true";
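
Added example, not from either post: a small Python script for triaging
intermittent failures like the ones in Olivier's log. isakmpd logs the
attribute that did not match (attribute_unacceptable: ... got X, expected
Y) a few lines before the "dropped message ... NO_PROPOSAL_CHOSEN" line,
so the script pairs the two and reports, per drop, which peer sent the
proposal and which attribute isakmpd rejected. The sample lines are
constructed in the shape of the posted excerpt (RFC 5737 documentation
addresses, a second burst with a made-up group mismatch). The script does
not diagnose the cause, but the got/expected pair is the thing to read:
"expected RSA_SIG" means isakmpd evaluated that exchange without a
pre-shared key configured for it, which is what happens when a
peer-initiated exchange is not matched to the [ISAKMP-peer] section that
carries Authentication= (in isakmpd.conf the [Phase 1] section keys are
the peer's IP address, or Default= as a catch-all).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of the isakmpd syslog lines from the thread.
# 198.51.100.20 is a documentation address standing in for the Checkpoint.
SAMPLE_LOG = """\
Dec 28 14:56:28 uranium isakmpd[21562]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 28 14:56:28 uranium isakmpd[21562]: ike_phase_1_validate_prop: failure
Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: proposal 1 failed
Dec 28 14:56:28 uranium isakmpd[21562]: message_negotiate_sa: no compatible proposal found
Dec 28 14:56:28 uranium isakmpd[21562]: dropped message from 198.51.100.20 port 500 due to notification type NO_PROPOSAL_CHOSEN
Dec 28 15:12:02 uranium isakmpd[21562]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 28 15:12:02 uranium isakmpd[21562]: dropped message from 198.51.100.20 port 500 due to notification type NO_PROPOSAL_CHOSEN
Dec 28 15:30:00 uranium isakmpd[21562]: some other isakmpd message that is not a failure
"""

# syslog prefix: "Mon DD HH:MM:SS host isakmpd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG"
MISMATCH_RE = re.compile(r"^attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
# "dropped message from 1.2.3.4 port 500 due to notification type NO_PROPOSAL_CHOSEN"
DROP_RE = re.compile(
    r"^dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)

Mismatch = Tuple[str, str, str]  # (attribute, got, expected)


def failed_negotiations(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Pair each 'dropped message ... notification type X' line with the
    attribute_unacceptable lines the same isakmpd process logged since its
    previous drop, so each event says which attribute did not match."""
    pending: Dict[str, List[Mismatch]] = {}  # pid -> mismatches not yet reported
    events: List[Dict[str, object]] = []
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not an isakmpd syslog line
        pid, msg = m.group("pid"), m.group("msg")
        mm = MISMATCH_RE.match(msg)
        if mm:
            pending.setdefault(pid, []).append((mm.group(1), mm.group(2), mm.group(3)))
            continue
        dm = DROP_RE.match(msg)
        if dm:
            events.append({
                "time": m.group("ts"),
                "pid": pid,
                "peer": dm.group("peer"),
                "notification": dm.group("notify"),
                "mismatches": pending.pop(pid, []),
            })
    return events


def drops_by_peer(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count dropped negotiations per peer address, to spot a flapping peer."""
    counts: Dict[str, int] = {}
    for ev in events:
        peer = str(ev["peer"])
        counts[peer] = counts.get(peer, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in failed_negotiations(SAMPLE_LOG.splitlines()):
        detail = "; ".join(f"{a}: got {g}, expected {e}" for a, g, e in ev["mismatches"])
        print(f'{ev["time"]} peer {ev["peer"]} {ev["notification"]} [{detail}]')
```

Run it over /var/log/daemon (or wherever isakmpd logs on the box) instead
of the constructed sample to see how often the peer's rekey is being
refused and on which attribute; a mismatch that appears only on
peer-initiated exchanges points at the responder-side configuration rather
than at the transforms themselves.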