Windows firewall is off. Dump is as follows:

# tcpdump -i sis0 'esp or (udp and (port 500 or port 4500))'
tcpdump: listening on sis0, link-type EN10MB
21:06:26.205252 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT cookie: 1a0f8d5bb2637ce2->0000000000000000 msgid: 00000000 len: 3632 (frag 51066:[EMAIL PROTECTED])
21:06:26.735801 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 188
21:06:26.745392 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 184
21:06:27.103644 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 232
21:06:27.138275 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:27.575196 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:32.575767 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: dbc958f1 len: 92
21:06:37.235054 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:37.248721 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:37.619710 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 4c3bb90c len: 92
21:06:42.647504 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 88ad6544 len: 92
21:06:47.244914 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:47.263416 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:47.684881 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 5337bf54 len: 92
21:06:52.715304 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: eaeb08da len: 92

On 4/11/07, Dag Richards <[EMAIL PROTECTED]> wrote:
Roy Kim wrote:
> I'm trying to setup an ipsec tunnel between an openbsd and a windows
> box using X.509 certificates. Phase 1 gets successfully negotiated but
> then things crap out at step 1 of phase 2 and I don't have a clue
> what's wrong. Any thoughts?
>
> Isakmpd debug messages just after phase 1 is negotiated and ipsec.conf
> are as follows:
>
> ipsec.conf:
> ike dynamic esp tunnel from 192.168.0/8 to any \
> srcid home dstid work
> ike dynamic esp tunnel from any to 192.168.0/8 \
> srcid work dstid home
>
> isakmpd output using 'isakmpd -KvdD A=50'
> 191751.046228 Timr 10 timer_add_event: event
> exchange_free_aux(0x7df9b500) added before sa_soft_expire(0x85229200),
> expiration in 120s
> 191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500 <unnamed> <no
> policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 191751.049266 Exch 10 exchange_establish_p2: icookie 395faa725fd4c3b3
> rcookie 8e784c12cb6b04bd
> 191751.050294 Exch 10 exchange_establish_p2: msgid 47ef99ad sa_list
> 191751.052677 Cryp 50 crypto_init_iv: initialized IV:
> 191751.054075 Cryp 50 033b6e99 5e66c7ba 8efd5d22 8ffe8567
> 191751.055068 Cryp 30 crypto_encrypt: before encryption:
> 191751.057166 Cryp 30 0b000018 68790ed1 9f0d6417 66838f05 de3393d7
> 9ec6dcb3 00000020 00000001
> 191751.058368 Cryp 30 01108d28 395faa72 5fd4c3b3 8e784c12 cb6b04bd
> 00003340 00000000 00000000
> 191751.060004 Cryp 30 crypto_encrypt: after encryption:
> 191751.061996 Cryp 30 bb6cda82 ec0c809f eac5e496 3102dffb 726b62a3
> 9f0d19e6 624ee717 c65f1486
> 191751.063409 Cryp 30 a35e8fb2 c9a6b8c8 2d03723f 7d6d0c68 909c42ea
> 0bf57a7f d8c817ce 070b8719
> 191751.064686 Cryp 50 crypto_update_iv: updated IV:
> 191751.066224 Cryp 50 909c42ea 0bf57a7f d8c817ce 070b8719
> 191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step
> 0, advancing...
> 191751.069968 Timr 10 timer_add_event: event
> dpd_check_event(0x85229200) added before
> connection_checker(0x8522a060), expiration in 5s
> 191751.072222 Exch 10 exchange_finalize: 0x7df9b500 <unnamed> <no
> policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 191751.073402 Exch 10 exchange_finalize: icookie 395faa725fd4c3b3
> rcookie 8e784c12cb6b04bd
> 191751.074675 Exch 10 exchange_finalize: msgid 47ef99ad sa_list
> 191751.076166 Timr 10 timer_remove_event: removing event
> exchange_free_aux(0x7df9b500)
> 191751.077610 Mesg 20 message_free: freeing 0x7df9e000
> 191756.083274 Timr 10 timer_handle_expirations: event
> dpd_check_event(0x85229200)
> 191756.084314 Mesg 10 dpd_check_event: peer not responding, retry 2 of 5
>

Is the windows firewall on? Can you show a dump of the negotiation?