If I am interpreting the logs correctly, then I have partial success using

ike dynamic esp tunnel from any to 192.168.1.0/24 \
main  auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha2-256 enc 3des \
psk abc123

I am confident that the first two lines are correct. The dynamic variable
should be correct if the incoming IP address is different for every user.
Line two should be OK since it appears I have a successful Phase 1. I've
SSH'd into the endpoint and run tcpdump against my external interface and
enc0. I have also used "ipsecctl -m". So far I have not picked up any new
clues to help resolve the remainder of the problem.

The ipsec.conf man page says the default authentication for phase 2 is
hmac-sha2-256, so I am reasonably confident that is correct. I suspect it is
the remainder of my config where I am having trouble.

Log output from Greenbow:

20070813 181803 Default (SA Home_Network-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070813 181803 Default (SA Home_Network-P1) RECV phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID] [VID]
20070813 181803 Default (SA Home_Network-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070813 181803 Default (SA Home_Network-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070813 181804 Default (SA Home_Network-P1) SEND phase 1 Main Mode  [HASH] [ID] [NOTIFY]
20070813 181804 Default (SA Home_Network-P1) RECV phase 1 Main Mode  [HASH] [ID]
20070813 181804 Default phase 1 done: initiator id 192.168.11.151, responder id gateway.home.lan
20070813 181804 Default (SA Home_Network-Home_Network-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20070813 181804 Default (SA Home_Network-P1) RECV Informational  [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20070813 181804 Default (SA <unknown>) RECV phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20070813 181804 Default message_negotiate_incoming_sa: no compatible proposal found


Log output from "ipsecctl -m":

# ipsecctl -m (full IPs partially obscured for security; aa/bbb for source
# and xx/yy for dest)

sadb_getspi: satype esp vers 2 len 10 seq 5 pid 29253
        address_src: 64.119.aa.bbb
        address_dst: 64.119.xx.yy
        spirange: min 0x00000100 max 0xffffffff

sadb_getspi: satype esp vers 2 len 10 seq 5 pid 29253
        sa: spi 0xc1fe759d auth none enc none
                state mature replay 0 flags 0
        address_src: 64.119.aa.bbb
        address_dst: 64.119.xx.yy

The line "sa: spi 0xc1fe759d auth none enc none" is not very encouraging.

Output of tcpdump on the external interface:

Aug 13 18:04:38.881175 64.119.aa.bbb.500 > 64.119.xx.yy.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->0000000000000000 msgid: 00000000 len: 160
Aug 13 18:04:38.901502 64.119.xx.yy.500 > 64.119.aa.bbb.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 180
Aug 13 18:04:39.027590 64.119.aa.bbb.500 > 64.119.xx.yy.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 228
Aug 13 18:04:39.082435 64.119.xx.yy.500 > 64.119.aa.bbb.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 228
Aug 13 18:04:39.216764 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange ID_PROT encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 92
Aug 13 18:04:39.219939 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange ID_PROT encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 108
Aug 13 18:04:39.281029 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 0ad31636 len: 148
Aug 13 18:04:39.283292 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 8e806e2e len: 68
Aug 13 18:04:40.546782 64.119.xx.yy.29337 > 213.41.245.21.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
Aug 13 18:04:40.767452 213.41.245.21.123 > 64.119.xx.yy.29337: v4 server strat 2 poll 0 prec -20 (DF)
Aug 13 18:04:42.084865 64.119.33.178 > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
Aug 13 18:04:44.012876 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 490 (DF) [tos 0xb8]
Aug 13 18:04:44.048339 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 488 [tos 0xb0]
Aug 13 18:04:44.227369 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 14800c89 len: 84
Aug 13 18:04:44.288706 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 894489f9 len: 84
Aug 13 18:04:45.068700 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 680 [tos 0xb0]
Aug 13 18:04:45.135503 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 429 (DF) [tos 0xb8]
Aug 13 18:04:45.138701 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 511 (DF) [tos 0xb8]
Aug 13 18:04:45.214069 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 679 [tos 0xb0]
Aug 13 18:04:45.278437 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 428 (DF) [tos 0xb8]
Aug 13 18:04:45.284029 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 502 (DF) [tos 0xb8]
Aug 13 18:04:46.283575 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 0ad31636 len: 148
Aug 13 18:04:46.285752 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 9f27d1b8 len: 68
Aug 13 18:04:49.297312 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 487550f6 len: 84
Aug 13 18:04:49.359347 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: dbf97e96 len: 84
Aug 13 18:04:51.934026 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 490 (DF) [tos 0xb8]
Aug 13 18:04:51.974240 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 488 [tos 0xb0]
Aug 13 18:04:52.085330 64.119.33.178 > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
Aug 13 18:04:52.568919 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 678 [tos 0xb0]
Aug 13 18:04:52.635457 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 427 (DF) [tos 0xb8]
Aug 13 18:04:52.638864 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 509 (DF) [tos 0xb8]
Aug 13 18:04:52.714580 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 679 [tos 0xb0]
Aug 13 18:04:52.779577 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 428 (DF) [tos 0xb8]
Aug 13 18:04:52.783972 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 502 (DF) [tos 0xb8]
Aug 13 18:04:54.070587 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 732 [tos 0xb0]
Aug 13 18:04:54.151875 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 473 (DF) [tos 0xb8]
Aug 13 18:04:54.157066 64.119.40.173.5060 > 64.119.xx.yy.60719: udp 839 (DF) [tos 0xb8]
Aug 13 18:04:54.217573 64.119.xx.yy.60719 > 64.119.40.173.5060: udp 401 [tos 0xb0]
Aug 13 18:04:54.367377 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 2790d6db len: 84
Aug 13 18:04:54.423352 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: cf3a0e5e len: 84

I don't think it is a PF rule, but in case anyone is looking at this, my PF
rules for IPsec are:

## Pass IPSEC/VPN traffic ##
set skip on enc0
pass in  on $ext_if proto udp from any to $ext_if port {500, 4500}
pass out on $ext_if proto udp from $ext_if to any port {500, 4500}
pass in  on $ext_if proto esp from any to $ext_if
pass out on $ext_if proto esp from $ext_if to any
pass in  on enc0 proto ipencap from any to $ext_if keep state (if-bound)
pass out on enc0 proto ipencap from $ext_if to any keep state (if-bound)

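An added example, not part of the original post, for reading the two logs above together. It parses the tcpdump ISAKMP lines and the Greenbow log, counts the phase 1 packets, detects the Quick Mode retransmit (same msgid sent twice), and pairs each Quick Mode message with the Informational reply the gateway sends straight back, which in the post is the one carrying NO_PROPOSAL_CHOSEN. The sample lines are copied from the post with wrapped lines rejoined; the NTP line is kept to show non-ISAKMP traffic is ignored. The one-second pairing window is an assumption of this example, as is the inference that an immediate Informational after Quick Mode is a rejection; tcpdump cannot see inside the encrypted NOTIFY, only the Greenbow (or isakmpd) log can.

```python
import re

# Sample lines constructed from the post's tcpdump output (wrapped lines
# rejoined). The NTP line is included to show it is skipped.
SAMPLE_TCPDUMP = """\
Aug 13 18:04:38.881175 64.119.aa.bbb.500 > 64.119.xx.yy.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->0000000000000000 msgid: 00000000 len: 160
Aug 13 18:04:38.901502 64.119.xx.yy.500 > 64.119.aa.bbb.500: isakmp v1.0 exchange ID_PROT
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 180
Aug 13 18:04:39.216764 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange ID_PROT encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 92
Aug 13 18:04:39.219939 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange ID_PROT encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 00000000 len: 108
Aug 13 18:04:39.281029 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 0ad31636 len: 148
Aug 13 18:04:39.283292 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 8e806e2e len: 68
Aug 13 18:04:40.546782 64.119.xx.yy.29337 > 213.41.245.21.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
Aug 13 18:04:44.227369 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 14800c89 len: 84
Aug 13 18:04:44.288706 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 894489f9 len: 84
Aug 13 18:04:46.283575 64.119.aa.bbb.4500 > 64.119.xx.yy.4500:udpencap:isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 0ad31636 len: 148
Aug 13 18:04:46.285752 64.119.xx.yy.4500 > 64.119.aa.bbb.4500:udpencap:isakmp v1.0 exchange INFO encrypted
        cookie: 46e4aa106358ddb5->26193c745679a129 msgid: 9f27d1b8 len: 68
"""

# Constructed from the Greenbow log lines in the post.
SAMPLE_GREENBOW = """\
20070813 181804 Default phase 1 done: initiator id 192.168.11.151, responder id gateway.home.lan
20070813 181804 Default (SA Home_Network-Home_Network-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20070813 181804 Default (SA Home_Network-P1) RECV Informational  [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20070813 181804 Default message_negotiate_incoming_sa: no compatible proposal found
"""

# Header line: timestamp, src.port > dst.port, optional NAT-T marker, exchange type.
HEADER_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[^\s:]+)\.(?P<sport>\d+) > (?P<dst>[^\s:]+)\.(?P<dport>\d+):"
    r"\s*(?P<natt>udpencap:\s*)?isakmp v1\.0 exchange (?P<exch>\w+)")
COOKIE_RE = re.compile(
    r"^\s+cookie: (?P<icookie>[0-9a-f]+)->(?P<rcookie>[0-9a-f]+) "
    r"msgid: (?P<msgid>[0-9a-f]+) len: (?P<len>\d+)")
GB_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<msg>.*)$")


def _seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_isakmp(text):
    """One dict per ISAKMP packet (header plus cookie line); other lines are skipped."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"t": _seconds(m["time"]), "src": m["src"], "dst": m["dst"],
                   "nat_t": m["natt"] is not None, "exchange": m["exch"]}
            pkts.append(cur)
        elif cur is not None and (c := COOKIE_RE.match(line)):
            cur.update(icookie=c["icookie"], rcookie=c["rcookie"],
                       msgid=c["msgid"], len=int(c["len"]))
            cur = None
    return pkts


def summarize(pkts, window=1.0):
    """Count phase 1 packets and Quick Mode attempts, and pair each Quick Mode
    with an Informational from the peer within `window` seconds (assumed here
    to be a rejection, as the NO_PROPOSAL_CHOSEN in the Greenbow log confirms)."""
    phase1 = [p for p in pkts if p["exchange"] == "ID_PROT"]
    quick = [p for p in pkts if p["exchange"] == "QUICK_MODE"]
    rejected = []
    for q in quick:
        for p in pkts:
            if (p["exchange"] == "INFO" and p["src"] == q["dst"]
                    and p["dst"] == q["src"] and 0 <= p["t"] - q["t"] <= window):
                rejected.append((q["msgid"], p["msgid"], p["t"] - q["t"]))
                break
    msgids = [q["msgid"] for q in quick]
    return {"phase1_packets": len(phase1),
            "nat_t": any(p["nat_t"] for p in pkts),
            "quick_mode_attempts": len(quick),
            "quick_mode_retransmits": len(msgids) - len(set(msgids)),
            "rejected": rejected}


def greenbow_failures(text):
    """(timestamp, message, phase1_done) for each proposal-mismatch line."""
    phase1_done, failures = False, []
    for line in text.splitlines():
        m = GB_RE.match(line)
        if not m:
            continue
        if "phase 1 done" in m["msg"]:
            phase1_done = True
        if "NO_PROPOSAL_CHOSEN" in m["msg"] or "no compatible proposal" in m["msg"]:
            failures.append((m["date"] + " " + m["time"], m["msg"], phase1_done))
    return failures


if __name__ == "__main__":
    print(summarize(parse_isakmp(SAMPLE_TCPDUMP)))
    for stamp, msg, after_p1 in greenbow_failures(SAMPLE_GREENBOW):
        print(stamp, "(after phase 1)" if after_p1 else "(before phase 1)", msg)
```

On the post's data this reports four phase 1 packets, NAT-T in use, two Quick Mode attempts with one retransmit of the same msgid, and both attempts answered by an Informational a couple of milliseconds later, while the Greenbow log shows the mismatch occurring after phase 1 completed. That narrows the problem to the phase 2 proposal (the "quick" line of the flow) rather than to main mode or PF.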