Hello again,
On 15.08.2007 at 23:20, James Lepthien wrote:
Hi there,
On 15.08.2007 at 22:24, Hans-Joerg Hoexer wrote:
On Thu, Aug 09, 2007 at 02:22:31AM +0200, James Lepthien wrote:
Hi,
I have set up a vpn from my OpenBSD Box (4.1-current) to our company
WatchGuard X700. My problem is that the re-keying isn't always working
and my tunnel does not come up if I send traffic to the destination
network. I must manually restart the isakmpd and then start the tunnel
by using ipsecctl -f /etc/ipsec.conf. I see some strange errors in my
/var/log/messages even when the tunnel is up. What do these errors mean?
Aug 9 01:52:40 voldemort isakmpd[20491]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
...
My ipsec.conf looks like this:
ike esp from $ext_IP to $peer_GW
ike esp from $ext_IP to $peer_LAN peer $peer_GW
ike esp from $int_LAN to $peer_LAN \
peer $peer_GW \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XXXX"
this enables 3des/sha1/modp1024 only for the third rule. The first and
second rule will both use the default values (aes/sha1/modp1024 for
phase 1 and aes/sha2-256 for phase 2).
try this:
ike esp from $ext_IP to $peer_GW \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XXXX"
ike esp from $ext_IP to $peer_LAN peer $peer_GW \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XXXX"
ike esp from $int_LAN to $peer_LAN peer $peer_GW \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XXXX"
it is not stated in the ipsec.conf manual that you need to do this
for all the entries, just for the one ike statement which connects
the two LANs. I can not see any difference this way. The tunnel
comes up fine, but at some time the connection goes down and I need to
manually kill the isakmpd process and start the ipsec again.
In my messages there are always a lot of those lines:
Aug 15 23:16:00 voldemort isakmpd[19600]: transport_send_messages:
giving up on exchange IPsec-MYEXTIP-PEERIP, no response from peer
PEERIP:500
What does this mean? The tunnel is up and working but I still see
those lines...
Cheers
James
Now it seems to be working fine with my OpenBSD and the WatchGuard
X700. I now tried again the way that you described but have only two
ike statements. My working ipsec.conf looks like this:
ike esp from $ext_IP to $peer \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "SHAREDKEY"
ike esp from $int_LAN to $peer_LAN \
peer $peer \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "SHAREDKEY"
I still get messages like this all the time:
"Aug 18 13:20:49 voldemort isakmpd[19600]: transport_send_messages:
giving up on exchange IPsec-MY_EXT_IP-PEER_IP, no response from peer
PEER_IP:500"
But it works. Does anybody know why I get these messages?
Cheers
James
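Hans-Joerg's point above is that every ike rule without explicit main/quick parameters silently falls back to isakmpd's defaults, so rules toward the same peer can end up proposing different transforms. The following checker is an added example (not OpenBSD or isakmpd code) that parses ike rules, fills in the defaults he names, and reports peers whose rules disagree; the sample config is constructed from James's first posting, and the quick-mode default group of "none" is an assumption, since the thread does not state it.

```python
"""Report which ike rules in an ipsec.conf rely on isakmpd's default proposals.
Added example for this thread, not OpenBSD code; sample config is constructed."""
import re
MAIN_DEFAULT = {"auth": "hmac-sha1", "enc": "aes", "group": "modp1024"}
# Quick-mode group is not stated in the thread; "none" (no PFS) is assumed.
QUICK_DEFAULT = {"auth": "hmac-sha2-256", "enc": "aes", "group": "none"}
# Constructed from James's first post: only the third rule pins 3des.
SAMPLE_CONF = """\
ike esp from $ext_IP to $peer_GW
ike esp from $ext_IP to $peer_LAN peer $peer_GW
ike esp from $int_LAN to $peer_LAN peer $peer_GW \\
    main auth hmac-sha1 enc 3des group modp1024 \\
    quick auth hmac-sha1 enc 3des group none psk "XXXX"
"""

def logical_lines(text):
    """Join backslash-continued lines, as ipsec.conf(5) allows."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()

def parse_phase(tok, keyword, defaults):
    """Proposal for 'main' or 'quick'; unspecified parameters take defaults."""
    prop = dict(defaults)
    if keyword in tok:
        i = tok.index(keyword) + 1
        while i + 1 < len(tok) and tok[i] in ("auth", "enc", "group"):
            prop[tok[i]] = tok[i + 1]
            i += 2
    return prop

def ike_rules(conf_text):
    """Parse each 'ike' rule into its IKE peer and effective phase 1/2 proposals."""
    rules = []
    for line in logical_lines(conf_text):
        tok = line.split()
        if not tok or tok[0] != "ike":
            continue
        # Without an explicit 'peer', the 'to' address is the IKE peer.
        peer = tok[tok.index("peer") + 1] if "peer" in tok else tok[tok.index("to") + 1]
        rules.append({"peer": peer, "main": parse_phase(tok, "main", MAIN_DEFAULT),
                      "quick": parse_phase(tok, "quick", QUICK_DEFAULT)})
    return rules

def inconsistent_peers(rules):
    """Peers whose rules disagree on proposals (the mismatch behind the thread's 'attribute_unacceptable' line)."""
    seen, bad = {}, set()
    for r in rules:
        key = (tuple(sorted(r["main"].items())), tuple(sorted(r["quick"].items())))
        if seen.setdefault(r["peer"], key) != key:
            bad.add(r["peer"])
    return bad
```

Running it on the sample flags $peer_GW, because the first two rules propose aes while the third proposes 3des; feeding it Hans-Joerg's corrected three-rule version reports no peers.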