Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
to 10.0.0.255.

FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type require

SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
hmac-sha1 enc 3des-cbc

BUT there's another error:

Sep  3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep  3 16:12:08 obsd1 isakmpd[16423]: dropped message from
172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED


On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > 172.26.10.83, responder id 0a000080/ffffff80:
> > 10.0.0.128/255.255.255.128
>
> isakmpd tells you that the peer sent the wrong phase 2 ID.
>
> Here, you tell ISA to propose these IDs, but...
>
> > Remote Network 'OBSD1' IP Subnets:
> >     Subnet: 10.0.0.1/255.255.255.255
> >     Subnet: 10.0.0.2/255.255.255.254
> >     Subnet: 10.0.0.4/255.255.255.252
> >     Subnet: 10.0.0.8/255.255.255.248
> >     Subnet: 10.0.0.16/255.255.255.240
> >     Subnet: 10.0.0.32/255.255.255.224
> >     Subnet: 10.0.0.64/255.255.255.192
> >     Subnet: 10.0.0.128/255.255.255.128
>
> here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> by the peer:
>
> --- /etc/ipsec.conf ---
>
> ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des \
>         psk teste tag teste
>
>
> To get started, tell ISA to only use one remote subnet, i.e. 10.0.1.0/24
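As an added diagnostic example (not part of this thread and not isakmpd code), the script below decodes the hex phase 2 IDs that isakmpd prints in its "peer proposed invalid phase 2 IDs" message and compares them with the "from ... to ..." networks of the ike line in ipsec.conf. The sample log line is constructed from the message quoted above; the configured flow (10.0.0.0/24 to 10.0.1.0/24) is taken from the quoted ipsec.conf. It is assumed here that a proposed ID has to equal the configured network to be accepted, so the script reports both equality and mere containment and lets the reader see which side of the flow does not line up.

```python
import ipaddress
import re

# Constructed sample, modelled on the isakmpd message quoted in the thread
# (the original is wrapped across several lines by the mail client).
SAMPLE_LOG = (
    "Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: "
    "peer proposed invalid phase 2 IDs: initiator id ac1a0a53: "
    "172.26.10.83, responder id 0a000080/ffffff80: 10.0.0.128/255.255.255.128"
)

# Assumed local policy: the "from" (local) and "to" (remote) networks of the
# ike line in the quoted /etc/ipsec.conf.
LOCAL_FLOW = ("10.0.0.0/24", "10.0.1.0/24")

# isakmpd prints each ID as hex address, optionally followed by /hex mask.
ID_RE = re.compile(
    r"initiator id (?P<init>[0-9a-f]+(?:/[0-9a-f]+)?):.*?"
    r"responder id (?P<resp>[0-9a-f]+(?:/[0-9a-f]+)?):"
)


def decode_id(hex_id):
    """Turn isakmpd's 'addr[/mask]' hex form into an IPv4Network.

    A bare address (no mask) is a single-host ID, i.e. a /32.
    """
    addr_hex, _, mask_hex = hex_id.partition("/")
    addr = int(addr_hex, 16)
    if mask_hex:
        mask = str(ipaddress.IPv4Address(int(mask_hex, 16)))
        return ipaddress.IPv4Network((addr, mask), strict=False)
    return ipaddress.IPv4Network((addr, 32))


def parse_phase2_ids(line):
    """Return (initiator_id, responder_id) networks, or None if not an ID line."""
    m = ID_RE.search(line)
    if not m:
        return None
    return decode_id(m.group("init")), decode_id(m.group("resp"))


def check_against_flow(line, flow=LOCAL_FLOW):
    """Compare the IDs the peer proposed with the configured from/to networks.

    Seen from the responder (isakmpd here), the initiator's ID describes the
    remote side and the responder ID describes the local side of the flow.
    """
    ids = parse_phase2_ids(line)
    if ids is None:
        return None
    init_id, resp_id = ids
    local_net = ipaddress.IPv4Network(flow[0])
    remote_net = ipaddress.IPv4Network(flow[1])
    return {
        "initiator_id": str(init_id),
        "responder_id": str(resp_id),
        # exact match: what this checker assumes isakmpd requires
        "initiator_matches_remote": init_id == remote_net,
        "responder_matches_local": resp_id == local_net,
        # containment: useful to see whether the peer merely split the network
        "initiator_within_remote": init_id.subnet_of(remote_net),
        "responder_within_local": resp_id.subnet_of(local_net),
    }


if __name__ == "__main__":
    report = check_against_flow(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key:26} {value}")
```

Run against the sample, the decoded IDs come out as 172.26.10.83/32 and 10.0.0.128/25: the responder ID is inside 10.0.0.0/24 but is not equal to it (ISA split the /24 into smaller subnets), and the initiator ID has nothing to do with 10.0.1.0/24, which is the mismatch the reply above points at.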
