Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0 to 10.0.0.255.
FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type require

SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth hmac-sha1 enc 3des-cbc

BUT there's another error:

Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > 172.26.10.83, responder id 0a000080/ffffff80:
> > 10.0.0.128/255.255.255.128
>
> isakmpd tells you, that the peer sent the wrong phase 2 ID.
>
> Here, you tell ISA to propose these IDs, but...
>
> > Remote Network 'OBSD1' IP Subnets:
> > Subnet: 10.0.0.1/255.255.255.255
> > Subnet: 10.0.0.2/255.255.255.254
> > Subnet: 10.0.0.4/255.255.255.252
> > Subnet: 10.0.0.8/255.255.255.248
> > Subnet: 10.0.0.16/255.255.255.240
> > Subnet: 10.0.0.32/255.255.255.224
> > Subnet: 10.0.0.64/255.255.255.192
> > Subnet: 10.0.0.128/255.255.255.128
>
> here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> by the peer:
>
> > --- /etc/ipsec.conf ---
> > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> >         main auth hmac-sha1 enc 3des group modp1024 \
> >         quick auth hmac-sha1 enc 3des \
> >         psk teste tag teste
>
> To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24
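As an added illustration (not part of the thread, and not isakmpd or ISA code), this shows why a remote network entered as the range 10.0.0.1-10.0.0.255 is announced as the eight subnets quoted above while 10.0.0.0-10.0.0.255 collapses to a single 10.0.0.0/24, and decodes the hex phase 2 IDs from the isakmpd log. The exact-match comparison in proposal_matches_flow is my assumption about how a configured flow is matched, not something the mail states.

```python
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    A range that does not start on a power-of-two boundary (10.0.0.1) can
    only be covered by a ladder of /32, /31, /30 ... blocks, which is the
    list ISA proposes as phase 2 IDs; 10.0.0.0-10.0.0.255 is one /24.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def decode_isakmpd_id(hex_id: str) -> str:
    """Turn an isakmpd log ID such as '0a000080/ffffff80' into CIDR form.

    A bare address ('ac1a0a53') is a single host and becomes a /32.
    """
    addr_hex, _, mask_hex = hex_id.partition("/")
    addr = ipaddress.IPv4Address(int(addr_hex, 16))
    if not mask_hex:
        return str(ipaddress.IPv4Network(f"{addr}/32"))
    mask = ipaddress.IPv4Address(int(mask_hex, 16))
    return str(ipaddress.IPv4Network((str(addr), str(mask)), strict=False))


def proposal_matches_flow(proposed_ids: List[str], flow_dst: str) -> List[str]:
    """Return the proposed IDs that are identical to the configured flow.

    Assumption (mine, not from the mail): the responder only accepts a
    phase 2 ID equal to the network in its flow, so a /25 that merely lies
    inside a configured /24 is still rejected.
    """
    flow = ipaddress.IPv4Network(flow_dst)
    return [p for p in proposed_ids if ipaddress.IPv4Network(p) == flow]


if __name__ == "__main__":
    before = range_to_cidrs("10.0.0.1", "10.0.0.255")   # eight subnets
    after = range_to_cidrs("10.0.0.0", "10.0.0.255")    # one /24
    print("ISA proposes:", before)
    print("after fixing the range:", after)
    print("logged responder id:", decode_isakmpd_id("0a000080/ffffff80"))
    print("accepted by flow 10.0.0.0/24:", proposal_matches_flow(after, "10.0.0.0/24"))
```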