> -----Original Message-----
> From: Christoph Leser
> Sent: Friday, 21 September 2007 12:58
> To: 'n0g0013'
> Subject: RE: isakmp phase 2 negotiation failed
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of n0g0013
> > Sent: Thursday, 20 September 2007 23:52
> > To: misc@openbsd.org
> > Subject: isakmp phase 2 negotiation failed
> >
> > having a nightmare getting two openbsd (one 3.8, one 4.0) boxes to
> > setup a tunnel. finally got the phase 1 negotiation going (or so i
> > believe from reviewing the logs) but it appears that the phase two
> > starts and is just abandoned.
> >
> > my best guess is that the default definitions for QM-ESP-DES-MD5-SUITE
> > are incompatible but i can't seem to get by it.
> >
> > the "-DA=99" output and configuration files are attached in the hope
> > that someone can make sense of this. i also have the "-L" dump if
> > anyone needs it.
> >
> > thanks for any assistance.
> >
> > --
> > t
> > t
> > w
> >
> > # isakmpd configuration
> >
> > [General]
> > Listen-on= 83.104.36.71
> >
> > [X509-Certificates]
> > CA-directory= /etc/isakmpd/ca/
> > Cert-directory= /etc/isakmpd/certs/
> > Private-key= /etc/isakmpd/private/local.key
> >
> > [Phase 1]
> > #84.203.180.117= gw.vpn.cobbled.net
> >
> > [caley01.vpn.cobbled.net]
> > ID-Type= FQDN
> > Name= caley01.vpn.cobbled.net
> >
> > [gw.vpn.cobbled.net]
> > ID-Type= FQDN
> > Name= gw.vpn.cobbled.net
> >
> > [Phase 2]
> > Connections= cobbled-caley
> >
> > [cobbled_net-gw]
> > Phase= 1
> > Configuration= low-crypto
> > Address= 84.203.180.117
> > ID= caley01.vpn.cobbled.net
> > Remote-ID= gw.vpn.cobbled.net
> >
> > [cobbled-caley]
> > Phase= 2
> > ISAKMP-peer= cobbled_net-gw
> > Configuration= low-crypto-quick
> > Local-ID= cobbled_net-caley
> > Remote-ID= cobbled_net-all
> >
> > [cobbled_net-all]
> > ID-Type= IPV4_ADDR_SUBNET
> > Network= 10.0.0.0
> > Netmask= 255.0.0.0
> >
> > [cobbled_net-caley]
> > ID-Type= IPV4_ADDR_SUBNET
> > Network= 10.192.0.0
> > Netmask= 255.255.0.0
> >
> > [min-crypto-quick]
> > DOI= IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Transforms= QM-ESP-DES-MD5-SUITE
> >
> > [low-crypto]
> > DOI= IPSEC
> > EXCHANGE_TYPE= ID_PROT
> > Transforms= 3DES-SHA-RSA_SIG
> >
> > [low-crypto-quick]
> > DOI= IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Transforms= QM-ESP-3DES-SHA-PFS-SUITE
> >
> > [demime 1.01d removed an attachment of type application/x-gunzip]
>
> enable logging to /var/run/isakmpd.pcap by either starting isakmpd with
> the -L switch or sending the 'p on' command to the isakmpd command pipe
> (echo 'p on' >/var/run/isakmpd.fifo). Then do a
> tcpdump -r /var/run/isakmpd.pcap -nvv
> This will clearly show what parameters are negotiated and with what
> result the phase 2 negotiation fails.
>
> That's my 5 cents.
>
> regards
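Before reading a -DA=99 trace or the pcap Christoph suggests, it is worth mechanically checking the chain of section references that isakmpd resolves for a Phase 2 connection: [Phase 2] Connections= names a connection section, whose ISAKMP-peer=, Configuration=, Local-ID= and Remote-ID= keys name further sections, and the peer section's Configuration=, ID= and Remote-ID= name more. The script below is an added example written for this thread, not code from the poster, from Christoph, or from isakmpd. It parses a trimmed copy of the quoted configuration with Python's standard-library configparser and reports dangling references, sections that nothing reaches, the transform suites each connection will actually propose, and whether [Phase 1] has any uncommented peer mapping. The helper names are my own, and it assumes (my assumption) that suite names such as QM-ESP-3DES-SHA-PFS-SUITE come from isakmpd's built-in defaults and so are not followed as references. On the quoted configuration it shows that the only unreferenced section is [min-crypto-quick], the one carrying the QM-ESP-DES-MD5-SUITE the poster suspected, while the connection actually proposes QM-ESP-3DES-SHA-PFS-SUITE, and that [Phase 1] contains only a commented-out mapping.

```python
import configparser

# Constructed sample: the poster's quoted isakmpd.conf, trimmed to the
# keys this check follows ([General], [X509-Certificates], Address=, DOI=,
# EXCHANGE_TYPE=, Network= and Netmask= left out).
SAMPLE_CONF = """\
[Phase 1]
#84.203.180.117= gw.vpn.cobbled.net
[caley01.vpn.cobbled.net]
ID-Type= FQDN
Name= caley01.vpn.cobbled.net
[gw.vpn.cobbled.net]
ID-Type= FQDN
Name= gw.vpn.cobbled.net
[Phase 2]
Connections= cobbled-caley
[cobbled_net-gw]
Phase= 1
Configuration= low-crypto
ID= caley01.vpn.cobbled.net
Remote-ID= gw.vpn.cobbled.net
[cobbled-caley]
Phase= 2
ISAKMP-peer= cobbled_net-gw
Configuration= low-crypto-quick
Local-ID= cobbled_net-caley
Remote-ID= cobbled_net-all
[cobbled_net-all]
ID-Type= IPV4_ADDR_SUBNET
[cobbled_net-caley]
ID-Type= IPV4_ADDR_SUBNET
[min-crypto-quick]
Transforms= QM-ESP-DES-MD5-SUITE
[low-crypto]
Transforms= 3DES-SHA-RSA_SIG
[low-crypto-quick]
Transforms= QM-ESP-3DES-SHA-PFS-SUITE
"""

# Keys whose value names another section. Transforms= is deliberately not
# followed: suite names are assumed to come from isakmpd's built-in defaults.
REF_KEYS = ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID", "ID")
STRUCTURAL = {"General", "X509-Certificates", "Phase 1", "Phase 2"}


def parse_conf(text):
    """Parse isakmpd.conf-style text; keys keep their case (ISAKMP-peer, ID)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def connections(cp):
    """Connection names listed under [Phase 2] Connections= (comma separated)."""
    raw = cp.get("Phase 2", "Connections", fallback="")
    return [c.strip() for c in raw.split(",") if c.strip()]


def walk_connections(cp):
    """Follow references outward from [Phase 2] Connections=.
    Returns (chain, dangling, unused): chain maps each reached section to the
    sections it names, dangling lists 'section.key -> missing-section', and
    unused lists non-structural sections that nothing reaches."""
    chain, dangling, reached = {}, [], set()
    todo = [("Phase 2.Connections", c) for c in connections(cp)]
    while todo:
        src, sect = todo.pop(0)
        if not cp.has_section(sect):
            dangling.append(f"{src} -> {sect}")
        elif sect not in reached:
            reached.add(sect)
            refs = [(k, cp.get(sect, k).strip()) for k in REF_KEYS if cp.has_option(sect, k)]
            chain[sect] = [target for _, target in refs]
            todo += [(f"{sect}.{k}", target) for k, target in refs]
    unused = sorted(s for s in cp.sections() if s not in reached and s not in STRUCTURAL)
    return chain, dangling, unused


def suites_in_use(cp):
    """(phase 1 suite, phase 2 suite) each connection actually proposes,
    resolved through ISAKMP-peer= and Configuration=; None where the chain breaks."""
    def transforms_of(section):
        if section and cp.has_option(section, "Transforms"):
            return cp.get(section, "Transforms").strip()
        return None
    out = {}
    for conn in connections(cp):
        peer = cp.get(conn, "ISAKMP-peer", fallback=None) if cp.has_section(conn) else None
        p1_cfg = cp.get(peer, "Configuration", fallback=None) if peer and cp.has_section(peer) else None
        p2_cfg = cp.get(conn, "Configuration", fallback=None) if cp.has_section(conn) else None
        out[conn] = (transforms_of(p1_cfg), transforms_of(p2_cfg))
    return out


def active_phase1_entries(cp):
    """Uncommented address/Default= mappings in [Phase 1]; comment lines are skipped."""
    return list(cp.options("Phase 1")) if cp.has_section("Phase 1") else []
```

Calling `walk_connections(parse_conf(SAMPLE_CONF))` returns no dangling references and `['min-crypto-quick']` as the single unreferenced section; `suites_in_use` maps `cobbled-caley` to `('3DES-SHA-RSA_SIG', 'QM-ESP-3DES-SHA-PFS-SUITE')`, and `active_phase1_entries` is empty. Misspelling a section name (say `low-crypto-quik` in the connection's Configuration=) shows up as a dangling entry naming the exact key, which is the kind of mistake a negotiation trace alone does not point at.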