While trying to get OpenBSD and the Cisco 3002 to set up an IPsec tunnel, it was 
fairly easy and straightforward to get them to authenticate each other via 
X.509 certs. But then the main mode negotiation breaks down after a lot of 
trying, and isakmpd gives up. Various attempts to get things running by 
adding 'main' and 'quick' statements to ipsec.conf failed. If anyone can tell 
me why this would be happening, it would be greatly appreciated.

The short story:

grendel:~# cat /var/log/daemon

Oct 15 13:10:57 grendel isakmpd[22058]: message_negotiate_sa: no compatible 
proposal found
Oct 15 13:10:57 grendel isakmpd[22058]: dropped message from 10.20.20.10 port 
500 due to notification type NO_PROPOSAL_CHOSEN

The much longer story:

grendel:~# cat /etc/ipsec.conf

ike passive esp from 10.20.20.1 to 10.20.20.10

grendel:~# isakmpd -d -K -a -D 8=99

181458.243050 Default log_debug_cmd: log level changed from 0 to 99 for class 
8 [priv]
181613.644890 Negt 30 message_negotiate_sa: transform 4 proto 1 proposal 1 ok
181613.645087 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 
3DES_CBC, expected AES_CBC
181613.645154 Negt 20 ike_phase_1_validate_prop: failure
181613.645220 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645287 Negt 30 message_negotiate_sa: transform 5 proto 1 proposal 1 ok
181613.645395 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 
3DES_CBC, expected AES_CBC
181613.645457 Negt 20 ike_phase_1_validate_prop: failure
181613.645517 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645581 Negt 30 message_negotiate_sa: transform 6 proto 1 proposal 1 ok
181613.645673 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, 
expected MODP_1024
181613.645732 Negt 20 ike_phase_1_validate_prop: failure
181613.645790 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645882 Negt 30 message_negotiate_sa: transform 19 proto 1 proposal 1 ok
181613.645972 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.646030 Negt 20 ike_phase_1_validate_prop: failure
181613.646089 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646153 Negt 30 message_negotiate_sa: transform 20 proto 1 proposal 1 ok
181613.646241 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.646300 Negt 20 ike_phase_1_validate_prop: failure
181613.646358 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646422 Negt 30 message_negotiate_sa: transform 21 proto 1 proposal 1 ok
181613.646679 Negt 20 ike_phase_1_validate_prop: failure
181613.646749 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646815 Negt 30 message_negotiate_sa: transform 22 proto 1 proposal 1 ok
181613.646958 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, 
expected SHA
181613.647023 Negt 20 ike_phase_1_validate_prop: failure
181613.647137 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647206 Negt 30 message_negotiate_sa: transform 23 proto 1 proposal 1 ok
181613.647459 Negt 20 ike_phase_1_validate_prop: failure
181613.647530 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647595 Negt 30 message_negotiate_sa: transform 24 proto 1 proposal 1 ok
181613.647737 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, 
expected SHA
181613.647803 Negt 20 ike_phase_1_validate_prop: failure
181613.647866 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647931 Negt 30 message_negotiate_sa: transform 25 proto 1 proposal 1 ok
181613.648022 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648081 Negt 20 ike_phase_1_validate_prop: failure
181613.648144 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648209 Negt 30 message_negotiate_sa: transform 26 proto 1 proposal 1 ok
181613.648299 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648358 Negt 20 ike_phase_1_validate_prop: failure
181613.648420 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648485 Negt 30 message_negotiate_sa: transform 27 proto 1 proposal 1 ok
181613.648601 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648661 Negt 20 ike_phase_1_validate_prop: failure
181613.648724 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648791 Negt 30 message_negotiate_sa: transform 28 proto 1 proposal 1 ok
181613.648880 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648937 Negt 20 ike_phase_1_validate_prop: failure
181613.649003 Negt 30 message_negotiate_sa: proposal 1 failed
181613.649069 Negt 30 message_negotiate_sa: transform 29 proto 1 proposal 1 ok
181613.649159 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.649216 Negt 20 ike_phase_1_validate_prop: failure
181613.649278 Negt 30 message_negotiate_sa: proposal 1 failed
181613.649354 Default message_negotiate_sa: no compatible proposal found
181613.649435 Default dropped message from 10.20.20.10 port 500 due to 
notification type NO_PROPOSAL_CHOSEN

-- 
Jeff Simmons                                   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
        --  My Life With The Thrill Kill Kult

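The debug output above is long, but it carries only three distinct facts: for each transform the peer proposed, isakmpd logged which attribute it rejected, what the peer offered, and what the local policy expected. The script below is an added example, not part of the post or of isakmpd, that condenses `isakmpd -d -D 8=99` output into that per-transform summary. It also re-joins lines that a mail client wrapped, since the post's log is wrapped that way. The embedded SAMPLE_LOG is a constructed, trimmed copy of the post's lines; the parsing regexes are assumptions about the line shapes visible above, not an isakmpd API.

```python
import re
from collections import defaultdict

# Debug line header: "<timestamp> <class> [<level>] <rest>"; "Default" lines carry no level.
# These patterns are assumptions fitted to the line shapes in the post.
HEAD_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<cls>\w+)\s+(?:\d+\s+)?(?P<rest>.*)$")
XFORM_RE = re.compile(r"^transform (?P<xf>\d+) proto \d+ proposal \d+ ok$")
ATTR_RE = re.compile(r"^(?P<attr>[A-Z_]+): got (?P<got>\S+), expected (?P<exp>\S+)$")
DROP_RE = re.compile(r"^dropped message from (?P<peer>\S+) port \d+ due to notification type (?P<notify>\S+)$")

# Constructed sample: a trimmed copy of the post's debug output, left wrapped the
# way the mail client wrapped it, so unwrap() has something to repair.
SAMPLE_LOG = """\
181613.644890 Negt 30 message_negotiate_sa: transform 4 proto 1 proposal 1 ok
181613.645087 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got
3DES_CBC, expected AES_CBC
181613.645154 Negt 20 ike_phase_1_validate_prop: failure
181613.645581 Negt 30 message_negotiate_sa: transform 6 proto 1 proposal 1 ok
181613.645673 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768,
expected MODP_1024
181613.645732 Negt 20 ike_phase_1_validate_prop: failure
181613.646422 Negt 30 message_negotiate_sa: transform 21 proto 1 proposal 1 ok
181613.646679 Negt 20 ike_phase_1_validate_prop: failure
181613.646815 Negt 30 message_negotiate_sa: transform 22 proto 1 proposal 1 ok
181613.646958 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5,
expected SHA
181613.647023 Negt 20 ike_phase_1_validate_prop: failure
181613.648209 Negt 30 message_negotiate_sa: transform 26 proto 1 proposal 1 ok
181613.648299 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got
MODP_1536, expected MODP_1024
181613.648358 Negt 20 ike_phase_1_validate_prop: failure
181613.649354 Default message_negotiate_sa: no compatible proposal found
181613.649435 Default dropped message from 10.20.20.10 port 500 due to
notification type NO_PROPOSAL_CHOSEN
"""

def unwrap(text):
    """Re-join log lines a mail client wrapped: a line that does not start with
    an isakmpd timestamp is a continuation of the previous one."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if out and not re.match(r"\d+\.\d+\s", line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def summarize(text):
    """Per transform: the (attribute, peer value, local value) mismatches isakmpd
    logged, whether ike_phase_1_validate_prop rejected it, and the final notify."""
    transforms, failed, current = {}, set(), None
    offered, expected = defaultdict(set), defaultdict(set)
    outcome = {"peer": None, "notify": None}
    for line in unwrap(text):
        m = HEAD_RE.match(line)
        if not m:
            continue
        func, _, msg = m.group("rest").partition(": ")
        if func == "message_negotiate_sa" and XFORM_RE.match(msg):
            current = int(XFORM_RE.match(msg).group("xf"))
            transforms.setdefault(current, [])
        elif func == "attribute_unacceptable" and current is not None and ATTR_RE.match(msg):
            a = ATTR_RE.match(msg)
            transforms[current].append((a["attr"], a["got"], a["exp"]))
            offered[a["attr"]].add(a["got"])
            expected[a["attr"]].add(a["exp"])
        elif func == "ike_phase_1_validate_prop" and msg == "failure" and current is not None:
            failed.add(current)
        elif DROP_RE.match(m.group("rest")):
            d = DROP_RE.match(m.group("rest"))
            outcome = {"peer": d["peer"], "notify": d["notify"]}
    return {"transforms": transforms, "failed": failed,
            "peer_offered": {k: sorted(v) for k, v in offered.items()},
            "local_expected": {k: sorted(v) for k, v in expected.items()},
            "outcome": outcome}

def report(summary):
    """Render the summary as a few readable lines."""
    out = []
    for xf, mism in sorted(summary["transforms"].items()):
        state = "rejected" if xf in summary["failed"] else "not rejected"
        detail = ("; ".join(f"{a}: peer {g}, local {e}" for a, g, e in mism)
                  or "no attribute_unacceptable logged at this debug level")
        out.append(f"transform {xf:>2} {state}: {detail}")
    for attr in sorted(summary["local_expected"]):
        out.append(f"{attr}: peer offers {summary['peer_offered'][attr]}, "
                   f"local policy wants {summary['local_expected'][attr]}")
    o = summary["outcome"]
    if o["notify"]:
        out.append(f"result: {o['notify']} sent to {o['peer']}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run against the post's full log, the summary reduces to three lines: the peer proposes 3DES_CBC where local policy wants AES_CBC, MD5 where it wants SHA, and MODP_768 or MODP_1536 where it wants MODP_1024. Those three attributes are the ones the `main` keyword of an `ike` rule in ipsec.conf(5) pins (`auth`, `enc`, `group`), so the summary is what to compare against the local rule and the Cisco's configured phase 1 policy. Transforms 21 and 23 in the post are rejected with no attribute_unacceptable line at all, which marks the limit of this view: at class 8 level 99 isakmpd logged no reason for them, so they have to be investigated separately.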