Hi,
I'm trying to connect to a Checkpoint VPN-1 using OpenBSD 3.8. The basic setup is as
follows:
Host-A -> Gateway-A ------ <- Gateway-B <- Host-B
Gateway-A: OpenBSD3.8
Gateway-B: Checkpoint VPN1
Aim: Establish connection to Host-B from Host-A.
I have no control over Gateway-B and Host-B.
First of all, I'm able to connect to Gateway-B from Gateway-A. The configuration
files that I've used are as follows:
===================================
isakmpd.conf
[Phase 1]
IP-OF-GATEWAY-B= peer-machineB
[Phase 2]
Connections= VPN-A-B
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase= 1
Transport= udp
Address= IP-OF-GATEWAY-B
Configuration= Default-main-mode
Authentication= PRESHAREDKEY
# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase= 2
ISAKMP-peer= peer-machineB
Configuration= Default-quick-mode
Local-ID= machineA-internal-network
Remote-ID= machineB-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type= IPV4_ADDR
Address= IP-OF-HOST-A
[machineB-internal-network]
ID-type= IPV4_ADDR
Address= IP-OF-HOST-B
# Main and Quick Mode descriptions (as used by peers and connections)
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
===================================
===================================
isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
===================================
Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully
connect to Gateway-B. The tcpdump output is as follows:
===================================
tcpdump: listening on em0, link-type EN10MB
14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1->0000000000000000 msgid: 00000000 len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len
188)
14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 80
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600 (DF) (ttl 53, id
3115, len 108)
14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 (ttl 64, id 1228, len 208)
14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212)
14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 92
(ttl 64, id 23041, len 120)
14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 110:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp
v1.0exchange ID_PROT encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: 00000000 len: 68
(DF) (ttl 53, id 3119, len 96)
14:44:40.631158 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 190:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange QUICK_MODE encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 148
(ttl 64, id 249, len 176)
14:44:40.651159 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 198:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp
v1.0exchange QUICK_MODE encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 156
(DF) (ttl 53, id 3120, len 184)
14:44:40.667012 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 94: IP-OF-GATEWAY-A.500>
IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 52
(ttl 64, id 10415, len 80)
===================================
Now, with no changes, I'm trying to connect to Host-B from Host-A.
===================================
# telnet IP-OF-HOST-B 80
Trying IP-OF-HOST-B...
tcpdump: listening on em0, link-type EN10MB
14:51:25.609708 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 126: esp
IP-OF-GATEWAY-A > IP-OF-GATEWAY-B spi 0x55C3D5EA seq 1 len 92 (DF) [tos
0x10] (ttl 64, id 54842, len 112)
# netstat -rn
Encap:
Source Port Destination Port Proto
SA(Address/Proto/Type/Direction)
IP-OF-HOST-B/32 0 IP-OF-HOST-A/32 0 0
IP-OF-GATEWAY-B/50/use/in
IP-OF-HOST-A/32 0 IP-OF-HOST-B/32 0 0
IP-OF-GATEWAY-B/50/require/out
===================================
After that I added two new flow rules:
===================================
# netstat -rn
Encap:
Source Port Destination Port Proto
SA(Address/Proto/Type/Direction)
IP-OF-HOST-A/32 0 IP-OF-HOST-B/32 0 0
IP-OF-GATEWAY-B/50/require/in
IP-OF-HOST-B/32 0 IP-OF-HOST-A/32 0 0
IP-OF-GATEWAY-B/50/use/in
IP-OF-HOST-A/32 0 IP-OF-HOST-B/32 0 0
IP-OF-GATEWAY-B/50/require/out
IP-OF-HOST-B/32 0 IP-OF-HOST-A/32 0 0
IP-OF-GATEWAY-B/50/require/out
===================================
Without changing any settings in the isakmpd configuration files I retry
connecting to Host-B, and get the following tcpdump output:
===================================
14:58:42.916302 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 84f811a77578f599->0000000000000000 msgid: 00000000 len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 56922, len
188)
14:58:42.934972 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 82: IP-OF-GATEWAY-B.500>
IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 84f811a77578f599->0000000000000000 msgid: b7b40411 len: 40
payload: NOTIFICATION len: 12
notification: NO PROPOSAL CHOSEN (DF) (ttl 53, id 3145, len 68)
===================================
After this long introduction, let me now get to the actual questions :)
1. What's the problem with my isakmpd.conf file since isakmpd can't add
correct flow rules?
2. Why is AUTHENTICATION_METHOD set to RSA_SIG in the second try? How can I set
it to PRE_SHARED? It's obvious that the NO PROPOSAL CHOSEN error is
related to the authentication method, since VPN-1 expects me to use PRE_SHARED as
the authentication method.
Sorry for this long post, I was trying to give as much detail as I could.
Thanks for the replies.
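A small parser, added here and not part of the post, that re-joins tcpdump's wrapped isakmp output and reports, per IKE attempt (keyed by initiator cookie), which authentication method was proposed, whether QUICK_MODE was reached, and what notification the peer sent back. It runs on a constructed excerpt of the two captures above, so the working run (PRE_SHARED, phase 2 reached) sits next to the failing one (RSA_SIG, NO PROPOSAL CHOSEN); the IP-OF-* placeholders are the post's own.

```python
import re

# Constructed excerpt of the two tcpdump captures in the post, wrapped exactly
# as tcpdump prints them; the IP-OF-* placeholders are the post's own.
CAPTURE = """\
14:44:40.315165 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1->0000000000000000 msgid: 00000000 len: 160
attribute AUTHENTICATION_METHOD = PRE_SHARED
14:44:40.631158 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange QUICK_MODE encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: a960a9e2 len: 148
14:58:42.916302 IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 84f811a77578f599->0000000000000000 msgid: 00000000 len: 160
attribute AUTHENTICATION_METHOD = RSA_SIG
14:58:42.934972 IP-OF-GATEWAY-B.500> IP-OF-GATEWAY-A.500: isakmp v1.0 exchange INFO
cookie: 84f811a77578f599->0000000000000000 msgid: b7b40411 len: 40
notification: NO PROPOSAL CHOSEN (DF) (ttl 53, id 3145, len 68)
"""

def split_records(text):
    """Re-join wrapped tcpdump output: a new record starts at a timestamp."""
    return [" ".join(r.split())
            for r in re.split(r"\n(?=\d\d:\d\d:\d\d\.\d)", text.strip())]

def parse_record(rec):
    """Fields needed to see why a phase 1 proposal was accepted or refused."""
    exch = re.search(r"isakmp v1\.0 ?exchange (\w+)", rec)
    cookie = re.search(r"cookie: ([0-9a-f]{16})->", rec)
    auth = re.search(r"AUTHENTICATION_METHOD = (\w+)", rec)
    notif = re.search(r"notification: ([A-Z ]+?) \(", rec)
    return {"icookie": cookie.group(1), "exchange": exch.group(1),
            "auth": auth and auth.group(1), "notify": notif and notif.group(1)}

def diagnose(text):
    """Per IKE attempt (keyed by initiator cookie): first auth method proposed,
    whether QUICK_MODE was reached, and any notification the peer sent back."""
    attempts = {}
    for r in map(parse_record, split_records(text)):
        a = attempts.setdefault(r["icookie"], {"auth": None, "notify": None, "phase2": False})
        a["auth"] = a["auth"] or r["auth"]
        a["notify"] = a["notify"] or r["notify"]
        a["phase2"] |= r["exchange"] == "QUICK_MODE"
    return attempts

if __name__ == "__main__":
    for cookie, a in diagnose(CAPTURE).items():
        print(cookie, a)
```

Feed it a full capture (tcpdump -vv on the external interface, port 500) and each initiator cookie comes out as one line, which makes a changed proposal between two attempts easy to spot.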