On Mon, Aug 25, 2008 at 09:50:08PM +0200, Laurent CARON wrote:
> John Jackson wrote:
> >It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
> >'apt-get install isakmpd'.  I've had success using isakmpd on Debian to
> >create VPN's between OpenBSD and Debian gateways.
> 
> 
> Here is where I'm now:
> 
> Openswan's side:
> 
> conn lncjakarta-lncha
>     leftsubnet=192.168.9.0/24
>     left=LINUX_IP
>     right=BSD_IP
>     rightsubnet=10.50.0.0/24
>     authby=secret
>     auto=start
>     pfs=yes
>     ike=aes128-sha1-modp1024
>     esp=3des-sha1-96
> 
> BSD side:
> 
> ike esp tunnel from 10.50.0.0/24 to 192.168.9.0/24 peer LINUX_IP main 
> auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha2-256 enc aes 
> group modp1024  psk "MYPSK"
> 
> Now the log shows:
> 
> Linux Side
> 
> STATE_MAIN.....
>  STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xdb08bdcf 
> <0x57b31855 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> The VPN seems to be up
> 
> but .... getting such messages:
> 
> Quick Mode message is for a non-existent (expired?) ISAKMP SA
> 
> BSD side:
> Default transport_send_messages: giving up on exchange 
> IPsec-10.50.0.0/24-192.168.9.0/24, no response from peer LINUX_IP:500
> 
> Any hint ?
> 
> Thanks


It looks like you are trying to use different encryption algorithms and
hash functions for the phase 2 SA. They need to match at both end points.
It looks like the Linux box is configured to do 3DES and SHA1. The
OpenBSD box is configured to do AES and SHA256.

-- 
Sean Malloy
www.spmalloy.com
GPG KeyID: 0x13EEB747
GPG Fingerprint: D059 5076 ABB3 1E08 9965 1958 F820 CE83 13EE B747

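As an added illustration (not part of this thread, nor code from Openswan or isakmpd), here is a small checker that does mechanically what Sean's reply does by eye: it normalises the Openswan `esp=` proposal list and the `quick` part of an OpenBSD `ike` rule into common (encryption, integrity) names and reports whether the two ends share any phase 2 proposal. The token tables, the treatment of a trailing `-96` as the HMAC truncation length, and the requirement that the `quick` keywords be written out explicitly are assumptions about the two syntaxes, not a full grammar; the "fixed" pair (`esp=aes128-sha1` against `quick auth hmac-sha1 enc aes`) is one matching choice, not the only one.

```python
"""Cross-check IPsec phase 2 (quick mode) proposals between an Openswan
esp= line and an OpenBSD ipsec.conf 'ike' rule as handled by isakmpd.

Hypothetical helper written for this example; it belongs to neither
project.  The token tables cover the algorithms seen in the thread plus
the common AES key sizes and are an assumption about the two config
syntaxes, not a complete grammar.
"""

# Canonical names shared by both sides: encryption and integrity.
OPENSWAN_ENC = {"3des": "3des", "aes": "aes128", "aes128": "aes128", "aes256": "aes256"}
OPENSWAN_AUTH = {"md5": "md5", "sha1": "sha1", "sha2_256": "sha2_256"}
# ipsec.conf(5): 'enc aes' means AES-128, 'aes-256' selects 256-bit keys.
ISAKMPD_ENC = {"3des": "3des", "aes": "aes128", "aes-128": "aes128", "aes-256": "aes256"}
ISAKMPD_AUTH = {"hmac-md5": "md5", "hmac-sha1": "sha1", "hmac-sha2-256": "sha2_256"}


def _lookup(table, token, what):
    """Map a config token to its canonical name, failing loudly on unknowns."""
    try:
        return table[token]
    except KeyError:
        raise ValueError("unknown %s token: %r" % (what, token))


def parse_openswan_esp(esp_value):
    """Return the set of (enc, auth) pairs an Openswan esp= value offers.

    '3des-sha1-96,aes128-sha1' -> {('3des','sha1'), ('aes128','sha1')}
    A trailing numeric token ('-96') is taken as the HMAC truncation
    length and dropped; an optional ';modpNNNN' PFS group is ignored
    because it is not part of the cipher/hash comparison made here.
    """
    proposals = set()
    for prop in esp_value.split(","):
        prop = prop.strip().lower().split(";")[0]
        tokens = prop.split("-")
        if len(tokens) == 3 and tokens[-1].isdigit():
            tokens = tokens[:-1]
        if len(tokens) != 2:
            raise ValueError("unrecognised esp proposal: %r" % prop)
        enc, auth = tokens
        proposals.add((_lookup(OPENSWAN_ENC, enc, "openswan enc"),
                       _lookup(OPENSWAN_AUTH, auth, "openswan auth")))
    return proposals


def parse_isakmpd_quick(rule):
    """Return the (enc, auth) pair an ipsec.conf 'ike' rule states for
    quick mode: the 'auth'/'enc' keywords following the 'quick' keyword.
    Assumption: both keywords are written out (they are in the thread);
    ipsec.conf(5) defaults are deliberately not guessed here.
    """
    tokens = rule.split()
    if "quick" not in tokens:
        raise ValueError("rule has no explicit quick-mode proposal")
    i = tokens.index("quick") + 1
    enc = auth = None
    while i + 1 < len(tokens) and tokens[i] in ("auth", "enc", "group"):
        key, val = tokens[i], tokens[i + 1].lower()
        if key == "auth":
            auth = _lookup(ISAKMPD_AUTH, val, "isakmpd auth")
        elif key == "enc":
            enc = _lookup(ISAKMPD_ENC, val, "isakmpd enc")
        i += 2                      # 'group modpNNNN' is skipped
    if enc is None or auth is None:
        raise ValueError("quick mode needs explicit 'auth' and 'enc' here")
    return (enc, auth)


def phase2_common(openswan_esp, isakmpd_rule):
    """Proposals both ends accept for phase 2.  An empty set means quick
    mode can never complete, which is what the thread's logs show."""
    return parse_openswan_esp(openswan_esp) & {parse_isakmpd_quick(isakmpd_rule)}


def phase2_report(openswan_esp, isakmpd_rule):
    """One-line verdict in the style of the reply above."""
    ours = parse_openswan_esp(openswan_esp)
    theirs = parse_isakmpd_quick(isakmpd_rule)
    if theirs in ours:
        return "OK: both ends offer %s/%s" % theirs
    return "MISMATCH: Openswan offers %s; isakmpd quick mode wants %s/%s" % (
        ", ".join("%s/%s" % p for p in sorted(ours)), theirs[0], theirs[1])


# Constructed from the two configs posted in the thread (placeholders kept).
LINUX_ESP_POSTED = "3des-sha1-96"
BSD_RULE_POSTED = ('ike esp tunnel from 10.50.0.0/24 to 192.168.9.0/24 peer LINUX_IP main '
                   'auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha2-256 enc aes '
                   'group modp1024 psk "MYPSK"')
# One matching pair (assumed fix): AES-128 with HMAC-SHA1 at both ends.
LINUX_ESP_FIXED = "aes128-sha1"
BSD_RULE_FIXED = BSD_RULE_POSTED.replace("quick auth hmac-sha2-256 enc aes",
                                         "quick auth hmac-sha1 enc aes")

if __name__ == "__main__":
    for label, esp, rule in (("posted", LINUX_ESP_POSTED, BSD_RULE_POSTED),
                             ("fixed", LINUX_ESP_FIXED, BSD_RULE_FIXED)):
        print("%-6s %s" % (label, phase2_report(esp, rule)))
```

Run as a script it prints MISMATCH for the configs as posted and OK for the corrected pair. The same comparison can be made with a pcap of the exchange: Openswan's "Quick Mode message is for a non-existent (expired?) ISAKMP SA" and isakmpd's "giving up on exchange ... no response" are what a phase 2 proposal that never matches looks like from each side once phase 1 has succeeded.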