ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
New thread, after some new tests, and still the same... shit!

Here is the LAN/WAN network:

    192.168.0.0/24 (lan) -- Netgear DG834 (adsl + NAT + ipsec + fixed IP A)
           |
        ---WEB---
           |
    OpenBSD 4.2 (ipsec.conf + isakmpd.policy + fixed IP B + NAT) -- 10.7.22.0/24 (lan)

Here are the confs.

Netgear:

    local lan  : 192.168.0.0/24
    remote lan : 10.7.22.0/24
    IKE:
      direction      : initiator respond
      mode           : main
      Diffie-Hellman : Group 2 (1024)
      local id       : IP wan
      remote id      : IP
    Params:
      crypto algo    : 3DES
      auth algo      : SHA-1
      pre shared key : 123456789
      SA life time   : 36000

OpenBSD:

ipsec.conf:

    ike passive esp tunnel from IP_A to IP_B \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk 123456789
    ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk 123456789

I have tried passive and dynamic for ike esp; it's the same.

isakmpd.policy:

    KeyNote-Version: 2
    Authorizer: POLICY

pf.conf:

    pass in  on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
    pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
    pass in  on $IP_B proto esp from $IP_A to $IP_B
    pass out on $IP_B proto esp from $IP_B to $IP_A
    pass in  on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
    pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)
    pass in  on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
    pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for NAT on $IP_B. enc0 is up and running.

I start my VPN with:

    isakmpd -dv -D 8=99

And finally, here is the trouble. I get this on the isakmpd console:

    151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
    151330.400933 Negt 20 ike_phase_1_validate_prop: success
    151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
    151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500

And this on the DG834:

    Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
    Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
    Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
    Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message

And finally (as wanted by those who try to help me... thanks), echo p on /var/run/isakmpd.fif and tcpdump -r /var/run/isakmpd.pcap -vvn:

    tcpdump: WARNING: snaplen raised from 96 to 65536
    11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f-> msgid: len: 100
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
        payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 3600
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
    11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: len: 180
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
        payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 3600
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)

And then nothing.

It is not related to my ISP; I have tried with 2 different ones, and it is the same. For me it is around pf.conf, but I can't find where.

jc
Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
Hi, here are my 50 cents:

tcpdump looks good: the OpenBSD machine receives the first message of the phase 1 exchange and sends a suitable response. Your Netgear log says that no response to the first message is received. This means the response from isakmpd gets lost, either in local pf, or in the Netgear (don't know if they have some sort of packet filter), or somewhere in between. You could distinguish these two possibilities by either

    tcpdump -lenvvi pflog0    # watch out for packets to IP_A that are blocked

or

    tcpdump -lenvvi <external if> ip host IP_A

(you should see exactly one message in and one message out). Once we know whether the packets really leave OpenBSD, we can do further analysis.

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of jcr
Sent: Tuesday, 27 November 2007 12:10
To: misc@openbsd.org
Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
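The reading above (message 1 in, message 2 out, then silence) can be automated. The following Python checker is an added example, not code from the thread: it parses the text of `tcpdump -r /var/run/isakmpd.pcap -vvn`, groups Main Mode packets by initiator cookie, and says whether the local responder never answered, answered but was never heard (the case in this thread), or got past message 2. The sample capture is constructed to mirror the one quoted above, and IP_A / IP_B are the thread's placeholders, not real addresses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 'tcpdump -r /var/run/isakmpd.pcap -vvn'
# output quoted in the thread: Main Mode message 1 arrives from the Netgear
# (IP_A), isakmpd on OpenBSD (IP_B) answers with message 2, nothing follows.
# IP_A / IP_B are the thread's placeholders, not real addresses.
SAMPLE_PCAP_TEXT = """\
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: cb79617a4b409a8f-> msgid: len: 100
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: len: 180
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
"""

# One packet header per line; indented payload continuation lines do not match.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?:500|4500) > (?P<dst>\S+)\.(?:500|4500): "
    r".*?isakmp v1\.0 exchange (?P<exch>\S+) cookie: (?P<icookie>[0-9a-f]{16})->"
)

def parse_isakmp(text):
    """Return (src, dst, exchange, initiator_cookie) per ISAKMP packet line."""
    return [(m["src"], m["dst"], m["exch"], m["icookie"])
            for m in map(PKT_RE.match, text.splitlines()) if m]

def diagnose_main_mode(text, local_ip):
    """Group Main Mode (ID_PROT) packets by initiator cookie and classify
    each exchange from the direction of the packets seen on the local host."""
    flows = defaultdict(list)
    for src, dst, exch, icookie in parse_isakmp(text):
        if exch == "ID_PROT":
            flows[icookie].append("out" if src == local_ip else "in")
    verdicts = {}
    for icookie, dirs in flows.items():
        if dirs == ["in"]:
            verdicts[icookie] = "no reply sent: responder rejected or ignored message 1"
        elif dirs == ["in", "out"]:
            # The thread's case: we answered, the peer never sent message 3.
            verdicts[icookie] = "reply sent but peer never continued: message 2 lost on the return path"
        elif dirs[:3] == ["in", "out", "in"]:
            verdicts[icookie] = "phase 1 progressing past message 2"
        elif all(d == "out" for d in dirs):
            verdicts[icookie] = "we initiated and received no reply"
        else:
            verdicts[icookie] = "unexpected sequence: " + ",".join(dirs)
    return verdicts

if __name__ == "__main__":
    for cookie, verdict in diagnose_main_mode(SAMPLE_PCAP_TEXT, "IP_B").items():
        print(cookie, verdict)
```

A verdict of "message 2 lost on the return path" is the cue to run the pflog0 and external-interface captures suggested above, which tell local pf apart from the far end.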
Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
I forgot to ask: what are the NAT statements in your pf.conf that you mention? The IPsec packets should not be NAT'ed in your configuration (although IPsec can go through NAT in general).

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of jcr
Sent: Tuesday, 27 November 2007 12:10
To: misc@openbsd.org
Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)