ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

To: <misc@...>
Date: Tuesday, November 27, 2007 - 7:09 am

New thread, after some new tests.

And still the same ... shit!

Here is the LAN/WAN network


192.168.0/24 (lan) --> Netgear DG834 (adsl + NAT + ipsec + ip fix A)
                                          |
                                     <---WEB--->
                                          |
                       OpenBSD 4.2 (ipsec.conf + isakmpd.policy + ip fix B + NAT) --> 10.7.22.0/24 (lan)


Here are the confs:

netgear :

local lan : 192.168.0.0/24
remote lan : 10.7.22.0/24
IKE :
direction : initiator & respond
mode : main
Diffie-Hellman : Group 2 (1024)
local id : IP wan
remote id: IP

Params
Crypto algo : 3DES
Algo auth : SHA-1
pre shared key : 123456789
SA life time : 36000


Openbsd :
ipsec.conf

ike passive esp tunnel from IP_A to IP_B \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc 3des  psk 123456789

ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc 3des psk 123456789

I have tried passive & dynamic for ike esp; it's the same.

isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"

pf.conf

pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}

pass in  on $IP_B proto esp from $IP_A to $IP_B
pass out on $IP_B proto esp from $IP_B to $IP_A

pass in on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)

pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for NAT on $IP_B


enc0 is up and running

I start my VPN with

isakmpd -dv -D 8=99


And finally here is the trouble; I got this on the isakmpd console

151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500

And this on the DG834

Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1.  No acceptable response to our first IKE message


and finally (as wanted by those who try to help me... thanks)

echo "p on" > /var/run/isakmpd.fif and tcpdump -r /var/run/isakmpd.pcap -vvn


tcpdump: WARNING: snaplen raised from 96 to 65536
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->0000000000000000 msgid: 00000000 len: 100
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: 00000000 len: 180
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)



And then nothing !!!!

It is not related to my ISP; I have tried with 2 different ones, and it is the same.


For me it is around pf.conf, but I can't find where.

jc
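The three pieces of evidence in the post (the isakmpd debug line, the DG834 log and the isakmpd packet capture) tell one consistent story once they are read together: the OpenBSD side receives main-mode message 1 and emits message 2, the router never sees message 2 and keeps retransmitting message 1, and isakmpd eventually gives up waiting for message 3. The script below is an added example, not code from the post or from OpenBSD; it parses tcpdump-style isakmp lines, groups packets by initiator cookie, and classifies where each phase-1 exchange stalled, then cross-checks the two log formats. The sample inputs are constructed from the post's output with the mail wrapping removed; the verdict strings and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the post's trace from
# /var/run/isakmpd.pcap (wrapped lines joined). Not the poster's raw data.
TCPDUMP_TRACE = """\
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->0000000000000000 msgid: 00000000 len: 100
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: 00000000 len: 180
"""

# Constructed lines in the style of the isakmpd debug output and the DG834 log.
ISAKMPD_LOG = ("151357.435134 Default transport_send_messages: giving up on exchange "
               "peer-IP_A, no response from peer IP_A:500\n")
ROUTER_LOG = ("Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; "
              "will wait 20s for response\n"
              "Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached "
              "STATE_MAIN_I1.  No acceptable response to our first IKE message\n")

# tcpdump -vvn isakmp summary line and its cookie continuation line
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r".*isakmp v1\.0 exchange (?P<exch>\S+)")
COOKIE_RE = re.compile(r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16})")
NO_RCOOKIE = "0" * 16  # responder cookie is all zeros only in main-mode message 1


def parse_isakmp_packets(trace):
    """One dict per IKEv1 packet: endpoints, exchange type and the cookie pair."""
    packets, current = [], None
    for line in trace.splitlines():
        m = PKT_RE.match(line)
        if m:
            current = m.groupdict()
            packets.append(current)
            continue
        c = COOKIE_RE.search(line)
        if c and current is not None:
            current.update(c.groupdict())
    return packets


def classify_main_mode(packets):
    """Group main-mode packets by initiator cookie and say where each exchange stopped."""
    exchanges = defaultdict(list)
    for p in packets:
        if p.get("exch") == "ID_PROT" and "icookie" in p:
            exchanges[p["icookie"]].append(p)

    verdicts = {}
    for icookie, pkts in exchanges.items():
        initiator = pkts[0]["src"]
        msg1 = [p for p in pkts if p["src"] == initiator and p["rcookie"] == NO_RCOOKIE]
        msg2 = [p for p in pkts if p["src"] != initiator and p["rcookie"] != NO_RCOOKIE]
        later = [p for p in pkts if p["src"] == initiator and p["rcookie"] != NO_RCOOKIE]
        if not msg2:
            verdict = ("no reply from responder: check inbound filtering for udp/500 "
                       "and that isakmpd is listening")
        elif not later:
            verdict = ("reply-lost: responder sent message 2 but the initiator never "
                       "continued; message 2 is not arriving at the initiator, check "
                       "outbound filtering/NAT on the responder's external interface")
        else:
            verdict = "phase 1 progressed past message 2"
        verdicts[icookie] = {"initiator": initiator, "msg1_sent": len(msg1),
                             "msg2_sent": len(msg2), "verdict": verdict}
    return verdicts


def corroborate(isakmpd_log, router_log):
    """Collect the log symptoms that fit a one-way phase-1 exchange."""
    findings = []
    if re.search(r"giving up on exchange .*no response from peer", isakmpd_log):
        findings.append("responder timed out waiting for message 3")
    if re.search(r"STATE_MAIN_I1: retransmission", router_log):
        findings.append("initiator stuck in MAIN_I1, retransmitting message 1")
    if re.search(r"No acceptable response to our first IKE message", router_log):
        findings.append("initiator gave up after message 1")
    return findings


def diagnose(trace, isakmpd_log, router_log):
    """Combine the capture verdicts with the two logs into one report."""
    return {"exchanges": classify_main_mode(parse_isakmp_packets(trace)),
            "log_findings": corroborate(isakmpd_log, router_log)}


if __name__ == "__main__":
    report = diagnose(TCPDUMP_TRACE, ISAKMPD_LOG, ROUTER_LOG)
    for cookie, v in report["exchanges"].items():
        print(f"{cookie}: {v['verdict']}")
    for f in report["log_findings"]:
        print(" -", f)
```

One caveat the classifier cannot resolve on its own: the post's capture comes from isakmpd's own packet dump, which records what the daemon handed to the socket, not what left the wire. A message 2 in that file therefore shows isakmpd answered, but does not show that the packet passed the outbound pf rules, survived the NAT rule on the same address, or reached the router. The next piece of evidence to gather is a capture on the external interface itself (and pflog, if the block rules log) to see whether IP_B.500 > IP_A.500 actually goes out.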
Messages in current thread:
ipsec vpn netgear DG834 : openbsd 4.2 (new thread), jcr, (Tue Nov 27, 7:09 am)
Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread), Christoph Leser, (Tue Nov 27, 8:02 am)
Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread), Christoph Leser, (Tue Nov 27, 7:56 am)