Hi,

here my 50 cent:

tcpdump looks good, obsd maschine receives first message of phase 1 exchange
and sends a suitable response.

your netgear log says, that no response to first message is received.

this means, response from isakmpd gets lost, either in local pf or in netgear
( dont know if they have some sort packet filter ) or somewhere in between .

you could distinguish there two possibilities by either

tcpdump -lenvvi pflog0 # watch out for packets to if_A that are blocked

or

tcpdump -lenvvi <external if> ip host if_A   ( you should see exactly one
message in and one message out )

Once we know whether the packets really leave openBSD, we can do further
analysis.



quoted text
> -----Urspr|ngliche Nachricht-----
> Von: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]Im Auftrag
> von jcr
> Gesendet: Dienstag, 27. November 2007 12:10
> An: misc@openbsd.org
> Betreff: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
>
>
> New thread .. after some new test..
>
> And stiill the same ... shit !
>
> Here is the LAn/WAn network
>
>
> 192.168.0/24(lan)-->Netgear DG 834 (adsl + NAT + ipsec +ip fix A)
>                                                  |
>                                          <---WEB--->
>                                                   |
>                                  Openbsd 4.2
> (ipsec.conf+isakmpd.policy+ip fix B+ NAT) --> 10.7.22.0/24(lan)
>
>
> Here are the conf :
>
> netgear :
>
> local lan : 192.168.0.0/24
> remote lan : 10.7.22.0/24
> IKE :
> direction : initiator & respond
> mode : main
> diffie-Hellman : Groupe 2 (1024)
> local id : IP wan
> remote id: IP
>
> Params
> Crypto algo : 3DES
> Algo auth : SHA-1
> pre shared key : 123456789
> SA life time : 36000
>
>
> Openbsd :
> ipsec.conf
>
> ike passive esp tunnel from IP_A to IP_B \
>      main auth hmac-sha1 enc 3des group modp1024 \
>      quick auth hmac-sha1 enc 3des  psk 123456789
>
> ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
>      main auth hmac-sha1 enc 3des group modp1024 \
>      quick auth hmac-sha1 enc 3des psk 123456789
>
>    i have tried passive & dynamic for ike esp .. it's the same
>
> isakmpd.policy
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
>
> pf.conf
>
> pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
> pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
>
> pass in  on $IP_B proto esp from $IP_A to $IP_B
> pass out on $IP_B proto esp from $IP_B to $IP_A
>
> pass in on enc0 proto ipencap from $IP_A to $IP_B keep state
> (if-bound)
> pass out on enc0 proto ipencap from $IP_B to $IP_A keep state
> (if-bound)
>
> pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep
> state (if-bound)
> pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep
> state (if-bound)
>
> i have a rule for nat on $IP_B
>
>
> enc0 is up and running
>
> i start my vpn with
>
> isakmpd -dv -D 8=99
>
>
> And Finally here is the Trouble , i got this on isakmpd console
>
> 151330.400513 Negt 30 message_negotiate_sa: transform 0 proto
> 1 proposal
> 0 ok
> 151330.400933 Negt 20 ike_phase_1_validate_prop: success
> 151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
> 151357.435134 Default transport_send_messages: giving up on exchange
> peer-IP_A, no response from peer IP_A:500
>
> And this on the DG834
>
> Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
> Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will
> wait 20s for response
> Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will
> wait 40s for response
> Fri, 2007-11-23 14:14:40 - [idle] max number of
> retransmissions reached
> STATE_MAIN_I1.  No acceptable response to our first IKE message
>
>
> and finally ( As wanted for those who try to help me .. thanks)
>
> echo "p on" > /var/run/isakmpd.fif and tcpdump -r
> /var/run/isakmpd.pcap
> -vvn
>
>
> tcpdump: WARNING: snaplen raised from 96 to 65536
> 11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0
> exchange
> ID_PROT
>         cookie: cb79617a4b409a8f->0000000000000000 msgid:
> 00000000 len: 100
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 0 proto:
> ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0]
> (id 1, len 128)
> 11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0
> exchange
> ID_PROT
>         cookie: cb79617a4b409a8f->76316a628a99ce2b msgid:
> 00000000 len: 180
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 0 proto:
> ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>         payload: VENDOR len: 20 (supports OpenBSD-4.0)
>         payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
>         payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
>         payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>         payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0]
> (id 1, len 208)
>
>
>
> And then nothing !!!!
>
> it is not related to my FAI i have tried with 2 different..
> it is the same
>
>
> For me it is around pf.conf .. but i can't find where
>
> jc