Steven Surdock wrote:
quoted text
> Greetings, I recently converted from isakmpd.conf to ipsec.conf and I
> seem to be having problem bringing up a second tunnel to a PIX.  It
> _appears_ that the OBSD side is trying to use the default hmac
> (sha2_256) even though it is configured to use md5 for the second
> tunnel.  Oddly, the first tunnel comes up fine.  Any insight or
> trouble-shooting tips would be appreciated.  BTW, Is there anyway to see
> what flows have been "configured"?  "ipsecctl -sf" seemed to only show a
> flow when phase I was complete.
> 
> ipsecctl -sf
> --------
> flow esp in from 192.168.60.192/28 to 10.10.0.0/16 peer 192.168.40.8
> srcid 192.168.13.4/32 dstid 192.168.40.8 type use
> flow esp out from 10.10.0.0/16 to 192.168.60.192/28 peer 192.168.40.8
> srcid 192.168.13.4/32 dstid 192.168.40.8 type require
> ++++++++
> The local peer (OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT
> 2007) is configured like:
> --------
> ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
>         peer  192.168.40.8 \
>         local 192.168.13.4 \
>         main auth hmac-md5 enc aes group modp1024 \
>         psk "Hereismylovelykey"
> ++++++++
> /var/log/messages:
> --------
> Apr 23 12:28:52 fw1 isakmpd[965]: transport_send_messages: giving up on
> exchange IPsec-10.5.0.0/24-192.168.60.192/28, no response from peer
> 192.168.40.8:500
> Apr 23 12:28:52 fw1 isakmpd[965]: message_recv: bad message length
> Apr 23 12:28:52 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
> 500 due to notification type <Unknown 0>
> ...more of the above
> Apr 23 12:29:37 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
> 500 due to notification type <Unknown 0>
> Apr 23 12:30:25 fw1 isakmpd[965]: message_validate_notify: protocol not
> supported
> Apr 23 12:30:33 fw1 isakmpd[965]: message_recv: bad message length
> ++++++++
> The remote is a PIX configured like:
> --------
> access-list 100 permit ip 192.168.60.192 255.255.255.240 10.10.0.0
> 255.255.0.0
> access-list 100 permit ip 192.168.60.192 255.255.255.240 10.5.0.0
> 255.255.255.0
> sysopt connection permit-ipsec
> crypto ipsec transform-set RMT esp-aes esp-md5-hmac
> crypto map RMT 10 ipsec-isakmp
> crypto map RMT 10 match address 100
> crypto map RMT 10 set peer 192.168.13.4
> crypto map RMT 10 set transform-set RMT
> crypto map RMT interface outside
> isakmp enable outside
> isakmp key ******** address 192.168.13.4 netmask 255.255.255.255
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption aes
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> ++++++++
> The PIX debug says:
> --------
> crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
> dpt:500
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 3599058422
> 
> ISAKMP : Checking IPSec proposal 1
> 
> ISAKMP: transform 1, ESP_AES
> ISAKMP:   attributes in transform:
> ISAKMP:      SA life type in seconds
> ISAKMP:      SA life duration (basic) of 1200
> ISAKMP:      encaps is 1
> ISAKMP:      authentication algorithm... What? 5?
> ISAKMP:      group is 2
> ISAKMP:      key length is 128IPSEC(validate_proposal): transform
> proposal (prot 3, trans 12, hmac_alg 5) not supported
> 
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS
> crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
> dpt:500
> ISAKMP: phase 2 packet is a duplicate of a previous packet
> ISAKMP: resending last response
> ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0xd68545f6
> crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
> dpt:500
> ISAKMP: phase 2 packet is a duplicate of a previous packet
> crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
> dpt:500
> ISAKMP: phase 2 packet is a duplicate of a previous packet
> ISAKMP: resending last response
> ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xd68545f6
> ++++++++
> 
> 

I too have the same problem.
I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it works flawlessly with 
another OpenBSD system as the peer.

I tried to enable OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5))

I defined "quick auth hmac-sha enc aes", when I do that I get phase 1 completed.

ipsec.conf
ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
         local 10.200.3.7 peer 10.200.3.1 \
         main auth hmac-sha1 enc aes \
         quick auth hmac-sha enc aes \
         srcid 10.200.3.7 psk "F00F00Bar"

snippet from PIX firewall:

crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 1 ipsec-isakmp
crypto map VPN_MAP 1 match address VPN_ACL
crypto map VPN_MAP 1 set peer 10.200.3.7
crypto map VPN_MAP 1 set transform-set IPSEC_SET
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 10.200.3.7 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800

pixfirewall# sh crypto isakmp sa
Total     : 1
Embryonic : 0
         dst               src        state     pending     created
       10.200.3.1       10.200.3.7    QM_IDLE         0           0

But phase 2 does not established at all for some reason!

Does anybody need any more logs?

Thanks
Prabhu
-