Re: ipsec vpn?

To: <misc@...>
Cc: Hans-Joerg Hoexer <Hans-Joerg.Hoexer@...>
Date: Wednesday, August 15, 2007 - 7:53 pm

On Wed, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote:

Thank you Hans-Joerg, but it is still useless for me: :( 

sudo cat /etc/ipsec.conf
ike passive from any to 10.1.1.0/24 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk secret

pf.conf rules relative to ipsec:

set skip on { lo enc0 }

pass in on $ext_if proto udp to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to port { 500, 4500 }
pass in on $ext_if proto esp to ($ext_if)
pass out on $ext_if proto esp from ($ext_if)
pass in on enc0 proto ipencap to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) keep state (if-bound)

further:

isakmpd -dKv &
ipsecctl -F
ipsecctl -f /etc/ipsec.conf

greenbowclient: all parameters are in accordance with ipsec.conf on gateway side:

logs on gw - 

023255.538907 Default isakmpd: phase 1 done: initiator id c0a80321: 192.168.3.33, responder id 5851eaa2: 88.81.XX.XX, src: 88.81.XX.XX dst: 77.123.XX.XX
023255.558498 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
023255.558643 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN
023302.570472 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
023302.570660 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN

greenbowclient logs - 

20070816 023245 Default IKE daemon is removing SAs...
20070816 023250 Default Reinitializing IKE daemon
20070816 023250 Default IKE daemon reinitialized 
20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID] [VID]
20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070816 023258 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070816 023258 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode  [HASH] [ID] [NOTIFY]
20070816 023258 Default phase 1 done: initiator id 192.168.3.33, responder id 88.81.234.162
20070816 023258 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20070816 023258 Default (SA CnxVpn1-P1) RECV Informational  [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20070816 023305 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20070816 023305 Default (SA CnxVpn1-P1) RECV Informational  [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20070816 023328 Default (SA CnxVpn1-P1) SEND Informational  [HASH] [NOTIFY] type DPD_R_U_THERE
20070816 023328 Default (SA CnxVpn1-P1) RECV Informational  [HASH] [NOTIFY] type DPD_R_U_THERE_ACK

PS: gw on 4.1-stable, roaming users behind OpenBSD box on 4.2.

My continued thanks,

-- 
Sergey Prysiazhnyi
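The gateway log above reports "peer proposed invalid phase 2 IDs" and answers NO_PROPOSAL_CHOSEN. The following is an added diagnostic, not code from the post or from OpenBSD: it parses the ike rule's from/to selectors and the isakmpd log lines, and reports which proposed phase 2 ID disagrees with the gateway's flow. It assumes ipsec.conf(5) semantics (from is the local selector, to the remote one, and "any" means 0.0.0.0/0); the sample input is constructed from the post.

```python
import ipaddress
import re

# Constructed sample input: the ike rule and isakmpd lines quoted in the post.
IPSEC_CONF = ("ike passive from any to 10.1.1.0/24 main auth hmac-sha1 enc 3des "
              "group modp1024 quick auth hmac-sha1 enc 3des psk secret")

ISAKMPD_LOG = """\
023255.558498 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80321: 192.168.3.33, responder id 0a010100/ffffff00: 10.1.1.0/255.255.255.0
023255.558643 Default dropped message from 77.123.XX.XX port 60056 due to notification type NO_PROPOSAL_CHOSEN
"""

FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")
PH2_RE = re.compile(r"peer proposed invalid phase 2 IDs: "
                    r"initiator id \S+: ([^\s,]+), responder id \S+: ([^\s,]+)")


def to_net(text):
    """Normalise an ipsec.conf selector or an isakmpd ID into an ip_network.
    'any' is the wildcard 0.0.0.0/0; isakmpd prints subnets as addr/dotted-mask,
    and a bare host address becomes a /32."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def parse_flow(conf):
    """Return (local, remote) selectors of the ike rule (assumed from/to order)."""
    m = FLOW_RE.search(conf)
    if not m:
        raise ValueError("no from/to selectors in ike rule")
    return to_net(m.group(1)), to_net(m.group(2))


def find_phase2_mismatches(conf, log):
    """For each 'invalid phase 2 IDs' line, compare the IDs the peer proposed
    with the gateway's flow. The gateway is the responder, so the proposed
    responder ID must equal its local selector and the proposed initiator ID
    must equal its remote selector. Returns (side, proposed, configured) tuples."""
    local, remote = parse_flow(conf)
    findings = []
    for line in log.splitlines():
        m = PH2_RE.search(line)
        if not m:
            continue
        initiator, responder = to_net(m.group(1)), to_net(m.group(2))
        if responder != local:
            findings.append(("responder", str(responder), str(local)))
        if initiator != remote:
            findings.append(("initiator", str(initiator), str(remote)))
    return findings
```

Run against the quoted lines, both proposed IDs come back as mismatches, which is why isakmpd rejects the quick mode proposal rather than anything in the pf rules.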