WG: isakmp phase 2 negotiation failed

To: <misc@...>
Date: Friday, September 21, 2007 - 7:38 am

> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of n0g0013
> Sent: Thursday, 20 September 2007 23:52
> To: misc@openbsd.org
> Subject: isakmp phase 2 negotiation failed
>
>
> having a nightmare getting two openbsd (one 3.8, one 4.0) boxes to
> set up a tunnel. finally got the phase 1 negotiation going (or so i
> believe from reviewing the logs) but it appears that the phase two
> starts and is just abandoned.
>
> my best guess is that the default definitions for
QM-ESP-DES-MD5-SUITE
> are incompatible but i can't seem to get by it.
>
> the "-DA=99" output and configuration files are attached in the hope
> that someone can make sense of this. i also have the "-L" dump if
> anyone needs it.
>
> thanks for any assistance.
>
> --
> t
> t
> w
> # isakmpd configuration
>
> [General]
> Listen-on= 83.104.36.71
>
> [X509-Certificates]
> CA-directory= /etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> Private-key= /etc/isakmpd/private/local.key
>
> [Phase 1]
> #84.203.180.117= gw.vpn.cobbled.net
>
> [caley01.vpn.cobbled.net]
> ID-Type= FQDN
> Name= caley01.vpn.cobbled.net
>
> [gw.vpn.cobbled.net]
> ID-Type= FQDN
> Name= gw.vpn.cobbled.net
>
> [Phase 2]
> Connections= cobbled-caley
>
> [cobbled_net-gw]
> Phase= 1
> Configuration= low-crypto
> Address= 84.203.180.117
> ID= caley01.vpn.cobbled.net
> Remote-ID= gw.vpn.cobbled.net
>
> [cobbled-caley]
> Phase= 2
> ISAKMP-peer= cobbled_net-gw
> Configuration= low-crypto-quick
> Local-ID= cobbled_net-caley
> Remote-ID= cobbled_net-all
>
> [cobbled_net-all]
> ID-Type= IPV4_ADDR_SUBNET
> Network= 10.0.0.0
> Netmask= 255.0.0.0
>
> [cobbled_net-caley]
> ID-Type= IPV4_ADDR_SUBNET
> Network= 10.192.0.0
> Netmask= 255.255.0.0
>
> [min-crypto-quick]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Transforms= QM-ESP-DES-MD5-SUITE
>
> [low-crypto]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA-RSA_SIG
>
> [low-crypto-quick]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Transforms= QM-ESP-3DES-SHA-PFS-SUITE
>
> [demime 1.01d removed an attachment of type application/x-gunzip]
>
>

Enable logging to /var/run/isakmpd.pcap, either by starting
isakmpd with the -L switch or by sending the 'p on' command to
the isakmpd command pipe
(echo 'p on' > /var/run/isakmpd.fifo).

Then run

tcpdump -r /var/run/isakmpd.pcap -nvv

This will clearly show which parameters are negotiated and
with what result the phase 2 negotiation fails.

That's my 5 cents

regards

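Before reaching for the packet capture, it is worth checking the two ends' configurations against each other, since a Quick Mode that "starts and is just abandoned" is usually one side rejecting the other's proposal or IDs. The script below is an added example (mine, not code from the thread or from OpenBSD). LOCAL_CONF is trimmed to the phase 2 sections of the configuration posted above; PEER_CONF is an assumed, constructed configuration for the gateway end, with one deliberate mismatch (its Quick Mode suite lacks PFS while the local end's suite requires it) so the check has something to report. The check resolves each Phase 2 connection's Local-ID/Remote-ID to networks, looks for the mirror connection on the peer, compares the transform suites for a common member, and lists sections that nothing references, which in the posted config is min-crypto-quick, the section holding the QM-ESP-DES-MD5-SUITE the poster suspects, while the active connection actually uses low-crypto-quick. Section names such as gw-quick, all-nets and caley-net on the peer side are my own.

```python
"""Cross-check the phase 2 (Quick Mode) side of two isakmpd.conf files.
Added example, not code from the thread or OpenBSD: LOCAL_CONF is trimmed from
the config posted above, PEER_CONF is an assumed gateway end with one mismatch."""
import configparser
import ipaddress

LOCAL_CONF = """
[Phase 2]
Connections= cobbled-caley
[cobbled-caley]
Phase= 2
ISAKMP-peer= cobbled_net-gw
Configuration= low-crypto-quick
Local-ID= cobbled_net-caley
Remote-ID= cobbled_net-all
[cobbled_net-all]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0
[cobbled_net-caley]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.192.0.0
Netmask= 255.255.0.0
[min-crypto-quick]
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-DES-MD5-SUITE
[low-crypto-quick]
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-3DES-SHA-PFS-SUITE
"""
# Constructed gateway side (assumption): IDs mirrored, but the suite has no PFS.
PEER_CONF = """
[Phase 2]
Connections= caley-cobbled
[caley-cobbled]
Phase= 2
ISAKMP-peer= caley
Configuration= gw-quick
Local-ID= all-nets
Remote-ID= caley-net
[all-nets]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0
[caley-net]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.192.0.0
Netmask= 255.255.0.0
[gw-quick]
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-3DES-SHA-SUITE
"""
# Keys whose values name other sections (Transforms is not one: QM-ESP-*-SUITE are built-ins).
REF_KEYS = ("Connections", "ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID", "ID")
FIXED = {"General", "Phase 1", "Phase 2", "X509-Certificates"}

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case sensitive, keep them as written
    cp.read_string(text)
    return cp

def subnet(cp, id_name):
    """Resolve an IPV4_ADDR_SUBNET ID section to a network object."""
    sec = cp[id_name]  # KeyError here means a dangling section reference
    return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=False)

def phase2_connections(cp):
    """Yield (name, local_net, remote_net, suites) for each Phase 2 connection."""
    for name in (n.strip() for n in cp["Phase 2"]["Connections"].split(",")):
        conn = cp[name]
        suites = {t.strip() for t in cp[conn["Configuration"]]["Transforms"].split(",")}
        yield name, subnet(cp, conn["Local-ID"]), subnet(cp, conn["Remote-ID"]), suites

def check(local, peer):
    """Report connections the peer does not mirror or cannot agree a suite on."""
    problems, peer_conns = [], list(phase2_connections(peer))
    for name, lnet, rnet, suites in phase2_connections(local):
        # The peer's Local-ID must be our Remote-ID and vice versa.
        mirror = [p for p in peer_conns if p[1] == rnet and p[2] == lnet]
        if not mirror:
            problems.append(f"{name}: peer has no connection with Local-ID {rnet} and Remote-ID {lnet}")
            continue
        pname, _, _, psuites = mirror[0]
        if not suites & psuites:
            problems.append(f"{name}/{pname}: no common Quick Mode suite, {sorted(suites)} vs {sorted(psuites)}")
    return problems

def unused_sections(cp):
    """Sections nothing refers to, such as a suite left over from an earlier attempt."""
    referenced = set()
    for sec in cp.sections():
        for key in REF_KEYS:
            if key in cp[sec]:
                referenced.update(v.strip() for v in cp[sec][key].split(","))
    return [s for s in cp.sections() if s not in referenced and s not in FIXED]

if __name__ == "__main__":
    local, peer = load(LOCAL_CONF), load(PEER_CONF)
    print(*check(local, peer), *(f"unused section [{s}]" for s in unused_sections(local)), sep="\n")
```

To use it against a real pair of gateways, paste each end's isakmpd.conf in place of the two strings; anything it reports is what the tcpdump of isakmpd.pcap should then confirm in the Quick Mode exchange. It only covers the IPV4_ADDR_SUBNET ID type and the section references listed in REF_KEYS, which is enough for the configuration in this thread.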

Messages in current thread:
WG: isakmp phase 2 negotiation failed, Christoph Leser, (Fri Sep 21, 7:38 am)