I do not know whether the Windows XP native IPsec stack supports AES; I know it only
supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is
giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or
maybe md5) and you would get quick mode working.
Prabhu
-
Harald Dunkel wrote:
> Hi folks,
>
> I am trying to setup an IPsec connection between OpenBSD
> and WindowsXP (NCP IPsec client). ipsec.conf is just a
> single line:
>
> ike passive esp from 192.168.5.1 to 192.168.1.249
>
> (192.168.1.249 is the Windows PC.)
>
>
> Phase I seems to work, but in Phase II isakmpd complains:
>
> Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE
> packet capture to file "/var/run/isakmpd.dump"
> Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
> responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
> Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249
> port 500 due to notification type NO_PROPOSAL_CHOSEN
> Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
> responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
> Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249
> port 500 due to notification type NO_PROPOSAL_CHOSEN
> Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
> responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
> Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249
> port 500 due to notification type NO_PROPOSAL_CHOSEN
> Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249,
> responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
> Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249
> port 500 due to notification type NO_PROPOSAL_CHOSEN
>
>
> Looking into the negotiation packets I see at the beginning
> of Phase II:
>
> 14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp
> v1.0 exchange QUICK_MODE
> cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 45305a4f len: 220
> payload: HASH len: 24
> payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP
> spisz: 4 xforms: 1 SPI: 0x8b62522d
> payload: TRANSFORM len: 28
> transform: 1 ID: AES
> attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> attribute ENCAPSULATION_MODE = TUNNEL
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 28800
> attribute KEY_LENGTH = 256
> payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP
> spisz: 4 xforms: 1 SPI: 0xdc14778f
> payload: TRANSFORM len: 28
> transform: 1 ID: AES
> attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> attribute ENCAPSULATION_MODE = TUNNEL
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 28800
> attribute KEY_LENGTH = 128
> payload: NONCE len: 44
> payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
> payload: ID len: 16 type: IPV4_ADDR_SUBNET =
> 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
> 14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp
> v1.0 exchange INFO
> cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 93170a11 len: 64
> payload: HASH len: 24
> payload: NOTIFICATION len: 12
> notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)
>
> Obviously isakmpd doesn't like something in the negotiation packet
> sent by the NCP IPsec client on Windows.
>
> Anybody got an idea?
>
>
> Regards
>
> Harri
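To make the NO_PROPOSAL_CHOSEN answer concrete, here is an added example (not code from this thread or from isakmpd) that parses the two quick-mode proposals from the tcpdump trace above and checks them against the transform set the responder is willing to accept. The accepted set is an assumption for illustration: AES with a 128-bit key and HMAC_SHA in tunnel mode.

```python
import re

# Quick-mode proposals as printed by tcpdump's isakmp decoder, copied from the
# trace in this thread (constructed sample input for this example).
TRACE = """\
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute ENCAPSULATION_MODE = TUNNEL
attribute KEY_LENGTH = 256
payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP
transform: 1 ID: AES
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute ENCAPSULATION_MODE = TUNNEL
attribute KEY_LENGTH = 128
"""

# Assumed responder policy (hypothetical): the values it accepts per attribute.
ACCEPTED = {
    "enc": {"AES"},
    "KEY_LENGTH": {"128"},
    "AUTHENTICATION_ALGORITHM": {"HMAC_SHA"},
    "ENCAPSULATION_MODE": {"TUNNEL"},
}

def parse_proposals(text):
    """Return one dict per PROPOSAL payload, holding its transform attributes."""
    proposals = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"payload: PROPOSAL .*proposal: (\d+) proto: (\w+)", line):
            proposals.append({"num": int(m.group(1)), "proto": m.group(2)})
        elif m := re.match(r"transform: \d+ ID: (\w+)", line):
            proposals[-1]["enc"] = m.group(1)
        elif m := re.match(r"attribute (\w+) = (\w+)", line):
            proposals[-1][m.group(1)] = m.group(2)
    return proposals

def check_proposals(proposals, accepted=ACCEPTED):
    """Pick the first proposal whose every attribute is acceptable.

    Returns (chosen proposal number, rejection reasons so far); the number is
    None when nothing matched, which is when a responder sends NO_PROPOSAL_CHOSEN.
    """
    reasons = []
    for p in proposals:
        bad = [k for k, ok in accepted.items() if p.get(k) not in ok]
        if not bad:
            return p["num"], reasons
        reasons.append(f"proposal {p['num']}: unacceptable "
                       + ", ".join(f"{k}={p.get(k)}" for k in bad))
    return None, reasons
```

With the assumed policy, proposal 1 fails on KEY_LENGTH=256 and proposal 2 on HMAC_MD5, so neither is chosen; widening the accepted key lengths to include 256 makes proposal 1 match.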