Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

Previous thread: Les Dangers de l'Aspartame by contact.nln on Friday, June 27, 2008 - 4:09 am. (1 message)

Next thread: Question about tags and ipsec.conf by Michiel van der Kraats on Friday, June 27, 2008 - 5:14 am. (1 message)
From: Harald Dunkel
Date: Friday, June 27, 2008 - 6:10 am

Hi folks,

I am trying to set up an IPsec connection between OpenBSD
and WindowsXP (NCP IPsec client). ipsec.conf is just a
single line:

	ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the Windows PC.)


Phase I seems to work, but in Phase II isakmpd complains:

Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.dump"
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN


Looking into the negotiation packets I see at the beginning
of Phase II:

14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
         cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 45305a4f len: 220
         payload: HASH len: 24
         payload: SA len: 92 DOI: ...
From: Prabhu Gurumurthy
Date: Friday, June 27, 2008 - 10:16 am

I do not know whether Windows XP native IPsec stack supports AES, I know it only 
supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is 
giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or 
md5 maybe) and you would get quick mode working.

Prabhu
-


From: Harald Dunkel
Date: Monday, June 30, 2008 - 12:17 am

Hi Prabhu,

I do get a connection for

	ike passive esp from 192.168.5.0/31 to 192.168.1.249

but not for

	ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the remote Windows laptop running NCP IPsec client.)

So I doubt that this is a problem of aes vs 3des. AFAICS the problem
is that isakmpd doesn't accept the proposal packet with

	:
	payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
	:

If I set up an IPsec tunnel between 2 OpenBSD hosts, then the
proposal packet says

	:
	payload: ID len: 12 type: IPV4_ADDR = 192.168.5.3
	payload: ID len: 12 type: IPV4_ADDR = 192.168.5.1 [ttl 0] (id 1, len 312)
	:

which seems to be fine for isakmpd.

The questions are:

Does NCP's IPsec client violate some RFC?
Can isakmpd be adjusted to accept "IPV4_ADDR_SUBNET" in the proposal
packet, if this is fine with the RFCs?


Regards

Harri

From: Mitja Muženič
Date: Monday, June 30, 2008 - 12:38 am

It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.

As I already explained to you in a private mail, ipsecctl will export both
192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR=192.168.1.249 while your
windows client is sending IPV4_ADDR_SUBNET for 192.168.1.249/32, and this
will not match.

I have looked into changing this ipsecctl's behaviour but I can't find a

Since it's not isakmpd's problem but a problem in ipsecctl parsing the
config for isakmpd, you can always use the old-style isakmpd.conf config. Or

Mitja 

From: Harald Dunkel
Date: Monday, June 30, 2008 - 2:48 am

Does NCP client violate some RFC by sending IPV4_ADDR_SUBNET for

That's fine. AFAICS most IPsec installations will work on "real"
subnets, so probably it is not so important. I stumbled over
this just in an evaluation environment.


Many thanx to all

Harri

From: Harald Dunkel
Date: Monday, June 30, 2008 - 4:03 am

PS: If I don't define any remote networks in NCP client, then it tries
to send all ip traffic via esp to the OpenBSD gateway, but isakmpd
whoes:

responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id 00000000/00000000: 0.0.0.0/0.0.0.0

payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249


Regards

Harri
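An added triage script (my example, not code from this thread or from OpenBSD) that parses the "peer proposed invalid phase 2 IDs" lines quoted above and applies the matching rule Mitja describes: ipsecctl exports a single host (a.b.c.d or a.b.c.d/32) as IPV4_ADDR and anything wider as IPV4_ADDR_SUBNET, and the responder accepts a peer's phase 2 ID only when type and value both equal what the local flow exports. It covers both the /32 type mismatch from Harald's first mail and the 0.0.0.0/0 case from his PS. The export rule and the exact type-plus-value equality are modelled from the thread, not from isakmpd's source, and the `local_id` override is a stand-in for a hand-written isakmpd.conf identity; the log lines are the ones quoted in the thread.

```python
"""Triage helper for isakmpd "peer proposed invalid phase 2 IDs" log lines.

Added example, not code from the thread or from OpenBSD.  The ipsecctl
export rule and the "type and value must both match" rule are assumptions
taken from Mitja's explanation, not from isakmpd's source.
"""
import ipaddress
import re

# Log format as quoted in the thread; the hex form carries "/mask" only for
# IPV4_ADDR_SUBNET identities.
_LOG_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: "
    r"initiator id (?P<ihex>[0-9a-f]{8})(?:/[0-9a-f]{8})?: (?P<init>[0-9./]+), "
    r"responder id (?P<rhex>[0-9a-f]{8})(?:/[0-9a-f]{8})?: (?P<resp>[0-9./]+)"
)

# Sample input: the two rejection lines quoted in the thread.
SAMPLE_LINES = [
    "Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed "
    "invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, "
    "responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255",
    "responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: "
    "initiator id c0a801f9: 192.168.1.249, responder id 00000000/00000000: 0.0.0.0/0.0.0.0",
]


def parse_id(text):
    """'192.168.5.1/255.255.255.255' -> ('IPV4_ADDR_SUBNET', 192.168.5.1/32);
    '192.168.1.249' -> ('IPV4_ADDR', 192.168.1.249/32)."""
    if "/" in text:
        addr, mask = text.split("/", 1)
        return "IPV4_ADDR_SUBNET", ipaddress.IPv4Network((addr, mask), strict=False)
    return "IPV4_ADDR", ipaddress.IPv4Network(text)


def ipsecctl_export(spec):
    """Model (assumed from the thread) of how ipsecctl turns an ipsec.conf
    endpoint into an ISAKMP identity: /32 -> IPV4_ADDR, wider -> IPV4_ADDR_SUBNET."""
    net = ipaddress.IPv4Network(spec, strict=False)
    return ("IPV4_ADDR" if net.prefixlen == 32 else "IPV4_ADDR_SUBNET"), net


def parse_log_line(line):
    """Return (initiator_id, responder_id) from a rejection line, or None.
    The dotted form is cross-checked against the hex form isakmpd also prints."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    for hexpart, dotted in ((m["ihex"], m["init"]), (m["rhex"], m["resp"])):
        if ipaddress.IPv4Address(int(hexpart, 16)) != ipaddress.IPv4Address(dotted.split("/")[0]):
            raise ValueError(f"hex id {hexpart} does not match {dotted}")
    return parse_id(m["init"]), parse_id(m["resp"])


def triage(line, local_spec, remote_spec, local_id=None):
    """Explain why the responder rejected the peer's IDs for the flow
    'ike ... from LOCAL_SPEC to REMOTE_SPEC'.  local_id, if given, replaces
    the ipsecctl-derived local identity (e.g. one written in isakmpd.conf).
    Returns a list of (side, reason, ours, theirs); empty means the IDs agree."""
    ids = parse_log_line(line)
    if ids is None:
        return []
    peer_remote, peer_local = ids  # initiator ID = remote end, responder ID = our end
    ours_local = local_id if local_id is not None else ipsecctl_export(local_spec)
    findings = []
    for side, ours, theirs in (("remote", ipsecctl_export(remote_spec), peer_remote),
                               ("local", ours_local, peer_local)):
        if ours == theirs:
            continue
        if ours[1] == theirs[1]:
            reason = "type-mismatch"   # same address, IPV4_ADDR vs IPV4_ADDR_SUBNET
        elif theirs[1].prefixlen == 0:
            reason = "peer-wants-any"  # client configured with no remote networks
        else:
            reason = "value-mismatch"
        findings.append((side, reason, ours, theirs))
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        for side, reason, ours, theirs in triage(sample, "192.168.5.1", "192.168.1.249"):
            print(f"{side}: {reason}: flow exports {ours[0]} {ours[1]}, "
                  f"peer sent {theirs[0]} {theirs[1]}")
```

Run it as-is and the first line is reported as a local type mismatch (same address, IPV4_ADDR versus IPV4_ADDR_SUBNET) and the second as the peer asking for 0.0.0.0/0; passing `local_id=parse_id("192.168.5.1/255.255.255.255")` makes the first line match, which is the situation Mitja describes for a hand-written isakmpd.conf.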
