Date: Mon, 25 Nov 2002 12:20:27 -0800
From: Cameron S.Watters <cameron@toolhouse.com>
To: questions@freebsd.org
Subject: isakmpd issues
Message-ID: <562F1486-00B3-11D7-8AC3-00306599D91A@toolhouse.com>
Hello,

I've been working on setting up an IPSec connection between two hosts using isakmpd. I'm having two problems:

a) incorrect SPD entries being added by isakmpd
b) connection doesn't work if the FreeBSD/isakmpd box initiates

Any insight would be appreciated. If more info is needed I can provide that too.

Host A is an AS/400 running OS/400 V4R5. I don't control this host, and have had frustrating experiences with the brain-damaged IPSec implementation it has. Nonetheless I get to work with it.

Host B is a FreeBSD box (4.6-RELEASE) using ports/security/isakmpd as the IKE daemon because ports/security/racoon caused the AS/400 IPSec services to crash and burn.

A connection can successfully be established when/if the AS/400 is the initiator. However, if the FreeBSD/isakmpd box initiates, negotiation fails during phase 2 and the AS/400 sends a notify with "NO_PROPOSAL_CHOSEN" as the contents. I'm awaiting details of the AS/400's log when this occurs.

When a connection IS negotiated, the SPD entries added are as such:

    a.a.a.a[any] b.b.b.b[any] any
        in ipsec
        ah/tunnel/a.a.a.a-b.b.b.b/use
        spid=96 seq=1 pid=41900 refcnt=1
    b.b.b.b[any] a.a.a.a[any] any
        out ipsec
        ah/tunnel/b.b.b.b-a.a.a.a/require
        spid=95 seq=0 pid=41900 refcnt=1

whereas they should be like this:

    a.a.a.a[any] 216.57.198.37[any] any
        in ipsec
        ah/transport/a.a.a.a-216.57.198.37/require
        spid=96 seq=1 pid=41900 refcnt=1
    b.b.b.b[any] a.a.a.a[any] any
        out ipsec
        ah/transport/b.b.b.b-a.a.a.a/require
        spid=95 seq=0 pid=41900 refcnt=1

My configuration file (included below) clearly specifies that it set up a transport connection, and not a tunnel connection.
    [General]
    Policy-File= "/usr/local/etc/isakmpd/isakmpd.policy"
    Listen-on= b.b.b.b
    Default-phase-1-lifetime= Widgetco-lifetime
    Default-phase-2-lifetime= Widgetco-lifetime

    [Phase 1]
    a.a.a.a= ISAKMP-peer-widgetco

    [Phase 2]
    Connections= IPsec-widgetco-toolhouse

    [ISAKMP-peer-widgetco]
    Phase= 1
    Transport= udp
    Local-address= b.b.b.b
    Address= a.a.a.a
    Configuration= Widgetco-main-mode
    Authentication= 2alantis

    [IPsec-widgetco-toolhouse]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-widgetco
    Configuration= Widgetco-quick-mode
    Local-ID= Net-toolhouse
    Remote-ID= Net-widgetco

    [Net-widgetco]
    ID-type= IPV4_ADDR
    Address= a.a.a.a

    [Net-toolhouse]
    ID-type= IPV4_ADDR
    Address= b.b.b.b

    [Widgetco-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= MM-Widgetco

    [Widgetco-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-Widgetco-suite

    [Widgetco-lifetime]
    LIFE_TYPE= SECONDS
    LIFE_DURATION= 7200

    [Widgetco-lifetime-p2]
    LIFE_TYPE= SECONDS
    LIFE_DURATION= 1800

    [QM-Widgetco-suite]
    Protocols= QM-Widgetco-protocol

    [QM-Widgetco-protocol]
    PROTOCOL_ID= IPSEC_AH
    Transforms= QM-Widgetco-transform

    [QM-Widgetco-transform]
    TRANSFORM_ID= MD5
    ENCAPSULATION_MODE= TRANSPORT
    AUTHENTICATION_ALGORITHM= HMAC_MD5
    GROUP_DESCRIPTION MODP_768
    Life= Widgetco-lifetime-p2

    [MM-Widgetco]
    ENCRYPTION_ALGORITHM= DES_CBC
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_768
    Life= Widgetco-lifetime

Cameron S. Watters | Programmer | 360.676.9275.105
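A small cross-check for the situation described in the mail, written as an added example (it is not part of the mail and not isakmpd's own code): it walks the Phase 2 chain of an isakmpd.conf (Connections -> Configuration -> Suites -> Protocols -> Transforms) to find the ENCAPSULATION_MODE each connection asks for, parses the `setkey -DP` policy dump, and reports SPD entries between that connection's Local-ID/Remote-ID addresses whose tunnel/transport mode disagrees with the configuration. It also flags config lines that are not of the `Key= Value` shape, which catches a line such as `GROUP_DESCRIPTION MODP_768` that lacks its `=`. The sample config and SPD lines are constructed from what the mail quotes; the parser is a simplified reading of the isakmpd.conf format (sections, `Key= Value`, `#` comments), not isakmpd's parser, and the SPD regex assumes KAME-style `setkey -DP` output.

```python
"""Cross-check isakmpd.conf Phase-2 ENCAPSULATION_MODE against the kernel SPD.

Added example, not from the mail above. Constructed samples reproduce the
config sections and `setkey -DP` entries the mail quotes.
"""
import re

# Constructed sample: the Phase-2 half of the configuration quoted in the mail.
SAMPLE_CONF = """\
[Phase 2]
Connections= IPsec-widgetco-toolhouse

[IPsec-widgetco-toolhouse]
Phase= 2
ISAKMP-peer= ISAKMP-peer-widgetco
Configuration= Widgetco-quick-mode
Local-ID= Net-toolhouse
Remote-ID= Net-widgetco

[Net-widgetco]
ID-type= IPV4_ADDR
Address= a.a.a.a

[Net-toolhouse]
ID-type= IPV4_ADDR
Address= b.b.b.b

[Widgetco-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-Widgetco-suite

[QM-Widgetco-suite]
Protocols= QM-Widgetco-protocol

[QM-Widgetco-protocol]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-Widgetco-transform

[QM-Widgetco-transform]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION MODP_768
Life= Widgetco-lifetime-p2
"""

# Constructed sample: the two SPD entries quoted in the mail, in the
# multi-line layout `setkey -DP` prints (assumed KAME-style output).
SAMPLE_SPD = """\
a.a.a.a[any] b.b.b.b[any] any
    in ipsec
    ah/tunnel/a.a.a.a-b.b.b.b/use
    spid=96 seq=1 pid=41900 refcnt=1
b.b.b.b[any] a.a.a.a[any] any
    out ipsec
    ah/tunnel/b.b.b.b-a.a.a.a/require
    spid=95 seq=0 pid=41900 refcnt=1
"""

# src[port] dst[port] upper-proto dir ipsec proto/mode/endpoints/level spid=N
SPD_RE = re.compile(
    r'(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+\s+(in|out)\s+ipsec\s+'
    r'(\w+)/(tunnel|transport)/(\S*)\s+spid=(\d+)')


def parse_isakmpd_conf(text):
    """Parse [Section] / Key= Value lines; '#' starts a comment.
    Returns ({section: {key: value}}, [(lineno, text)] of lines lacking '=')."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif '=' not in line or current is None:
            malformed.append((lineno, line))
        else:
            key, value = (s.strip() for s in line.split('=', 1))
            current[key] = value
    return sections, malformed


def _names(value):
    """Split a comma-separated tag list such as 'A, B' into ['A', 'B']."""
    return [v.strip() for v in value.split(',') if v.strip()]


def configured_modes(sections):
    """{connection: set of lower-cased ENCAPSULATION_MODE values} for Phase 2."""
    modes = {}
    for conn in _names(sections.get('Phase 2', {}).get('Connections', '')):
        qm = sections.get(sections.get(conn, {}).get('Configuration', ''), {})
        found = set()
        for suite in _names(qm.get('Suites', '')):
            for proto in _names(sections.get(suite, {}).get('Protocols', '')):
                for xf in _names(sections.get(proto, {}).get('Transforms', '')):
                    mode = sections.get(xf, {}).get('ENCAPSULATION_MODE')
                    if mode:
                        found.add(mode.lower())
        modes[conn] = found
    return modes


def connection_endpoints(sections, conn):
    """(local, remote) addresses from the connection's Local-ID / Remote-ID."""
    c = sections.get(conn, {})
    local = sections.get(c.get('Local-ID', ''), {}).get('Address')
    remote = sections.get(c.get('Remote-ID', ''), {}).get('Address')
    return local, remote


def parse_spd(text):
    """Policy entries from `setkey -DP` output; also accepts a copy that
    was flattened onto one line, as in the mail."""
    return [dict(src=m[1], dst=m[2], dir=m[3], proto=m[4], mode=m[5],
                 level=m[6].rsplit('/', 1)[-1] or 'default', spid=int(m[7]))
            for m in SPD_RE.finditer(text)]


def find_mismatches(conf_text, spd_text):
    """Malformed config lines plus SPD entries between a connection's
    endpoints whose tunnel/transport mode is not the configured one."""
    sections, malformed = parse_isakmpd_conf(conf_text)
    problems = [f'config line {n}: no "=" in {text!r}' for n, text in malformed]
    entries = parse_spd(spd_text)
    for conn, expected in configured_modes(sections).items():
        local, remote = connection_endpoints(sections, conn)
        for e in entries:
            if {e['src'], e['dst']} != {local, remote}:
                continue  # SPD entry belongs to a different peer
            if e['mode'] not in expected:
                problems.append(
                    f"{conn}: SPD {e['dir']} {e['src']}->{e['dst']} spid={e['spid']} "
                    f"is {e['proto']}/{e['mode']}/{e['level']}, config says "
                    f"{'/'.join(sorted(expected))}")
    return problems


if __name__ == '__main__':
    for problem in find_mismatches(SAMPLE_CONF, SAMPLE_SPD):
        print(problem)
```

Run against the samples it reports three lines: the `GROUP_DESCRIPTION MODP_768` line with no `=`, and both SPD entries (spid 96 in, spid 95 out) as `ah/tunnel` where the transform says `transport`. On a live host, feed it the real `/usr/local/etc/isakmpd/isakmpd.conf` and the output of `setkey -DP` after a successful negotiation; matching SPD entries to a connection by its Local-ID/Remote-ID addresses keeps policies for other peers out of the report.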