Date: Mon, 25 Nov 2002 12:20:27 -0800
From: Cameron S. Watters <cameron@toolhouse.com>
To: questions@freebsd.org
Subject: isakmpd issues
Message-ID: <562F1486-00B3-11D7-8AC3-00306599D91A@toolhouse.com>
Hello,
I've been working on setting up an IPSec connection between two hosts
using isakmpd.
I'm having two problems:
a) incorrect SPD entries being added by isakmpd
b) connection doesn't work if the FreeBSD/isakmpd box initiates
Any insight would be appreciated. If more info is needed I can provide
that too.
Host A is an AS/400 running OS/400 V4R5. I don't control this host, and
have had frustrating experiences with the brain-damaged IPSec
implementation it has. Nonetheless I get to work with it.
Host B is a FreeBSD box (4.6-RELEASE) using ports/security/isakmpd as
the IKE daemon because ports/security/racoon caused the AS/400 IPSec
services to crash and burn.
A connection can successfully be established when/if the AS/400 is the
initiator. However, if the FreeBSD/isakmpd box initiates, negotiation
fails during phase 2 and the AS/400 sends a notify with
"NO_PROPOSAL_CHOSEN" as the contents. I'm awaiting details of the
AS/400's log when this occurs.
When a connection IS negotiated, the SPD entries added are as follows:
a.a.a.a[any] b.b.b.b[any] any
	in ipsec
	ah/tunnel/a.a.a.a-b.b.b.b/use
	spid=96 seq=1 pid=41900
	refcnt=1
b.b.b.b[any] a.a.a.a[any] any
	out ipsec
	ah/tunnel/b.b.b.b-a.a.a.a/require
	spid=95 seq=0 pid=41900
	refcnt=1
whereas they should be like this:
a.a.a.a[any] 216.57.198.37[any] any
	in ipsec
	ah/transport/a.a.a.a-216.57.198.37/require
	spid=96 seq=1 pid=41900
	refcnt=1
b.b.b.b[any] a.a.a.a[any] any
	out ipsec
	ah/transport/b.b.b.b-a.a.a.a/require
	spid=95 seq=0 pid=41900
	refcnt=1
My configuration file (included below) clearly specifies that it should set up
a transport connection, not a tunnel connection.
[General]
Policy-File= "/usr/local/etc/isakmpd/isakmpd.policy"
Listen-on= b.b.b.b
Default-phase-1-lifetime= Widgetco-lifetime
Default-phase-2-lifetime= Widgetco-lifetime
[Phase 1]
a.a.a.a= ISAKMP-peer-widgetco
[Phase 2]
Connections= IPsec-widgetco-toolhouse
[ISAKMP-peer-widgetco]
Phase= 1
Transport= udp
Local-address= b.b.b.b
Address= a.a.a.a
Configuration= Widgetco-main-mode
Authentication= 2alantis
[IPsec-widgetco-toolhouse]
Phase= 2
ISAKMP-peer= ISAKMP-peer-widgetco
Configuration= Widgetco-quick-mode
Local-ID= Net-toolhouse
Remote-ID= Net-widgetco
[Net-widgetco]
ID-type= IPV4_ADDR
Address= a.a.a.a
[Net-toolhouse]
ID-type= IPV4_ADDR
Address= b.b.b.b
[Widgetco-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= MM-Widgetco
[Widgetco-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-Widgetco-suite
[Widgetco-lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 7200
[Widgetco-lifetime-p2]
LIFE_TYPE= SECONDS
LIFE_DURATION= 1800
[QM-Widgetco-suite]
Protocols= QM-Widgetco-protocol
[QM-Widgetco-protocol]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-Widgetco-transform
[QM-Widgetco-transform]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
Life= Widgetco-lifetime-p2
[MM-Widgetco]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= Widgetco-lifetime
Cameron S. Watters | Programmer | 360.676.9275.105
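Added example (not code from the original mail or from isakmpd): a small checker that follows the phase-2 chain of an isakmpd.conf (connection -> quick-mode configuration -> Suites -> Protocols -> Transforms) to find the ENCAPSULATION_MODE the operator asked for, then compares it against the policy lines of a setkey -DP dump so a tunnel/transport mismatch like the one above is caught mechanically. The config and SPD samples are constructed from the fragments quoted in the mail; the connection name is the one in the poster's file.

```python
# Constructed sample: just the phase-2 chain of the mail's isakmpd.conf that sets ENCAPSULATION_MODE.
CONF = """\
[IPsec-widgetco-toolhouse]
Configuration= Widgetco-quick-mode
[Widgetco-quick-mode]
Suites= QM-Widgetco-suite
[QM-Widgetco-suite]
Protocols= QM-Widgetco-protocol
[QM-Widgetco-protocol]
Transforms= QM-Widgetco-transform
[QM-Widgetco-transform]
ENCAPSULATION_MODE= TRANSPORT
"""
# Constructed sample: the setkey -DP output quoted in the mail (tab-indented, refcnt/spid lines omitted).
SPD = """\
a.a.a.a[any] b.b.b.b[any] any
\tin ipsec
\tah/tunnel/a.a.a.a-b.b.b.b/use
b.b.b.b[any] a.a.a.a[any] any
\tout ipsec
\tah/tunnel/b.b.b.b-a.a.a.a/require
"""

def parse_conf(text):
    # isakmpd.conf is INI-like; a key line without '=' is reported, not silently dropped.
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif line:
            key, eq, val = line.partition("=")
            if not eq or cur is None:
                raise ValueError("malformed isakmpd.conf line: %r" % line)
            cur[key.strip()] = val.strip()
    return sections

def configured_modes(sections, conn):
    # Follow connection -> quick-mode config -> suites -> protocols -> transforms.
    modes = set()
    qm = sections[sections[conn]["Configuration"]]
    for suite in qm["Suites"].split(","):
        for proto in sections[suite.strip()]["Protocols"].split(","):
            for tr in sections[proto.strip()]["Transforms"].split(","):
                modes.add(sections[tr.strip()]["ENCAPSULATION_MODE"].lower())
    return modes

def spd_mismatches(conf_text, spd_text, conn):
    # setkey -DP policy lines look like "ah/tunnel/src-dst/require": exactly three slashes.
    expected = configured_modes(parse_conf(conf_text), conn)
    policies = [l.strip() for l in spd_text.splitlines() if l.count("/") == 3]
    return [p for p in policies if p.split("/")[1] not in expected]
```

Run it against the real files with `spd_mismatches(open("/usr/local/etc/isakmpd/isakmpd.conf").read(), subprocess.check_output(["setkey", "-DP"]).decode(), "IPsec-widgetco-toolhouse")`; an empty list means the kernel SPD agrees with the configured encapsulation mode.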
