isakmpd - "no proposal chosen" error
From: Chris Cameron (chris upnix.com)
Date: Tue Aug 03 2004 - 10:43:13 CDT
Trying to set up a VPN tunnel between OpenBSD and Firewall-1.
For the most part, it seems to work fine, however the OpenBSD side of
things will give the error:
dropped message from 216.82.85.146 port 500 due to notification type
NO_PROPOSAL_CHOSEN
Despite this error, traffic moves fine over the VPN and the Firewall-1
side seems happy as can be.
Normally I'd just leave it, but looking through the archives, I came
across someone with a similar problem that mentioned the VPN tunnel
would break every 2 or so days. As this OpenBSD machine is being put in
on probationary terms, it'd be nice if it didn't mess up a couple days
into it.
Complete error from isakmpd:
Jul 31 20:32:58 gate1 isakmpd[1556]: message_negotiate_sa: no compatible proposal found
Jul 31 20:32:58 gate1 isakmpd[1556]: dropped message from 216.82.85.146 port 500 due to notification type NO_PROPOSAL_CHOSEN
Any help on this would be appreciated. I played around a bit with
different isakmpd "Configuration" entries, but being as the tunnel was
established I really wasn't certain what I should be fooling with.
Going through the archives, I found a number of posters with a similar
error message, but only one mentioned that his tunnel actually worked
despite the error.
Below is more detail on the configuration. Software involved is OpenBSD
3.5 (on Sparc64) and Firewall-1 NG (Solaris 8).
Thanks,
Chris
/var/run/isakmpd.pcap output (which doesn't seem to show the error):
$ tcpdump -vr isakmpd.pcap
14:32:55.765661 0.0.0.0.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->0000000000000000 msgid: 00000000 len: 80
  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
      payload: TRANSFORM len: 32
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_1024
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 3600 [ttl 0] (id 1)
14:32:55.772408 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 00000000 len: 80
  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
      payload: TRANSFORM len: 32
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_1024
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 3600 [ttl 0] (id 1)
14:32:56.011063 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 00000000 len: 180
  payload: KEY_EXCH len: 132
  payload: NONCE len: 20 [ttl 0] (id 1)
14:32:56.034857 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 00000000 len: 184
  payload: KEY_EXCH len: 132
  payload: NONCE len: 24 [ttl 0] (id 1)
14:32:56.287838 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 00000000 len: 92
  payload: ID len: 12 type: IPV4_ADDR = 209.194.103.41
  payload: HASH len: 24
  payload: NOTIFICATION len: 28
    notification: INITIAL CONTACT (ebae2c52fd2e69e7->a1d10acaab508217) [ttl 0] (id 1)
14:32:56.325774 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 00000000 len: 68
  payload: ID len: 12 type: IPV4_ADDR = 216.82.85.146
  payload: HASH len: 24 [ttl 0] (id 1)
14:32:56.328458 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: df4dbec4 len: 152
  payload: HASH len: 24
  payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x7b0610c9
      payload: TRANSFORM len: 24
        transform: 1 ID: 3DES
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 1200
          attribute ENCAPSULATION_MODE = TUNNEL
          attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  payload: NONCE len: 20
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.121.0/255.255.255.0
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.120.0/255.255.255.0 [ttl 0] (id 1)
14:32:56.336346 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: df4dbec4 len: 164
  payload: HASH len: 24
  payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc0249854
      payload: TRANSFORM len: 24
        transform: 1 ID: 3DES
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 1200
          attribute ENCAPSULATION_MODE = TUNNEL
          attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  payload: NONCE len: 24
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.121.0/255.255.255.0
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.120.0/255.255.255.0 [ttl 0] (id 1)
14:32:56.347234 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: df4dbec4 len: 52
  payload: HASH len: 24 [ttl 0] (id 1)
14:32:58.785691 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: b605a94819abb38e->0000000000000000 msgid: 00000000 len: 128
  payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
      payload: TRANSFORM len: 36
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_1024
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 00093affffff80
  payload: VENDOR len: 44 [ttl 0] (id 1)
14:32:58.791456 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 7afb69599e1cb8ec->0000000000000000 msgid: 00000000 len: 40
  payload: NOTIFICATION len: 12
    notification: NO PROPOSAL CHOSEN [ttl 0] (id 1)
14:49:58.361877 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 25df76da len: 152
  payload: HASH len: 24
  payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x53052216
      payload: TRANSFORM len: 24
        transform: 1 ID: 3DES
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 1200
          attribute ENCAPSULATION_MODE = TUNNEL
          attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  payload: NONCE len: 20
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.121.0/255.255.255.0
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.120.0/255.255.255.0 [ttl 0] (id 1)
14:49:58.369707 216.82.85.146.isakmp > 209.194.103.41.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 25df76da len: 164
  payload: HASH len: 24
  payload: SA len: 48 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 36 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc0249855
      payload: TRANSFORM len: 24
        transform: 1 ID: 3DES
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 1200
          attribute ENCAPSULATION_MODE = TUNNEL
          attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
  payload: NONCE len: 24
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.121.0/255.255.255.0
  payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.120.0/255.255.255.0 [ttl 0] (id 1)
14:49:58.371390 209.194.103.41.isakmp > 216.82.85.146.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
  cookie: ebae2c52fd2e69e7->a1d10acaab508217 msgid: 25df76da len: 52
  payload: HASH len: 24 [ttl 0] (id 1)
isakmpd.conf:
[Phase 1]
216.82.85.146= gate2-peer
[Phase 2]
Connections= Office-VPN
[gate2-peer]
Phase= 1
Transport= udp
Address= 216.82.85.146
Configuration= Default-main-mode
Authentication= xxxxxxxxx
[Office-VPN]
Phase= 2
ISAKMP-peer= gate2-peer
Configuration= Default-quick-mode
Local-ID= Gate1-Internal-network
Remote-ID= Gate2-Internal-network
[Gate1-Internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.121.0
Netmask= 255.255.255.0
[Gate2-Internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.120.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
isakmpd.policy:
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
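An added example, not code from the post or from isakmpd, showing how the SA transform attributes in the dump above are encoded on the wire (RFC 2408 section 3.3): each attribute is either Type/Value with a fixed 2-byte value or Type/Length/Value with a variable-length value, which is how tcpdump comes to print LIFE_DURATION once as the number 3600 and once as the raw bytes 00093affffff80. The byte strings are constructed to mirror those two forms; the attribute and value names are the IKEv1 Phase 1 assignments from RFC 2409.

```python
# Added example (not from the post or from isakmpd): decode ISAKMP SA
# transform data attributes per RFC 2408 section 3.3 in both encodings.
import struct

# IKEv1 Phase 1 attribute types (RFC 2409 Appendix A) and the value names
# that appear in the tcpdump output above.
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM",
              3: "AUTHENTICATION_METHOD", 4: "GROUP_DESCRIPTION",
              11: "LIFE_TYPE", 12: "LIFE_DURATION"}
VALUE_NAMES = {"ENCRYPTION_ALGORITHM": {5: "3DES_CBC"}, "HASH_ALGORITHM": {2: "SHA"},
               "AUTHENTICATION_METHOD": {1: "PRE_SHARED"},
               "GROUP_DESCRIPTION": {2: "MODP_1024"}, "LIFE_TYPE": {1: "SECONDS"}}

def parse_attributes(data):
    """Return a list of (name, value, encoding) for each data attribute.

    The top bit of the 2-byte type field (AF) selects the encoding:
    AF=1 -> Type/Value: the next 2 bytes are the value.
    AF=0 -> Type/Length/Value: 2-byte length, then that many value bytes.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        name = ATTR_NAMES.get(atype & 0x7FFF, "ATTR_%d" % (atype & 0x7FFF))
        if atype & 0x8000:
            value, enc = field, "TV"
        else:
            if off + field > len(data):
                raise ValueError("%s length %d overruns payload" % (name, field))
            value = int.from_bytes(data[off:off + field], "big")
            enc = "TLV(%d)" % field
            off += field
        attrs.append((name, VALUE_NAMES.get(name, {}).get(value, value), enc))
    return attrs

def life_duration(attrs):
    """Return the LIFE_DURATION value as an int whatever its encoding, or None."""
    return next((v for n, v, _ in attrs if n == "LIFE_DURATION"), None)

# Constructed samples. OPENBSD_ATTRS mirrors the proposal OpenBSD sent: all
# attributes Type/Value, lifetime 3600 seconds. TLV_3600 carries the same
# lifetime as a 4-byte Type/Length/Value. TLV_ODD carries the 7-byte value
# the dump printed as 00093affffff80 in the Firewall-1 proposal.
OPENBSD_ATTRS = bytes.fromhex("80010005800200028003000180040002800b0001800c0e10")
TLV_3600 = bytes.fromhex("800b0001000c000400000e10")
TLV_ODD = bytes.fromhex("800b0001000c000700093affffff80")
```

Comparing `life_duration(parse_attributes(...))` across the three samples shows that the lifetime a peer actually proposed depends on how the attribute was encoded, not on what the printer happened to display.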