Re: ipsec vpn?

From: Sergey Prysiazhnyi (apelsinatmnis.com)
Date: Wed Aug 22 2007 - 17:56:55 CDT


On Thu, Aug 16, 2007 at 09:56:05AM +0200, Hans-Joerg Hoexer wrote:
> Can you try to run isakmpd without "-K" and use a 2 line isakmpd.policy
> like this:
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
>
> This policy accepts anything, so this should be done only for testing.

Well, I did this with such a policy, Hans:

1. ps ax | g isa

   914 ?? Is 0:00.02 isakmpd: monitor [priv] (isakmpd)
   24931 ?? I 0:00.70 isakmpd

   ; ls -la /etc/isakmpd/isakmpd.policy
   ; -rw------- 1 root wheel 40 Aug 23 01:25 /etc/isakmpd/isakmpd.policy

2. cat /etc/ipsec.conf

   ike passive from any to 10.1.1.0/24 \
           main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk q1w2e3

3. ipsecctl -F -f /etc/ipsec.conf

4. No problems at all from the GreenBow VPN Client side:

20070823 014500 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID]
20070823 014500 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
20070823 014500 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070823 014500 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20070823 014500 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [HASH] [ID]
20070823 014500 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [HASH] [ID] [NOTIFY]
20070823 014500 Default phase 1 done: initiator id 192.168.3.33, responder id 88.81.234.162
20070823 014500 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20070823 014500 Default (SA CnxVpn1-CnxVpn1-P2) RECV phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20070823 014500 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH]
20070823 014530 Default (SA CnxVpn1-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20070823 014530 Default (SA CnxVpn1-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20070823 014600 Default (SA CnxVpn1-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20070823 014600 Default (SA CnxVpn1-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK

But it is still not working for me without isakmpd.policies. ??? Thank you very much,

--
Sergey Prysiazhnyi
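For reference, the accept-anything policy from the quoted reply beside a restricted one that matches the ipsec.conf above. This is an added illustration, not a file from the original post; the passphrase in Licensees is simply the psk value from the posted ipsec.conf (q1w2e3, a placeholder you would replace), and the attribute names follow isakmpd.policy(5). It is only consulted when isakmpd runs without -K, since -K disables KeyNote policy checking entirely.

```keynote
# /etc/isakmpd/isakmpd.policy (mode 0600, owned by root, as in the post)

# Testing-only policy from the quoted reply: no Licensees and no Conditions,
# so every SA proposed by any peer is accepted.
KeyNote-Version: 2
Authorizer: "POLICY"

# Restricted policy for the same setup: grant only to a peer that proved
# knowledge of the pre-shared key, and only for ESP SAs with real
# encryption and HMAC-SHA1 integrity, i.e. what the ipsec.conf asks for.
# "q1w2e3" is the psk from the posted ipsec.conf and is a placeholder.
KeyNote-Version: 2
Comment: ESP only, non-null encryption, SHA1 integrity, PSK-authenticated peer
Authorizer: "POLICY"
Licensees: "passphrase:q1w2e3"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_auth_alg == "hmac-sha" -> "true";
```

Keep only one of the two assertions in the real file; the first is the "accepts anything" one Hans-Joerg warned about. If you want to pin the networks as well, isakmpd.policy(5) also exposes the negotiated selectors (the local_filter and remote_filter attributes) for use in Conditions; note that KeyNote compares those as strings, so a range check needs the exact form the manual page documents rather than a numeric comparison.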