Problems with isakmpd and protocol suites

From: Kim Nielsen (none@kn--insecurity.dk.lh.bsd-dk.dk)
Date: Tue 18 Oct 2005 - 11:44:01 CEST


Date: Tue, 18 Oct 2005 11:44:01 +0200
From: Kim Nielsen <none@kn--insecurity.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: Problems with isakmpd and protocol suites

Hi,

I have a problem getting $random VPN client to connect to my
isakmpd (OpenBSD). My isakmpd.conf is set up for roadwarriors in the
same way as http://www.allard.nu/openbsd/greenbow/ (even the same
client), but ..

The problem is that in the log (/var/log/daemon) it keeps trying to
negotiate other protocols than the ones I have set in my main mode and client

snip:
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: proposal 0 failed
Oct 18 11:40:24 tefnut isakmpd[1935]: hash_get: requested algorithm 1
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: transform 2 proto 1 proposal 0 ok
Oct 18 11:40:24 tefnut isakmpd[1935]: sa_add_transform: proto 0x3c147dc0 no 0 proto 1 chosen 0x3c14c720 sa 0x3c12e400 id 1
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_match_num: LIFE_MAIN_MODE:LIFE_DURATION 60<=3600<=86400?
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: proposal 0 failed
Oct 18 11:40:24 tefnut isakmpd[1935]: hash_get: requested algorithm 0
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: transform 3 proto 1 proposal 0 ok
Oct 18 11:40:24 tefnut isakmpd[1935]: sa_add_transform: proto 0x3c149000 no 0 proto 1 chosen 0x3c14c840 sa 0x3c12e400 id 1
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_match_num: LIFE_MAIN_MODE:LIFE_DURATION 60<=3600<=86400?
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: proposal 0 failed
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: no compatible proposal found
Oct 18 11:40:24 tefnut isakmpd[1935]: dropped message from 62.242.xxx.xxx port 500 due to notification type NO_PROPOSAL_CHOSEN

isakmpd.conf:

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 83.93.xxx.xxx
Shared-SADB= Defined
NAT-T-Keepalive= 10

[Phase 1]
Default= ISAKMP-clients

[Phase 2]
Connections= IPsec-home-mi,IPsec-home-motd
Passive-Connections= IPsec-clients

# Roadwarriors
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= Greenbow-main-mode
Authentication= rapand

[IPsec-clients]
Phase= 2
ISAKMP-peer= ISAKMP-peer-A
Configuration= Greenbow-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Greenbow-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP2

[Greenbow-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE

Does anyone have an idea why isakmpd does not try to use the protocol
suites (main mode, quick mode) I have tried to set up? I have even tried
taking the log from the Greenbow client to see what it actually sends and
putting that into my configuration, but since it does not look like it
actually tries to use the values, it doesn't work.

Regards,
Kim
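The debug output quoted in the post already answers the question of which configuration isakmpd consulted: every `conf_get_str` line reads the `Transforms=` list from the built-in `[Default-phase-1-configuration]` section (whose transform is `3DES-SHA-RSA_SIG`), never from `[Greenbow-main-mode]`, and the two `attribute_unacceptable` lines show the peer offering `PRE_SHARED` authentication and `MD5` hashing against that default. Reading that by hand out of a wall of `conf_get_str` noise is error-prone, so the following is an added example (not part of the post, not code from isakmpd or the bsd-dk list) that parses those lines and reports the section consulted, the per-transform attribute mismatches, and the final notification. The embedded log is an excerpt of the lines quoted above, with the peer address already masked by the original poster; the regular expressions match only the message formats visible in that excerpt; `Greenbow-main-mode` is the section name from the poster's own isakmpd.conf.

```python
import re
from dataclasses import dataclass, field

# Message formats as they appear in the isakmpd debug lines quoted above.
RE_TRANSFORM = re.compile(
    r"message_negotiate_sa: transform (\d+) proto (\d+) proposal (\d+) ok")
RE_TRANSFORMS_LIST = re.compile(r"conf_get_str: \[([^\]]+)\]:Transforms->(\S+)")
RE_UNACCEPTABLE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
RE_DROPPED = re.compile(
    r"dropped message from (\S+) port (\d+) due to notification type (\w+)")

# Constructed sample: an excerpt of the post's own /var/log/daemon output.
SAMPLE_LOG = """\
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: proposal 0 failed
Oct 18 11:40:24 tefnut isakmpd[1935]: hash_get: requested algorithm 1
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: transform 2 proto 1 proposal 0 ok
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: proposal 0 failed
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: transform 3 proto 1 proposal 0 ok
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG
Oct 18 11:40:24 tefnut isakmpd[1935]: conf_get_str: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 18 11:40:24 tefnut isakmpd[1935]: ike_phase_1_validate_prop: failure
Oct 18 11:40:24 tefnut isakmpd[1935]: message_negotiate_sa: no compatible proposal found
Oct 18 11:40:24 tefnut isakmpd[1935]: dropped message from 62.242.xxx.xxx port 500 due to notification type NO_PROPOSAL_CHOSEN
"""


@dataclass
class Mismatch:
    transform: int      # number of the peer transform being validated
    section: str        # isakmpd.conf section whose Transforms= list was consulted
    attribute: str      # IKE attribute that failed (e.g. HASH_ALGORITHM)
    got: str            # value the peer proposed
    expected: str       # value the local transform requires


@dataclass
class NegotiationReport:
    sections: list = field(default_factory=list)        # consulted sections, in order
    local_transforms: set = field(default_factory=set)  # transform names read from them
    mismatches: list = field(default_factory=list)      # Mismatch records
    notification: str = ""                              # final notification type, if any
    peer: str = ""                                      # "address:port" of the peer


def parse_isakmpd_log(text):
    """Walk the debug lines in order, tracking which peer transform and which
    config section the following attribute checks belong to."""
    report = NegotiationReport()
    current_transform = None
    current_section = None
    for line in text.splitlines():
        m = RE_TRANSFORM.search(line)
        if m:
            current_transform = int(m.group(1))
            continue
        m = RE_TRANSFORMS_LIST.search(line)
        if m:
            current_section = m.group(1)
            if current_section not in report.sections:
                report.sections.append(current_section)
            report.local_transforms.update(m.group(2).split(","))
            continue
        m = RE_UNACCEPTABLE.search(line)
        if m:
            report.mismatches.append(
                Mismatch(current_transform, current_section, *m.groups()))
            continue
        m = RE_DROPPED.search(line)
        if m:
            report.peer = f"{m.group(1)}:{m.group(2)}"
            report.notification = m.group(3)
    return report


def check_phase1(report, intended_section):
    """Return human-readable findings: whether the intended section was used at
    all, each attribute the peer offered that the local transform rejected, and
    how the exchange ended."""
    findings = []
    if intended_section not in report.sections:
        findings.append(
            f"phase 1 proposals were validated against {', '.join(report.sections)}, "
            f"not against the intended section {intended_section!r}")
    for mm in report.mismatches:
        findings.append(
            f"transform {mm.transform}: peer offered {mm.attribute}={mm.got}, "
            f"[{mm.section}] transform list requires {mm.expected}")
    if report.notification:
        findings.append(f"exchange with {report.peer} ended with {report.notification}")
    return findings


if __name__ == "__main__":
    for finding in check_phase1(parse_isakmpd_log(SAMPLE_LOG), "Greenbow-main-mode"):
        print(finding)
```

Run against the excerpt, the first finding is the one that matters for the poster's question: the proposals were validated against `Default-phase-1-configuration`, so the `Greenbow-main-mode` transforms never entered the comparison. The remaining findings list what the client actually sent (pre-shared-key authentication in transform 2, MD5 in transform 3), which is the information to reconcile between the `Authentication=` setting and the transform list before touching anything else.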



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:53 CET