
ASL 5 <-> OpenBSD

I am trying to get a net-to-net VPN set up between isakmpd in OpenBSD and ASL 5, and I am having some problems. The OpenBSD box is stating:
Default exchange_run: exchange_validate failed
Default dropped message from 172.16.107.2 port 500 due to notification type PAYLOAD_MALFORMED

And the output from ASL is:
000  
000 "S_CFCU_-_HAFP_0": 10.0.1.0/24===172.16.107.2...172.16.107.19[C=US, ST=Indiana, L=West Lafayette, O=HAFP, OU=IT, CN=test1.org, E=root@test2.org]===10.0.3.0/24
000 "S_CFCU_-_HAFP_0":   CAs: 'C=us, ST=Indiana, L=West Lafayette, O=CFCU, OU=IT, CN=gatekeeper, E=user@test.net'...'%any'
000 "S_CFCU_-_HAFP_0":   ike_life: 3600s; ipsec_life: 600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_CFCU_-_HAFP_0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "S_CFCU_-_HAFP_0":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "S_CFCU_-_HAFP_0":   IKE algorithms wanted: 5_000-2-2, flags=-strict
000 "S_CFCU_-_HAFP_0":   IKE algorithms found:  5_192-2_160-2, 
000 "S_CFCU_-_HAFP_0":   ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=-strict
000 "S_CFCU_-_HAFP_0":   ESP algorithms loaded: 3_168-1_128, 
000  
000 #2: "S_CFCU_-_HAFP_0" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 30s
000  

I will post the configs below...


  • OpenBSD Config:

    [General]
    Policy-File=            /etc/isakmpd/isakmpd.policy
    Retransmits=            5
    Exchange-max-time=      120
    Listen-on=              172.16.107.19
    [Phase 1]
    172.16.107.2=           cfcu-gw
    [Phase 2]
    Connections=            hafp-gw-cfcu-gw
    [cfcu-gw]
    Phase=                  1
    Transport=              udp
    Local-address=          172.16.107.19
    Address=                172.16.107.2
    ID=                     my-ID
    Configuration=          Default-main-mode
    [my-ID]
    ID-type=                FQDN
    Name=           gateway.test.org
    [hafp-gw-cfcu-gw]
    Phase=                  2
    ISAKMP-peer=            cfcu-gw
    Configuration=          Default-quick-mode
    Local-ID=               Net-hafp
    Remote-ID=              Net-cfcu
    [Net-hafp]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.0.3.0
    Netmask=                255.255.255.0
    [Net-cfcu]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.0.1.0
    Netmask=                255.255.255.0
    [Default-main-mode]
    #DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-SHA,3DES-MD5
    [X509-certificates]
    CA-directory=           /etc/isakmpd/ca/
    Cert-directory=         /etc/isakmpd/certs/
    Private-key=            /etc/isakmpd/private/local.key
    [3DES-MD5]
    ENCRYPTION_ALGORITHM=   3DES_CBC
    HASH_ALGORITHM=         MD5
    AUTHENTICATION_METHOD=  RSA_SIG
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_3600_SECS #,LIFE_1000_KB
    [3DES-SHA]
    ENCRYPTION_ALGORITHM=   3DES_CBC
    HASH_ALGORITHM=         SHA
    AUTHENTICATION_METHOD=  RSA_SIG
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_3600_SECS
    [Default-quick-mode]
    EXCHANGE_TYPE=          QUICK_MODE
    Suites=                 QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
    [QM-ESP-3DES-MD5-PFS-SUITE]
    Protocols=              QM-ESP-3DES-MD5-PFS
    [QM-ESP-3DES-MD5-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-3DES-MD5-PFS-XF
    [QM-ESP-3DES-MD5-PFS-XF]
    TRANSFORM_ID=           3DES
    ENCAPSULATION_MODE=     TUNNEL
    AUTHENTICATION_ALGORITHM=       HMAC_MD5
    GROUP_DESCRIPTION=      MODP_1024
    Life=                   LIFE_600_SECS
    [QM-ESP-AES-SHA-PFS-SUITE]
    Protocols=              QM-ESP-AES-SHA-PFS
    [QM-ESP-AES-MD5-PFS-SUITE]
    Protocols=              QM-ESP-AES-MD5-PFS
    [QM-ESP-AES-SHA-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-AES-SHA-PFS-XF
    [QM-ESP-AES-MD5-PFS]
    PROTOCOL_ID=            IPSEC_ESP
    Transforms=             QM-ESP-AES-MD5-PFS-XF
    [QM-ESP-AES-SHA-PFS-XF]
    TRANSFORM_ID=            AES
    ENCAPSULATION_MODE=      TUNNEL
    AUTHENTICATION_ALGORITHM=HMAC_SHA
    GROUP_DESCRIPTION=       MODP_1024
    Life=                    LIFE_600_SECS
    [QM-ESP-AES-SHA-MD5-XF]
    TRANSFORM_ID=            AES
    ENCAPSULATION_MODE=      TUNNEL
    AUTHENTICATION_ALGORITHM=HMAC_MD5
    GROUP_DESCRIPTION=       MODP_1024
    Life=                    LIFE_600_SECS
    [LIFE_600_SECS]
    LIFE_TYPE=              SECONDS
    LIFE_DURATION=          600,450/720
    [LIFE_3600_SECS]
    LIFE_TYPE=              SECONDS
    LIFE_DURATION=          3600,1800:7200
  • IPSec Connection CFCU - HAFP
    Type: Standard
    IPSec Policy: HAFP
    Auto Packet Filter: On
    Strict Routing: On
    Local Endpoint: Outside
    Remote Endpoint: HAFP Outside
    Local Subnet: Internal (Network)
    Remote Subnet: HAFP Internal
    Key: X509: HAFP

    Policy:

    IKE Mode: Main Mode
    Encryption Algorithm: 3DES 168bit
    Authentication Algorithm: MD5 128bit
    IKE DH Group: DH Group 2 (MODP1024)
    SA Lifetime (secs): 3600
    IPSec Mode: Tunnel
    IPSec Protocol: ESP
    Encryption Algorithm: 3DES-CBC 168bit
    Enforce Algorithms: Off
    Authentication Algorithm: MD5 128bit
    SA Lifetime (secs): 600
    PFS: PFS Group 2 (MODP1024)
    Compression: Off

    I am trying to set these up with certificates and I believe the certs should be fine.  Any ideas?
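A consistency check for the isakmpd side, added here as an example; it is not code from the original post, from OpenBSD or from ASL. It parses the isakmpd.conf syntax, follows the section references that Phase 2 uses (Connections, ISAKMP-peer, Configuration, Suites, Protocols, Transforms, Life), reports names that do not resolve or are listed twice, and then lists the ESP transform/authentication pairs the OpenBSD side would actually propose next to what the posted ASL policy wants (3DES-CBC with MD5, written here in isakmpd's own names). The embedded sample is a trimmed copy of the Phase 2 sections posted above; the "wanted" list is an assumption read off the ASL policy. Note that the logged error (STATE_MAIN_I1, PAYLOAD_MALFORMED) occurs in main mode, so quick-mode findings from this check do not by themselves explain that message.

```python
"""Consistency checks for an isakmpd.conf quick-mode configuration.

Added example, not code from the original post, from OpenBSD or from ASL.
It parses the INI-like isakmpd.conf syntax, follows the section
references that Phase 2 uses (Connections -> ISAKMP-peer/Configuration
-> Suites -> Protocols -> Transforms -> Life), reports names that do not
resolve or are listed twice, and lists the ESP transform/authentication
pairs that would actually be proposed so they can be compared with what
the peer's policy wants.
"""
import re

# Constructed sample: a trimmed copy of the Phase 2 sections from the
# posted OpenBSD config (section names unchanged); [cfcu-gw] is reduced
# to two keys so that the ISAKMP-peer reference resolves.
SAMPLE_CONF = """\
[Phase 2]
Connections=            hafp-gw-cfcu-gw
[cfcu-gw]
Phase=                  1
Address=                172.16.107.2
[hafp-gw-cfcu-gw]
Phase=                  2
ISAKMP-peer=            cfcu-gw
Configuration=          Default-quick-mode
[Default-quick-mode]
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
[QM-ESP-AES-SHA-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS
[QM-ESP-AES-MD5-PFS-SUITE]
Protocols=              QM-ESP-AES-MD5-PFS
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-MD5-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-MD5-PFS-XF
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=            AES
AUTHENTICATION_ALGORITHM=HMAC_SHA
Life=                    LIFE_600_SECS
[QM-ESP-AES-SHA-MD5-XF]
TRANSFORM_ID=            AES
AUTHENTICATION_ALGORITHM=HMAC_MD5
Life=                    LIFE_600_SECS
[LIFE_600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          600,450/720
"""

# Assumption read off the posted ASL policy: ESP with 3DES-CBC and MD5,
# expressed in isakmpd's TRANSFORM_ID / AUTHENTICATION_ALGORITHM names.
ASL_WANTED_ESP = [("3DES", "HMAC_MD5")]

# Keys whose values name other sections in isakmpd.conf.
REFERENCE_KEYS = ("Connections", "ISAKMP-peer", "Configuration", "Suites",
                  "Protocols", "Transforms", "Life", "ID",
                  "Local-ID", "Remote-ID")


def parse_isakmpd_conf(text):
    """Parse isakmpd.conf syntax into {section: {key: value}}.
    '#' starts a comment (also after a value); keys keep their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unparsable line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def split_list(value):
    """Split a comma-separated isakmpd value, ignoring a trailing comma."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_references(sections):
    """Return human-readable findings: references to undefined sections
    and names repeated within one list (a duplicated suite adds nothing)."""
    findings = []
    for name, keys in sections.items():
        # In [Phase 1] every key is a peer address and every value a section.
        pairs = ([("<peer>", v) for v in keys.values()] if name == "Phase 1"
                 else [(k, keys[k]) for k in REFERENCE_KEYS if k in keys])
        for key, value in pairs:
            seen = set()
            for target in split_list(value):
                if target in seen:
                    findings.append(f"[{name}] {key}: '{target}' listed more than once")
                seen.add(target)
                if target not in sections:
                    findings.append(f"[{name}] {key}: section '{target}' is not defined")
    return findings


def offered_esp_transforms(sections, config_name):
    """Follow Suites -> Protocols -> Transforms from a quick-mode
    configuration and return the distinct (TRANSFORM_ID,
    AUTHENTICATION_ALGORITHM) pairs that would be proposed. Names that
    do not resolve are skipped here; check_references() reports them."""
    offered = []
    for suite in split_list(sections.get(config_name, {}).get("Suites", "")):
        for proto in split_list(sections.get(suite, {}).get("Protocols", "")):
            for xf in split_list(sections.get(proto, {}).get("Transforms", "")):
                transform = sections.get(xf)
                if transform is None:
                    continue
                pair = (transform.get("TRANSFORM_ID"),
                        transform.get("AUTHENTICATION_ALGORITHM"))
                if pair not in offered:
                    offered.append(pair)
    return offered


def proposal_overlap(offered, wanted):
    """Return the offered ESP pairs that the peer's policy also accepts;
    an empty result means quick mode cannot agree on a transform."""
    return [pair for pair in offered if pair in wanted]


if __name__ == "__main__":
    conf = parse_isakmpd_conf(SAMPLE_CONF)
    for finding in check_references(conf):
        print("finding:", finding)
    offered = offered_esp_transforms(conf, "Default-quick-mode")
    print("offered ESP:", offered)
    print("peer wants :", ASL_WANTED_ESP)
    print("overlap    :", proposal_overlap(offered, ASL_WANTED_ESP))
```

Run stand-alone, it prints the findings for the sample (the duplicated suite entry and the transform section referenced under one name but defined under another) and shows that the AES/SHA pair offered does not overlap with the 3DES/MD5 pair the ASL policy wants; point `parse_isakmpd_conf` at a real file to check a full configuration.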