isakmpd-netscreen vpn problem
Marco Mascagni
*nix forums beginner
Joined: 17 Jun 2006
Posts: 3
Posted: Sat Jun 17, 2006 5:17 pm    Post subject: isakmpd-netscreen vpn problem

Good morning,
I'm trying to establish a VPN between an OpenBSD 3.9 box and a NetScreen 5GT.
My problem is that I always receive the following from the isakmpd daemon:

211413.373841 Default check_policy: negotiated SA failed policy check
211413.374349 Default dropped message from a.b.c.d. port 500 due to
notification type NO_PROPOSAL_CHOSEN
211413.374925 Default initiator_recv_HASH_SA_NONCE: policy check failed

and from netscreen box:
IKE<e.f.g.h>: Received a notification message for DOI <1> <14>
<NO-PROPOSAL-CHOSEN>.

I'm using the same suite on the NetScreen and on OpenBSD (QM-ESP-3DES-SHA-SUITE).
Thank you very much
Marco Mascagni
*nix forums beginner
Joined: 17 Jun 2006
Posts: 3
Posted: Sat Jun 17, 2006 6:39 pm    Post subject: Re: isakmpd-netscreen vpn problem

Update:
This is the isakmpd.conf file:
[General]
Listen-On= b.b.b.b

[Phase 1]
a.a.a.a= peer-asp

[Phase 2]
Connections= VPN-test-asp

[peer-asp]
Phase= 1
Transport= udp
Address= a.a.a.a
Configuration= Default-main-mode
Authentication= my-key

[VPN-test-asp]
Phase= 2
ISAKMP-peer= peer-asp
Configuration= Default-quick-mode
Local-ID= test-internal-network
Remote-ID= asp-internal-network

[test-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.10.0
Netmask= 255.255.255.0

[asp-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0


[LIFE_MAIN_MODE]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,120:86400

[LIFE_QUICK_MODE]
LIFE_TYPE= SECONDS
LIFE_DURATION= 1800,60:28800

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-SUITE

This is the isakmpd.policy file:

KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true" &&;

and finally the NetScreen config:

set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "squid" protocol tcp src-port 0-65535 dst-port 3128-3128
set service "PC-ANY" protocol tcp src-port 5600-5799 dst-port 5600-5799
set service "PC-ANY" + udp src-port 5600-5799 dst-port 5600-5799
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.0.254/24
set interface trust nat
set interface untrust ip a.a.a.a/29
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust manage ident-reset
set flow tcp-mss
unset flow tcp-syn-check
set hostname ns5gt

set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 151.1.1.1
set dns host dns2 62.94.0.1
set address Trust "rete_aspviareggio" 192.168.0.0 255.255.255.0
set address Untrust "test" 10.10.10.0 255.255.255.0 "prova di mascagni"
set ike gateway "gw_test" address b.b.b.b Main outgoing-interface "untrust" preshare "my-key" proposal "pre-g2-3des-sha" "pre-g2-3des-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_test" gateway "gw_test" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-sha"
set scheduler "agg_antivirus" recurrent monday start 13:30 stop 14:30
set scheduler "agg_antivirus" recurrent tuesday start 13:30 stop 14:30
set scheduler "agg_antivirus" recurrent wednesday start 13:30 stop 14:30
set scheduler "agg_antivirus" recurrent thursday start 13:30 stop 14:30
set scheduler "agg_antivirus" recurrent friday start 13:30 stop 14:30
unset av http webmail enable
set av profile "scan-mgr"
set ftp scan-mode scan-all
set ftp decompress-layer 2
set http scan-mode scan-all
set imap scan-mode scan-all
set imap decompress-layer 2
set pop3 scan-mode scan-all
set pop3 decompress-layer 2
unset smtp enable
set smtp scan-mode scan-all
set smtp decompress-layer 2
exit
set av scan-mgr pattern-update-url http://5gt-p.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 150
set av scan-mgr max-content-size 4000
unset av scan-mgr max-content-size drop
unset av scan-mgr max-msgs drop
set url protocol sc-cpa
exit
set policy id 36 name "test" from "Untrust" to "Trust" "test" "rete_aspviareggio" "ANY" tunnel vpn "vpn_test" id 7 pair-policy 35
set policy id 36
exit
set policy id 35 name "test" from "Trust" to "Untrust" "rete_aspviareggio" "test" "ANY" tunnel vpn "vpn_test" id 7 pair-policy 36
set policy id 35
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway c.c.c.c
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit



Thank you very much
jKILLSPAM.schipper@math.u
*nix forums Guru Wannabe
Joined: 13 Nov 2005
Posts: 202
Posted: Sun Jun 18, 2006 11:50 am    Post subject: Re: isakmpd-netscreen vpn problem

Marco Mascagni <mas.marco@tiscali.it> wrote:
> Update:
>
> This is the isakmpd.policy file:
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true" &&;

Looks malformed, remove the '&&' at the end. The null condition,
apparently, is allowed but fails every time. So, you end up with an
algorithm that is not allowed.

Joachim
Marco Mascagni
*nix forums beginner
Joined: 17 Jun 2006
Posts: 3
Posted: Sun Jun 18, 2006 1:38 pm    Post subject: Re: isakmpd-netscreen vpn problem

Thank you very much.
I removed the final "&&" and now it works (also by adding a line).
This is the final (working) version of isakmpd.policy for my VPN.

KeyNote-Version: 2
Comment: Accept ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:my-key"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "3des" &&
esp_auth_alg == "hmac-sha" -> "true";
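A small lint check for the Conditions field of an isakmpd.policy, added here as an illustration and not code from the thread or from isakmpd/KeyNote: it accepts only the plain `attr op "string" && ... -> "true";` shape the two policies above use (an assumption; real KeyNote allows much more) and flags the dangling `&&` Joachim pointed out, which isakmpd itself reports only as "policy check failed".

```python
import re
# Constructed sample inputs, copied from the two policies posted in this thread:
# the malformed one (dangling "&&" before ";") and the final working one.
BROKEN_POLICY = """KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true" &&;
"""
WORKING_POLICY = """KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "3des" &&
esp_auth_alg == "hmac-sha" -> "true";
"""
# Tokens of the simplified grammar checked below (assumption: real KeyNote allows more).
TOKEN_RE = re.compile(r'\s*(&&|==|!=|->|;|"[^"]*"|[A-Za-z_]\w*)')

def conditions_of(policy):
    """Return the Conditions field text up to and including its ';', or None."""
    m = re.search(r'Conditions:(.*?;)', policy, re.S)
    return m.group(1) if m else None

def check_conditions(cond):
    """Lint a Conditions field against the shape used in this thread:
         attr (==|!=) "str" ( && attr (==|!=) "str" )* -> "str" ;
    Returns (ok, message); a dangling operator yields ok == False."""
    cond, toks, pos = cond.strip(), [], 0
    while pos < len(cond):                      # tokenize
        m = TOKEN_RE.match(cond, pos)
        if not m:
            return False, f"unexpected text at offset {pos}: {cond[pos:pos + 10]!r}"
        toks.append(m.group(1))
        pos = m.end()
    i = 0
    while True:                                 # comparison ( && comparison )*
        if (i + 2 >= len(toks) or not toks[i].isidentifier()
                or toks[i + 1] not in ("==", "!=") or not toks[i + 2].startswith('"')):
            return False, f"malformed comparison at token {i}: {toks[i:i + 3]}"
        i += 3
        if i >= len(toks) or toks[i] != "&&":
            break
        i += 1
    if toks[i:i + 1] != ["->"] or i + 1 >= len(toks) or not toks[i + 1].startswith('"'):
        return False, f"expected '-> \"value\"' after comparisons, got {toks[i:i + 2]}"
    i += 2
    if toks[i:] != [";"]:
        return False, f"stray tokens before ';': {toks[i:]}"
    return True, "ok"
```

Running `check_conditions(conditions_of(BROKEN_POLICY))` reports the stray `&&` before the `;`, while the working policy passes.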