Thread: isakmp to ipsec
Old 17th November 2010
badguy
isakmp to ipsec

I am trying to convert from isakmpd.conf/isakmpd.policy to ipsec.conf and I am using preshared keys.
Here are the configs. I want to use ipsec.conf as I can't seem to get it to work with isakmpd.conf. Can I get a little assistance with this? The whole idea is to allow remote clients (spokes) to use the GreenBow VPN client to connect to an OpenBSD box that is at the office (hub). Thanks

Right now I get this error -->
Nov 16 15:12:29 vpnKim isakmpd[8569]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 16 15:12:29 vpnKim isakmpd[8569]: message_negotiate_sa: no compatible proposal found
Nov 16 15:12:29 vpnKim isakmpd[8569]: dropped message from 9.2.9.2 port 51717 due to notification type NO_PROPOSAL_CHOSEN

# cat /etc/isakmpd/isakmpd.conf
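# /etc/isakmpd/isakmpd.conf -- hub (office) side: responder for roaming
# TheGreenBow clients that authenticate with a preshared key.
# Comments must be on a line of their own. isakmpd does not strip a
# trailing "# ..." from a value, so the original
# "Address= 0.0.0.0 # change this" was read as the literal address
# "0.0.0.0 # change this".
# The PSK below is stored in cleartext: keep this file owned by root
# and mode 0600.
[General]
Retransmits= 3

# Phase 1 peer section used for incoming connections from any address.
[Phase 1]
Default= thegreenbowP1

# Phase 2 connections we accept from peers but never initiate.
# The documented tag is "Passive-connections" (isakmpd.conf(5)); the
# original "Passives-connections" is not a known tag and is ignored, so
# no Phase 2 connection would be accepted.
[Phase 2]
Passive-connections= thegreenbowP2

[thegreenbowP1]
Phase= 1
Transport= udp
# change this: placeholder for the remote client's address.
# NOTE(review): for a passive "Default" peer whose clients roam, an
# Address tag may not be needed at all -- confirm against isakmpd.conf(5).
Address= 0.0.0.0
Configuration= Default-main-mode
# Preshared key. It must equal the passphrase named in the Licensees
# field of isakmpd.policy. NOTE(review): the posted policy reads
# "passphrase: seriously?" with a space after the colon, while the
# sample in isakmpd.policy(5) uses "passphrase:<key>" with none --
# confirm the two strings match exactly.
Authentication= seriously?

[thegreenbowP2]
Phase= 2
ISAKMP-peer= thegreenbowP1
Configuration= Default-quick-mode
Local-ID= network_corporate
Remote-ID= client_thegreenbow

# Hub-side network offered to the client: 10.0.0.0/8.
[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

# Client-side Phase 2 ID. NOTE(review): the posted GreenBow client
# config uses 10.3.1.2 as its local address, not 10.3.100.1; the two
# sides must agree or quick mode will fail -- confirm.
[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1

# Main mode: 3DES / SHA / MODP 1024. As far as isakmpd.conf(5)
# documents, the predefined 3DES-SHA-GRP2 transform uses PRE_SHARED
# authentication and the RSA variant carries a -RSA_SIG suffix.
# NOTE(review): the logged "got PRE_SHARED, expected RSA_SIG" therefore
# suggests isakmpd selected a different Phase 1 configuration for this
# peer (for example one loaded from ipsec.conf via ipsecctl) -- confirm
# which configuration is active with isakmpd's -D debug output.
# NOTE(review): the ipsec.conf(5) counterpart of this setup is roughly
# "ike passive esp from 10.0.0.0/8 to any psk <the key>" -- confirm the
# peer/ID keywords against ipsec.conf(5) before switching.
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

# Quick mode: ESP AES / SHA with PFS; pairs with the client's
# AES128 / HMAC_SHA / MODP_1024 / TUNNEL transform.
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE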

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Example of configuration between TheGreenBow VPN client and OpenBSD
Authorizer: "POLICY"
Licensees: "passphrase: seriously?"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";


GreenBow client config:
# TheGreenBow client-side configuration (isakmpd-style syntax).
# Global daemon settings: retransmits, exchange timeout, Phase 1 lifetime
# (seconds, with the negotiable range after the comma) and DPD timers.
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

# Phase 2 SA lifetime in seconds; referenced by the transform's Life tag.
[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

# The hub's public address selects the Phase 1 peer section below.
[Phase 1]
8.8.8.6 = tgbtest-P1

# Main mode proposal: 3DES / SHA / MODP 1024, same as the hub's
# Default-main-mode.
[tgbtest-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[tgbtest-P1]
Phase = 1
Address = 8.8.8.6
Transport = udp
Configuration = tgbtest-main-mode
# NOTE(review): the value carries an extra trailing quote ("seriously?"").
# If the client stores the quote characters literally, this key will not
# equal the hub's "seriously?" -- confirm the exact key on both sides.
Authentication = "seriously?""

# ==================== PHASES 2 ====================

# Connection is started manually from the client (AutoStart = 0 below).
[Phase 2]
Manual-connections = tgbtest-tgbtest-P2

[tgbtest-tgbtest-P2]
Phase = 2
ISAKMP-peer = tgbtest-P1
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
Configuration = tgbtest-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

# Client's Phase 2 local ID. NOTE(review): this address (10.3.1.2) must
# match the Remote-ID the hub expects; the posted hub config names
# 10.3.100.1 -- confirm.
[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2

# Hub-side network reached through the tunnel: 10.0.0.0/8.
[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0

# ==================== TRANSFORMS ====================

[tgbtest-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = tgbtest-quick-mode-suite

[tgbtest-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF

# ESP AES-128 (128..256 negotiable) / HMAC-SHA, PFS with MODP 1024,
# tunnel mode; lifetime taken from Default-phase-2-lifetime above.
[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
# No certificate settings: this profile authenticates with the PSK above.