isakmp to ipsec
I am trying to convert from isakmpd.conf/isakmpd.policy to ipsec.conf and I am using preshared keys.

Here are the configs. I want to use ipsec.conf as I can't seem to get it to work with isakmpd.conf. Can I get a little assistance with this? The whole idea is to allow remote clients (spokes) to use the GreenBow VPN client to connect to an OpenBSD box that is at the office (hub). Thanks.

Right now I get this error:

Nov 16 15:12:29 vpnKim isakmpd[8569]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 16 15:12:29 vpnKim isakmpd[8569]: message_negotiate_sa: no compatible proposal found
Nov 16 15:12:29 vpnKim isakmpd[8569]: dropped message from 9.2.9.2 port 51717 due to notification type NO_PROPOSAL_CHOSEN

# cat /etc/isakmpd/isakmpd.conf
[General]
Retransmits= 3

[Phase 1]
default = thegreenbowP1

[Phase 2]
Passives-connections= thegreenbowP2

[thegreenbowP1]
Phase= 1
Transport= udp
Address= 0.0.0.0 # change this
Configuration= Default-main-mode
Authentication= seriously?

[thegreenbowP2]
Phase= 2
ISAKMP-peer= thegreenbowP1
Configuration= Default-quick-mode
Local-ID= network_corporate
Remote-ID= client_thegreenbow

[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
         Example of configuration between TheGreenBow VPN client and OpenBSD
Authorizer: "POLICY"
Licensees: "passphrase: seriously?"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";

GREENBOW CONF

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================
[Phase 1]
8.8.8.6 = tgbtest-P1

[tgbtest-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[tgbtest-P1]
Phase = 1
Address = 8.8.8.6
Transport = udp
Configuration = tgbtest-main-mode
Authentication = "seriously?""

# ==================== PHASES 2 ====================
[Phase 2]
Manual-connections = tgbtest-tgbtest-P2

[tgbtest-tgbtest-P2]
Phase = 2
ISAKMP-peer = tgbtest-P1
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
Configuration = tgbtest-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================
[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2

[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0

# ==================== TRANSFORMS ====================
[tgbtest-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = tgbtest-quick-mode-suite

[tgbtest-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
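The post asks for the ipsec.conf(5) equivalent of the hub's isakmpd.conf above. The following is an added example, not the poster's file and not anything from TheGreenBow or OpenBSD documentation. It mirrors the proposals in the configs in the thread: main mode as in the predefined 3DES-SHA-GRP2 transform (3DES, SHA-1, MODP group 2), quick mode as in the client's TGBQM-ESP-AES128-SHA-PFSGRP2-TUN suite (ESP, AES-128, HMAC-SHA1, PFS with group 2, tunnel mode), and the flow between the corporate 10.0.0.0/8 network and the client address. It assumes the client's identity is 10.3.100.1 as in the hub's [client_thegreenbow] section (note that the client's own config uses 10.3.1.2 for its local address, so the two files in the thread disagree on that value); the pre-shared key is a placeholder rather than the passphrase pasted in the post.

```conf
# Added example: hub-side /etc/ipsec.conf for a passive (responder) IKEv1
# tunnel with a pre-shared key. Not the poster's file; values below are
# taken from the configs in the thread except where marked as assumptions.

corp_net  = "10.0.0.0/8"     # hub's [network_corporate] subnet
client_ip = "10.3.100.1"     # assumed: hub's [client_thegreenbow] address

# "passive" makes the hub wait for the spoke to initiate, like
# Passive-connections in isakmpd.conf. "peer any" accepts any initiator
# address. "psk" selects the PRE_SHARED authentication method for main
# mode, so both sides propose the same AUTHENTICATION_METHOD.
ike passive esp tunnel from $corp_net to $client_ip peer any \
        main  auth hmac-sha1 enc 3des    group modp1024 \
        quick auth hmac-sha1 enc aes-128 group modp1024 \
        psk "REPLACE-WITH-A-LONG-RANDOM-PSK"
```

When ipsec.conf is used, isakmpd is normally started with the -K flag (no isakmpd.policy check) and the rules are loaded with `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which is a cheap way to catch syntax errors before touching the live SADB, and `ipsecctl -s all` shows the resulting flows and SAs. Because the file carries the pre-shared key in clear text, keep it readable by root only (mode 0600).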