From owner-freebsd-questions Tue Nov 26 15:08:38 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 25 Nov 2002 12:20:27 -0800
Subject: isakmpd issues
From: Cameron S. Watters
To: questions@freebsd.org
Message-Id: <562F1486-00B3-11D7-8AC3-00306599D91A@toolhouse.com>

Hello,

I've been working on setting up an IPSec connection between two hosts using isakmpd. I'm having two problems:

a) incorrect SPD entries being added by isakmpd
b) connection doesn't work if the FreeBSD/isakmpd box initiates

Any insight would be appreciated. If more info is needed I can provide that too.

Host A is an AS/400 running OS/400 V4R5. I don't control this host, and have had frustrating experiences with the brain-damaged IPSec implementation it has. Nonetheless I get to work with it.

Host B is a FreeBSD box (4.6-RELEASE) using ports/security/isakmpd as the IKE daemon because ports/security/racoon caused the AS/400 IPSec services to crash and burn.

A connection can successfully be established when/if the AS/400 is the initiator.
However, if the FreeBSD/isakmpd box initiates, negotiation fails during phase 2 and the AS/400 sends a notify with "NO_PROPOSAL_CHOSEN" as the contents. I'm awaiting details of the AS/400's log when this occurs.

When a connection IS negotiated, the SPD entries added are as such:

    a.a.a.a[any] b.b.b.b[any] any
        in ipsec
        ah/tunnel/a.a.a.a-b.b.b.b/use
        spid=96 seq=1 pid=41900
        refcnt=1
    b.b.b.b[any] a.a.a.a[any] any
        out ipsec
        ah/tunnel/b.b.b.b-a.a.a.a/require
        spid=95 seq=0 pid=41900
        refcnt=1

whereas they should be like this:

    a.a.a.a[any] 216.57.198.37[any] any
        in ipsec
        ah/transport/a.a.a.a-216.57.198.37/require
        spid=96 seq=1 pid=41900
        refcnt=1
    b.b.b.b[any] a.a.a.a[any] any
        out ipsec
        ah/transport/b.b.b.b-a.a.a.a/require
        spid=95 seq=0 pid=41900
        refcnt=1

My configuration file (included below) clearly specifies that it set up a transport connection, and not a tunnel connection.

    [General]
    Policy-File=                "/usr/local/etc/isakmpd/isakmpd.policy"
    Listen-on=                  b.b.b.b
    Default-phase-1-lifetime=   Widgetco-lifetime
    Default-phase-2-lifetime=   Widgetco-lifetime

    [Phase 1]
    a.a.a.a=                    ISAKMP-peer-widgetco

    [Phase 2]
    Connections=                IPsec-widgetco-toolhouse

    [ISAKMP-peer-widgetco]
    Phase=                      1
    Transport=                  udp
    Local-address=              b.b.b.b
    Address=                    a.a.a.a
    Configuration=              Widgetco-main-mode
    Authentication=             2alantis

    [IPsec-widgetco-toolhouse]
    Phase=                      2
    ISAKMP-peer=                ISAKMP-peer-widgetco
    Configuration=              Widgetco-quick-mode
    Local-ID=                   Net-toolhouse
    Remote-ID=                  Net-widgetco

    [Net-widgetco]
    ID-type=                    IPV4_ADDR
    Address=                    a.a.a.a

    [Net-toolhouse]
    ID-type=                    IPV4_ADDR
    Address=                    b.b.b.b

    [Widgetco-main-mode]
    DOI=                        IPSEC
    EXCHANGE_TYPE=              ID_PROT
    Transforms=                 MM-Widgetco

    [Widgetco-quick-mode]
    DOI=                        IPSEC
    EXCHANGE_TYPE=              QUICK_MODE
    Suites=                     QM-Widgetco-suite

    [Widgetco-lifetime]
    LIFE_TYPE=                  SECONDS
    LIFE_DURATION=              7200

    [Widgetco-lifetime-p2]
    LIFE_TYPE=                  SECONDS
    LIFE_DURATION=              1800

    [QM-Widgetco-suite]
    Protocols=                  QM-Widgetco-protocol

    [QM-Widgetco-protocol]
    PROTOCOL_ID=                IPSEC_AH
    Transforms=                 QM-Widgetco-transform

    [QM-Widgetco-transform]
    TRANSFORM_ID=               MD5
    ENCAPSULATION_MODE=         TRANSPORT
    AUTHENTICATION_ALGORITHM=   HMAC_MD5
    GROUP_DESCRIPTION=          MODP_768
    Life=                       Widgetco-lifetime-p2

    [MM-Widgetco]
    ENCRYPTION_ALGORITHM=       DES_CBC
    HASH_ALGORITHM=             SHA
    AUTHENTICATION_METHOD=      PRE_SHARED
    GROUP_DESCRIPTION=          MODP_768
    Life=                       Widgetco-lifetime

Cameron S. Watters | Programmer | 360.676.9275.105
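The mismatch the post describes (a config that asks for TRANSPORT while the kernel ends up with tunnel-mode policies, one of them at level `use`) is the kind of thing worth checking mechanically after every negotiation. The script below is an added example, not code from the original post or from the isakmpd project: it parses the INI-style isakmpd.conf, walks Phase 2 -> connection -> Configuration -> Suites -> Protocols -> Transforms to collect the configured ENCAPSULATION_MODE per protocol, parses an SPD dump in the layout quoted above (as printed by `setkey -DP`), and reports policies whose mode disagrees with the config, policies at level `use` (which let traffic pass in the clear when no SA exists, unlike `require`), and config lines that lack an `=` (such as the `GROUP_DESCRIPTION MODP_768` line in the posted config). The embedded config and SPD text are constructed samples mirroring the post; section names are the post's.

```python
"""Cross-check an isakmpd.conf against a setkey -DP style SPD dump (added example)."""
import re

# Constructed sample: the Phase 2 chain from the posted config, with its missing '='.
SAMPLE_CONF = """\
[Phase 2]
Connections=        IPsec-widgetco-toolhouse

[IPsec-widgetco-toolhouse]
Phase=              2
Configuration=      Widgetco-quick-mode

[Widgetco-quick-mode]
DOI=                IPSEC
EXCHANGE_TYPE=      QUICK_MODE
Suites=             QM-Widgetco-suite

[QM-Widgetco-suite]
Protocols=          QM-Widgetco-protocol

[QM-Widgetco-protocol]
PROTOCOL_ID=        IPSEC_AH
Transforms=         QM-Widgetco-transform

[QM-Widgetco-transform]
TRANSFORM_ID=       MD5
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION MODP_768
"""

# Constructed sample SPD dump in the layout the post quotes.
SAMPLE_SPD = """\
a.a.a.a[any] b.b.b.b[any] any
\tin ipsec
\tah/tunnel/a.a.a.a-b.b.b.b/use
\tspid=96 seq=1 pid=41900
\trefcnt=1
b.b.b.b[any] a.a.a.a[any] any
\tout ipsec
\tah/tunnel/b.b.b.b-a.a.a.a/require
\tspid=95 seq=0 pid=41900
\trefcnt=1
"""

# isakmpd PROTOCOL_ID values mapped to the protocol names setkey prints.
PROTO_NAME = {"IPSEC_AH": "ah", "IPSEC_ESP": "esp", "IPSEC_IPCOMP": "ipcomp"}

SPD_RE = re.compile(
    r"(?P<src>\S+)\[(?P<sport>[^\]]+)\]\s+(?P<dst>\S+)\[(?P<dport>[^\]]+)\]\s+(?P<ul>\S+)\s+"
    r"(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>ah|esp|ipcomp)/(?P<mode>tunnel|transport)/(?P<ends>[^/\s]*)/"
    r"(?P<level>use|require|default|unique)\s+spid=(?P<spid>\d+)"
)


def split_list(value):
    """isakmpd list values are comma separated (Connections, Suites, Protocols, ...)."""
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_conf(text):
    """Return ({section: {key: value}}, [problem strings]). '#' starts a comment."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" not in line:  # e.g. 'GROUP_DESCRIPTION MODP_768' is silently not a tag
            problems.append(f"line {lineno} in [{current}]: no '=' in {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections.setdefault(current, {})[key] = value
    return sections, problems


def configured_transforms(sections):
    """Walk Phase 2 -> connection -> quick-mode config -> suites -> protocols -> transforms."""
    out = []
    for conn in split_list(sections.get("Phase 2", {}).get("Connections", "")):
        qm = sections.get(sections.get(conn, {}).get("Configuration", ""), {})
        for suite in split_list(qm.get("Suites", "")):
            for proto in split_list(sections.get(suite, {}).get("Protocols", "")):
                psec = sections.get(proto, {})
                for xf in split_list(psec.get("Transforms", "")):
                    mode = sections.get(xf, {}).get("ENCAPSULATION_MODE")
                    out.append((conn, psec.get("PROTOCOL_ID", ""), (mode or "UNSPECIFIED").upper()))
    return out


def parse_spd(text):
    """Extract one dict per policy from a setkey -DP dump (whitespace/newlines are free-form)."""
    return [m.groupdict() for m in SPD_RE.finditer(text)]


def check(conf_text, spd_text):
    """Return findings: config syntax problems, mode mismatches and 'use'-level policies."""
    sections, findings = parse_conf(conf_text)
    wanted = configured_transforms(sections)
    for e in parse_spd(spd_text):
        modes = sorted({m for (_, p, m) in wanted if PROTO_NAME.get(p) == e["proto"]})
        if modes and e["mode"].upper() not in modes:
            findings.append(f"spid={e['spid']} {e['dir']}: kernel has {e['proto']}/{e['mode']} "
                            f"but config asks for {'/'.join(modes)}")
        if e["level"] == "use":
            findings.append(f"spid={e['spid']} {e['dir']}: level 'use' passes traffic in the clear "
                            "when no SA exists; 'require' drops it")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_CONF, SAMPLE_SPD):
        print(f)
```

On a live box the two inputs would be the real `/usr/local/etc/isakmpd/isakmpd.conf` and the output of `setkey -DP`; the regex tolerates the dump's tab-indented continuation lines, and an empty endpoint field (`ah/transport//require`) is accepted as well as the address form shown in the post.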