[Openswan Users] Openswan & ISAKMP (OpenBSD) interoperability

Peter McGill petermcgill at goco.net
Tue Aug 26 12:37:33 EDT 2008


Laurent,

The error you're getting is caused by a configuration mismatch.

I've never attempted with isakmpd myself, but from the
isakmpd ipsec.conf man page, I would suggest the following:

OpenBSD ipsec.conf:
ike esp from 10.50.0.0/24 to 192.168.9.0/24 peer 1.2.3.4 \
	main auth hmac-sha1 enc aes group modp1024 \
	quick auth hmac-sha1 enc aes group modp1024 \
	psk "mynicepassphrase"

Linux ipsec.conf:
conn lnx-bsd
	left=1.2.3.4
	leftsubnet=192.168.9.0/24
	right=2.3.4.5
	rightsubnet=10.50.0.0/24
	ike=aes-sha1;modp1024
	esp=aes-sha1
	pfs=yes
	authby=secret
	auto=start

The isakmpd main line matches the ike line in openswan, likewise
the isakmpd quick line matches the esp and pfs lines in openswan.

Peter
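To make the mapping above checkable rather than eyeballed, here is a small Python script (an added example for this thread, not code from Openswan or OpenBSD) that parses the `ike` rule from an OpenBSD ipsec.conf and the `conn` block from an openswan ipsec.conf, normalises both into the same phase 1 / phase 2 vocabulary, and reports every attribute that cannot line up. The algorithm-name table, the sample configurations (taken from the two mails in this thread plus one constructed 3DES variant) and the assumption that openswan reuses the phase 1 group for phase 2 when `pfs=yes` and no group is given on the `esp=` line are all this example's own choices.

```python
import re
import shlex

# Each side spells the algorithms differently; map both onto one vocabulary.
# Table constructed for this example from the names used in the thread.
ISAKMPD_NAMES = {
    "aes": "aes", "3des": "3des", "hmac-sha1": "sha1", "hmac-md5": "md5",
    "modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048",
    "none": "none",
}
OPENSWAN_NAMES = {
    "aes": "aes", "3des": "3des", "sha1": "sha1", "md5": "md5",
    "modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048",
}


def parse_isakmpd(text):
    """Parse one OpenBSD 'ike' rule into {'main': {...}, 'quick': {...}}.

    Only the auth/enc/group words after 'main' and 'quick' are collected;
    from/to/peer/psk are skipped. Backslash continuations are folded first.
    """
    toks = shlex.split(re.sub(r"\\\s*\n", " ", text))  # shlex strips psk quotes
    phases = {"main": {}, "quick": {}}
    phase, i = None, 0
    while i < len(toks):
        tok = toks[i]
        if tok in phases:
            phase, i = tok, i + 1
        elif phase and tok in ("auth", "enc", "group") and i + 1 < len(toks):
            phases[phase][tok] = ISAKMPD_NAMES.get(toks[i + 1], toks[i + 1])
            i += 2
        else:
            i += 1
    return phases


def _openswan_proposals(value):
    """Turn 'aes-sha1;modp1024,3des-md5' into per-attribute sets of offers."""
    offers = {"enc": set(), "auth": set(), "group": set()}
    for proposal in value.split(","):
        algs, _, group = proposal.strip().partition(";")
        enc, _, auth = algs.partition("-")
        offers["enc"].add(OPENSWAN_NAMES.get(enc, enc))
        if auth:
            offers["auth"].add(OPENSWAN_NAMES.get(auth, auth))
        if group:
            offers["group"].add(OPENSWAN_NAMES.get(group, group))
    return {k: v for k, v in offers.items() if v}


def parse_openswan(text):
    """Parse an openswan 'conn' block into the same layout; values are sets
    because openswan may offer several proposals in one ike= or esp= line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line:
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip()
    phases = {"main": {}, "quick": {}}
    if "ike" in opts:
        phases["main"] = _openswan_proposals(opts["ike"])
    if "esp" in opts:
        phases["quick"] = _openswan_proposals(opts["esp"])
    # Example assumption: pfs=yes without an explicit esp= group reuses the
    # phase 1 group; pfs=no is what isakmpd spells as 'group none'.
    pfs = opts.get("pfs")
    if "group" not in phases["quick"]:
        if pfs == "no":
            phases["quick"]["group"] = {"none"}
        elif pfs == "yes" and "group" in phases["main"]:
            phases["quick"]["group"] = set(phases["main"]["group"])
    return phases


def compare_proposals(bsd, lnx):
    """List every attribute that cannot match; an empty list means aligned."""
    findings = []
    for phase in ("main", "quick"):
        for attr in ("enc", "auth", "group"):
            want, offered = bsd[phase].get(attr), lnx[phase].get(attr)
            if want is None or offered is None:
                side = ("both sides" if want is None and offered is None
                        else "isakmpd" if want is None else "openswan")
                findings.append(f"{phase} {attr}: not pinned on {side}; "
                                "implementation defaults decide and may differ")
            elif want not in offered:
                findings.append(f"{phase} {attr}: isakmpd expects {want}, "
                                f"openswan offers {'/'.join(sorted(offered))}")
    return findings


# Sample configurations: the two from the thread, plus a constructed 3DES case.
ORIGINAL_BSD = 'ike esp from 10.50.0.0/24 to 192.168.9.0/24 \\\n\tpeer 1.2.3.4 psk "mynicepassphrase"\n'
ORIGINAL_LNX = "conn lnx-bsd\n\tleft=1.2.3.4\n\tleftsubnet=192.168.9.0/24\n\tright=2.3.4.5\n\trightsubnet=10.50.0.0/24\n\tauthby=secret\n\tauto=start\n"
FIXED_BSD = ('ike esp from 10.50.0.0/24 to 192.168.9.0/24 peer 1.2.3.4 \\\n'
             '\tmain auth hmac-sha1 enc aes group modp1024 \\\n'
             '\tquick auth hmac-sha1 enc aes group modp1024 \\\n\tpsk "mynicepassphrase"\n')
FIXED_LNX = "conn lnx-bsd\n\tike=aes-sha1;modp1024\n\tesp=aes-sha1\n\tpfs=yes\n\tauthby=secret\n"
MISMATCH_LNX = "conn lnx-bsd\n\tike=3des-sha1;modp1024\n\tesp=aes-sha1\n\tpfs=yes\n"

if __name__ == "__main__":
    for label, bsd, lnx in (("as posted", ORIGINAL_BSD, ORIGINAL_LNX),
                            ("3des on linux", FIXED_BSD, MISMATCH_LNX),
                            ("as suggested", FIXED_BSD, FIXED_LNX)):
        print(label, compare_proposals(parse_isakmpd(bsd), parse_openswan(lnx)) or "OK")
```

Run against the configurations as originally posted, the script reports every phase 1 and phase 2 attribute as unpinned on both sides, which is exactly the situation in which the two daemons' built-in defaults (3DES offered, AES expected) decide the outcome; with the suggested configuration it reports nothing.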

Laurent CARON wrote:
> Hi,
> 
> I'm basically trying to setup a VPN between Openswan (Linux) and ISAKMPd 
> (OpenBSD).
> 
> 1.2.3.4 the public IP of the linux box
> 2.3.4.5 the public IP of the bsd box
> 
> /etc/ipsec.conf on OpenBSD
> ike esp from 10.50.0.0/24 to 192.168.9.0/24 \
> 	peer 1.2.3.4 psk "mynicepassphrase"
> 
> 
> /etc/ipsec.conf on Linux
> conn lnx-bsd
>      leftsubnet=192.168.9.0/24
>      left=1.2.3.4
>      right=2.3.4.5
>      rightsubnet=10.50.0.0/24
>      authby=secret
>      auto=start
> 
> Needless to say there is a matching entry in /etc/ipsec.secrets
> 1.2.3.4 2.3.4.5 : PSK "mynicepassphrase"
> 
> Here are the logs on the BSD side:
> Aug 26 17:26:09 fw-001 isakmpd[19145]: attribute_unacceptable: 
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
> Aug 26 17:26:09 fw-001 last message repeated 3 times
> Aug 26 17:26:09 fw-001 isakmpd[19145]: message_negotiate_sa: no 
> compatible proposal found
> Aug 26 17:26:09 fw-001 isakmpd[19145]: dropped message from 1.2.3.4 port 
> 500 due to notification type NO_PROPOSAL_CHOSEN
> 
> 
> Here are the logs on the Linux side:
> Aug 26 22:25:02 jakarta pluto[11508]: packet from 2.3.4.5:500: ignoring 
> informational payload, type NO_PROPOSAL_CHOSEN
> Aug 26 22:25:02 jakarta pluto[11508]: packet from 2.3.4.5:500: received 
> and ignored informational message
> 
> Did anyone set up such a VPN between ISAKMPd and OpenSwan?
> 
> Thanks
> 
> Laurent