mobile client to ipsec gateway

[milo974]

Hello,

I'm trying to do an ipsec tunnel using openbsd and client software : "Shrew Vpn client" (Windows xp) ; in first time i try it on my local network (not over internet). I ve also read man pages of ipsec.conf ; isakmpd ; ipsecctl

Here what i ve done :
On the openbsd (4.5) gateway (vpn.my.domain) ip: 192.168.0.111:
**rc.conf.local :
ipsec=YES
isakmpd="-K"
**ipsec.conf :
ike dynamic from any to any \
main auth hmac-sha1 enc aes group modp1024
quick auth hmac-sha1 enc aes psk 123456A
**pf is disable

On the client side :
Windows XP SP3
Shrew Vpn Client vers : 2.1.4
What i have done :
**Remote host : 192.168.0.111 port 500
Auto config ike config pull
** Local Host : use a virtual adapter
10.0.0.1/24
** Client
Nat disable
**Name resolution
all is disable
**Auth
Local host : auto ip address
Remote : auto ip address
Credential : mutual PSK and entry the preshared key (123456A).
**Phase 1
Exchange type : main
**Phase 2
Exchange type : esp-aes
**Policy
Obtain automatically...

When i try to connect i have the following message :
"config loaded for site '192.168.0.111'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon . "

I cant open ipsec tunnel, can you help me please ?

[jggimi]

Look for isakmpd negotiation errors in /var/log/daemon.

[milo974]

here is deamon log file :
isakmpd[29133] : udp_create : no address configured for "peer defaut"
isakmpd[29133] : exchange transport "udp" for peer default could not be created
;
;
Im looking for isakmpd.conf, i haven't it ...
Can you help me for this please ?
Thank's a lot !

[jggimi]

Quote:

Im looking for isakmpd.conf, i haven't it ...

You are using ipsecctl, and will not use an isakmpd.conf file. You are using the "-K" option with isakmpd; your configuration is in ipsec.conf instead. You should read man pages, when you are confused.

Quote:

-K When this option is given, isakmpd does not read the policy con-
figuration file and no keynote(4) policy check is accomplished.
This option can be used when policies for flows and SA establish-
ment are arranged by other programs like ipsecctl(8) or bgpd(8).

The error you are seeing:

Code:

isakmpd[29133] : udp_create : no address configured for "peer defaut"

is related to your ipsec.conf. Let's review it. If what you posted, above, is its exact contents:

Code:

ike dynamic from any to any \
 main auth hmac-sha1 enc aes group modp1024
 quick auth hmac-sha1 enc aes psk 123456A

It is missing a continuation "\" on the second line, preventing the third line from being used, and should have produced an error message when ipsecctl(8) attempted to configure it. It is using dynamic keying, which is inappropriate for gateways. It is using "peer default", which appears to be a problem, also.

Let me guess... you found this configuration in a "howto" somewhere on the Internet?

[milo974]

Hello,

i ve not forgotten the "\".
I don't see why it dosen't work, i need your help...

[jggimi]

I have never used Shrew, and cannot assist you with that side of your configuration.
----
Correct your ipsec.conf settings:

1. dynamic is an incorrect IKE mode. I recommend passive mode. Quoting the ipsec.conf(5) man page, red highlights mine:
   Quote:

   When passive is specified, isakmpd(8) will not immediately start negotiation of this tunnel, but wait for an incoming request from the remote peer. When active or dynamic is specified, negotiation will be started at once. The dynamic mode will additionally enable Dead Peer Detection (DPD) and use the local hostname as the identity of the local peer, if not specified by the srcid parameter. dynamic mode should be used for hosts with dynamic IP addresses like road warriors or dialup hosts.

2. The addresses in the ike configuration describe IP packets which get placed under ESP or AH protocols. You have described "any to any" but you do not define peers; peers are the tunnel end points.
3. One of your tunnel end points (peers) is 192.168.0.111. The other is the address of your workstation. The man page says:
   Quote:

   The peer parameter specifies the address or FQDN of the remote end-point. For host-to-host connections where dst is identical to remote, this option is generally not needed as it will be set to dst automatically. If it is not specified or if the keyword any is given, the default peer is used.

   Yours is not a host-to-host connection, it is, instead, any-to-any. Your error message stated
   Quote:

   no address configured for "peer default"

   Try adding a peer parameter to your ike statement.

[milo974]

In my case, "passive ike" is not a good thing, because i want the final use it at home (i ve dynamic ip).
Can you help me ?
Thank's

[jggimi]

Have you tried any peer settings, Milo? What else have you tried?

We can't see your console from here. From your posts, it looks like you're not doing any testing, just waiting for someone to tell you what to type in.

Try this ipsec.conf. Use passive, until you get this working, since you are testing this inside your local network. Note that this configuration does not use any-to-any:

Code:

ike passive from any to 192.168.0.111 peer any \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes psk 123456A

ike passive from 192.168.0.111 to any  \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes psk 123456A

Try this ipsec.conf. Reset the environment, by stopping isakmpd. After editing ipsec.conf, run isakmpd from the console, so you can see the output. For example:

# pkill isak
# vi /etc/ipsec.conf (edit as above)
# isakmpd -Kvd &
# ipsecctl -f /etc/ipsec.conf

Any error or success messages will appear on your console.

[milo974]

Hello,

Thank's a lot !
I ve done what you advise me :
Put this in my ipsec.conf
ike passive from any to 192.168.0.111 peer any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk 123456A
ike passive from 192.168.0.111 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk 123456A

I ve tested tunnel ipsec with GreenBow VPN Client, it works fine !
so thank you very much i will try this over internet.