Problem with IPSEC between OpenBSD and VMware vCloud Air platform


Problem with IPSEC between OpenBSD and VMware vCloud Air platform

georgek
Hi,
I am trying to create an IPSEC tunnel between an OpenBSD 5.8 and VMware's
vCloud Air cloud platform.

The options that I can set from the vmware side (they provide a GUI) are
specific and they are the following:

-Local networks
-Remote networks
-Peer
-Pre shared key
-Encryption (3DES)

On the OpenBSD side I use ipsec.conf and the contents are the following:

ike esp from 192.168.66.0/24 to 192.168.55.0/24 peer ABC.DEF.GHI.JKL main
auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha2-256 enc
blowfish psk MY-PSK-PHRASE

When I start isakmpd and ipsecctl -f /etc/ipsec.conf I always get the
following message and the SAs are never created.

133935.717470 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
PRE_SHARED, expected RSA_SIG
133935.717808 Default message_negotiate_sa: no compatible proposal found
133935.717916 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
notification type NO_PROPOSAL_CHOSEN
133944.988656 Default transport_send_messages: giving up on exchange
peer-ABC.DEF.GHI.JKL , no response from peer ABC.DEF.GHI.JKL :500
133945.755693 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
PRE_SHARED, expected RSA_SIG
133945.755884 Default message_negotiate_sa: no compatible proposal found
133945.755930 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
notification type NO_PROPOSAL_CHOSEN

It seems that although I specify that I want a psk to be used, it expects a
pub key.

Thank you,
George


Re: Problem with IPSEC between OpenBSD and VMware vCloud Air platform

georgek
It seems that I was provided the wrong peer IP (which was also running an
IPSEC endpoint but with different settings). So after placing the right IP
address in the ipsec.conf the flows are established although I get some
errors like:

Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs:
initiator id 192.168.55.0/255.255.255.0, responder id
192.168.66.0/255.255.255.0
180852.346361 Default dropped message from A.B.C.D port 500 due to
notification type INVALID_ID_INFORMATION

The problem now is that I can ping from one side to another (from cloud to
our premises) but not the opposite direction.

Thanks,
George

On Tue, May 10, 2016 at 1:40 PM, George Kourvoulis <[hidden email]> wrote:

> Hi,
> I am trying to create an IPSEC tunnel between an OpenBSD 5.8 and VMware's
> vCloud Air cloud platform.
>
> The options that I can set from the vmware side (they provide a GUI) are
> specific and they are the following:
>
> -Local networks
> -Remote networks
> -Peer
> -Pre shared key
> -Encryption (3DES)
>
> On the OpenBSD side I use ipsec.conf and the contents are the following:
>
> ike esp from 192.168.66.0/24 to 192.168.55.0/24 peer ABC.DEF.GHI.JKL main
> auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha2-256 enc
> blowfish psk MY-PSK-PHRASE
>
> When I start isakmpd and ipsecctl -f /etc/ipsec.conf I always get the
> following message and the SAs are never created.
>
> 133935.717470 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
> PRE_SHARED, expected RSA_SIG
> 133935.717808 Default message_negotiate_sa: no compatible proposal found
> 133935.717916 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 133944.988656 Default transport_send_messages: giving up on exchange
> peer-ABC.DEF.GHI.JKL , no response from peer ABC.DEF.GHI.JKL :500
> 133945.755693 Default attribute_unacceptable: AUTHENTICATION_METHOD: got
> PRE_SHARED, expected RSA_SIG
> 133945.755884 Default message_negotiate_sa: no compatible proposal found
> 133945.755930 Default dropped message from ABC.DEF.GHI.JKL port 500 due to
> notification type NO_PROPOSAL_CHOSEN
>
> It seems that although I specify that I want a psk to be used, it expects
> a pub key.
>
> Thank you,
> George
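The two failure signatures in this thread (the AUTHENTICATION_METHOD mismatch followed by NO_PROPOSAL_CHOSEN in the first post, and the phase 2 ID rejection with INVALID_ID_INFORMATION in the follow-up) can be pulled out of isakmpd's output mechanically and checked against the ike flow line in ipsec.conf. The Python below is an added example, not code from the thread or from OpenBSD: it parses the flow line and the isakmpd messages, then relates each message to the configured peer address and networks. The log lines are constructed to match the shape quoted above, 203.0.113.10 is a documentation address standing in for the redacted peer, and the finding codes and wording are the example's own.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread. 203.0.113.10 is a documentation
# address standing in for the redacted peer ABC.DEF.GHI.JKL.
SAMPLE_CONF = (
    "ike esp from 192.168.66.0/24 to 192.168.55.0/24 peer 203.0.113.10 main "
    "auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha2-256 enc blowfish "
    "psk MY-PSK-PHRASE"
)

SAMPLE_LOG = """\
133935.717470 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
133935.717808 Default message_negotiate_sa: no compatible proposal found
133935.717916 Default dropped message from 203.0.113.10 port 500 due to notification type NO_PROPOSAL_CHOSEN
Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.55.0/255.255.255.0, responder id 192.168.66.0/255.255.255.0
180852.346361 Default dropped message from 203.0.113.10 port 500 due to notification type INVALID_ID_INFORMATION
"""

FLOW_RE = re.compile(r"^ike\s+(?:(?:esp|ah)\s+)?from\s+(\S+)\s+to\s+(\S+)\s+peer\s+(\S+)")
LOG_RE = re.compile(r"^(?:\d+\.\d+\s+)?Default\s+(.*)$")
AUTH_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")
P2_RE = re.compile(r"invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")


def parse_flow(conf):
    """Extract local net, remote net, peer and auth style from one ike flow line."""
    m = FLOW_RE.match(" ".join(conf.split()))
    if not m:
        raise ValueError("not an ike flow line")
    return {
        "local": ipaddress.ip_network(m.group(1)),
        "remote": ipaddress.ip_network(m.group(2)),
        "peer": m.group(3),
        "psk": re.search(r"\bpsk\s+\S+", conf) is not None,
    }


def parse_log(text):
    """Turn isakmpd 'Default ...' lines into structured events; other lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        a = AUTH_RE.search(body)
        d = DROP_RE.search(body)
        p = P2_RE.search(body)
        if a:
            events.append({"kind": "attribute", "attr": a.group(1),
                           "got": a.group(2), "expected": a.group(3)})
        elif d:
            events.append({"kind": "dropped", "peer": d.group(1),
                           "port": int(d.group(2)), "notify": d.group(3)})
        elif p:
            # isakmpd prints IDs as address/netmask; ip_network accepts that form.
            events.append({"kind": "phase2_ids",
                           "initiator": ipaddress.ip_network(p.group(1)),
                           "responder": ipaddress.ip_network(p.group(2))})
    return events


def diagnose(flow, events):
    """Return (code, message) findings relating each event to the configured flow."""
    findings = []
    for ev in events:
        if ev["kind"] == "attribute" and ev["attr"] == "AUTHENTICATION_METHOD":
            if flow["psk"] and {ev["got"], ev["expected"]} != {"PRE_SHARED"}:
                findings.append(("AUTH_METHOD_MISMATCH",
                    f"{ev['got']} vs {ev['expected']}: the flow uses a PSK, so the two "
                    "ends disagree on phase 1 authentication; confirm the peer address "
                    "points at the endpoint that was configured for this PSK"))
        elif ev["kind"] == "dropped":
            if ev["peer"] != flow["peer"]:
                findings.append(("UNEXPECTED_PEER",
                    f"traffic from {ev['peer']} but the flow names peer {flow['peer']}"))
            elif ev["notify"] == "NO_PROPOSAL_CHOSEN":
                findings.append(("PEER_REJECTED_PROPOSAL",
                    f"{ev['peer']} rejected every phase 1 proposal"))
            elif ev["notify"] == "INVALID_ID_INFORMATION":
                findings.append(("PEER_IDS_REJECTED",
                    f"message from {ev['peer']} dropped with INVALID_ID_INFORMATION"))
        elif ev["kind"] == "phase2_ids":
            # As responder, the peer's initiator ID should be our remote net and its
            # responder ID our local net, i.e. the mirror image of the flow line.
            mirrored = ev["initiator"] == flow["remote"] and ev["responder"] == flow["local"]
            if mirrored:
                findings.append(("PHASE2_IDS_MIRROR_OK",
                    "peer's phase 2 IDs mirror the configured flow, so this is not a "
                    "swapped local/remote network; check that the flow is loaded "
                    "(ipsecctl -s flow) and that the peer's networks match exactly"))
            else:
                findings.append(("PHASE2_IDS_DIFFER",
                    f"peer proposes {ev['initiator']} -> {ev['responder']} but the flow "
                    f"expects {flow['remote']} -> {flow['local']}"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_flow(SAMPLE_CONF), parse_log(SAMPLE_LOG)):
        print(f"{code}: {msg}")
```

Run against the constructed log it reports the auth-method disagreement and the proposal rejection from the configured peer, which is exactly the pattern the follow-up explains (another IPsec endpoint with different settings answering at the address that was handed over), and it reports that the phase 2 IDs in the second error are the mirror image of the flow, so a swapped local/remote network is ruled out before looking further. Feeding it a flow line with the networks reversed, or with a different peer address, makes the corresponding PHASE2_IDS_DIFFER or UNEXPECTED_PEER finding appear instead.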