This is a discussion on VPN: Symbian S60v3FP1-cellphone against OpenBSD 4.2 with certificates within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hi,

anybody ever managed to connect a Nokia Cellphone (in my case the Nokia E90 communicator) against an OpenBSD 4.2 based VPN with certificates?

If so: what kind of settings did you use with the "Nokia Mobile VPN Client Policy Tool" (see: http://www.businesssoftware.nokia.co..._downloads.php )?

My OpenBSD configuration seems to be okay. I managed to connect a Test-Notebook using the Shrewsoft VPN-Client 2.1.1 successfully to the OpenBSD-Box using Certificates.

Using Debugging I get messages like:

----- cut here ----
031735.781606 Default rsa_sig_decode_hash: SIG payload length does not match public key
031735.781869 Default dropped message from a.b.c.d port 500 due to notification type INVALID_ID_INFORMATION
----- cut here ----

but I'm not sure if those messages actually are my problem or just the result of an error I didn't yet see.

Anyway I don't know how I can fix this problem and having tried for hours now I feel sort of like a dumbass :-(

Anybody out there who can help?

Regards

Hi all,

ok, I got a bit further. Sorry I'm not that experienced with IPSEC on OpenBSD. I now have the following configuration:

---------------------- snip --------------------------
ike passive esp tunnel from any to 192.168.3.0/24 local armamix.dorfplatz \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group none srcid armamix.dorfplatz psk mysecretpwd tag vpn_$id

ike passive esp tunnel from any to 192.168.1.2 local armamix.dorfplatz \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group none srcid armamix.dorfplatz psk mysecretpwd tag vpn_$id
--------------------- snip ---------------------------

I now can see traffic going through the tunnel and coming back. Unfortunately my firewall always tells the road warrior that the IP it wants to reach is unreachable. See the following tcpdump:

---------------------- snip ---------------------
21:50:24.760625 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 48:416(368) ack 12 win 65218 <nop,nop,timestamp 3160391928 2104003155> (DF) (encap)
21:50:24.766522 (authentic,confidential): SPI 0x78916094: 192.168.3.151.3389 > 10.129.196.1.39892: P 12:337(325) ack 416 win 63825 <nop,nop,timestamp 2104003158 3160391928> (DF) (encap)
21:50:25.160969 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:428(12) ack 337 win 64893 <nop,nop,timestamp 3160847053 2104003158> (DF) (encap)
21:50:25.161403 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
21:50:27.380852 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:436(20) ack 337 win 64893 <nop,nop,timestamp 3163076428 2104003158> (DF) (encap)
21:50:27.381266 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
---------------------- snip --------------------------

What happens here?

The Firewall (you see it here as 192.168.1.2) is also directly connected to 192.168.3.151 as it has an interface in 192.168.3.x. Why does the firewall think that 192.168.3.151 is unreachable?

Another thing which is weird: If I'm using a Notebook instead of the Cellphone, everything works without any problem !!! Then I don't get any Unreachables !!!

Doing ipsecctl -m didn't show that much of a difference in both connections. I simply don't understand.

Anyone out there, any idea which can help? I'd appreciate it.

Regards
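
The capture quoted in the post above shows 192.168.3.151 answering through the tunnel and, under half a second later, the gateway reporting that same host unreachable. The following is an added example, not part of the original post: a Python sketch that parses those decrypted tcpdump lines and lists every ICMP host-unreachable whose subject had already sent TCP traffic in the same capture. The function names are hypothetical, and the sample input is the post's capture re-broken to one packet per line.

```python
import re

# Constructed sample: the capture from the post, one packet per line.
CAPTURE = """\
21:50:24.760625 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 48:416(368) ack 12 win 65218 <nop,nop,timestamp 3160391928 2104003155> (DF) (encap)
21:50:24.766522 (authentic,confidential): SPI 0x78916094: 192.168.3.151.3389 > 10.129.196.1.39892: P 12:337(325) ack 416 win 63825 <nop,nop,timestamp 2104003158 3160391928> (DF) (encap)
21:50:25.160969 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:428(12) ack 337 win 64893 <nop,nop,timestamp 3160847053 2104003158> (DF) (encap)
21:50:25.161403 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
21:50:27.380852 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:436(20) ack 337 win 64893 <nop,nop,timestamp 3163076428 2104003158> (DF) (encap)
21:50:27.381266 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
"""

IP = r"\d+(?:\.\d+){3}"
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \(authentic,confidential\): SPI (0x[0-9a-f]+): (.*)$")
TCP = re.compile(rf"^({IP})\.(\d+) > ({IP})\.(\d+): ")           # src.port > dst.port
UNREACH = re.compile(rf"^({IP}) > ({IP}): icmp: host ({IP}) unreachable")

def seconds(ts):
    """Convert tcpdump's HH:MM:SS.usec timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def contradictions(capture):
    """List ICMP host-unreachable reports about hosts that already sent TCP packets."""
    last_seen = {}   # source IP -> time of its most recent TCP packet
    findings = []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue                      # not a decrypted ESP line, skip it
        ts, spi, rest = m.groups()
        tcp = TCP.match(rest)
        if tcp:
            last_seen[tcp.group(1)] = seconds(ts)
            continue
        icmp = UNREACH.match(rest)
        if icmp and icmp.group(3) in last_seen:
            reporter, _, host = icmp.groups()
            findings.append({"time": ts, "spi": spi, "reporter": reporter, "host": host,
                             "since_last_reply": round(seconds(ts) - last_seen[host], 6)})
    return findings

if __name__ == "__main__":
    for f in contradictions(CAPTURE):
        print(f)
```

Each finding names the reporter of the ICMP error, the outbound SPI it was sent on, and how long before it the "unreachable" host had last been seen talking.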