I have a isakmpd.conf and didn't work... why?
Here is isakmpd.conf
1. Configuration for VPN Gateway at location One (COSTA)

[General]
Retransmits= 5
Exchange-max-time= 120
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400

[Phase 1]
87.77.58.53= COSTA
87.77.56.6= ACASA
87.77.50.6= STEFAN

[Phase 2]
Connections= COSTAgate-ACASAgate, COSTAgate-STEFANgate,
COSTAgate-ACASAlan, COSTAgate-STEFANlan,
COSTAlan-ACASAgate, COSTAlan-STEFANgate,
COSTAlan-ACASAlan, COSTAlan-STEFANlan

## ISAKMP Phase 1 peer sections for COSTA (using authentication-keys 1 & 2)

[ACASA]
Phase= 1
Transport= udp
Local-Address= 87.77.58.53
Address= 87.77.56.6
Configuration= Default-main-mode
Authentication= 4162428485550fc0105768f533c0eca5

[STEFAN]
Phase= 1
Transport= udp
Local-Address= 87.77.58.53
Address= 87.77.50.6
Configuration= Default-main-mode
Authentication= d24747784d85f3e328b3ccaad05741d6

## IPSEC Phase 2 sections

[COSTAgate-ACASAgate]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= COSTAgate
Remote-ID= ACASAgate

[COSTAgate-STEFANgate]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= COSTAgate
Remote-ID= STEFANgate

[COSTAgate-ACASAlan]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= COSTAgate
Remote-ID= ACASAlan

[COSTAgate-STEFANlan]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= COSTAgate
Remote-ID= STEFANlan

[COSTAlan-ACASAgate]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= COSTAlan
Remote-ID= ACASAgate

[COSTAlan-STEFANgate]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= COSTAlan
Remote-ID= STEFANgate

[COSTAlan-ACASAlan]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= COSTAlan
Remote-ID= ACASAlan

[COSTAlan-STEFANlan]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= COSTAlan
Remote-ID= STEFANlan

## Client ID sections

[COSTAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

[ACASAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0

[STEFANlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.3.0
Netmask= 255.255.255.0

## Mode Descriptions

[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5

[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE

## Main Mode Transforms

[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
Life= LIFE_60_SECS,LIFE_1000_KB

[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72

[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536


2. Configuration for VPN Gateway at location Two (ACASA)

[General]
Retransmits= 5
Exchange-max-time= 120
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400

[Phase 1]
87.77.56.6= ACASA
87.77.58.53= COSTA
87.77.50.6= STEFAN

[Phase 2]
Connections= ACASAgate-COSTAgate, ACASAgate-STEFANgate,
ACASAgate-COSTAlan, ACASAgate-STEFANlan,
ACASAlan-COSTAgate, ACASAlan-STEFANgate,
ACASAlan-COSTAlan, ACASAlan-STEFANlan

## ISAKMP Phase 1 peer sections for ACASA (using authentication-keys 1 & 3)

[COSTA]
Phase= 1
Transport= udp
Local-Address= 87.77.56.6
Address= 87.77.58.53
Configuration= Default-main-mode
Authentication= 4162428485550fc0105768f533c0eca5

[STEFAN]
Phase= 1
Transport= udp
Local-Address= 87.77.56.6
Address= 87.77.50.6
Configuration= Default-main-mode
Authentication= 03548fb63add9f6552b5400b33db3b00

## IPSEC Phase 2 sections

[ACASAgate-COSTAgate]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= ACASAgate
Remote-ID= COSTAgate

[ACASAgate-STEFANgate]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= ACASAgate
Remote-ID= STEFANgate

[ACASAgate-COSTAlan]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= ACASAgate
Remote-ID= COSTAlan

[ACASAgate-STEFANlan]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= ACASAgate
Remote-ID= STEFANlan

[ACASAlan-COSTAgate]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= ACASAlan
Remote-ID= COSTAgate

[ACASAlan-STEFANgate]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= ACASAlan
Remote-ID= STEFANgate

[ACASAlan-COSTAlan]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= ACASAlan
Remote-ID= COSTAlan

[ACASAlan-STEFANlan]
Phase= 2
ISAKMP-peer= STEFAN
Configuration= Default-quick-mode
Local-ID= ACASAlan
Remote-ID= STEFANlan

## Client ID sections

[ACASAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0

[COSTAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

[STEFANlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.3.0
Netmask= 255.255.255.0

## Mode Descriptions

[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5

[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE

## Main Mode Transforms

[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
Life= LIFE_60_SECS,LIFE_1000_KB

[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72

[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536


3. Configuration for VPN Gateway at location Three (STEFAN)

[General]
Retransmits= 5
Exchange-max-time= 120
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400

[Phase 1]
87.77.50.6= STEFAN
87.77.58.53= COSTA
87.77.56.6= ACASA

[Phase 2]
Connections= STEFANgate-COSTAgate, STEFANgate-ACASAgate,
STEFANgate-COSTAlan, STEFANgate-ACASAlan,
STEFANlan-COSTAgate, STEFANlan-ACASAgate,
STEFANlan-COSTAlan, STEFANlan-ACASAlan

## ISAKMP Phase 1 peer sections for STEFAN (using authentication-keys 2 & 3)

[COSTA]
Phase= 1
Transport= udp
Local-Address= 87.77.50.6
Address= 87.77.58.53
Configuration= Default-main-mode
Authentication= d24747784d85f3e328b3ccaad05741d6

[ACASA]
Phase= 1
Transport= udp
Local-Address= 87.77.50.6
Address= 87.77.56.6
Configuration= Default-main-mode
Authentication= 03548fb63add9f6552b5400b33db3b00

## IPSEC Phase 2 sections

[STEFANgate-COSTAgate]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= STEFANgate
Remote-ID= COSTAgate

[STEFANgate-ACASAgate]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= STEFANgate
Remote-ID= ACASAgate

[STEFANgate-COSTAlan]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= STEFANgate
Remote-ID= COSTAlan

[STEFANgate-ACASAlan]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= STEFANgate
Remote-ID= ACASAlan

[STEFANlan-COSTAgate]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= STEFANlan
Remote-ID= COSTAgate

[STEFANlan-ACASAgate]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= STEFANlan
Remote-ID= ACASAgate

[STEFANlan-COSTAlan]
Phase= 2
ISAKMP-peer= COSTA
Configuration= Default-quick-mode
Local-ID= STEFANlan
Remote-ID= COSTAlan

[STEFANlan-ACASAlan]
Phase= 2
ISAKMP-peer= ACASA
Configuration= Default-quick-mode
Local-ID= STEFANlan
Remote-ID= ACASAlan

## Client ID sections

[STEFANlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.3.0
Netmask= 255.255.255.0

[ACASAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0

[COSTAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

## Mode Descriptions

[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5

[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE

## Main Mode Transforms

[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
Life= LIFE_60_SECS,LIFE_1000_KB

[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72

[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536

I could see a few problems, but first off, which is suppose to be your main concentrator? Also, what errors are you getting?

I just briefly looked over them, and you might consider setting a default in your Phase 1 to one to be the concentrator, instead of all three trying to authenticate each other.

my concentrator is COSTA.... and i receive on COSTA that message
isakmpd[31893]: conf_get_list: empty field, ignoring...
isakmpd[31893]: ipsec_get_id: section COSTAFORUgate has no "ID-type" tag
isakmpd[31893]: connection_init: could not record connection COSTAgate-ACASAgate"
isakmpd[31893]: ipsec_get_id: section COSTAFORUgate has no "ID-type" tag
isakmpd[31893]: connection_init: could not record connection COSTAFORUgate-STEFANgate"

on ACASA i receive
isakmpd[7200]: transport_send_messages: either this message did not reach the other peer
isakmpd[7200]: transport_send_messages: or the responsemessage did not reach us back

On COSTA, have it's Phase 1 connect to itself, like so:

[Phase 1]
Default= ISAKMP-peer-default

Get rid of those other connections in Phase 1. COSTA doesn't need to connect to them, but do leave the peer parameters in the next section.


Then add this to your Phase 1 peer section:


[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode

Since this is accepting the incoming transmits, then it shouldn't have to connect to anything but itself.

Also, on your Phase 2, you have more connections than you need. For instance, you have 'COSTAgate-ACASAlan' , 'COSTAlan-ACASAgate' , and 'COSTAlan-ACASAlan'. It looks like you ar getting your networks and peers mixed up in the naming. On the Phase 2 peer sections, you are only going to need 2. [concentrator-client1] and [concentrator-client2]. Then in the Phase 2 Local and Remote IDs, the Local is going to be the system using the conf file. So for COSTA, all Local-IDs will be COSTAlan. And the Remote will be the peer's network.

kernel killer i run your isakmpd.conf and on the client side i receive

141945.060818 Default conf_parse: last line non-terminated, ignored.
141946.915000 Default exchange_run: doi->initiator (0x3c12a000) failed
142246.110791 Default exchange_run: doi->initiator (0x3c066a00) failed
142446.131275 Default exchange_run: doi->initiator (0x3c066a00) failed

Did you happen to check out the Tutorial (http://screamingelectron.org/forum/showthread.php?t=1686) I wrote for such a setup? It covers the exact same setup you are wanting to accomplish. Also, you might want to start with just 2 networks first, and then add the 3rd one in. I'll be more thna happy to help you with your questions, but I think you are missing some of the logic that goes along with the configuration.

Also, please start a new thread so that others can also benifit from your specific questions

i have that isakmpd.conf file...

192.168.110.0 - 192.168.110.101/xx.xx.xx.xx -> INTERNET <- yy.yy.yy.yy/192.168.120.120 <- 192.168.120.0

#Costaforu ISAKMPD.conf

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= xx.xx.xx.xx

[Phase 1]
yy.yy.yy.yy= StefanGW

[Phase 2]
Connections= CostaforuNET-StefanNET

[StefanGW]
Phase= 1
Transport= udp
Local-address= xx.xx.xx.xx
Address= yy.yy.yy.yy
Configuration= Default-main-mode
Authentication= parola

[CostaforuNET-StefanNET]
Phase= 2
ISAKMP-peer= StefanGW
Configuration= Default-quick-mode
Local-ID= CostaforuNET
Remote-ID= StefanNET

[StefanNET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.120.0
Netmask= 255.255.255.0

[CostaforuNET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

isakmpd.policy (Costaforu and Stefan)

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:parola"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "NULL" -> "true";


#Stefan ISAKMPD.conf

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= yy.yy.yy.yy

[Phase 1]
xx.xx.xx.xx= CostaforuGW

[Phase 2]
Connections= StefanNET-CostaforuNET

[CostaforuGW]
Phase= 1
Transport= udp
Local-address= yy.yy.yy.yy
Address= xx.xx.xx.xx
Configuration= Default-main-mode
Authentication= parola

[StefanNET-CostaforuNET]
Phase= 2
ISAKMP-peer= CostaforuGW
Configuration= Default-quick-mode
Local-ID= StefanNET
Remote-ID= CostaforuNET

[StefanNET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.120.0
Netmask= 255.255.255.0

[CostaforuNET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

I run that config file and i receive on Costaforu..
isakmpd[9894]: dropped message from yy.yy.yy.yy port 500 due to notification type NO_PROPOSAL_CHOSEN

what should i do
Thanks

Try it without the policy file, and see if it works without it.

it's work with that policy file

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:password"
Conditions: app_domain == "IPsec policy" -> "true";

Thank's Kernel Killer