IPsec: problems after upgrade 4.8 to 4.9
Holger Eitzenberger
Holger.Eitzenberger at t-online.de
Fri Mar 19 14:05:48 PST 2004
Hi,
I was successfully running FBSD 4.8 with X509 certificate VPN.
After installation of FBSD 4.9 I get the following error messages:
isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
(*) ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.
The connecting peer is a Linux box (FreeSwan 1.99).
Line (*) looks suspicious to me. Is there some persistent data
between two VPN "sessions", which is now missing on one side of
the link after installation?
This is my racoon configuration:
path include "/usr/local/etc/racoon";
path certificate "/usr/local/etc/racoon/cert";
log notify; # notify, debug, debug2

padding
{
    maximum_length 20;   # maximum padding length.
    strict_check off;    # enable strict check.
    exclusive_tail off;  # extract last one octet.
}

listen
{
    isakmp XXX.XXX.XXX.XXX [500];
}

timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "XXX.pem" "XXX.pem";
    peers_certfile "YYY.pem";
    passive on;
    lifetime time 1 hour;  # sec,min,hour
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
/Holger
--
++ GnuPG Key -> http://www.t-online.de/~holger.eitzenberger ++
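The triage helper below is an added example, not part of the original post or of racoon itself: it parses the print_ph1mismatched() lines racoon writes when a phase-1 proposal is rejected (the sample log is copied from the error output above) and maps each "N-bit MODP group" value to the racoon dh_group number, so the local racoon.conf and the peer's proposal can be compared side by side. The group-size table follows RFC 2409 and RFC 3526.

```python
"""Parse racoon phase-1 proposal-mismatch log lines (added example)."""
import re

# Sample input: racoon log lines copied from the post above.
SAMPLE_LOG = """\
isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
"""

# MODP group size in bits -> IKE/racoon dh_group number (RFC 2409, RFC 3526).
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}

# "DB(...)" is the local racoon.conf proposal, "Peer(...)" is what the peer sent;
# the two values after "=" are given as local:peer.
MISMATCH_RE = re.compile(
    r"print_ph1mismatched\(\): rejected (?P<attr>\w+): "
    r"DB\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = (?P<local>.+?):(?P<peerval>.+)$"
)
MODP_RE = re.compile(r"(\d+)-bit MODP group")


def dh_group_number(value):
    """Map an 'N-bit MODP group' string to racoon's dh_group number, or None."""
    m = MODP_RE.search(value)
    if not m:
        return None
    return MODP_BITS_TO_GROUP.get(int(m.group(1)))


def parse_ph1_mismatches(log_text):
    """Return one dict per rejected phase-1 attribute found in log_text."""
    results = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        entry = {"attribute": m.group("attr"),
                 "local": m.group("local").strip(),
                 "peer": m.group("peerval").strip()}
        if entry["attribute"] == "dh_group":
            entry["local_group"] = dh_group_number(entry["local"])
            entry["peer_group"] = dh_group_number(entry["peer"])
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in parse_ph1_mismatches(SAMPLE_LOG):
        print(entry)
```

For the log above the script reports local_group 2 and peer_group 5, i.e. the two sides are configured for different DH groups in phase 1.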