IPsec: problems after upgrade 4.8 to 4.9

Holger Eitzenberger Holger.Eitzenberger at t-online.de
Fri Mar 19 14:05:48 PST 2004


Hi,

I was successfully running FBSD 4.8 with X509 certificate VPN.
After installation of FBSD 4.9 I get the following error messages:

	isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
	ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
	(*) ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
	ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
	ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
	ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.  

The connecting peer is a Linux box (FreeSwan 1.99).

Line (*) looks suspicious to me.  Is there some persistent data
between two VPN "sessions", which is now missing on one side of
the link after installation?

This is my racoon configuration:

    path include "/usr/local/etc/racoon" ;
    path certificate "/usr/local/etc/racoon/cert";

    log notify;							# notify, debug, debug2

    padding
    {
        maximum_length 20;	# maximum padding length.
        strict_check off;	# enable strict check.
        exclusive_tail off;	# extract last one octet.
    }

    listen
    {
        isakmp XXX.XXX.XXX.XXX [500];
    }

    timer
    {
        counter 5;
        interval 20 sec;
        persend 1;

        phase1 30 sec;
        phase2 15 sec;
    }

    remote anonymous
    {
        exchange_mode main;

        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "XXX.pem" "XXX.pem";
        peers_certfile "YYY.pem";
        passive on;

        lifetime time 1 hour;				# sec,min,hour
        support_proxy on;
        proposal_check obey;

        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
    }

/Holger


-- 
++ GnuPG Key -> http://www.t-online.de/~holger.eitzenberger ++
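The line marked (*) is racoon's print_ph1mismatched() output: the value after "=" is "<own proposal>:<peer proposal>", so here the local racoon.conf offers the 1024-bit MODP group (dh_group 2) while the FreeS/WAN peer proposes the 1536-bit group (dh_group 5). The following script is an added example, not part of the original post or of racoon; it parses such lines from a racoon log and maps the MODP size the peer wants back to the dh_group number racoon.conf uses (the sample log is constructed from the lines quoted above).

```python
import re

# racoon.conf dh_group numbers for the MODP groups racoon prints (IKE groups 1, 2, 5).
MODP_BITS_TO_DH_GROUP = {768: 1, 1024: 2, 1536: 5}

# Matches racoon's print_ph1mismatched() line. The value after "=" is
# "<local value>:<peer value>", the DB side being our own racoon.conf proposal.
MISMATCH_RE = re.compile(
    r"rejected (?P<attr>\w+): DB\([^)]*\):Peer\([^)]*\) = (?P<local>.+?):(?P<peer>.+)$"
)

def modp_to_dh_group(value):
    """Map '1536-bit MODP group' to the racoon.conf dh_group number 5 (None if unknown)."""
    m = re.match(r"(\d+)-bit MODP group", value)
    return MODP_BITS_TO_DH_GROUP.get(int(m.group(1))) if m else None

def parse_ph1_mismatch(line):
    """Return (attribute, local value, peer value) for a mismatch line, else None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return m.group("attr"), m.group("local").strip(), m.group("peer").strip()

def diagnose(log_text):
    """Collect every phase 1 mismatch in a racoon log and phrase each as a config finding."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_ph1_mismatch(line)
        if parsed is None:
            continue
        attr, local, peer = parsed
        finding = {"attr": attr, "local": local, "peer": peer, "suggest": None}
        if attr == "dh_group":
            grp = modp_to_dh_group(peer)
            if grp is not None:
                # A second proposal block with this line would let racoon accept the peer.
                finding["suggest"] = "dh_group %d;" % grp
        findings.append(finding)
    return findings

# Sample log, constructed from the racoon lines quoted in the post.
SAMPLE_LOG = """\
isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("%s: local %s vs peer %s" % (f["attr"], f["local"], f["peer"]))
        if f["suggest"]:
            print("  peer would be accepted by a proposal containing: " + f["suggest"])
```

Whether to add a dh_group 5 proposal locally or change the peer's IKE group is a policy choice; the point of the parse is that the mismatch is a negotiated-parameter difference, not lost session state.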