IPsec phase 1 and 2 negotiation in an infinite loop.
Mike Tancsa
mike at sentex.net
Tue Sep 6 13:22:27 UTC 2011
On 9/5/2011 11:58 PM, Mikhail Goriachev wrote:
> (p: #1 protoid=isakmp transform=1
> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
> value=7080)(type=enc value=3des)(type=auth
> value=preshared)(type=hash value=sha1)(type=group desc
> value=modp1024))))
> (vid: len=16 afcad71372a1f1c96b8696fc99570100)
> 03:17:31.637424 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto UDP
> (17), length 108)
> w.x.y.z.500 > a.b.c.d.500: [udp sum ok] isakmp 1.0 msgid cookie ->:
> phase 1 R ident:
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=isakmp transform=1
> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
> value=7080)(type=enc value=3des)(type=auth
> value=preshared)(type=hash value=sha1)(type=group desc
> value=modp1024))))
OK, both sides are 3des, psk and sha1 dhgroup 1. Thats good.
>
> Note: a.b.c.d is my end. w.x.y.z is the other end. "vid:", "ke:" and
> "nonce:" are scrambled.
> flag=0x8000, lorv=AES-CBC
> Sep 5 20:40:27 vpnmach racoon: DEBUG: encryption(aes)
> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Hash Algorithm, flag=0x8000,
> lorv=MD5
> Sep 5 20:40:27 vpnmach racoon: DEBUG: hash(md5)
> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Authentication Method,
... yet, you have AES and md5 ?? where are those coming from ? Do you
have an extra config for the remote somewhere in your files perhaps that
is matching ?
---Mike
> remote w.x.y.z {
> exchange_mode main;
> proposal_check obey;
>
> proposal {
> encryption_algorithm 3des;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group modp1024;
> }
> }
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-questions
mailing list