Date:      Fri, 16 Nov 2001 11:54:17 +1000
From:      Nick Slager <ns@BlueSkyFrog.COM>
To:        freebsd-security@freebsd.org
Subject:   KAME IPsec <--> Cisco
Message-ID:  <20011116115417.F22136@BlueSkyFrog.COM>

I'm attempting to set up a VPN between a box running FreeBSD
4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5).
Using racoon 20011026a for key exchange.

When I ping the other end, racoon logs the following:

...
2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).


And that's as far as we get. An SA is not established.

I'm guessing that "invalid spi_size" message is the problem; the next
line "spi=(size=0)" also seems odd. Is anyone able to shed some light
on what is going wrong?

Relevant sections of racoon.conf are below. Note that the Cisco
supports only DES/MD5.

Thanks,


Nick


remote 203.x.x.x
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;
        peers_identifier address;

        nonce_size 16;
        lifetime time 24 hour;  # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

sainfo address 203.x.x.x any address 203.y.y.y any
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}
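An added example (not from the original post, and not racoon/KAME code) that decodes the kind of ISAKMP Informational message the log above reports: a Notification payload (next-payload type 11) carrying NO-PROPOSAL-CHOSEN (type 14) with doi=1, proto_id=1 and spi_size=0. The header and payload layouts follow RFC 2408; the packet bytes, cookies and message id are constructed for the example, and the diagnosis strings are the example's own wording.

```python
import struct
from dataclasses import dataclass

# RFC 2408 (ISAKMP) constants used below
NPTYPE_NOTIFY = 11               # matches "seen nptype=11(notify)" in the racoon log
NOTIFY_NO_PROPOSAL_CHOSEN = 14   # matches "notification message 14:NO-PROPOSAL-CHOSEN"
PROTO_ISAKMP = 1                 # proto_id=1 in the log
XCHG_INFORMATIONAL = 5
# header: icookie, rcookie, next payload, version, exchange type, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# notify payload fixed part: next payload, reserved, length, DOI, proto_id, SPI size, type
NOTIFY_FIXED = struct.Struct("!BBHIBBH")

@dataclass
class Notify:
    doi: int
    proto_id: int
    spi_size: int
    msg_type: int
    spi: bytes

def parse_notify(packet: bytes) -> Notify:
    """Decode an Informational message whose first payload is a Notification."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, np, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    if np != NPTYPE_NOTIFY:
        raise ValueError(f"unexpected first payload type {np}")
    off = ISAKMP_HDR.size
    _np, _rsvd, plen, doi, proto, spi_size, mtype = NOTIFY_FIXED.unpack_from(packet, off)
    if plen < NOTIFY_FIXED.size + spi_size or off + plen > len(packet):
        raise ValueError("bad notification payload length")
    spi_start = off + NOTIFY_FIXED.size
    return Notify(doi, proto, spi_size, mtype, packet[spi_start:spi_start + spi_size])

def diagnose(n: Notify) -> str:
    """Turn the decoded payload into the condition the log lines describe."""
    if n.msg_type == NOTIFY_NO_PROPOSAL_CHOSEN and n.proto_id == PROTO_ISAKMP:
        return f"peer accepted no phase 1 proposal (NO-PROPOSAL-CHOSEN), spi_size={n.spi_size}"
    return f"notify type {n.msg_type} for proto_id {n.proto_id}"

def build_no_proposal_chosen(spi: bytes = b"") -> bytes:
    """Construct (example data, not a capture) the message shape seen in the log."""
    body = NOTIFY_FIXED.pack(0, 0, NOTIFY_FIXED.size + len(spi), 1, PROTO_ISAKMP,
                             len(spi), NOTIFY_NO_PROPOSAL_CHOSEN) + spi
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, NPTYPE_NOTIFY, 0x10,
                          XCHG_INFORMATIONAL, 0, 0x1234, ISAKMP_HDR.size + len(body))
    return hdr + body
```

Running `diagnose(parse_notify(build_no_proposal_chosen()))` reproduces the spi_size=0 case from the log; passing a 16-byte cookie pair as `spi` shows the alternative RFC 2408 encoding for an ISAKMP-protocol notification.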

