Date: Fri, 16 Nov 2001 11:54:17 +1000 From: Nick Slager <ns@BlueSkyFrog.COM> To: freebsd-security@freebsd.org Subject: KAME IPsec <--> Cisco Message-ID: <20011116115417.F22136@BlueSkyFrog.COM>
next in thread | raw e-mail | index | archive | help
I'm attempting to set up a VPN between a box running FreeBSD 4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5). Using racoon 20011026a for key exchange. When I ping the other end, racoon logs the following: ... 2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin. 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information. 2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin. 2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify) 2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed. 2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle. 2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found. 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload. 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0). And that's as far as we get. An SA is not established. I'm guessing that "invalid spi_size" message is the problem; the next line "spi=(size=0)" also seems odd. Is anyone able to shed some light on what is going wrong? Relevant sections of racoon.conf are below. Note that the Cisco supports only DES/MD5. Thanks, Nick remote 203.x.x.x { exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier address; peers_identifier address; nonce_size 16; lifetime time 24 hour; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key ; dh_group 1 ; } } sainfo address 203.x.x.x any address 203.y.y.y any { pfs_group 1; lifetime time 30 sec; encryption_algorithm des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011116115417.F22136>