Date:      Fri, 16 Nov 2001 11:09:30 +0900
From:      Shoichi Sakane <sakane@kame.net>
To:        ns@BlueSkyFrog.COM
Cc:        freebsd-security@freebsd.org
Subject:   Re: KAME IPsec <--> Cisco
Message-ID:  <20011116110930M.sakane@kame.net>
In-Reply-To: Your message of "Fri, 16 Nov 2001 11:54:17 +1000" <20011116115417.F22136@BlueSkyFrog.COM>
References:  <20011116115417.F22136@BlueSkyFrog.COM>

> I'm attempting to set up a VPN between a box running FreeBSD
> 4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5).
> Using racoon 20011026a for key exchange.

> When I ping the other end, racoon logs the following:

> 2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
> 2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.

it's not an error, ignore it.

> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.

umm, could you show me what packet is sent by the cisco?
there is a partial hex dump of the packet in the racoon logs.

> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

the cisco complained about the proposal racoon sent.  i'm not sure which
phase it was.  check if phase 1 is established, and then check whether
the proposals are the same.

> Relevant sections of racoon.conf are below. Note that the Cisco
> supports only DES/MD5.

> sainfo address 203.x.x.x any address 203.y.y.y any
> {
>         pfs_group 1;
>         lifetime time 30 sec;
>         encryption_algorithm des ;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate ;
> }

does the cisco support PFS?  and can the cisco accept a lifetime of
30 seconds?
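
The log lines quoted above come from racoon's parser for the ISAKMP Notification payload (payload type 11), which is where the "invalid spi_size" and the "14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0)" lines are produced. The decoder below is an added example, not code from the page, from racoon or from KAME; it follows the payload layout in RFC 2408 (next payload, reserved, length, DOI, protocol id, SPI size, notify type, then SPI and data) and the protocol ids in RFC 2407. The SPI-size rule it applies (0 to 16 octets for proto_id 1 = ISAKMP, where the cookie pair is the SPI; exactly 4 for AH and ESP) is taken from those RFCs, not from racoon's source, so it is an assumption about what racoon considered "invalid" at the time. The sample payloads are constructed to match the field values in the log, plus one deliberately malformed ESP notification.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
ISAKMP_NPTYPE_NOTIFY = 11          # payload type, seen as nptype=11 in the racoon log
IPSEC_DOI = 1
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3

NOTIFY_NAMES = {
    1: "INVALID-PAYLOAD-TYPE",
    10: "INVALID-PROTOCOL-ID",
    11: "INVALID-SPI",
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    24: "AUTHENTICATION-FAILED",
}

# Fixed part of the Notification payload: next payload, reserved, length,
# DOI, protocol id, SPI size, notify message type (12 octets in total).
NOTIFY_HDR = struct.Struct("!BBHIBBH")


def build_notify(proto_id, ntype, spi=b"", data=b"", doi=IPSEC_DOI, next_payload=0):
    """Encode a Notification payload; the SPI size field is taken from len(spi)."""
    length = NOTIFY_HDR.size + len(spi) + len(data)
    return NOTIFY_HDR.pack(next_payload, 0, length, doi, proto_id, len(spi), ntype) + spi + data


def parse_notify(payload):
    """Decode a Notification payload, rejecting length fields that do not fit the buffer."""
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("truncated notification payload (%d bytes)" % len(payload))
    next_payload, _reserved, length, doi, proto_id, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length < NOTIFY_HDR.size or length > len(payload):
        raise ValueError("payload length %d does not fit in %d bytes" % (length, len(payload)))
    if NOTIFY_HDR.size + spi_size > length:
        raise ValueError("spi_size %d exceeds payload length %d" % (spi_size, length))
    spi = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    return {
        "next_payload": next_payload,
        "doi": doi,
        "proto_id": proto_id,
        "spi_size": spi_size,
        "spi": spi,
        "type": ntype,
        "type_name": NOTIFY_NAMES.get(ntype, "UNKNOWN"),
        "data": payload[NOTIFY_HDR.size + spi_size:length],
    }


def spi_size_problem(proto_id, spi_size):
    """Return None if spi_size is acceptable for proto_id, else a description.

    ISAKMP: the SPI is the cookie pair from the ISAKMP header, so RFC 2408
    allows a size of 0 to 16 octets.  AH and ESP carry a 4-octet SPI.
    Other protocol ids are not checked here (assumption: caller handles them).
    """
    if proto_id == PROTO_ISAKMP:
        return None if 0 <= spi_size <= 16 else "ISAKMP spi_size %d outside 0..16" % spi_size
    if proto_id in (PROTO_AH, PROTO_ESP):
        return None if spi_size == 4 else "AH/ESP spi_size %d, expected 4" % spi_size
    return None


def describe(payload):
    """Render a payload in the same shape as the racoon log line quoted on this page."""
    n = parse_notify(payload)
    problem = spi_size_problem(n["proto_id"], n["spi_size"])
    line = "notification message %d:%s, doi=%d proto_id=%d spi=(size=%d)" % (
        n["type"], n["type_name"], n["doi"], n["proto_id"], n["spi_size"])
    if problem:
        line += " [invalid spi_size: %s]" % problem
    return line


# Constructed sample matching the log fields: doi=1, proto_id=1, spi size 0, type 14.
CISCO_LIKE_NOTIFY = build_notify(PROTO_ISAKMP, 14)
# Constructed sample of the same notification carrying the 16-octet cookie pair as SPI.
COOKIE_NOTIFY = build_notify(PROTO_ISAKMP, 14, spi=bytes(range(16)))
# Constructed malformed sample: an ESP notification with no SPI at all.
BAD_ESP_NOTIFY = build_notify(PROTO_ESP, 11)

if __name__ == "__main__":
    for p in (CISCO_LIKE_NOTIFY, COOKIE_NOTIFY, BAD_ESP_NOTIFY):
        print(describe(p))
```

Feeding the notify payload from racoon's hex dump into parse_notify shows which of the three checks (buffer length, length field, SPI size against protocol id) the peer's packet trips, which is the information needed before deciding whether the Cisco or racoon is at fault.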
