From: Shoichi Sakane
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
Date: Fri, 16 Nov 2001 11:09:30 +0900
Message-Id: <20011116110930M.sakane@kame.net>
In-Reply-To: <20011116115417.F22136@BlueSkyFrog.COM>

> I'm attempting to set up a VPN between a box running FreeBSD
> 4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5).
> Using racoon 20011026a for key exchange.
>
> When I ping the other end, racoon logs the following:
>
> 2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
> 2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.

It's not an error, ignore it.

> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.

Umm, could you show me the packet sent by the Cisco? There is a part of the hex dump of the packet in the racoon logs.

> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

The Cisco complained about the proposal racoon sent. I'm not sure which phase it was in. Check whether phase 1 is established, and then check whether the proposals are the same.

> Relevant sections of racoon.conf are below. Note that the Cisco
> supports only DES/MD5.
>
> sainfo address 203.x.x.x any address 203.y.y.y any
> {
>         pfs_group 1;
>         lifetime time 30 sec;
>         encryption_algorithm des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
> }

Does the Cisco support PFS? And can the Cisco accept the lifetime of 30 seconds?
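As an added illustration that is not part of this thread, here is a small Python decoder for the ISAKMP Notification payload whose fields racoon printed above (type 14 NO-PROPOSAL-CHOSEN, doi=1, proto_id=1, SPI size 0), with a check of the SPI size against what the Protocol-ID allows, following my reading of RFC 2408 section 3.14 and the IPsec DOI (RFC 2407). The sample bytes are constructed, not a captured Cisco packet, and the function and constant names are my own.

```python
import struct

# Notify Message Types from RFC 2408 section 3.14.1 (subset)
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 11: "INVALID-SPI",
                14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                24: "AUTHENTICATION-FAILED"}
# Protocol-IDs from the IPsec DOI (RFC 2407)
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP, PROTO_IPCOMP = 1, 2, 3, 4
# Fixed part of the Notification payload: Next Payload, RESERVED, Payload
# Length, DOI, Protocol-ID, SPI Size, Notify Message Type (12 octets)
FIXED = struct.Struct("!BBHIBBH")

def spi_size_ok(proto_id, spi_size):
    """RFC 2408 3.14: for ISAKMP the cookie pair is the SPI, so SPI Size may be
    0..16; AH/ESP carry a 32-bit SPI, IPCOMP a 16-bit CPI."""
    if proto_id == PROTO_ISAKMP:
        return 0 <= spi_size <= 16
    if proto_id in (PROTO_IPSEC_AH, PROTO_IPSEC_ESP):
        return spi_size == 4
    return proto_id == PROTO_IPCOMP and spi_size == 2

def parse_notify(buf):
    """Decode one Notification payload; raise ValueError if it is malformed."""
    if len(buf) < FIXED.size:
        raise ValueError("truncated notification payload")
    nxt, _rsvd, length, doi, proto_id, spi_size, ntype = FIXED.unpack_from(buf)
    if length < FIXED.size + spi_size or length > len(buf):
        raise ValueError("length %d inconsistent with spi_size %d" % (length, spi_size))
    spi = buf[FIXED.size:FIXED.size + spi_size]
    return {"next_payload": nxt, "doi": doi, "proto_id": proto_id,
            "spi_size": spi_size, "spi": spi, "type": ntype,
            "name": NOTIFY_TYPES.get(ntype, "UNKNOWN"),
            "data": buf[FIXED.size + spi_size:length],
            "spi_size_ok": spi_size_ok(proto_id, spi_size)}

def describe(n):
    """Same shape as racoon's isakmp_info_recv_n() log line quoted above."""
    return "notification message %d:%s, doi=%d proto_id=%d spi=(size=%d)" % (
        n["type"], n["name"], n["doi"], n["proto_id"], n["spi_size"])

def build_notify(doi, proto_id, ntype, spi=b"", data=b"", nxt=0):
    """Constructed test vector builder (not a captured Cisco packet)."""
    length = FIXED.size + len(spi) + len(data)
    return FIXED.pack(nxt, 0, length, doi, proto_id, len(spi), ntype) + spi + data

# Constructed sample matching the log: DOI 1, PROTO_ISAKMP, SPI size 0, type 14
SAMPLE = build_notify(1, PROTO_ISAKMP, 14)
if __name__ == "__main__":
    print(describe(parse_notify(SAMPLE)))
```

Feeding the hex dump from a real racoon debug log into parse_notify shows whether the peer's notification is a phase 1 or phase 2 rejection (proto_id 1 versus 2/3) before comparing proposals.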