Date:      Fri, 19 Mar 2004 23:06:38 +0100
From:      "Holger Eitzenberger" <Holger.Eitzenberger@t-online.de>
To:        freebsd-net@freebsd.org
Subject:   IPsec: problems after upgrade 4.8 to 4.9
Message-ID:  <20040319230638.A25674@eitzenberger.name>



Hi,

I was successfully running FBSD 4.8 with X509 certificate VPN.
After installation of FBSD 4.9 I get the following error messages:

	isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
	ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
	(*) ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
	ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
	ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
	ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.

The connecting peer is a Linux box (FreeSwan 1.99).

Line (*) looks suspicious to me.  Is there some persistent data
between two VPN "sessions", which is now missing on one side of
the link after installation?

This is my racoon configuration:

    path include "/usr/local/etc/racoon" ;
    path certificate "/usr/local/etc/racoon/cert";

    log notify;							# notify, debug, debug2

    padding
    {
        maximum_length 20;	# maximum padding length.
        strict_check off;	# enable strict check.
        exclusive_tail off;	# extract last one octet.
    }

    listen
    {
        isakmp XXX.XXX.XXX.XXX [500];
    }

    timer
    {
        counter 5;
        interval 20 sec;
        persend 1;

        phase1 30 sec;
        phase2 15 sec;
    }

    remote anonymous
    {
        exchange_mode main;

        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "XXX.pem" "XXX.pem";
        peers_certfile "YYY.pem";
        passive on;

        lifetime time 1 hour;				# sec,min,hour
        support_proxy on;
        proposal_check obey;

        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
    }

/Holger


-- 
++ GnuPG Key -> http://www.t-online.de/~holger.eitzenberger ++
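Added here as an illustration, not part of the original post or of racoon itself: a small Python parser for the `print_ph1mismatched()` diagnostic quoted at line (*). It extracts the rejected phase-1 attribute with the local (DB) and peer values, maps racoon's MODP group names to their IKEv1 Oakley group numbers, and reports which dh_group the peer offered that the local proposal list (here assumed to be the `dh_group 2` from the posted config) does not contain. The sample log text is the post's own lines, re-typed after quoted-printable decoding.

```python
import re

# Constructed sample: the racoon log lines from the post above, one per line.
SAMPLE_LOG = """\
isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
"""

# Oakley group names as racoon prints them -> IKEv1 group number (RFC 2409 / RFC 3526).
MODP_GROUPS = {
    "768-bit MODP group": 1,
    "1024-bit MODP group": 2,
    "1536-bit MODP group": 5,
}

# Matches: rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <db value>:<peer value>
MISMATCH_RE = re.compile(
    r"print_ph1mismatched\(\): rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<db_val>[^:]+):(?P<peer_val>.+)$"
)


def parse_ph1_mismatches(log_text):
    """Return one dict per rejected phase-1 attribute found in the log text."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line.strip())
        if m:
            found.append({k: v.strip() for k, v in m.groupdict().items()})
    return found


def missing_dh_groups(mismatches, local_groups):
    """Among dh_group mismatches, return the IKE group numbers the peer
    proposed that are absent from local_groups (the racoon 'dh_group' values
    configured in the phase-1 proposals). Phase 1 requires an exact match,
    so an empty result means the mismatch is not explained by dh_group."""
    missing = set()
    for mm in mismatches:
        if mm["attr"] != "dh_group":
            continue
        peer_group = MODP_GROUPS.get(mm["peer_val"])
        if peer_group is not None and peer_group not in local_groups:
            missing.add(peer_group)
    return sorted(missing)
```

Running `missing_dh_groups(parse_ph1_mismatches(SAMPLE_LOG), {2})` yields `[5]`, i.e. the peer proposed group 5 while the posted config only lists `dh_group 2`.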



