Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 6 Sep 2011 14:03:16 -0300
From:      "Mikhail Goriachev" <mikhailg@webanoide.org>
To:        "Mike Tancsa" <mike@sentex.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPsec phase 1 and 2 negotiation in an infinite loop.
Message-ID:  <37a5375d54158ec5977ecb4ea7b6b935.squirrel@www.vap.navalradio.net>
In-Reply-To: <4E661E83.9050507@sentex.net>
References:  <8d457de47ed92550a511265436c183f9.squirrel@www.vap.navalradio.net> <4E657CEA.7080300@sentex.net> <d768d645fb3fc7938f5fea41e2738014.squirrel@www.vap.navalradio.net> <4E661E83.9050507@sentex.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Mike Tancsa wrote:
> On 9/5/2011 11:58 PM, Mikhail Goriachev wrote:
>>         (p: #1 protoid=isakmp transform=1
>>             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
>> value=7080)(type=enc value=3des)(type=auth
>> value=preshared)(type=hash value=sha1)(type=group desc
>> value=modp1024))))
>>     (vid: len=16 afcad71372a1f1c96b8696fc99570100)
>> 03:17:31.637424 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto
>> UDP
>> (17), length 108)
>>     w.x.y.z.500 > a.b.c.d.500: [udp sum ok] isakmp 1.0 msgid  cookie ->:
>> phase 1 R ident:
>>     (sa: doi=ipsec situation=identity
>>         (p: #1 protoid=isakmp transform=1
>>             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
>> value=7080)(type=enc value=3des)(type=auth
>> value=preshared)(type=hash value=sha1)(type=group desc
>> value=modp1024))))
>
>
> OK, both sides are 3des, psk and sha1 dhgroup 1. Thats good.
>
>>
>> Note: a.b.c.d is my end. w.x.y.z is the other end. "vid:", "ke:" and
>> "nonce:" are scrambled.
>> flag=0x8000, lorv=AES-CBC
>> Sep  5 20:40:27 vpnmach racoon: DEBUG: encryption(aes)
>> Sep  5 20:40:27 vpnmach racoon: DEBUG: type=Hash Algorithm, flag=0x8000,
>> lorv=MD5
>> Sep  5 20:40:27 vpnmach racoon: DEBUG: hash(md5)
>> Sep  5 20:40:27 vpnmach racoon: DEBUG: type=Authentication Method,
>
>
> ... yet, you have AES and md5 ?? where are those coming from ? Do you
> have an extra config for the remote somewhere in your files perhaps that
> is matching ?


Nop. There're no extra files. The only thing the other guys gave me was:

Operation Mode: Tunnel (Net to Net)
Authentication Type: Pre shared secret
Phase 1: 3DES/SHA1, DH Group=2
Phase 2: 3DES/SHA1, PFS=no, DH Group=any

Based on that I got it working.

So, do you reckon the other end suddenly began advertising/requesting aes
and md5 instead of 3des and sha1?



> 	---Mike
>
>> remote w.x.y.z {
>>         exchange_mode main;
>>         proposal_check obey;
>>
>>         proposal {
>>                 encryption_algorithm 3des;
>>                 hash_algorithm sha1;
>>                 authentication_method pre_shared_key;
>>                 dh_group modp1024;
>>         }
>> }
>>
>
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/
>


-- 
Mikhail Goriachev
Webanoide

Mobile: +56 9 78772741
Web: www.webanoide.org




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?37a5375d54158ec5977ecb4ea7b6b935.squirrel>