From: Dru
Date: Wed, 22 Jan 2003 19:37:52 -0500 (EST)
To: Scott Penno
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Problems with IPSec
In-Reply-To: <003c01c2b2bb$26770d00$0128a8c0@jupiter>
Message-ID: <20030122193532.P201@dhcp-17-14.kico2.on.cogeco.ca>
References: <001f01c2b2bb$0bf04780$0128a8c0@jupiter> <003c01c2b2bb$26770d00$0128a8c0@jupiter>
List: freebsd-questions@freebsd.org

On Fri, 3 Jan 2003, Scott Penno wrote:

> Hi all,
>
> Wasn't sure where I should ask for help with this problem, so I'm starting
> here. If there's a more appropriate place, please let me know.
>
> I have a FreeBSD box running -STABLE which has had IPSec working with other
> hosts for quite some time without a problem. I've just set up another
> FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
> not getting too far.
> I'm using racoon and when attempting the negotiation
> with debugging enabled, the following message appears:
>
> 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
> Invalid argument
>
> and the following message is logged via syslog:
>
> Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
> allowed)
>
> The relevant section of racoon.conf, which is identical on both boxes, is:
>
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 86400 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1 ;
>         compression_algorithm deflate ;
> }
>
> The box running -STABLE has been working fine with this configuration, so I'm
> assuming the problem is with the box running 5.0-RC1. Interestingly, I've
> also tried using des as the encryption algorithm and hmac_md5 as the
> authentication algorithm, and I receive the following error message:
>
> racoon: failed to parse configuration file.
>
> If anyone has any suggestions for a fix, or how I go about further
> diagnosing this problem, I'd love to hear from you.

What's the result of setkey -PD on both boxes? Sanitize the addresses of
the public IPs, but leave the private IPs as is.

Dru
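The kernel line quoted above says the AH SA arrived with a 160-bit authentication key while the kernel only accepts 128 bits for the algorithm it was asked to install. IPsec HMAC algorithms each take exactly one key size (128 bits for HMAC-MD5 per RFC 2403, 160 bits for HMAC-SHA-1 per RFC 2404), so a key of any other length is rejected at SA installation time, which is what racoon reports as "pfkey ADD failed: Invalid argument". The following is an added example for this thread, not code from racoon, setkey or FreeBSD: it parses a `setkey -D`-style SAD dump (the sample text is constructed here to resemble that output) and applies the same fixed-length test, so a mismatch between the algorithm name and the key length can be spotted before loading hand-keyed SAs with `setkey -c`, or when reading a dump from a working box to compare against a failing one.

```python
"""Check IPsec authentication key lengths the way the kernel's key_mature()
check does: each HMAC algorithm accepts exactly one key size, and an SA whose
key has any other length is rejected with
"invalid AH key length N (M-M allowed)".

Added example for this mailing-list thread; not code from racoon, setkey or
FreeBSD. SAMPLE_DUMP is constructed to look like `setkey -D` output.
"""

# Fixed HMAC key sizes in bits: RFC 2403 (HMAC-MD5-96) and RFC 2404
# (HMAC-SHA-1-96). Algorithm names use the KAME/setkey spelling.
AUTH_KEY_BITS = {
    "hmac-md5": 128,
    "hmac-sha1": 160,
    "keyed-md5": 128,
    "keyed-sha1": 160,
}

# Constructed sample: two AH SAs between private addresses. The first carries
# a 160-bit key labelled hmac-sha1 (valid); the second carries the same
# 160-bit key labelled hmac-md5, which only accepts 128 bits.
SAMPLE_DUMP = """\
192.168.1.1 192.168.1.2
    ah mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    A: hmac-sha1  0b3f1d2c 7e8a9c4d 55aa11ee 2244ccdd 99887766
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.1.2 192.168.1.1
    ah mode=tunnel spi=1002(0x000003ea) reqid=0(0x00000000)
    A: hmac-md5  0b3f1d2c 7e8a9c4d 55aa11ee 2244ccdd 99887766
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""


def key_mature(proto, alg, key_bits):
    """Mimic the kernel's acceptance test for an authentication key.

    Returns None when the key length is usable, otherwise a message in the
    shape of the syslog line from the thread."""
    allowed = AUTH_KEY_BITS.get(alg)
    if allowed is None:
        return "%s: unknown authentication algorithm %s" % (proto.upper(), alg)
    if key_bits != allowed:
        return "invalid %s key length %d (%d-%d allowed)" % (
            proto.upper(), key_bits, allowed, allowed)
    return None


def parse_sad(dump):
    """Parse a setkey -D style dump into a list of SA dicts.

    An unindented line names the endpoints; indented lines belong to the SA
    that follows. Only endpoints, protocol, auth algorithm and key length
    are kept."""
    sas = []
    src = dst = None
    current = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            src, dst = line.split()[:2]
            current = None
            continue
        fields = line.split()
        if fields[0] in ("ah", "esp", "ipcomp"):
            current = {"src": src, "dst": dst, "proto": fields[0],
                       "auth": None, "auth_key_bits": 0}
            sas.append(current)
        elif fields[0] == "A:" and current is not None:
            current["auth"] = fields[1]
            # setkey prints the key as space-separated hex words; 4 bits per digit.
            current["auth_key_bits"] = len("".join(fields[2:])) * 4
    return sas


def check_dump(dump):
    """Return (src, dst, proto, alg, key_bits, problem) per SA with an auth key;
    problem is None when the kernel would accept the key."""
    results = []
    for sa in parse_sad(dump):
        if sa["auth"] is None:
            continue
        problem = key_mature(sa["proto"], sa["auth"], sa["auth_key_bits"])
        results.append((sa["src"], sa["dst"], sa["proto"], sa["auth"],
                        sa["auth_key_bits"], problem))
    return results


if __name__ == "__main__":
    for src, dst, proto, alg, bits, problem in check_dump(SAMPLE_DUMP):
        status = "ok" if problem is None else "REJECTED: " + problem
        print("%s -> %s %s %s %d-bit key: %s" % (src, dst, proto, alg, bits, status))
```

Note that an SA the kernel refused never makes it into the SAD, so on the failing box `setkey -D` will not show the offending entry; the script is for checking hand-keyed `setkey` input or the surviving SAs on the working box. The policy dump Dru asks for (`setkey -PD`) is separate and shows the SPD, not keys.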