Date: Thu, 23 Jan 2003 15:34:41 +1100 From: "Scott Penno" <scott.penno@gennex.com.au> To: "Daxbert" <daxbert_news@dweebsoft.com>, <freebsd-questions@FreeBSD.ORG> Subject: Re: Problems with IPSec Message-ID: <00ad01c2c298$c1d192b0$0128a8c0@jupiter> References: <001f01c2b2bb$0bf04780$0128a8c0@jupiter> <003c01c2b2bb$26770d00$0128a8c0@jupiter> <09c601c2c274$16da37f0$0a0aa8c0@dweebsoft.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the suggestion. I'm fairly sure that in the cases of DES, 3DES,
MD5 and SHA1, the keylength is fixed. In any case, when I tried this,
racoon failed while parsing the configuration complaining that a key length
was not allowed.
Scott.
----- Original Message -----
From: "Daxbert" <daxbert_news@dweebsoft.com>
To: "Scott Penno" <scott.penno@gennex.com.au>;
<freebsd-questions@FreeBSD.ORG>
Sent: Thursday, January 23, 2003 11:12 AM
Subject: Re: Problems with IPSec
> I have a FreeBSD box running -STABLE which has had IPSec working with
other
> hosts for quite some time without a problem. I've just setup another
> FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
> not getting too far. I'm using racoon and when attempting the negotiation
> with debugging enabled, the following message appears:
> 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
> Invalid argument
> and the following message is logged via syslog:
> Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160
(128-128
> allowed)
>
> The relevant section of racoon.conf which is identical on both boxes is:
> sainfo anonymous
> {
> pfs_group 1;
> lifetime time 86400 sec;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1 ;
> compression_algorithm deflate ;
> }
>
> The box running -STABLE has been working fine with this configuration so
I'm
> assuming the problem is with the box running 5.0-RC1. Interestingly, I've
> also tried using des as the encryption algorithm and hmac_md5 as the
> authentication algorithm and I receive the following error message:
> racoon: failed to parse configuration file.
>
> If anyone has any suggestions for a fix, or how I go about further
> diagnosing this problem, I'd love to hear from you.
>
> Regards,
>
> Scott.
>
It looks like the AH key length needs to be forced to 128 bits???
From:
http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/rac
oon.conf.html
"For algorithms that can take variable-length keys, algorithm names can be
followed by a key length, like blowfish 448."
Have you tried something along the lines of '3des 128' ?
Just a guess.
-Daxbert
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00ad01c2c298$c1d192b0$0128a8c0>