From: john decot <johndecot@yahoo.com>
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Date: Tue, 20 Nov 2007 02:57:17 -0800 (PST)
Subject: Re: IPSEC help
In-Reply-To: <20071119093829.GA22050@zen.inc>
Message-ID: <216526.27461.qm@web55401.mail.re4.yahoo.com>

Hi,

I have checked with different modes than obey and found the error "no valid proposal", and again I changed the lifetime too in the BSD server. But I can't find where I have to change those parameters in the remote Windows IPsec box. Could you please suggest?

Thank you,

Regards,
John

VANHULLEBUS Yvan wrote:

> On Sat, Nov 17, 2007 at 01:06:32AM -0800, john decot wrote:
> > Hi ,
>
> Hi.
>
> > As per suggestion, the following are the logs generated by racoon:
> > [....]
> > 2007-11-17 13:46:22: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
> > 2007-11-17 13:46:22: INFO: received Vendor ID: FRAGMENTATION
> > 2007-11-17 13:46:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>
> Some people should learn that an RFC has been published for NAT-T :-)
>
> [....]
> > 2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
> > 2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
> > 2007-11-17 13:46:22: DEBUG: (lifebyte = 0:0)
> > 2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
> > 2007-11-17 13:46:22: DEBUG: (encklen = 0:0)
> > 2007-11-17 13:46:22: DEBUG: hashtype = SHA:SHA
> > 2007-11-17 13:46:22: DEBUG: authmethod = RSA signatures:RSA signatures
> > 2007-11-17 13:46:22: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
> > 2007-11-17 13:46:22: DEBUG: an acceptable proposal found.
> > 2007-11-17 13:46:22: DEBUG: hmac(modp1024)
>
> Ok, your racoon found "an acceptable proposal", even if DB's lifetime is
> really shorter than peer's one. That means you're in CLAIM or OBEY
> checkmode. Those modes are well known to generate as many problems as
> they solve; you should really consider using exact or at least strict
> checkmode, and fix your lifetime in your configuration (on the side you
> want, but have the same lifetime on both peers).
>
> [....]
> > 2007-11-17 13:46:22: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
> [....]
> > 2007-11-17 13:46:22: ERROR: ignore information because ISAKMP-SA has not been established yet.
>
> May be an INITIAL-CONTACT sent a bit too early, or may also be a
> negotiation related INFORMATIONAL message. Could you do a network
> capture of a negotiation, and have a look at that message in a tool
> like wireshark, to have more details?
>
> [....]
> > 2007-11-17 13:46:32: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:46:42: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:46:52: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:47:02: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:47:12: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> > 2007-11-17 13:47:22: ERROR: phase1 negotiation failed due to time up. a40e0e86c6a792cc:082dacfe812390c3
>
> Really looks like the peer did not like the answer we sent, so did not
> respond to it (or sent an informational which has not been handled).
>
> Fix your lifetimes, switch to strict checkmode, fix any other
> negotiation parameter which may generate an error now you're in strict
> checkmode, and if that still doesn't work, have a look at the
> INFORMATIONAL message sent by your peer, and/or have a look at any log
> on your peer.
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
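The change Yvan recommends, written out as an added racoon.conf fragment (this is an illustration for this thread, not John's actual configuration or text from the racoon documentation). The first "remote" block reproduces the situation visible in the log: a loose proposal_check with a phase 1 lifetime of 1800 seconds on the racoon side while the peer proposes 28800. The second block is the hardened form: proposal_check strict and the lifetime set to 28800 seconds, the value the peer proposed in the log, so the two ends agree. The peer address is the one from the log; the exchange mode, certificate file names and the omitted identifier and path directives are assumptions.

```conf
# Added example, not from the thread. Placeholders: 203.91.130.173 is the
# peer address taken from the log; "host.crt"/"host.key" are assumed file
# names; exchange_mode main is assumed for a certificate-based Windows peer.

# --- Before: what the log shows ---
# Our lifetime is 1800 s, the peer proposes 28800 s. With proposal_check
# obey (or claim) racoon logs "an acceptable proposal found" anyway and
# adopts a mismatched parameter instead of reporting it.
remote 203.91.130.173 {
        exchange_mode main;
        proposal_check obey;
        lifetime time 1800 sec;
        certificate_type x509 "host.crt" "host.key";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

# --- After: strict checkmode, lifetime matched to the peer ---
# Under strict, a peer lifetime longer than ours is rejected rather than
# silently accepted, so any remaining disagreement shows up as an explicit
# proposal error in the racoon log instead of an unanswered "resend phase1
# packet" loop. With both ends at 28800 s the proposal is accepted.
remote 203.91.130.173 {
        exchange_mode main;
        proposal_check strict;
        lifetime time 28800 sec;
        certificate_type x509 "host.crt" "host.key";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}
```

The encryption, hash, authentication method and DH group already match in the "Compared: DB:Peer" lines of the log, so lifetime is the only phase 1 parameter the checkmode was papering over; once the peer is configured with the same 28800-second value, strict (or exact) keeps the two configurations honest from then on.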