Date: Wed, 22 Nov 2000 12:13:40 -0800
From: Boris <koester@x-itec.de>
To: Josh Tiefenbach <josh@zipperup.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re[2]: IPSEC Win2k
Message-ID: <3144961691.20001122121340@x-itec.de>
In-Reply-To: <20001121223533.B43748@zipperup.org>
References: <838997467.20001121113524@x-itec.de> <20001121124847.F37765@zipperup.org> <1563982125.20001122005041@x-itec.de> <20001121223533.B43748@zipperup.org>
Hello Josh,

Tuesday, November 21, 2000, 7:35:33 PM, you wrote:

>> spdadd 192.168.0.99/32 192.168.0.1 any -P out ipsec
JT>                       ^^^^^^^^^^^
JT> This should probably be 192.168.0.1/32, but I don't think that has any effect
JT> on the problem you're seeing.

To avoid any problems, I have corrected this.

JT> However, I see a whole bunch of 'unacceptable proposal' messages in there. Are
JT> you sure that you've configured racoon to offer the same hash/encryption type
JT> as Win2k. It seems, I think, that your Win2k machine is requesting single-DES,
JT> while the FreeBSD machine only wants to do 3DES.

I really tried everything for a week or so and I have found no solution.
I can't get it up and running. It is very frustrating.

I will show you all my complete configuration now; I can't find anything
wrong. Here is my racoon.conf, a little bit modified. Maybe there is
something wrong, but I do not think so:

----------------- [ racoon.conf ] -------------------------

#path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
#bk
path pre_shared_key "/etc/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug4;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative's port by kmpstat.
    #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier address;
    #my_identifier address "192.168.0.99";
    ##peers_identifier address "192.168.0.1";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;    # sec,min,hour
    lifetime byte 5 MB;     # B,KB,GB
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 3600 sec;
    lifetime byte 5000 KB;
    encryption_algorithm 3des,des,cast128,blowfish ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

-------------------- [kernel settings] -------------------

....
#bk
options IPSEC           #IP security
options IPSEC_ESP       #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG     #debug for IP security
...

----------------------- [ initial bash script ] ---------------

#! /bin/sh
#
setkey -FP      # Note. This and the next line will delete all previous SPD
setkey -F       # entries.
setkey -c << EOF
spdadd 192.168.0.99/32 192.168.0.1/32 any -P out ipsec
    esp/transport/192.168.0.99-192.168.0.1/require;
spdadd 192.168.0.1/32 192.168.0.99/32 any -P in ipsec
    esp/transport/192.168.0.1-192.168.0.99/require;
EOF

------------------------------------------------

At this point I think we need 3des and md5. But even DES does not work.

I have used a lot of combinations for the security settings on my Win2k box.
This is the current configuration. One rule for all traffic (I have removed
the other ones because they did not want to work either, and I wanted to try
all combinations manually).

* Require Security
  Security method:
    unchecked: data and address integrity (AH)
    checked:   ESP with integrity: md5 and encryption: 3des
  Session key settings: unchecked

At this moment I can't figure out any solutions -(((((

JT> josh

-- 
Best regards,
 Boris                            mailto:koester@x-itec.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3144961691.20001122121340>
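Editor's added example (not code from this thread, from racoon, or from Windows): the "unacceptable proposal" messages Josh mentions are the responder failing to find any initiator transform whose encryption, hash, authentication method and DH group all equal one of its own; only the lifetime is negotiable, and what happens to it is governed by racoon's proposal_check directive (obey: take the initiator's value; strict: reject an initiator lifetime longer than ours; claim: use ours when the initiator's is longer, and notify the peer). The script below simulates that responder-side decision. The Windows 2000 proposal lists are constructed for illustration, modelled on Josh's single-DES guess and on the common Windows 2000 key-exchange method ordering (3DES/SHA1/group 2, 3DES/MD5/group 2, DES/SHA1/group 1, DES/MD5/group 1, 8-hour lifetime); these are assumptions, not the contents of Boris's policy. Two caveats worth checking on a real setup: a Windows 2000 box without the High Encryption Pack (later folded into SP2) cannot do 3DES and uses DES for a policy that names 3DES, which matches Josh's diagnosis; and the racoon.conf manual says pfs_group is to be omitted if PFS is not required, so `pfs_group 1` in sainfo while "Session key settings" (PFS) is unchecked on the Windows side is another mismatch to look at once phase 1 succeeds.

```python
"""Responder-side IKE phase-1 transform matching, in the spirit of racoon.

Editor's added example; not racoon's code. Proposal lists are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    enc: str          # encryption_algorithm  (3des, des, ...)
    hash_alg: str     # hash_algorithm        (md5, sha1)
    auth: str         # authentication_method (pre_shared_key, rsasig, ...)
    dh_group: int     # dh_group              (1 = modp768, 2 = modp1024)
    lifetime_sec: int # lifetime time


def describe(t: Transform) -> str:
    return f"{t.enc}/{t.hash_alg}/{t.auth}/dh{t.dh_group}/{t.lifetime_sec}s"


def match_transform(initiator: Transform, responder: Transform,
                    proposal_check: str) -> Optional[Transform]:
    """Return the transform the responder will use, or None if unacceptable."""
    # Crypto attributes must agree exactly; there is no "close enough" in IKE.
    if (initiator.enc, initiator.hash_alg, initiator.auth, initiator.dh_group) != \
       (responder.enc, responder.hash_alg, responder.auth, responder.dh_group):
        return None
    if proposal_check == "obey":            # take the initiator's lifetime as-is
        return initiator
    if proposal_check == "strict":          # longer-than-ours is rejected outright
        return initiator if initiator.lifetime_sec <= responder.lifetime_sec else None
    if proposal_check == "claim":           # longer-than-ours: use ours, notify peer
        if initiator.lifetime_sec <= responder.lifetime_sec:
            return initiator
        return replace(initiator, lifetime_sec=responder.lifetime_sec)
    raise ValueError(f"unknown proposal_check {proposal_check!r}")


def negotiate(initiator_proposals: List[Transform], responder_proposals: List[Transform],
              proposal_check: str) -> Tuple[Optional[Transform], List[str]]:
    """Walk the initiator's SA payload in order; first acceptable transform wins."""
    log: List[str] = []
    for i, it in enumerate(initiator_proposals, 1):
        for rt in responder_proposals:
            chosen = match_transform(it, rt, proposal_check)
            if chosen is not None:
                log.append(f"accepted initiator transform #{i}: {describe(chosen)}")
                return chosen, log
        log.append(f"rejected initiator transform #{i}: {describe(it)}")
    log.append("no matching transform -> 'unacceptable proposal'")
    return None, log


# Responder as in the thread's racoon.conf: one transform, lifetime 1 min.
RACOON_PROPOSALS = [Transform("3des", "md5", "pre_shared_key", 2, 60)]

# Constructed: the Windows side as Josh suspects it (single DES, group 1).
WIN2K_SINGLE_DES = [Transform("des", "md5", "pre_shared_key", 1, 28800)]

# Constructed: a typical Windows 2000 key-exchange method ordering, 8 h lifetime.
WIN2K_DEFAULT_ORDER = [
    Transform("3des", "sha1", "pre_shared_key", 2, 28800),
    Transform("3des", "md5", "pre_shared_key", 2, 28800),
    Transform("des", "sha1", "pre_shared_key", 1, 28800),
    Transform("des", "md5", "pre_shared_key", 1, 28800),
]


if __name__ == "__main__":
    for name, props in (("single DES", WIN2K_SINGLE_DES), ("default order", WIN2K_DEFAULT_ORDER)):
        for check in ("obey", "strict", "claim"):
            chosen, log = negotiate(props, RACOON_PROPOSALS, check)
            print(f"[{name}, proposal_check {check}]")
            for line in log:
                print("  " + line)
```

Running it shows the two failure shapes side by side: the single-DES initiator never matches regardless of proposal_check, while the 3DES/MD5/group-2 initiator is accepted under `obey` with its own 8-hour lifetime, is rejected under `strict` because 28800 s exceeds racoon's 60 s, and under `claim` gets racoon's 60 s instead. The `obey` setting in the thread's racoon.conf is therefore not the cause of the failure; the transform set is.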