Date: Fri, 23 Mar 2001 23:54:59 -0500 From: "Jeremy Karteczka" <jerkart@mw.mediaone.net> To: <freebsd-security@FreeBSD.ORG> Subject: Trying to set up an IKE vpn between FreeBSD and Checkpoint FW-1 Message-ID: <05c501c0b41e$97277d20$0200a8c0@jose>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Greetings,
I am trying to get an IKE vpn going between a 4.2-RELEASE machine (using racoon
for key exchange) and a Checkpoint firewall (v4.1 SP3). I have tried both sha1
and md5. Every time I try to establish a connection phase 1 negotiation
succeeds and phase 2 says it succeeds in the racoon log file, but then I get
this message at the bottom of /var/log/messages:
When using md5:
key_mature: invalid AH key length 128 (160-160 allowed)
with sha1:
key_mature: invalid AH key length 160 (128-128 allowed)
I was able to speak with Checkpoint Tech support on this and they did confirm
that Firewall-1 uses a 128-bit key for md5 and a 160-bit key for sha1.
I have looked for RFCs to find out which is the accepted standard but could not
find one that specifically states how long the key should be for each hash
method.
Can anyone point me to the proper RFCs and/or tell me if there is a way I can
reverse the expected key lenght on the FreeBSD side? The Checkpoint tech I
spoke with stated that Firewall-1 is compliant with RFCs 2408 and 2409 but I see
no mention of AH key length for hash methods.
I have attached a copy of the racoon log (the external IPs have been cleansed)
and the conf used for an attempt to connect while using sha1.
Thanks in advance,
Jeremy
[-- Attachment #2 --]
"(:racoon.tar�\[oFg[]W;I#7`w1Xź،%Q!v{)ʺڢl'b
t:*&=D+�K~`4�11+ ~iYկEsW~^0:rL3W^e+OnPAVχYHeյ+hW;:#kȋ
;
4w_pÃʁ
Q>-`&>k=rQnU2NG:t5F|yWe#(p(t^bk\#P$/=oO[,0:gxlI
^umBZ
y\eFר#W]ypP8;qw
\tl.!|v5-j|\.A$ [W@C"=*U^_=Khh'L
eX
V0kp\[vfU]<x qBm)Ykz
Q$<pUnTC3q
g|y;
f7pT
՛7ҝ4WU6I1xcѤm|=2,s ![%ʽϷhėU) HlF+RxzMDza4
MC
տ~L?3h<RF3/)4B?c
3' ~>O3}*~<>__<v$C7(
Y1d./
]SSߠ+s_ݢC끁H>ib`>cCho-%χ7YՃ몚!θ,zswWC8
b9Iu:
_4aPd~x
m!B5ve0K
`VgX85Z&!,Ҏ
ov
G+>auG7vO7
Au7qY|6G+&E:U2mtaef;D-d8J:7Nch+
1@OTj`+wi_^bS̻;HB{oJ{/,"
fde
fCq,v_/S$IdOV,r'Y h.JÈ~Ah2h`<EH!
]�XV_UsUhήmhnn|ޅKoʃkҧP.Pf(_}},O`߽=f'%LY?crɸhhi'f1Clo}m{|j aK.`EKL,}z1@i͖0G. 2Srz!JVXJ�OQWJG~Kn%2sFɴ[$_�!^^ݼr݁)
݁ȷ�۟C<P>KOn�
:
;Hg
PNA2�stt-aD?<4O�7hr,|S8AYw<+
T(
$U]NU(ްC'"ð
M}-bnK2xIqRPE[kCߡla0 $a"6"HJlH&|oqpzP
m@wk`8uᡨGd~}=t@UMwGX{u_!(# .t4i\hp @|wpP=Ul2DHď"tv[i<A8G刭B3gm
wqqy#M܋C:.lN.NX-Ӯ`ũ:M2[4ϩOObhv&>A
0s=ڙ:_nS@蘑⋤Z&b? ۅ2
FjRE`A(UM
Jjs?_l0
.6mo .
y@
5
ު.۹n]
x!瀯s`>3 :Ç.[L�)pw6љ
htNDZ.YRO6
HgVt#|:{ޮ|`[>]ߔ̇Х56k:SmΣ�!!m8p\l1_~ýmBm$WssI^V+goߦ6|7E.ԅf7Ea##ߧ2kZ=Y`|10os`cw8//FZؕ-i
o\
uJc&|sJ,I$SL$5 Y(R'1<AҀ N^}xُܣ`|fX*c
®;b:K(gyoπ0\$r!xJYL9>N^xt&JL)є<pI4V;7Jf^Ӕ8
HF J$5k(q
[T!b&.F)86V07Szx&F'Kl
)EFǐVhHeb00v,ISM!xd嚦w]-4#r$
NfƂb.&j 4T"8c
PB՚G8468ɑI"6J*psc.#$#B"
2qR&y�xġ'+B$r#)^Ѡ5RkE$ȥ<b
mfZꮋ<
yǫAFK7~(>(O^.Mhp&3K[nZ0tcSDNH-/Bci
;#gj͍%bًQh=[?g><h�W,>7
<;
Y5ysdx҇״2{>#TbL1:_
Wu
y
N9R<aۘ(&x
Gf^à#ag֏٫t9�-I8Op?yqc53(c
BaF
'ijRyXf\˫yHQVe82GU
c=rB*,A#>
cjv
b9Ӥb+2h(g-Us!uj_׆f06
(+-0>i
0`5/̄]|"'нBJ@w
n
:(k><^<^<7m
( e(NpV:xSijyy*, ?b:&j{Zq^nΞ68ZQL
-
UpdE(
zhvP?vXc=
x$DW>uTTRs.
p(DJ!aHb9bbcq>0N"UݼpkM I�R6݅q(fN`ccL#0͡D'Pj&/
,a
AރJc3i8&\c>PKX"u9'$N,.8T@$1&FIĴIl̄Gl$V;P(< &oTcĔa8$&P)vcDs&5WTヾ`
cΗ*̤0"I"Hj=9?%IjNq'I6GXMwۿ牻y,"Mu sd?ٿIṕK2$@JYxR<#}N<JeyNLKx^ڈNl�/,7*jG\
Z$!Ϧ8L hwk#lŏb\N�隻ZڛvBʰ3HtU:M
F7h
^ mF)
Sp|ؖK {HMClx6ou1rG.F:Dy!JMVuOOXI-# R_s`MbF_%0B^uQEY*6`rM0">uv[!))vnpjjᢦQ[}ݣ_<D/gf|q3-T^ޜp.7Jh&
;}\2y}fu[mnwBd#"u{>]h<dzo56(wN%ۈwxuW.&ZevD<64F7m== [ m73[YH$6
w ֔h�X4hXɈJkibdbNhWY ,(TS
3a(+TaiE5"K#ځ4"ȁoH8g(f*
Z@.M
בE:Pi1bFXod8X!D#LcIv_,ѮV2ջ=={ 漱q$W,A_ut;}ag ۛ
;|wd4>6�<vݴt
:|mQʾw̙zBZ_mj5gDjw?}qnuo(A5Ѳq[jHcB~+Ӈ/i#8#M}ZvMbd_yS
{9J4."MM+@ۙT]fd3!rw_p^1#xw-ndWl guK&c,fo
uvvȏST%Vܳg[
G(R[5@.vZ:|^!&z.!fɕkB\|4^u!NK)ww�+]ƳA++gM
@ud!LB%[;yݾX0f '^%6w2KN
�O]څu"bu?;W? @;hkֽ)BiHf-}6.ݦ#
#j6uYҰ?^bT
;�
A~k
4r8{_O?˦:^wU*1hxpz#Jꇗlv߂,- Kě!;1}_ΨCE77/zyY=<=?_uU^TZ(jCP8MfڐUNm""ؗ>`
!
/w|0z{ 14@ma8)08
oV^s~)o_T@$ҝI9E"JmVO2JtmY˓)VHd=yꄝ0w,4qq6,pF- fIM8,ܳ$GoVHl=&yxP/H#],`=l
My<&xwl,氱<zGn ߎS]
� _~O~?~8t=p>TRY
]AX ޢo=.6{(-R朗MZCC3$W5>vӗԘ41%JkU+ܙs+>"h*TK?yN&s) yg.ΨPן5@
)T9_m%㡺XT+L17fނΑ(:gRd]+-
h/FWxXNfR^u)*V,u
|KKb^\qڶk{$,)ĮnV-콋)'ҭ/ƎCr]^ש7f/Ghd/^b4RVb0{YdFQb4"JPK=Y fbo6ا?z1KWz4l_%�Dtޅ+C}@?IsZrŌ&$ew٨awr..
dJ+^Pr(HVS99rw#m;
}
Y't%(;o2Y8:ؔ5\7,|e95kvbx
5bbŔ
TmtFm|Ce,e_m9ԠИԩXRJ2UP0/tQA\+XWٓ
p
d\U=}ʡ䜅/2Bzf
-PB
MUy)㨺KcU
%VxHqdIMMX,
KJ
nt9VH'YSRY4䌲DAe $ZE%
MIADF@i%ۺYh1L3 l
UцB_(Fla9Z
,NFHZybr ki
\}ɒULB5
u+*cͩZv@9ҷ ^97u8yۚ_ԑ a)DT|um[rv=Dذ>dX]9ÚmS
ݔl~\S'.ľCK+ʈד5W0fm,}a]XqCƁ/fAz^dcyl*&Y,@I >
? ?&M �;ǐʇ]pk/M_AUjZa_EKB
61Kܮu i]ߝ'de8< ISB-?]OI4DwS6"-G[LnI߱Hnuc.M-5
)Mi?{vI]L.&I]LbD359rrEJt9C"rrEt9ɶILmxbh/\(|8bxL|9Çv6~Ns
g+PBUb%i0R)X4]pR Q*E7fYqlc
4tK*&h3)@v:xB
Qs2/DHtYNԕL7nsM3$~ɡ#תYy
K*leሁC[W
D,
L"u)* kUCH ,u]dKPdQrfR
9hsICzfwem`. 1d
$Y)
^
QgWNH.>
A ^YNz1
"$9J`keոH
ݕr+@D(!t(1Rg6MBFi^Y*CM+Q
S5ܬΑt"{HQc)DKM1c28l`J;<2屜8D)= U97WU
#IV/pPR<N+/yY=
'+y&9&/y`K+)$Vf.#>L <R$њ@J:
YoyC/a"7K9 lӕд@)2e83*K*x"Ȃb>4΄TeA5b
e
h[%݊Ki.5jV@
b
a6/8C#@ѕr+x9E`|(>!F{`9
."%ad1T 㷁dIq:u5ۗ\XЖ+(f?F/lc!b3@
JX+"nSUcjQ0USj@0/wl䉷?>%tyRom\Ꚛ65sE?"ݿM
M{M\
լCuة
[j
Vf"Lu8eǮL@./3^ `^T0
B24VA 5BwiL%'\fY1tT`:/DL5@3r6-߇
K )J&kc<�*djqiQ1\!hLJBc䒬;
zVk"ss$
F`
\�Umha~
#I~I%XIh!Ii
Y (p1 s",�QѴ!1
45JomrEr`
ATcM&Ɖ},BW[b_'=ghz27!ԋσ z?7(P^:>@Ϸ)"h63NQz24f=?~t
A]S$R
E 4PkZ-lH/O^B**
ĕF䉫<H{!mNbILO]L%Kړ_}*=Xz{EcuhWow璚Wp%9oiA
ΰh ,xr'rzPWIC0;$͎
~ibG˯ٵ\;j rM}$&ANnYl4uhc(HrL,GacuZвN!]_]ũBeO
ЫƦ?õ';
Su:
>_Hɥ2"Eymgvmgvm_hk_ha(%rK+ܗ[vss1a;0Gղ|պ2
˛rjxTBCeA>6} nHS;'w:{`[{z'S3:56k@̮z[YD38P=uTлNooV ۶/ǛOfzp;;
70a!ɨoD^,ft σ-k\>Ɨ/~.dOfc�2w2/
Xkk`+|}'X}'r}e辿zGuo `<U{VM*EjH
*< ʰ[/*xTgS'>!"hܡ
p
w"<sXd3ҜFNh;"`O.`sߞ&`o,*/"]<y
ؓ'7`Os
gxu
\(3VԮKZ/X &c
JH]`7:&
AuS%V *'�}7>{bWSd-xY김GQR.2x53GLRZ9f<W8'^
b&4LSl`ZPd%5Sɻ!3jkX+ Z-
>bȪ`CZ¯АBVR2V=Kvk<e*'Y%>dljYHV
v 9q(�/^/wymǸu8Àzu"P?vuʧ?
[]_x 8'%*`G)8 TI828-(Qs+j,E6 S2IAp.MG�ҤJ2!e6aRL
hi4ޔ3oyKb:3oq3EFPܲoeMqUEYY8"*d*^
�-k$Lk
+D.O�IzUq9aK8B[69˾Yxa
ϠݧlT X:)
no7]
\
7<e
mw{ݳwVu._3uw1|/3hw#Pܻsz/yv%frzw
7⻃�Ģ!ǡ
Lv@>`jumHnH!w74"H|za 9(n{
bi9-$w%Dz_̝WeFgc~P
9vޟ_A\JEO?C9?s~9?s~9??C J���
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?05c501c0b41e$97277d20$0200a8c0>