From owner-freebsd-net@FreeBSD.ORG  Fri Mar 19 14:05:48 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 24E2916A4CE
	for <freebsd-net@freebsd.org>; Fri, 19 Mar 2004 14:05:48 -0800 (PST)
Received: from mailout02.sul.t-online.com (mailout02.sul.t-online.com
	[194.25.134.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B7C7E43D2F
	for <freebsd-net@freebsd.org>; Fri, 19 Mar 2004 14:05:47 -0800 (PST)
	(envelope-from Holger.Eitzenberger@t-online.de)
Received: from fwd01.aul.t-online.de 
	by mailout02.sul.t-online.com with smtp 
	id 1B4S7e-0004O9-07; Fri, 19 Mar 2004 23:05:46 +0100
Received: from kruemel.eitzenberger.name
	(bdHSI2ZCYeN+vjfkJ9hcPv4KA8m63Vt+rGE4TEAi+WzVmDPOukp6Ur@[62.224.20.157]) by
	fwd01.sul.t-online.com
	with esmtp id 1B4S7a-0q7al60; Fri, 19 Mar 2004 23:05:42 +0100
Received: from [192.168.10.10] (helo=jonathan.eitzenberger.name)
	by kruemel.eitzenberger.name with esmtp (Exim 4.22)
	id 1B4S6x-00009u-QD
	for freebsd-net@freebsd.org; Fri, 19 Mar 2004 23:05:03 +0100
Received: from holger by jonathan.eitzenberger.name with local (Exim 3.35 #1
	(Debian))	id 1B4S8U-0006gN-00
	for <freebsd-net@freebsd.org>; Fri, 19 Mar 2004 23:06:38 +0100
Date: Fri, 19 Mar 2004 23:06:38 +0100
To: freebsd-net@freebsd.org
Message-ID: <20040319230638.A25674@eitzenberger.name>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
From: "Holger Eitzenberger" <Holger.Eitzenberger@t-online.de>
X-Seen: false
X-ID: bdHSI2ZCYeN+vjfkJ9hcPv4KA8m63Vt+rGE4TEAi+WzVmDPOukp6Ur
Subject: IPsec: problems after upgrade 4.8 to 4.9
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2004 22:05:48 -0000


--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

I was sucessfully running FBSD 4.8 with X509 certicate VPN.
After installation of FBSD 4.9 I get the following error messages:

	isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
	ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload i=
s allowed during phase 1 processing.
	(*) ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(pr=
op#1:trns#1):Peer(prop#0:trns#0) =3D 1024-bit MODP group:1536-bit MODP group
	ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
	ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
	ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet. =20

The connecting peer is a Linux box (FreeSwan 1.99).

Line (*) looks suspicious to me.  Is there some persistant data
between too VPN "sessions", which is now missing on one side of
the link after installation?

This is my racoon configuration:

    path include "/usr/local/etc/racoon" ;
    path certificate "/usr/local/etc/racoon/cert";

    log notify;							# notify, debug, debug2

    padding
    {
        maximum_length 20;	# maximum padding length.
        strict_check off;	# enable strict check.
        exclusive_tail off;	# extract last one octet.
    }

    listen
    {
        isakmp XXX.XXX.XXX.XXX [500];
    }

    timer
    {
        counter 5;
        interval 20 sec;
        persend 1;

        phase1 30 sec;
        phase2 15 sec;
    }

    remote anonymous
    {
        exchange_mode main;

        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "XXX.pem" "XXX.pem";
        peers_certfile "YYY.pem";
        passive on;

        lifetime time 1 hour;				# sec,min,hour
        support_proxy on;
        proposal_check obey;

        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
    }

/Holger


--=20
++ GnuPG Key -> http://www.t-online.de/~holger.eitzenberger ++

--WIyZ46R2i8wDzkSu
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAW27uwVlL9V2akAURAqOvAJ9YqBwybt2gJrLGm69vyuhoZ74UBgCdHmzC
ace4jKGwcQirSFJ0IFx1U08=
=2C8V
-----END PGP SIGNATURE-----

--WIyZ46R2i8wDzkSu--