From: "Holger Eitzenberger"
To: freebsd-net@freebsd.org
Date: Fri, 19 Mar 2004 23:06:38 +0100
Subject: IPsec: problems after upgrade 4.8 to 4.9
Message-ID: <20040319230638.A25674@eitzenberger.name>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I was successfully running FBSD 4.8 with X509 certificate VPN. After installation of FBSD 4.9 I get the following error messages:

  isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
  ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing. (*)
  ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
  ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
  ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
  ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.

The connecting peer is a Linux box (FreeSwan 1.99). Line (*) looks suspicious to me. Is there some persistent data between two VPN "sessions", which is now missing on one side of the link after installation?

This is my racoon configuration:

  path include "/usr/local/etc/racoon";
  path certificate "/usr/local/etc/racoon/cert";

  log notify;   # notify, debug, debug2

  padding {
      maximum_length 20;    # maximum padding length.
      strict_check off;     # enable strict check.
      exclusive_tail off;   # extract last one octet.
  }

  listen {
      isakmp XXX.XXX.XXX.XXX [500];
  }

  timer {
      counter 5;
      interval 20 sec;
      persend 1;
      phase1 30 sec;
      phase2 15 sec;
  }

  remote anonymous {
      exchange_mode main;
      my_identifier asn1dn;
      peers_identifier asn1dn;
      certificate_type x509 "XXX.pem" "XXX.pem";
      peers_certfile "YYY.pem";
      passive on;
      lifetime time 1 hour;   # sec,min,hour
      support_proxy on;
      proposal_check obey;

      proposal {
          encryption_algorithm 3des;
          hash_algorithm md5;
          authentication_method rsasig;
          dh_group 2;
      }
  }

  sainfo anonymous {
      pfs_group 1;
      lifetime time 30 sec;
      encryption_algorithm 3des;
      authentication_algorithm hmac_sha1,hmac_md5;
      compression_algorithm deflate;
  }

/Holger
-- 
++ GnuPG Key -> http://www.t-online.de/~holger.eitzenberger ++
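An added example, not part of Holger's post: a small Python check that reads the print_ph1mismatched() line from a racoon log, maps racoon's MODP group names back to dh_group numbers (RFC 2409 / RFC 3526 numbering), and reports whether the group the peer proposed is present in the local racoon.conf. The regex assumes the message layout shown in the post above; the sample log and config fragment are constructed from it.

```python
import re

# IKEv1 Diffie-Hellman group numbers (RFC 2409, RFC 3526) and the names
# racoon prints for them in its phase-1 mismatch messages.
DH_GROUPS = {
    1: "768-bit MODP group",
    2: "1024-bit MODP group",
    5: "1536-bit MODP group",
    14: "2048-bit MODP group",
}
NAME_TO_GROUP = {name: num for num, name in DH_GROUPS.items()}

# racoon's print_ph1mismatched() line: the local database (DB) value comes
# first, the peer's proposed value second (assumed layout, taken from the post).
MISMATCH_RE = re.compile(
    r"print_ph1mismatched\(\): rejected (?P<attr>\w+): "
    r"DB\(prop#\d+:trns#\d+\):Peer\(prop#\d+:trns#\d+\) = (?P<db>[^:]+):(?P<peer>.+)$"
)
DH_CFG_RE = re.compile(r"^\s*dh_group\s+(\d+)\s*;", re.MULTILINE)


def parse_ph1_mismatches(log):
    """Return (attribute, local value, peer value) for each phase-1 rejection."""
    return [(m["attr"], m["db"].strip(), m["peer"].strip())
            for m in map(MISMATCH_RE.search, log.splitlines()) if m]


def diagnose_dh_mismatch(log, racoon_conf):
    """Compare dh_group in racoon.conf with the group racoon rejected.

    Returns None if the log has no dh_group rejection. Phase 1 can only complete
    when both sides share a group, so peer_group_configured False means one side's
    proposal list has to change.
    """
    configured = {int(g) for g in DH_CFG_RE.findall(racoon_conf)}
    for attr, local, peer in parse_ph1_mismatches(log):
        if attr == "dh_group":
            peer_grp = NAME_TO_GROUP.get(peer)
            return {"configured_groups": sorted(configured),
                    "local_group": NAME_TO_GROUP.get(local),
                    "peer_group": peer_grp,
                    "peer_group_configured": peer_grp in configured}
    return None


# Constructed sample input: the rejection lines and dh_group setting from the post.
SAMPLE_LOG = ("ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: "
              "DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group\n"
              "ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.\n")
SAMPLE_CONF = "remote anonymous {\n    proposal {\n        dh_group 2;\n    }\n}\n"
```

Running `diagnose_dh_mismatch(SAMPLE_LOG, SAMPLE_CONF)` on the post's lines shows racoon offering group 2 (1024-bit) while the FreeSwan peer proposed group 5 (1536-bit), which no local proposal block lists.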