From: JINMEI Tatuya
To: "Holger Eitzenberger"
Cc: freebsd-net@freebsd.org
Date: Mon, 22 Mar 2004 12:28:20 +0900
Subject: Re: IPsec: problems after upgrade 4.8 to 4.9
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.

>>>>> On Fri, 19 Mar 2004 23:06:38 +0100,
>>>>> "Holger Eitzenberger" said:

> I was successfully running FBSD 4.8 with X509 certificate VPN.
> After installation of FBSD 4.9 I get the following error messages:

> isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
> ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
> (*) ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 1024-bit MODP group:1536-bit MODP group
> ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
> ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
> ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.

> The connecting peer is a Linux box (FreeSwan 1.99).

> Line (*) looks suspicious to me. Is there some persistent data
> between two VPN "sessions", which is now missing on one side of
> the link after installation?

If you don't mind, could you ask the question at racoon@kame.net
please? Right now the primary developer of racoon (it's not me, BTW)
is too busy to answer questions, but there are other experts who may
be able to help you at the mailing list.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp