Date: Tue, 6 Sep 2011 14:03:16 -0300 From: "Mikhail Goriachev" <mikhailg@webanoide.org> To: "Mike Tancsa" <mike@sentex.net> Cc: freebsd-questions@freebsd.org Subject: Re: IPsec phase 1 and 2 negotiation in an infinite loop. Message-ID: <37a5375d54158ec5977ecb4ea7b6b935.squirrel@www.vap.navalradio.net> In-Reply-To: <4E661E83.9050507@sentex.net> References: <8d457de47ed92550a511265436c183f9.squirrel@www.vap.navalradio.net> <4E657CEA.7080300@sentex.net> <d768d645fb3fc7938f5fea41e2738014.squirrel@www.vap.navalradio.net> <4E661E83.9050507@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa wrote:
> On 9/5/2011 11:58 PM, Mikhail Goriachev wrote:
>> (p: #1 protoid=isakmp transform=1
>> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
>> value=7080)(type=enc value=3des)(type=auth
>> value=preshared)(type=hash value=sha1)(type=group desc
>> value=modp1024))))
>> (vid: len=16 afcad71372a1f1c96b8696fc99570100)
>> 03:17:31.637424 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto
>> UDP
>> (17), length 108)
>> w.x.y.z.500 > a.b.c.d.500: [udp sum ok] isakmp 1.0 msgid cookie ->:
>> phase 1 R ident:
>> (sa: doi=ipsec situation=identity
>> (p: #1 protoid=isakmp transform=1
>> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
>> value=7080)(type=enc value=3des)(type=auth
>> value=preshared)(type=hash value=sha1)(type=group desc
>> value=modp1024))))
>
>
> OK, both sides are 3des, psk and sha1 dhgroup 1. Thats good.
>
>>
>> Note: a.b.c.d is my end. w.x.y.z is the other end. "vid:", "ke:" and
>> "nonce:" are scrambled.
>> flag=0x8000, lorv=AES-CBC
>> Sep 5 20:40:27 vpnmach racoon: DEBUG: encryption(aes)
>> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Hash Algorithm, flag=0x8000,
>> lorv=MD5
>> Sep 5 20:40:27 vpnmach racoon: DEBUG: hash(md5)
>> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Authentication Method,
>
>
> ... yet, you have AES and md5 ?? where are those coming from ? Do you
> have an extra config for the remote somewhere in your files perhaps that
> is matching ?
Nop. There're no extra files. The only thing the other guys gave me was:
Operation Mode: Tunnel (Net to Net)
Authentication Type: Pre shared secret
Phase 1: 3DES/SHA1, DH Group=2
Phase 2: 3DES/SHA1, PFS=no, DH Group=any
Based on that I got it working.
So, do you reckon the other end suddenly began advertising/requesting aes
and md5 instead of 3des and sha1?
> ---Mike
>
>> remote w.x.y.z {
>> exchange_mode main;
>> proposal_check obey;
>>
>> proposal {
>> encryption_algorithm 3des;
>> hash_algorithm sha1;
>> authentication_method pre_shared_key;
>> dh_group modp1024;
>> }
>> }
>>
>
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
--
Mikhail Goriachev
Webanoide
Mobile: +56 9 78772741
Web: www.webanoide.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37a5375d54158ec5977ecb4ea7b6b935.squirrel>