Date: Fri, 16 Nov 2001 11:54:17 +1000
From: Nick Slager
To: freebsd-security@freebsd.org
Subject: KAME IPsec <--> Cisco
Message-ID: <20011116115417.F22136@BlueSkyFrog.COM>
User-Agent: Mutt/1.2.5i

I'm attempting to set up a VPN between a box running FreeBSD 4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5). Using racoon 20011026a for key exchange.

When I ping the other end, racoon logs the following:

...
2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

And that's as far as we get. An SA is not established.

I'm guessing that "invalid spi_size" message is the problem; the next line "spi=(size=0)" also seems odd. Is anyone able to shed some light on what is going wrong?

Relevant sections of racoon.conf are below. Note that the Cisco supports only DES/MD5.

Thanks,
Nick

remote 203.x.x.x {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 24 hour;          # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

sainfo address 203.x.x.x any address 203.y.y.y any {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
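As an added example, not part of Nick's post and not code from racoon or KAME, here is a small Python decoder for the ISAKMP Notification payload that the log above reports, together with a parser for racoon's "notification message" log line. The payload layout (next payload, reserved, length, DOI, protocol-ID, SPI size, notify type, SPI, data) and the notify-type names are taken from RFC 2408 section 3.14; the protocol-ID names are from RFC 2407. The sample bytes and the sample log line are constructed to match the values in the post (type 14, DOI 1, protocol-ID 1, SPI size 0). The decoder applies RFC 2408's rule that for protocol-ID 1 (ISAKMP) the cookie pair in the ISAKMP header is the SPI, so a size anywhere from 0 to 16 is well-formed, and reports the notify type itself, NO-PROPOSAL-CHOSEN, as the substantive finding: the responder accepted none of the offered phase 1 transforms.

```python
"""Decoder for IKEv1/ISAKMP Notification payloads and racoon's notification
log line.  Added example, not code from the original post or from racoon/KAME.
Payload layout and names follow RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI);
the sample bytes and log line below are constructed.
"""
import re
import struct
from dataclasses import dataclass

# RFC 2408 section 3.14.1, subset of the ISAKMP notify message types
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE",
    4: "INVALID-COOKIE",
    7: "INVALID-EXCHANGE-TYPE",
    10: "INVALID-PROTOCOL-ID",
    11: "INVALID-SPI",
    13: "ATTRIBUTES-NOT-SUPPORTED",
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}

# RFC 2407 section 4.4.1, IPsec DOI protocol identifiers
PROTOCOL_IDS = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}

ISAKMP_COOKIE_PAIR_LEN = 16  # initiator + responder cookie, 8 octets each
NOTIFY_FIXED_LEN = 12        # generic header (4) + DOI (4) + proto (1) + spi size (1) + type (2)


@dataclass
class NotifyPayload:
    doi: int
    proto_id: int
    spi_size: int
    notify_type: int
    spi: bytes
    data: bytes

    @property
    def name(self) -> str:
        return NOTIFY_TYPES.get(self.notify_type, f"UNKNOWN({self.notify_type})")

    @property
    def protocol(self) -> str:
        return PROTOCOL_IDS.get(self.proto_id, f"UNKNOWN({self.proto_id})")


def parse_notify_payload(buf: bytes) -> NotifyPayload:
    """Decode one Notification payload (RFC 2408 section 3.14) from buf.

    Raises ValueError on length or SPI-size inconsistencies so that a caller
    never reads past the buffer on a truncated or hostile packet.
    """
    if len(buf) < NOTIFY_FIXED_LEN:
        raise ValueError("buffer shorter than fixed notification header")
    _next, _reserved, length, doi, proto_id, spi_size, ntype = struct.unpack(
        "!BBHIBBH", buf[:NOTIFY_FIXED_LEN])
    if length < NOTIFY_FIXED_LEN or length > len(buf):
        raise ValueError(f"payload length {length} inconsistent with buffer of {len(buf)}")
    if proto_id == 1 and spi_size > ISAKMP_COOKIE_PAIR_LEN:
        # For ISAKMP the header cookie pair is the SPI, so RFC 2408 allows any
        # size from 0 to 16 here; size 0 (as in the Cisco notification) is legal.
        raise ValueError(f"ISAKMP spi_size {spi_size} exceeds cookie pair length")
    if NOTIFY_FIXED_LEN + spi_size > length:
        raise ValueError(f"spi_size {spi_size} runs past payload length {length}")
    spi = buf[NOTIFY_FIXED_LEN:NOTIFY_FIXED_LEN + spi_size]
    data = buf[NOTIFY_FIXED_LEN + spi_size:length]
    return NotifyPayload(doi, proto_id, spi_size, ntype, spi, data)


RACOON_NOTIFY_RE = re.compile(
    r"notification message (?P<type>\d+):(?P<name>[A-Z0-9-]+), "
    r"doi=(?P<doi>\d+) proto_id=(?P<proto>\d+) spi=\(size=(?P<size>\d+)\)")


def parse_racoon_notification(line: str):
    """Pull the fields out of racoon's 'notification message ...' log line."""
    m = RACOON_NOTIFY_RE.search(line)
    if m is None:
        return None
    return {"type": int(m["type"]), "name": m["name"], "doi": int(m["doi"]),
            "proto_id": int(m["proto"]), "spi_size": int(m["size"])}


def explain(n: NotifyPayload) -> str:
    """One-line reading of a notification for someone debugging an SA setup."""
    if n.notify_type == 14 and n.proto_id == 1:
        return ("peer rejected every phase 1 transform offered; compare encryption, "
                "hash, authentication method and DH group with the peer's policy")
    return f"{n.name} for {n.protocol} (spi_size={n.spi_size})"


# constructed sample: NO-PROPOSAL-CHOSEN for ISAKMP with spi_size 0, as in the log
SAMPLE_NOTIFY = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)
# constructed sample: INVALID-SPI for ESP carrying a 4-octet SPI
SAMPLE_ESP_NOTIFY = struct.pack("!BBHIBBH", 0, 0, 16, 1, 3, 4, 11) + bytes.fromhex("00001234")
# constructed racoon log line in the format shown in the post
SAMPLE_LOG_LINE = ("2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): "
                   "notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).")

if __name__ == "__main__":
    for raw in (SAMPLE_NOTIFY, SAMPLE_ESP_NOTIFY):
        n = parse_notify_payload(raw)
        print(f"{n.name} proto={n.protocol} spi={n.spi.hex() or '-'}: {explain(n)}")
    print(parse_racoon_notification(SAMPLE_LOG_LINE))
```

Running the script decodes both constructed payloads and the log line. The point for interop debugging is that a NO-PROPOSAL-CHOSEN notification against protocol-ID 1 is the responder's answer to the phase 1 proposal itself, so the place to look is the phase 1 parameters (encryption, hash, authentication method, DH group, and whether aggressive or main mode was offered) rather than the SPI field.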