Date: Tue, 6 Sep 2011 14:03:16 -0300 From: "Mikhail Goriachev" <mikhailg@webanoide.org> To: "Mike Tancsa" <mike@sentex.net> Cc: freebsd-questions@freebsd.org Subject: Re: IPsec phase 1 and 2 negotiation in an infinite loop. Message-ID: <37a5375d54158ec5977ecb4ea7b6b935.squirrel@www.vap.navalradio.net> In-Reply-To: <4E661E83.9050507@sentex.net> References: <8d457de47ed92550a511265436c183f9.squirrel@www.vap.navalradio.net> <4E657CEA.7080300@sentex.net> <d768d645fb3fc7938f5fea41e2738014.squirrel@www.vap.navalradio.net> <4E661E83.9050507@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa wrote: > On 9/5/2011 11:58 PM, Mikhail Goriachev wrote: >> (p: #1 protoid=isakmp transform=1 >> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration >> value=7080)(type=enc value=3des)(type=auth >> value=preshared)(type=hash value=sha1)(type=group desc >> value=modp1024)))) >> (vid: len=16 afcad71372a1f1c96b8696fc99570100) >> 03:17:31.637424 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto >> UDP >> (17), length 108) >> w.x.y.z.500 > a.b.c.d.500: [udp sum ok] isakmp 1.0 msgid cookie ->: >> phase 1 R ident: >> (sa: doi=ipsec situation=identity >> (p: #1 protoid=isakmp transform=1 >> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration >> value=7080)(type=enc value=3des)(type=auth >> value=preshared)(type=hash value=sha1)(type=group desc >> value=modp1024)))) > > > OK, both sides are 3des, psk and sha1 dhgroup 1. Thats good. > >> >> Note: a.b.c.d is my end. w.x.y.z is the other end. "vid:", "ke:" and >> "nonce:" are scrambled. >> flag=0x8000, lorv=AES-CBC >> Sep 5 20:40:27 vpnmach racoon: DEBUG: encryption(aes) >> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Hash Algorithm, flag=0x8000, >> lorv=MD5 >> Sep 5 20:40:27 vpnmach racoon: DEBUG: hash(md5) >> Sep 5 20:40:27 vpnmach racoon: DEBUG: type=Authentication Method, > > > ... yet, you have AES and md5 ?? where are those coming from ? Do you > have an extra config for the remote somewhere in your files perhaps that > is matching ? Nop. There're no extra files. The only thing the other guys gave me was: Operation Mode: Tunnel (Net to Net) Authentication Type: Pre shared secret Phase 1: 3DES/SHA1, DH Group=2 Phase 2: 3DES/SHA1, PFS=no, DH Group=any Based on that I got it working. So, do you reckon the other end suddenly began advertising/requesting aes and md5 instead of 3des and sha1? > ---Mike > >> remote w.x.y.z { >> exchange_mode main; >> proposal_check obey; >> >> proposal { >> encryption_algorithm 3des; >> hash_algorithm sha1; >> authentication_method pre_shared_key; >> dh_group modp1024; >> } >> } >> > > > > > -- > ------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet services since 1994 www.sentex.net > Cambridge, Ontario Canada http://www.tancsa.com/ > -- Mikhail Goriachev Webanoide Mobile: +56 9 78772741 Web: www.webanoide.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37a5375d54158ec5977ecb4ea7b6b935.squirrel>