Re: isakmpd problems
On Fri, 24 Sep 2004 16:12:28 -0600, Colin Harford
<colin.harford@exr.ualberta.ca> wrote:
> Clients are told that there is an UNEQUAL PAYLOAD LENGTH
> isakmpd -d -DA=75
i found using a debug of > 90 for ... i think it is either 2 or 9.. whichever
one it is that spams the daylights out of you initially by
talking about all the permutations of the suites that it is finding....
that one has good information in it when the two parts of the
exchange aren't agreeing.
did a lot of that when i was getting isakmpd to work with a friend's
racoon/linux system.
it says things like, 'expected XXXX, found YYYY', or
expected/received, or some similar thing that basically told me
exactly what the discrepancy was. then i went in and explicitly
declared the buildout of my Phase-1 and my Suite like this:
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= custom.net-Phase-1
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= custom.net-QM-SHA-suite
[custom.net-Phase-1]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,128:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_2048
Life= LIFE_MAIN_MODE
[custom.net-QM-SHA-suite]
Protocols= custom.net-QM-SHA
[custom.net-QM-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= custom.net-QM-SHA-XF
[custom.net-QM-SHA-XF]
TRANSFORM_ID= AES
KEY_LENGTH= 256,128:256
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_2048
Life= LIFE_QUICK_MODE
this might not be directly related to your situation, but if you can get
past the debugging spam at the beginning of a >90 debuglevel,
it might have useful info.
jared
--
[ openbsd 3.6 GENERIC.MP ( sep 12 ) // i386 ]
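
Added example (not part of the original message or of isakmpd): a small Python check that every section named by a Transforms, Suites or Protocols tag in a configuration like the one above is actually defined. The sample is constructed from the message's section names with one deliberate typo, and the check looks only at the file, so any name defined elsewhere is reported as missing.

```python
import re

# Tags whose comma-separated values name other sections of the file.
REF_TAGS = {"transforms", "suites", "protocols"}

def parse_conf(text):
    """Return {section: {tag: value}} for isakmpd.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.strip()
    return sections

def dangling_refs(sections):
    """List (section, tag, name) for each reference to an undefined section."""
    missing = []
    for name, tags in sections.items():
        for tag, value in tags.items():
            if tag.lower() not in REF_TAGS:
                continue
            for ref in filter(None, (r.strip() for r in value.split(","))):
                if ref not in sections:
                    missing.append((name, tag, ref))
    return missing

# Constructed sample: abbreviated from the message, with "suite" misspelled once.
SAMPLE = """\
[Default-main-mode]
Transforms= custom.net-Phase-1
[Default-quick-mode]
Suites= custom.net-QM-SHA-suit
[custom.net-Phase-1]
ENCRYPTION_ALGORITHM= AES_CBC
[custom.net-QM-SHA-suite]
Protocols= custom.net-QM-SHA
[custom.net-QM-SHA]
Transforms= custom.net-QM-SHA-XF
[custom.net-QM-SHA-XF]
TRANSFORM_ID= AES
"""

if __name__ == "__main__":
    for section, tag, ref in dangling_refs(parse_conf(SAMPLE)):
        print(f"[{section}] {tag}= names undefined section '{ref}'")
```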