[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: isakmpd between 2.9 and 3.1 broken ?
On Sun, 7 Jul 2002 email@example.com wrote:
> 020321.811287 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got
> PRE_SHARED, expected RSA_SIG
> # Those these are defaults - it seems essential
> # to include them as otherwise 3.1 gives me
> # an error 'EXCHANGE_TYPE' not defined.
(yes, you need to define how main and quick mode should be negotiated)
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
These look fine, but...
> 020318.620517 Default conf_get_list: empty field, ignoring...
> 020318.620803 Default conf_get_list: empty field, ignoring...
> 020318.621025 Default conf_get_list: empty field, ignoring...
> 020318.621247 Default conf_get_list: empty field, ignoring...
... these indicate syntactic/parse errors in isakmpd.conf, looking at the
later errors, probably around the configuration lines above.
I added some additional config file checks around 3.1-time sometime.
Perhaps you wan't to try isakmpd from -current instead? Otherwise, look
for trailing whitespace and such. Also, if you've edited this in a Windows
environment, you may have CR+LF linebreaks, instead of just LF.
Other than this, your configuration file looks ok.
(Even though I think I coded those additional checks correctly, if an
isakmpd from 2.9 parses the file without problems, but a 3.1 does not,
I'd be interested in knowing what failed. I've seen no such problems
myself lately (3.1 and later)...)
> 020319.686018 Exch 10 ipsec_responder: got NOTIFY of type NO_PROPOSAL_CHOSEN
The other side does not like what we sent it, probably because of the
> 020321.811287 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> 020321.811623 Negt 20 ike_phase_1_validate_prop: failure
> 020321.811913 Negt 30 message_negotiate_sa: proposal 1 failed
> 020321.812174 Default message_negotiate_sa: no compatible proposal found
> 020321.812557 Default dropped message from 188.8.131.52 port 500 due to notification type NO_PROPOSAL_CHOSEN
And this is us rejecting the proposal from the other side, most likely
similar data may be found in that debug file. Again, likely due to
syntax/parse errors above.
Generally, lines with "Default" indicate a serious problem, or atleast
something that you really want to correct.
Håkan Olsson <firstname.lastname@example.org> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB