Re: isakmpd between 2.9 and 3.1 broken?
On Sun, 7 Jul 2002 dirkx@covalent.net wrote:
...
> 020321.811287 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
...
> # Those these are defaults - it seems essential
> # to include them as otherwise 3.1 gives me
> # an error 'EXCHANGE_TYPE' not defined.
> #
(yes, you need to define how main and quick mode should be negotiated)
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
These look fine, but...
...
> 020318.620517 Default conf_get_list: empty field, ignoring...
> 020318.620803 Default conf_get_list: empty field, ignoring...
> 020318.621025 Default conf_get_list: empty field, ignoring...
> 020318.621247 Default conf_get_list: empty field, ignoring...
... these indicate syntactic/parse errors in isakmpd.conf, looking at the
later errors, probably around the configuration lines above.
I added some additional config file checks around 3.1-time sometime.
Perhaps you want to try isakmpd from -current instead? Otherwise, look
for trailing whitespace and such. Also, if you've edited this in a Windows
environment, you may have CR+LF linebreaks, instead of just LF.
Other than this, your configuration file looks ok.
(Even though I think I coded those additional checks correctly, if an
isakmpd from 2.9 parses the file without problems, but a 3.1 does not,
I'd be interested in knowing what failed. I've seen no such problems
myself lately (3.1 and later)...)
...
> 020319.686018 Exch 10 ipsec_responder: got NOTIFY of type NO_PROPOSAL_CHOSEN
The other side does not like what we sent it, probably because of the
above.
...
> 020321.811287 Negt 70 attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> 020321.811623 Negt 20 ike_phase_1_validate_prop: failure
> 020321.811913 Negt 30 message_negotiate_sa: proposal 1 failed
> 020321.812174 Default message_negotiate_sa: no compatible proposal found
> 020321.812557 Default dropped message from 66.124.87.42 port 500 due to notification type NO_PROPOSAL_CHOSEN
And this is us rejecting the proposal from the other side, most likely
similar data may be found in that debug file. Again, likely due to
syntax/parse errors above.
Generally, lines with "Default" indicate a serious problem, or at least
something that you really want to correct.
/H
--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337    Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264    & Technology AB
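The reply above points at the usual culprits for "conf_get_list: empty field, ignoring..." and similar complaints: trailing whitespace, CR+LF line endings from a Windows editor, and stray commas in list values. The following is an added example, not code from Håkan or from the isakmpd project, that checks an isakmpd.conf for exactly those problems before you feed it to the daemon. Its parsing rules are my approximation of what the config parser accepts (sections in square brackets, KEY=VALUE with optional spaces around "=", comma-separated list values), and the sample config is constructed from the sections quoted in the message with three defects planted on purpose.

```python
"""Lint an isakmpd.conf for the syntactic problems the reply above points at."""
import sys

# Constructed sample modelled on the [Default-main-mode] / [Default-quick-mode]
# sections quoted in the message, with three defects planted on purpose:
# a CR+LF line ending (line 3), trailing whitespace (line 4) and empty
# fields in a comma-separated list (line 9).
SAMPLE_CONF = (
    "[Default-main-mode]\n"
    "DOI= IPSEC\n"
    "EXCHANGE_TYPE= ID_PROT\r\n"
    "Transforms= 3DES-SHA \n"
    "\n"
    "[Default-quick-mode]\n"
    "DOI= IPSEC\n"
    "EXCHANGE_TYPE= QUICK_MODE\n"
    "Suites= QM-ESP-3DES-SHA-PFS-SUITE,,QM-ESP-3DES-MD5-PFS-SUITE,\n"
)


def lint_isakmpd_conf(text):
    """Return a list of (line number, code, detail) findings.

    The checks are an approximation of what the parser trips over: CR+LF line
    endings and trailing whitespace (both can make a value differ from what
    you think you wrote), assignments outside any [section], lines without
    '=', and empty fields in comma-separated lists (which isakmpd reports as
    "conf_get_list: empty field, ignoring...").
    """
    findings = []
    section = None
    # keepends=True keeps "\r\n" on the line so the CR check can see it
    for lineno, raw in enumerate(text.splitlines(keepends=True), start=1):
        line = raw.rstrip("\n")
        if line.endswith("\r"):
            findings.append((lineno, "crlf", "CR+LF line ending"))
            line = line[:-1]
        if line != line.rstrip(" \t"):
            findings.append((lineno, "trailing-ws", "trailing whitespace"))
            line = line.rstrip(" \t")
        if not line or line.lstrip().startswith("#"):
            continue  # blank or comment line
        if line.startswith("["):
            if len(line) < 3 or not line.endswith("]"):
                findings.append((lineno, "bad-section", "malformed [section] header"))
            else:
                section = line[1:-1]
            continue
        if section is None:
            findings.append((lineno, "no-section", "assignment before any [section]"))
        key, eq, value = line.partition("=")
        if not eq:
            findings.append((lineno, "not-assignment", "expected KEY=VALUE"))
            continue
        key, value = key.strip(), value.strip()
        if not key:
            findings.append((lineno, "empty-key", "nothing left of '='"))
        if not value:
            findings.append((lineno, "empty-value", f"{key} has no value"))
        elif "," in value:
            # a field that is empty after trimming is what the daemon ignores
            for n, field in enumerate(value.split(","), start=1):
                if not field.strip():
                    findings.append((lineno, "empty-field",
                                     f"field {n} of {key} is empty"))
    return findings


def normalize(text):
    """Strip CR and trailing whitespace from every line (what dos2unix plus
    a trailing-whitespace sed would do); does not touch list contents."""
    return "".join(line.rstrip(" \t\r") + "\n" for line in text.splitlines())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        # newline="" keeps the raw line endings so CR+LF is actually visible
        with open(path, encoding="utf-8", newline="") as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_CONF
    for lineno, code, detail in lint_isakmpd_conf(conf):
        print(f"{path or '<sample>'}:{lineno}: {code}: {detail}")
```

Run it as `python3 lint_isakmpd_conf.py /etc/isakmpd/isakmpd.conf`; with no argument it lints the embedded sample and reports the CR+LF ending, the trailing blank and the two empty Suites fields. Note that `normalize()` deliberately fixes only the whitespace problems: a stray comma in a Transforms or Suites list is a content error that you should correct by hand rather than have a script guess at.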