From: Peter E. <pe...@bo...> - 2006-06-30 13:00:13

On 6/30/06 6:07 AM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

> Peter Eisch <pe...@bo...> wrote:
>
>> I've recently upgraded from NetBSD 2.0 to 3.0 and with it came 0.6.3. A
>> peer that I could initiate to before now rejects me. Neither side's config
>> has changed.
>
> You were using KAME racoon that came built-in with NetBSD 2.0, or you
> installed an ipsec-tools release?

When I, at one point, tried to use the pkgsrc ipsec-tools I saw this same
problem, had a snit with tron and rolled back to the KAME set.

> On NetBSD 3.0, if you try to install a newer ipsec-tools release, does
> it fix your problem?

It looked like the pkgsrc version was the same as what is in 3.0 (0.6.3) so
I haven't tried that yet. I'm only hesitant of going outside of bundled and
pkgsrc because I have less-savvy people as support backups -- I'd have to
symlink everything to keep them effective.

Late last night my "peer" emailed:

> This is the error message I got in my log:
>
> 1201 06/29/2006 19:29:49.730 SEV=5 IKE/75 RPT=1758 <my-addr>
> Group [<my-addr>]
> Overriding Initiator's IPSec rekeying duration from 43200 to 28800
> seconds
>
> 1203 06/29/2006 19:29:49.800 SEV=5 IKE/68 RPT=80 <my-addr>
> Group [<my-addr>]
> Received non-routine Notify message: Attributes not supported (13)
>
> After some research and checking RFC 2409, it seems this might have
> something to do with the Perfect Forward Secrecy group value.

While not pertinent to the error, we think, the rekeying message is
interesting. We're both set to 8 hours, but it seems that my side is
proposing something other than 28800, the 43200. I'm not sure where that
number comes from. The Attribute message is the one that gets logged before
it then shuts down the session.

Thanks Manu,

peter
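Added example, not part of the thread or of ipsec-tools: a small Python parser for the concentrator log lines quoted in the mail. It pulls out the rekeying-duration override and the ISAKMP Notify type, converts the lifetimes to hours so a mismatch like 43200 vs 28800 is visible at a glance, and names the Notify code from RFC 2408 section 3.14.1. The sample log text is constructed from the shapes in the mail with a documentation address (192.0.2.10) in place of the real one; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed sample, shaped like the peer's concentrator log in the mail.
# 192.0.2.10 is a placeholder for the initiator's address.
SAMPLE_LOG = """\
1201 06/29/2006 19:29:49.730 SEV=5 IKE/75 RPT=1758 192.0.2.10
Group [192.0.2.10]
Overriding Initiator's IPSec rekeying duration from 43200 to 28800 seconds

1203 06/29/2006 19:29:49.800 SEV=5 IKE/68 RPT=80 192.0.2.10
Group [192.0.2.10]
Received non-routine Notify message: Attributes not supported (13)
"""

# Subset of ISAKMP Notify message types, transcribed from RFC 2408 section 3.14.1.
ISAKMP_NOTIFY: Dict[int, str] = {
    13: "ATTRIBUTES-NOT-SUPPORTED",
    14: "NO-PROPOSAL-CHOSEN",
    15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED",
    24: "AUTHENTICATION-FAILED",
}

# Event header: "<seq> <date> <time> SEV=<n> <category> RPT=<n> <peer>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\S+) (?P<time>\S+) SEV=(?P<sev>\d+) "
    r"(?P<cat>\S+) RPT=(?P<rpt>\d+) (?P<peer>\S+)$"
)
# "seconds" may wrap onto the next line in a mail, so it is not required here.
REKEY_RE = re.compile(r"rekeying duration from (\d+) to (\d+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


@dataclass
class RekeyOverride:
    seq: int
    peer: str
    proposed: int  # seconds the initiator proposed
    applied: int   # seconds the responder actually used

    @property
    def proposed_hours(self) -> float:
        return self.proposed / 3600

    @property
    def applied_hours(self) -> float:
        return self.applied / 3600


@dataclass
class Notify:
    seq: int
    peer: str
    code: int
    text: str

    @property
    def name(self) -> str:
        return ISAKMP_NOTIFY.get(self.code, f"UNKNOWN-{self.code}")


Event = Union[RekeyOverride, Notify]


def parse_events(log: str) -> List[Event]:
    """Walk the log; each header line opens an event whose body lines follow."""
    events: List[Event] = []
    header = None
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None:
            continue
        m = REKEY_RE.search(line)
        if m:
            events.append(RekeyOverride(int(header["seq"]), header["peer"],
                                        int(m.group(1)), int(m.group(2))))
            continue
        m = NOTIFY_RE.search(line)
        if m:
            events.append(Notify(int(header["seq"]), header["peer"],
                                 int(m.group(2)), m.group(1)))
    return events


def explain(events: List[Event]) -> List[str]:
    """One human-readable line per event, with lifetimes shown in hours."""
    out = []
    for ev in events:
        if isinstance(ev, RekeyOverride):
            out.append(f"{ev.seq} {ev.peer}: initiator proposed {ev.proposed}s "
                       f"({ev.proposed_hours:g}h), responder applied {ev.applied}s "
                       f"({ev.applied_hours:g}h)")
        else:
            out.append(f"{ev.seq} {ev.peer}: Notify {ev.code} {ev.name} "
                       f"(responder rejected an attribute in the proposal)")
    return out


if __name__ == "__main__":
    for line in explain(parse_events(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample, the first line reports a 12-hour proposal against an applied 8-hour lifetime, which is the discrepancy Peter noticed; the second decodes Notify 13 as ATTRIBUTES-NOT-SUPPORTED, the responder's way of saying it would not accept one of the proposed SA attributes. Comparing the initiator's own lifetime setting against that proposed value is the first check to make.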