From: Adrian B. <ad...@sm...> - 2009-01-30 09:07:26
I'm trying to accept an IPSec connection from a Cisco PIX-515 and I'm hitting a little problem. Unfortunately the RTT to the engineer at the other end is pretty long :-( They are sending over five transforms in phase 1; the first looks like a match to me, but racoon is still saying "nope". In the non-DEBUG output I see this:

Jan 29 13:57:33 localhost racoon: INFO: respond new phase 1 negotiation: ....[500]<=>....[500]
Jan 29 13:57:33 localhost racoon: INFO: begin Identity Protection mode.
Jan 29 13:57:33 localhost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 29 13:57:33 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC
Jan 29 13:57:33 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
Jan 29 13:57:33 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:768-bit MODP group
Jan 29 13:57:33 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:1536-bit MODP group
Jan 29 13:57:33 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:3DES-CBC
Jan 29 13:57:33 localhost racoon: ERROR: no suitable proposal found.
Jan 29 13:57:33 localhost racoon: ERROR: failed to get valid proposal.
Jan 29 13:57:33 localhost racoon: ERROR: failed to process packet.

I'm still very new to racoon, but those ERRORs seem to be rejecting the 2nd, 3rd, 4th and 5th transforms (correctly: the algorithms, DH groups etc. don't match). However, it doesn't say anything about the 1st transform, which _does_ match. It then says "no suitable proposal" and stops.

The only thing I see (which I've asked them to change and I'm awaiting a reply) is that the lifetimes don't match:

Jan 29 13:52:12 localhost racoon: DEBUG: Compared: DB:Peer
Jan 29 13:52:12 localhost racoon: DEBUG: (lifetime = 28800:86400)
Jan 29 13:52:12 localhost racoon: DEBUG: (lifebyte = 0:0)
Jan 29 13:52:12 localhost racoon: DEBUG: enctype = 7:7
Jan 29 13:52:12 localhost racoon: DEBUG: (encklen = 256:256)
Jan 29 13:52:12 localhost racoon: DEBUG: hashtype = SHA:SHA
Jan 29 13:52:12 localhost racoon: DEBUG: authmethod = pre-shared key:pre-shared key
Jan 29 13:52:12 localhost racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group

I've not set proposal_check in racoon.conf. In the case where the other end is starting the connection, who is the "responder" (is that me or them?) Or is there something else I'm missing here?

Thanks for any advice!

Adrian
-- 
Email: ad...@sm... -*- GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution -*- www.debian.org
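For reference, here is an added racoon.conf fragment (an editor's example, not from the original thread or from the racoon project) that spells out the responder-side ("DB") values shown in the DEBUG comparison above: IKE encryption type 7 is AES-CBC, here with a 256-bit key, hash SHA1, pre-shared key authentication, DH group modp1024 (the 1024-bit MODP group), and a phase 1 lifetime of 28800 seconds (8 hours). It also sets proposal_check explicitly instead of leaving it at its default; per racoon.conf(5) the default is strict, which as responder rejects a proposal whose lifetime is longer than the local one (86400 versus 28800 here), whereas obey accepts the initiator's lifetime. The peer address 192.0.2.1 and the PSK file path are placeholders.

```conf
# Added example (not from the original post): racoon.conf fragment that
# reproduces the DB side of the DEBUG comparison. 192.0.2.1 and the
# pre_shared_key path are placeholders for the real peer and PSK file.
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.0.2.1 {
        exchange_mode main;              # "Identity Protection mode" in the log
        my_identifier address;

        # Default is strict: as responder, reject when our lifetime is shorter
        # than the initiator's (28800 vs 86400 here). obey accepts theirs.
        proposal_check obey;
        lifetime time 8 hour;            # 28800 seconds, the DB value in the log

        proposal {
                encryption_algorithm aes 256;           # enctype 7, encklen 256
                hash_algorithm sha1;                    # hashtype SHA
                authentication_method pre_shared_key;   # authmethod
                dh_group modp1024;                      # 1024-bit MODP group
        }
}
```

Only the first peer transform can match this proposal block; the other four differ in cipher, hash or DH group, which is what the ERROR lines for trns#2 through trns#5 report.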