[Ipsec-tools-devel] multiple transforms - no explanation to failure

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm trying to accept an IPSec connection from a Cisco PIX-515 and I'm
hitting a little problem.  Unfortunately the RTT to the engineer at
the other end is pretty long :-(

They are sending over five transforms in phase1, the first looks like a
match to me, but racoon is still saying "nope".

In the non-DEBUG output I see this:

Jan 29 13:57:33 localhost racoon: INFO: respond new phase 1 negotiation: ....[500]<=>....[500] 
Jan 29 13:57:33 localhost racoon: INFO: begin Identity Protection mode. 
Jan 29 13:57:33 localhost racoon: INFO: received broken Microsoft ID: FRAGMENTATION 
Jan 29 13:57:33 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC 
Jan 29 13:57:33 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5 
Jan 29 13:57:33 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:768-bit MODP group 
Jan 29 13:57:33 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:1536-bit MODP group 
Jan 29 13:57:33 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:3DES-CBC 
Jan 29 13:57:33 localhost racoon: ERROR: no suitable proposal found. 
Jan 29 13:57:33 localhost racoon: ERROR: failed to get valid proposal. 
Jan 29 13:57:33 localhost racoon: ERROR: failed to process packet. 

I'm still very new to racoon, but those ERRORS seem to be rejecting
the 2,3,4,5th transforms (correctly, the algorithms, DH groups etc
don't match).  However it doesn't say anything about the 1st transform
which _does_ match.  It then says "no suitable proposal" and stops.

The only thing I see (which I've asked them to change and I'm awaiting
a reply) is that the lifetimes don't match:
Jan 29 13:52:12 localhost racoon: DEBUG: Compared: DB:Peer 
Jan 29 13:52:12 localhost racoon: DEBUG: (lifetime = 28800:86400) 
Jan 29 13:52:12 localhost racoon: DEBUG: (lifebyte = 0:0) 
Jan 29 13:52:12 localhost racoon: DEBUG: enctype = 7:7 
Jan 29 13:52:12 localhost racoon: DEBUG: (encklen = 256:256) 
Jan 29 13:52:12 localhost racoon: DEBUG: hashtype = SHA:SHA 
Jan 29 13:52:12 localhost racoon: DEBUG: authmethod = pre-shared key:pre-shared key 
Jan 29 13:52:12 localhost racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit  MODP group 

I've not set proposal_check in racoon.conf, in the case where the
other end is starting the connection, who is the "responder" (is that
me or them?)

Or is there something else I'm missing here?

Thanks for any advice!

Adrian
-- 
Email: ad...@sm...  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  www.debian.org