Menu
▾
▴
Re: [Ipsec-tools-users] SA fails to match if pfs_group is not defined w/0.6.6
|
From: Peter E. <pe...@bo...> - 2007-02-16 01:05:01
|
I've pulled from CVS and confirmed that this is still the case with current
source. With the config excerpt noted below except that I have 'pfs_group
2' in the anonymous SA block I get the following:
Feb 15 18:46:12 adder racoon: ERROR: pfs group mismatched: my:2 peer:0
Feb 15 18:46:12 adder racoon: ERROR: not matched
Feb 15 18:46:12 adder racoon: ERROR: no suitable policy found.
Feb 15 18:46:12 adder racoon: ERROR: failed to pre-process packet.
I re-ran this with -dddF and I have the trace available. I don't want to
put it in the public domain as it leaks out info but I can make it available
out of band.
peter
On 2/15/07 11:13 AM, "Peter Eisch" <pe...@bo...> wrote:
>
> I've [somewhat painfully] discovered that the SA definition (like below)
> will fail to match and fall through to anonymous (which will match without
> pfs_group defined). In testing we added a pfs_group to the definition and
> the definition was selected properly.
>
> Has this been documented before? In this case the peer was checkpoint, but
> I don't know that it's pertinent to the situation. I'll pull down the
> pending 0.7 and test with it when I get a window.
>
> sainfo address LOCAL any address REMOTE any
> {
> # NO PFS
> lifetime time 1 hour ;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1 ;
> compression_algorithm deflate ;
> }
> sainfo address REMOTE any address LOCAL any
> {
> # NO PFS
> lifetime time 1 hour ;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1 ;
> compression_algorithm deflate ;
> }
> ...
> sainfo anonymous
> {
> lifetime time 1 hour ;
> encryption_algorithm 3des, aes;
> authentication_algorithm hmac_md5, hmac_sha1 ;
> compression_algorithm deflate ;
> }
>
> Thanks,
>
> peter
>
>
|