From: Peter E. <pe...@bo...> - 2007-02-16 01:05:01
I've pulled from CVS and confirmed that this is still the case with current
source. With the config excerpt noted below, except that I have 'pfs_group 2'
in the anonymous SA block, I get the following:

Feb 15 18:46:12 adder racoon: ERROR: pfs group mismatched: my:2 peer:0
Feb 15 18:46:12 adder racoon: ERROR: not matched
Feb 15 18:46:12 adder racoon: ERROR: no suitable policy found.
Feb 15 18:46:12 adder racoon: ERROR: failed to pre-process packet.

I re-ran this with -dddF and I have the trace available. I don't want to put
it in the public domain as it leaks out info, but I can make it available out
of band.

peter

On 2/15/07 11:13 AM, "Peter Eisch" <pe...@bo...> wrote:

> I've [somewhat painfully] discovered that the SA definition (like below)
> will fail to match and fall through to anonymous (which will match without
> pfs_group defined). In testing we added a pfs_group to the definition and
> the definition was selected properly.
>
> Has this been documented before? In this case the peer was checkpoint, but
> I don't know that it's pertinent to the situation. I'll pull down the
> pending 0.7 and test with it when I get a window.
>
> sainfo address LOCAL any address REMOTE any
> {
>         # NO PFS
>         lifetime time 1 hour ;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1 ;
>         compression_algorithm deflate ;
> }
> sainfo address REMOTE any address LOCAL any
> {
>         # NO PFS
>         lifetime time 1 hour ;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1 ;
>         compression_algorithm deflate ;
> }
> ...
> sainfo anonymous
> {
>         lifetime time 1 hour ;
>         encryption_algorithm 3des, aes;
>         authentication_algorithm hmac_md5, hmac_sha1 ;
>         compression_algorithm deflate ;
> }
>
> Thanks,
>
> peter
>
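The failure chain quoted above (a "pfs group mismatched: my:N peer:M" error followed by "no suitable policy found") is the kind of thing worth picking out of syslog automatically, since it tells you which side insisted on PFS and which side proposed none. The following is an added example, not code from the thread or from the ipsec-tools project: a small Python parser for racoon syslog lines that extracts the local and peer PFS groups from a mismatch message and counts policy-selection failures. The sample log is constructed here; its first four lines reproduce the messages quoted in the mail, the fifth is an invented INFO line to show that non-error lines are ignored. The syslog layout assumed is the common "Mon DD HH:MM:SS host racoon: LEVEL: message" form seen in the quote.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Lines 1-4 are the messages quoted in the thread;
# line 5 is an invented INFO line used only to show that it is skipped.
SAMPLE_LOG = """\
Feb 15 18:46:12 adder racoon: ERROR: pfs group mismatched: my:2 peer:0
Feb 15 18:46:12 adder racoon: ERROR: not matched
Feb 15 18:46:12 adder racoon: ERROR: no suitable policy found.
Feb 15 18:46:12 adder racoon: ERROR: failed to pre-process packet.
Feb 15 18:46:13 adder racoon: INFO: respond new phase 2 negotiation: LOCAL[500]<=>REMOTE[500]
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host racoon: LEVEL: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Matches the racoon message text quoted in the thread.
PFS_RE = re.compile(r"pfs group mismatched: my:(?P<mine>\d+) peer:(?P<peer>\d+)")


@dataclass
class PfsMismatch:
    host: str
    timestamp: str
    my_group: int    # DH group the local sainfo requires for phase 2
    peer_group: int  # DH group the peer proposed; 0 means no PFS at all

    def describe(self) -> str:
        peer = "no PFS" if self.peer_group == 0 else f"group {self.peer_group}"
        return (f"{self.host} at {self.timestamp}: local sainfo requires "
                f"pfs_group {self.my_group}, peer proposed {peer}")


def parse_racoon_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into ts/host/level/msg, or None if it is not a racoon line."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pfs_mismatches(log_text: str) -> List[PfsMismatch]:
    """Return one PfsMismatch per 'pfs group mismatched' ERROR line."""
    found = []
    for line in log_text.splitlines():
        rec = parse_racoon_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        pm = PFS_RE.search(rec["msg"])
        if pm:
            found.append(PfsMismatch(rec["host"], rec["ts"],
                                     int(pm["mine"]), int(pm["peer"])))
    return found


def count_policy_failures(log_text: str) -> int:
    """Count phase 2 negotiations that ended with 'no suitable policy found'."""
    n = 0
    for line in log_text.splitlines():
        rec = parse_racoon_line(line)
        if rec and rec["level"] == "ERROR" and rec["msg"].startswith("no suitable policy found"):
            n += 1
    return n


if __name__ == "__main__":
    for mm in find_pfs_mismatches(SAMPLE_LOG):
        print(mm.describe())
    print("policy selection failures:", count_policy_failures(SAMPLE_LOG))
```

Run over the sample it reports one mismatch (local group 2, peer offering no PFS) and one policy-selection failure; pointing it at a real /var/log/messages tail gives a quick per-peer view of which sainfo/PFS combinations are being rejected before you reach for -dddF.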