Re: isakmpd does not initiate connections but wait for others

On Mon, 3 Mar 2003, Alexandre wrote:
...
> the right proposal is reached ? Could it be some incompatibilities

Yes, this is it. I missed this earlier.

3DES-SHA with DES-SHA for phase 1 is ok, but it is not ok to mix PFS and non-PFS suites for phase 2. This is mandated by the RFCs. (PFS suites include a group description.)

I could have sworn I added a section to isakmpd(8) or isakmpd.conf(5) warning about exactly this (expected) behaviour a year or two ago. Can't find it now though. I'll see if I can find and re-add it.

...
> 144302.765525 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the QM-ESP-3DES-SHA-XF section
> 144302.766131 Default initiator_send_HASH_SA_NONCE: differing group descriptions in a proposal

Here, the suite does not include a group description (it's not a PFS suite), and "no group" differs from the previous "<some> group" (probably DH group 2), so you get the error.

/H

--
Håkan Olsson         (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek