Re: DES Only IPsec?
- To: "KoAps" <koaps@g3k.cc>
- Subject: Re: DES Only IPsec?
- From: Ghislaine Labouret <Ghislaine.Labouret@hsc.fr>
- Date: Sun, 07 Oct 2001 15:34:53 +0200
- Cc: "Tech" <tech@openbsd.org>
- Organization: HSC (Herve Schauer Consultants)
- References: <018101c14798$1f0dbe40$49a1a8c0@coactive.com>
On Thu, 27 Sep 2001 14:05:17 -0700, KoAps wrote:
> I can break it or make it proceed to the step 5 failure by simply
> changing the Quick Mode Suites.
>
> If I use QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
>
> It will build to step 5 then fail with this....
>
> 124640.593513 Default exchange_run: doi->initiator (0x12ca00) failed
> 124922.350410 Default initiator_send_HASH_SA_NONCE: differing group
> descriptions in a proposal
In the pre-defined suites, 3DES implies Diffie-Hellman group 2, while
DES implies group 1. But a restriction in QM is that you cannot send
proposals with different groups, so your list above is not a valid set
of proposals.
You either need to propose only 3DES or manually redefine the DES
proposal to use DH2, for example.
> Now I know from Mailing list reading that this can be due to DES, and
> the AutoKeying going on is setting the group descriptions.. All fine
> and Dandy, I would rather not use DES...
Correct. What happens if you remove DES?
> But if I try to use AES or BLF it will fail waaaaay earlier and I
> notice these statements...
>
> 100640.780707 Default check_policy: negotiated SA failed policy check
> (I think this is normal, right? ISAKMP will build the SAs, right?)
What does your isakmp.policy file require?
Sincerely,
--
Ghislaine Labouret, Network security consultant
Hervé Schauer Consultants (HSC) - http://www.hsc.fr/
Phone (+33)-141-409-700 - Fax (+33)-141-409-709
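The Quick Mode restriction explained in the reply above (every suite offered in one proposal list must name the same Diffie-Hellman group) can be checked against an isakmpd.conf fragment before isakmpd rejects it. This is an added example, not code from the thread or from isakmpd; section and key names follow isakmpd.conf(5), the suite bodies mirror the stock pre-defined suites (3DES on MODP_1024, DES on MODP_768, lifetimes omitted), and the Quick Mode section name is a constructed sample.

```python
# Added example, not code from the thread or from isakmpd.  Section and key
# names follow isakmpd.conf(5); the suite bodies mirror the stock pre-defined
# suites (3DES -> MODP_1024, DES -> MODP_768) minus lifetimes, and the Quick
# Mode section is a constructed sample.
import configparser

CONF = """
[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=IPSEC_ESP
Transforms=QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=3DES
ENCAPSULATION_MODE=TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_SHA
GROUP_DESCRIPTION=MODP_1024
[QM-ESP-DES-MD5-PFS-SUITE]
Protocols=QM-ESP-DES-MD5-PFS
[QM-ESP-DES-MD5-PFS]
PROTOCOL_ID=IPSEC_ESP
Transforms=QM-ESP-DES-MD5-PFS-XF
[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID=DES
ENCAPSULATION_MODE=TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_MD5
GROUP_DESCRIPTION=MODP_768
"""

# The fix suggested in the reply: redefine the DES transform on DH group 2.
# Appending it mirrors a user section replacing the pre-defined one in isakmpd.conf.
DES_ON_DH2 = "[QM-ESP-DES-MD5-PFS-XF]\nGROUP_DESCRIPTION=MODP_1024\n"

def proposal_groups(conf_text, qm_section="Default-quick-mode"):
    """Set of GROUP_DESCRIPTION values reached via Suites -> Protocols -> Transforms.
    More than one member means 'differing group descriptions in a proposal'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; keep them as-is
    cp.read_string(conf_text)
    groups = set()
    for suite in cp[qm_section]["Suites"].split(","):
        for proto in cp[suite]["Protocols"].split(","):
            for xf in cp[proto]["Transforms"].split(","):
                groups.add(cp[xf].get("GROUP_DESCRIPTION", "no-PFS"))
    return groups
```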