
Re: something broken in isakmpd since 3.5


On Fri, Jun 18, 2004 at 12:19:41PM +0200, Alexandre wrote:
> 165138.875443 Default message_recv: cleartext phase 1 message
> 165138.875880 Default dropped message from x.x.x.x port 500 due to
> notification type INVALID_FLAGS

your peer sends an unencrypted phase 1 message, but it must be encrypted (I
assume this is message three; you can check this with tcpdump).  isakmpd as of
3.4 accepted those messages, which was a severe security problem.  This was
fixed in 3.4-current and isakmpd rejects those messages -- and this is good.

The problem here is your peer.  You could try to use main mode instead of
aggressive.  Maybe the peer does that one correctly.
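To make the tcpdump check concrete, here is an added example (not code from the thread or from isakmpd) that parses the fixed 28-byte ISAKMP header of a captured UDP/500 payload and reports whether a phase 1 message that should be encrypted arrived in cleartext, which is the condition isakmpd logs as "cleartext phase 1 message" before dropping it with INVALID_FLAGS. The main mode rule (messages 5 and 6 carry the E flag) comes from RFC 2409; the aggressive mode rule (message 3 must be encrypted) follows the reply above. The message numbering is supplied by the caller, since a single packet does not say where in the exchange it sits, and the sample packets are constructed inline.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: 8-byte initiator cookie, 8-byte responder
# cookie, next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28 bytes

# Exchange types used by IKEv1 phase 1.
EXCH_IDENTITY_PROTECTION = 2  # "main mode"
EXCH_AGGRESSIVE = 4

# Header flag bits.
FLAG_ENCRYPTION = 0x01
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the ISAKMP header from the start of a UDP/500 payload."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short packet: %d bytes, header needs %d" % (len(data), ISAKMP_HDR_LEN))
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }


def phase1_encryption_expected(exchange_type: int, msg_number: int) -> bool:
    """Whether the msg_number-th message of a phase 1 exchange must carry the E flag.

    Main mode (RFC 2409): messages 1-4 are cleartext, 5 and 6 are encrypted.
    Aggressive mode: messages 1 and 2 are cleartext; message 3 is expected to be
    encrypted, which is the rule the reply above describes isakmpd enforcing.
    """
    if exchange_type == EXCH_IDENTITY_PROTECTION:
        return msg_number >= 5
    if exchange_type == EXCH_AGGRESSIVE:
        return msg_number >= 3
    raise ValueError("exchange type %d is not a phase 1 exchange" % exchange_type)


def check_phase1_message(data: bytes, msg_number: int) -> str:
    """Classify a captured message the way the log lines in the thread describe."""
    hdr = parse_isakmp_header(data)
    if hdr["length"] > len(data):
        return "truncated (header says %d bytes, got %d)" % (hdr["length"], len(data))
    if hdr["message_id"] != 0:
        return "not phase 1 (message ID %d)" % hdr["message_id"]
    expected = phase1_encryption_expected(hdr["exchange_type"], msg_number)
    if expected and not hdr["encrypted"]:
        # This is the case isakmpd rejects with notification type INVALID_FLAGS.
        return "cleartext phase 1 message"
    if not expected and hdr["encrypted"]:
        return "unexpectedly encrypted phase 1 message"
    return "ok"


def build_isakmp_header(exchange_type: int, flags: int, msg_id: int = 0,
                        next_payload: int = 0, payload_len: int = 0) -> bytes:
    """Constructed sample header (cookies are placeholders, version 1.0)."""
    icookie = b"\x01" * 8  # constructed placeholder cookie
    rcookie = b"\x02" * 8  # constructed placeholder cookie
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exchange_type,
                           flags, msg_id, ISAKMP_HDR_LEN + payload_len)


if __name__ == "__main__":
    # Constructed samples: a cleartext third aggressive-mode message (the case in
    # the thread) and the same position sent correctly with the E flag set.
    bad = build_isakmp_header(EXCH_AGGRESSIVE, 0)
    good = build_isakmp_header(EXCH_AGGRESSIVE, FLAG_ENCRYPTION)
    print("aggressive msg 3, no E flag :", check_phase1_message(bad, 3))
    print("aggressive msg 3, E flag    :", check_phase1_message(good, 3))
    print("main mode msg 2, no E flag  :",
          check_phase1_message(build_isakmp_header(EXCH_IDENTITY_PROTECTION, 0), 2))
```

Feed it the first 28 bytes of the UDP payload from a packet capture (for example, the bytes tcpdump -X prints after the UDP header) together with the position of that packet in the exchange; a result of "cleartext phase 1 message" for the peer's message is the behaviour the reply attributes to the remote implementation.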