Re: something broken in isakmpd since 3.5
On Fri, Jun 18, 2004 at 12:19:41PM +0200, Alexandre wrote:
> 165138.875443 Default message_recv: cleartext phase 1 message
> 165138.875880 Default dropped message from x.x.x.x port 500 due to
> notification type INVALID_FLAGS
Your peer sends an unencrypted phase 1 message, but it must be encrypted (I
assume this is message three; you can check this with tcpdump). isakmpd as of
3.4 accepted those messages, which was a severe security problem. This was
fixed in 3.4-current and isakmpd rejects those messages -- and this is good.
The problem here is your peer. You could try to use main mode instead of
aggressive. Maybe the peer does that one correctly.
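To make the check in the reply concrete, here is an added example (not isakmpd's code and not from the thread): it decodes the fixed ISAKMP header and rejects a message whose encryption flag is clear once the exchange has reached the point where encrypted messages are expected, which is the condition behind the INVALID_FLAGS log line above. Header layout and constants follow RFC 2408; whether encryption is already required is passed in by the caller, since the reply only assumes this is message three of aggressive mode, and the sample packets are constructed.

```python
import struct

# Fixed ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28
FLAG_ENCRYPTION = 0x01        # the "E" bit of the Flags octet
EXCH_AGGRESSIVE = 4           # exchange type: Aggressive
NOTIFY_INVALID_FLAGS = 8      # notify message type INVALID_FLAGS


def parse_isakmp_header(pkt):
    """Decode the fixed header; everything after it is payload data."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("packet shorter than an ISAKMP header")
    icookie, rcookie, next_pl, ver, exch, flags, msgid, length = \
        struct.unpack(ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise ValueError("length field %d != packet length %d" % (length, len(pkt)))
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_pl,
            "version": ver, "exchange": exch, "flags": flags,
            "msgid": msgid, "length": length}


def check_encryption_flag(pkt, encryption_required):
    """Return (accepted, notify_type) for one incoming message.

    encryption_required is True once the responder expects encrypted
    messages (assumed by the reply to be message three of aggressive
    mode). A cleartext message at that point is dropped with INVALID_FLAGS,
    matching the quoted isakmpd log line.
    """
    hdr = parse_isakmp_header(pkt)
    if encryption_required and not hdr["flags"] & FLAG_ENCRYPTION:
        return False, NOTIFY_INVALID_FLAGS
    return True, None


def build_header(icookie, rcookie, exch, flags, body_len, msgid=0):
    """Constructed sample header (not captured traffic); next payload 1 = SA."""
    return struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, 1, 0x10, exch, flags,
                       msgid, ISAKMP_HDR_LEN + body_len)


def demo():
    ic, rc, body = b"\x01" * 8, b"\x02" * 8, b"\x00" * 4
    m1 = build_header(ic, b"\x00" * 8, EXCH_AGGRESSIVE, 0, 4) + body  # message 1, cleartext is normal
    m3 = build_header(ic, rc, EXCH_AGGRESSIVE, 0, 4) + body            # message 3 sent cleartext, as in the log
    m3e = build_header(ic, rc, EXCH_AGGRESSIVE, FLAG_ENCRYPTION, 4) + body  # message 3 with E bit set
    return (check_encryption_flag(m1, False),
            check_encryption_flag(m3, True),
            check_encryption_flag(m3e, True))
```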