[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: something broken in isakmpd since 3.5
Many thanks Hans.
Yes main mode works correctly but unfortunately the peers have dynamic ips.
I guess my only options are to get fixed IPs or replace the peers (these
are netopia routers btw)
> On Fri, Jun 18, 2004 at 12:19:41PM +0200, Alexandre wrote:
>> 165138.875443 Default message_recv: cleartext phase 1 message
>> 165138.875880 Default dropped message from x.x.x.x port 500 due to
>> notification type INVALID_FLAGS
> your peer sends and unencrypted phase 1 message, but it must be encrypted
> assume this is message three, you can check this with tcpdump). isakmpd
> as of
> 3.4 accepted those messages, which was a sever security problem. This was
> fixed in 3.4-current and isakmpd rejects those message -- and this is
> The problem here is your peer. You could try to use main mode instead of
> aggressive. Maybe the peer does that one correctly.