
Re: something broken in isakmpd since 3.5



Many thanks Hans.

Yes, main mode works correctly, but unfortunately the peers have dynamic IPs.

I guess my only options are to get fixed IPs or replace the peers (these
are Netopia routers, btw).

Regards,
Alexandre

> Hi,
>
> On Fri, Jun 18, 2004 at 12:19:41PM +0200, Alexandre wrote:
>> 165138.875443 Default message_recv: cleartext phase 1 message
>> 165138.875880 Default dropped message from x.x.x.x port 500 due to
>> notification type INVALID_FLAGS
>
> your peer sends an unencrypted phase 1 message, but it must be encrypted
> (I assume this is message three, you can check this with tcpdump).  isakmpd
> as of 3.4 accepted those messages, which was a severe security problem.  This
> was fixed in 3.4-current and isakmpd rejects those messages -- and this is
> good.
>
> The problem here is your peer.  You could try to use main mode instead of
> aggressive.  Maybe the peer does that one correctly.
>
> HJ.
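To see the condition HJ describes in a capture, here is an added example (not code from the thread or from isakmpd) that parses the ISAKMP header of each UDP/500 packet and reports a phase 1 message sent in cleartext where encryption is required: message 3 onward of an aggressive exchange, as the thread states, and, going beyond the thread, message 5 onward of a main mode exchange. The packets below are constructed headers with no payloads; a real check would feed it the UDP payloads from tcpdump.

```python
import struct
from collections import defaultdict

# ISAKMP header (RFC 2408): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, length; 28 bytes, network order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
FLAG_ENCRYPTION = 0x01
# First message of the phase 1 exchange that must carry the encryption flag
# (aggressive: message 3, as stated in the thread; main mode: message 5).
FIRST_ENCRYPTED = {EXCH_AGGRESSIVE: 3, EXCH_MAIN: 5}

def parse_header(pkt):
    """Return the header fields of a raw ISAKMP (UDP/500) payload as a dict."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icky, rcky, _npl, _ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    return {"icookie": icky, "rcookie": rcky, "exchange": exch,
            "encrypted": bool(flags & FLAG_ENCRYPTION), "msgid": msgid, "length": length}

def find_cleartext_violations(packets):
    """Walk phase 1 packets in capture order and report every message that
    arrives in cleartext although its position in the exchange requires
    encryption (the case isakmpd drops with INVALID_FLAGS)."""
    seen = defaultdict(int)  # initiator cookie -> messages seen so far
    findings = []
    for n, pkt in enumerate(packets, 1):
        h = parse_header(pkt)
        if h["msgid"] != 0 or h["exchange"] not in FIRST_ENCRYPTED:
            continue  # not a phase 1 main/aggressive mode message
        seen[h["icookie"]] += 1
        pos = seen[h["icookie"]]
        if pos >= FIRST_ENCRYPTED[h["exchange"]] and not h["encrypted"]:
            findings.append((n, h["exchange"], pos))
    return findings

def make_hdr(icookie, rcookie, exch, flags):
    """Build a constructed 28-byte ISAKMP header (no payloads) for testing."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, flags, 0, ISAKMP_HDR.size)

# Constructed aggressive mode exchange: messages 1 and 2 in cleartext (correct),
# message 3 from the initiator sent without the encryption flag (the peer's bug).
IC, RC = b"\x01" * 8, b"\x02" * 8
SAMPLE = [
    make_hdr(IC, b"\x00" * 8, EXCH_AGGRESSIVE, 0),
    make_hdr(IC, RC, EXCH_AGGRESSIVE, 0),
    make_hdr(IC, RC, EXCH_AGGRESSIVE, 0),  # should have carried flags 0x01
]

if __name__ == "__main__":
    for n, exch, pos in find_cleartext_violations(SAMPLE):
        print(f"packet {n}: cleartext message {pos} of exchange type {exch}")
```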