Re: something broken in isakmpd since 3.5
Many thanks Hans.
Yes, main mode works correctly, but unfortunately the peers have dynamic IPs.
I guess my only options are to get fixed IPs or replace the peers (these
are Netopia routers, btw).
Regards,
Alexandre
> Hi,
>
> On Fri, Jun 18, 2004 at 12:19:41PM +0200, Alexandre wrote:
>> 165138.875443 Default message_recv: cleartext phase 1 message
>> 165138.875880 Default dropped message from x.x.x.x port 500 due to
>> notification type INVALID_FLAGS
>
> your peer sends an unencrypted phase 1 message, but it must be encrypted
> (I assume this is message three; you can check this with tcpdump). isakmpd
> as of 3.4 accepted those messages, which was a severe security problem.
> This was fixed in 3.4-current and isakmpd rejects those messages -- and
> this is good.
>
> The problem here is your peer. You could try to use main mode instead of
> aggressive. Maybe the peer does that one correctly.
>
> HJ.
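The check HJ describes above, as an added example that is not part of the thread and not isakmpd's own code: parse the fixed 28-byte ISAKMP header (RFC 2408, section 3.1) and compare the Encryption bit of the Flags octet against what the current point in the phase 1 exchange requires. The two packets below are constructed, not captured, and the "expect_encrypted" input stands in for state that a real daemon's exchange state machine would track; the decision rule is a simplified reconstruction of the "dropped message ... due to notification type INVALID_FLAGS" behaviour in the log lines, not isakmpd's actual logic.

```python
# Added example: ISAKMP header parsing and Encryption-flag check.
# Not from the thread or from isakmpd; field layout follows RFC 2408 s.3.1.
import struct

# Initiator cookie(8) Responder cookie(8) Next payload(1) Version(1)
# Exchange type(1) Flags(1) Message ID(4) Length(4), network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

FLAG_ENCRYPTION = 0x01   # bit 0 of Flags: payloads after the header are encrypted
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04

EXCHANGE_MAIN = 2        # Identity Protection exchange (main mode)
EXCHANGE_AGGRESSIVE = 4  # Aggressive exchange


def parse_header(pkt):
    """Decode the fixed ISAKMP header into a dict; raises on a short packet."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP packet: %d bytes" % len(pkt))
    icookie, rcookie, next_payload, version, exch, flags, msgid, length = \
        ISAKMP_HDR.unpack_from(pkt)
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": exch,
        "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
    }


def check_phase1_message(pkt, expect_encrypted):
    """Return ("accept", header) or ("drop", reason).

    expect_encrypted is a hypothetical input: whether the exchange state
    machine says this phase 1 message must carry the E bit. A phase 1
    message whose E bit disagrees with that expectation is dropped with
    INVALID_FLAGS; this mirrors the log lines, not isakmpd's real code.
    """
    hdr = parse_header(pkt)
    if hdr["message_id"] != 0:
        # RFC 2408: Message ID MUST be 0 during phase 1.
        return ("drop", "NOT_PHASE1")
    if hdr["encrypted"] != expect_encrypted:
        return ("drop", "INVALID_FLAGS")
    return ("accept", hdr)


def build_packet(exchange_type, flags, body=b"",
                 icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    """Construct a test packet: ISAKMP header (version 1.0) plus opaque body."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exchange_type,
                           flags, 0, length) + body


# Constructed sample packets (no real peer data): the cleartext aggressive
# mode packet is the situation the thread describes.
CLEARTEXT_AGGR = build_packet(EXCHANGE_AGGRESSIVE, 0x00, b"\x00" * 16)
ENCRYPTED_AGGR = build_packet(EXCHANGE_AGGRESSIVE, FLAG_ENCRYPTION, b"\xAA" * 16)
CLEARTEXT_MAIN = build_packet(EXCHANGE_MAIN, 0x00, b"\x00" * 16)


if __name__ == "__main__":
    for name, pkt in (("cleartext aggressive", CLEARTEXT_AGGR),
                      ("encrypted aggressive", ENCRYPTED_AGGR)):
        verdict, detail = check_phase1_message(pkt, expect_encrypted=True)
        print("%-21s -> %s %s" % (name, verdict,
                                  detail if verdict == "drop" else ""))
```

With tcpdump, the same bit is visible as the header flags in the decoded ISAKMP packet; the parser above is the offline equivalent for a captured payload.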