On Mon, 18 Oct 2004 13:02:36 -0400, Christopher M. Iarocci
<iarocci at eastendsc dot com> wrote:
> From the Cisco:
> %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
> for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x
> From my m0n0wall:
> racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched:
> my:2 peer:0
That's exactly what I saw on mine. Fred said 0 isn't even a valid
setting, and said he wasn't sure if that was a racoon bug or what.
> It would appear settings are mismatched, however, they are not as far as
> we can tell. The Cisco defaults to 1024 bit encryption, so the fact
> that the m0n0wall is seeing the pfs group as 0 has me confused.
I changed my PFS group to "off" in phase 2 on m0n0wall, which stopped
that message and the constant dropping.
Give that a shot.
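
Added example, not part of the original message: a small log triage script that picks out the two messages quoted above, even when a mail client has wrapped them, and reports which side is proposing which PFS group. The function names are hypothetical, and reading a group value of 0 as "no PFS group proposed" is this example's assumption.

```python
import re

# IKE Diffie-Hellman (Oakley) group numbers and their MODP sizes.
DH_GROUPS = {1: "768-bit MODP", 2: "1024-bit MODP",
             5: "1536-bit MODP", 14: "2048-bit MODP"}

PFS_RE = re.compile(r"pfs group mismatched:\s*my:(\d+)\s+peer:(\d+)")
SPI_RE = re.compile(r"RECVD_PKT_INV_SPI.*?spi=(0x[0-9A-Fa-f]+)")

# The two log messages quoted in the thread, wrapped as they were in the mail.
SAMPLE = """%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x
racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched:
my:2 peer:0"""


def describe(group):
    """Human-readable form of a PFS group number from the racoon message."""
    if group == 0:
        return "no PFS group (assumed meaning of 0)"
    return "group %d (%s)" % (group, DH_GROUPS.get(group, "unknown size"))


def triage(text):
    """Return a list of findings for PFS mismatches and invalid-SPI drops."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    findings = []
    for m in PFS_RE.finditer(flat):
        mine, peer = int(m.group(1)), int(m.group(2))
        if (mine == 0) != (peer == 0):
            advice = "PFS is on at one end only: match the phase 2 PFS setting on both ends"
        else:
            advice = "both ends use PFS with different groups: set the same group on both ends"
        findings.append({"kind": "pfs_mismatch", "local": describe(mine),
                         "peer": describe(peer), "advice": advice})
    for m in SPI_RE.finditer(flat):
        findings.append({"kind": "invalid_spi", "spi": int(m.group(1), 16)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```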