[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  m0n0wall mailing list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VPN broken in current beta
 Date:  Mon, 18 Oct 2004 23:19:30 -0400
On Mon, 18 Oct 2004 13:02:36 -0400, Christopher M. Iarocci
<iarocci at eastendsc dot com> wrote:

> >
>  From the cisco:
> %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
> for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x
> from my m0n0wall:
> racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched:
> my:2 peer:0

That's exactly what I saw on mine.  Fred said 0 isn't even a valid
setting, and said he wasn't sure if that was a racoon bug or what.

> It would appear settings are mismatched, however, they are not as far as
> we can tell.  The Cisco defaults to 1024 bit encryption, so the fact
> that the m0n0wall is seeing the pfs group as 0 has me confused.

I changed my PFS group to "off" in phase 2 on m0n0wall, which stopped
that message and the constant dropping.

Give that a shot.