On Mon, 18 Oct 2004 13:02:36 -0400, Christopher M. Iarocci <iarocci at eastendsc dot com> wrote:
>
> From the cisco:
>
> %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
> for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x
>
> from my m0n0wall:
>
> racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched:
> my:2 peer:0
>

That's exactly what I saw on mine. Fred said 0 isn't even a valid setting, and said he wasn't sure if that was a racoon bug or what.

> It would appear settings are mismatched, however, they are not as far as
> we can tell. The Cisco defaults to 1024 bit encryption, so the fact
> that the m0n0wall is seeing the pfs group as 0 has me confused.
>

I changed my PFS group to "off" in phase 2 on m0n0wall, which stopped that message and the constant dropping. Give that a shot.

-Chris
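
An added example, not part of the original message or of m0n0wall/racoon: a short Python triage script that picks the two log lines quoted above out of a log stream and decodes the PFS group numbers into Diffie-Hellman group sizes. The function names, the group table, and the reading of group 0 as "no PFS group in the proposal" are assumptions of this example.

```python
import re

# IKEv1 Diffie-Hellman group numbers mapped to MODP size in bits.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# racoon phase 2 proposal comparison failure, as quoted in the message.
RACOON_PFS = re.compile(r"pfs group mismatched:\s*my:(\d+)\s+peer:(\d+)")
# Cisco IOS message for an ESP packet whose SPI matches no known SA.
CISCO_SPI = re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?spi=(0x[0-9A-Fa-f]+)")

# Log lines copied from the message above, with the e-mail line wraps rejoined.
SAMPLE = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x",
    "racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched: "
    "my:2 peer:0",
]


def describe(group):
    """Render a PFS group number in human terms."""
    if group == 0:
        # Assumption: 0 means the proposal carried no PFS group at all.
        return "no PFS group"
    bits = MODP_BITS.get(group)
    return f"group {group} ({bits}-bit MODP)" if bits else f"group {group}"


def triage(lines):
    """Return (kind, detail) findings for each recognised log line, in order."""
    findings = []
    for line in lines:
        m = RACOON_PFS.search(line)
        if m:
            mine, peer = int(m.group(1)), int(m.group(2))
            detail = f"local wants {describe(mine)}, peer offered {describe(peer)}"
            findings.append(("pfs_mismatch", detail))
            continue
        m = CISCO_SPI.search(line)
        if m:
            findings.append(("invalid_spi", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind}: {detail}")
```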