Chris Buechler wrote:

>On Mon, 18 Oct 2004 13:02:36 -0400, Christopher M. Iarocci
><iarocci at eastendsc dot com> wrote:
>
>> From the cisco:
>>
>>%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
>>for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x
>>
>>from my m0n0wall:
>>
>>racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched:
>>my:2 peer:0
>
>That's exactly what I saw on mine. Fred said 0 isn't even a valid
>setting, and said he wasn't sure if that was a racoon bug or what.
>
>>It would appear settings are mismatched, however, they are not as far as
>>we can tell. The Cisco defaults to 1024 bit encryption, so the fact
>>that the m0n0wall is seeing the pfs group as 0 has me confused.
>
>I changed my PFS group to "off" in phase 2 on m0n0wall, which stopped
>that message and the constant dropping.
>
>Give that a shot.
>
>-Chris

Gave it a shot, and bam, tunnels stay up. Thank you Chris, I appreciate the help. It seems the settings ARE mismatched, even though they don't appear to be in the configs. Of course NOW they appear mismatched, but they work so I'm not complaining. :-)

Chris
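A log triage helper for the two messages quoted in this thread, added here as an example; it is not code from either poster or from the m0n0wall or racoon projects. It assumes that a group value of 0 in the racoon message means that side's proposal carried no PFS group, and the function names and sample lines are constructed for illustration.

```python
import re

# IKE Diffie-Hellman group numbers -> modulus size (RFC 2409, RFC 3526).
# Assumption: 0 means that side's proposal carried no PFS group.
DH_GROUPS = {0: "no PFS group proposed", 1: "768-bit MODP",
             2: "1024-bit MODP", 5: "1536-bit MODP"}

RACOON_PFS = re.compile(r"pfs group mismatched:\s*my:(\d+)\s+peer:(\d+)")
CISCO_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?prot=(\d+), spi=0x([0-9A-Fa-f]+)\((\d+)\)")

# Constructed sample input: the two messages from the thread, unwrapped.
SAMPLE_LOG = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=x.x.x.x, prot=50, spi=0x5A9AAF(5937839), srcaddr=x.x.x.x",
    "racoon: ERROR: proposal.c:235:cmpsaprop_alloc(): pfs group mismatched: "
    "my:2 peer:0",
]

def describe_group(n):
    return DH_GROUPS.get(n, f"DH group {n}")

def diagnose(lines):
    """Return one finding per recognised line, in input order."""
    findings = []
    for line in lines:
        m = RACOON_PFS.search(line)
        if m:
            mine, peer = int(m.group(1)), int(m.group(2))
            findings.append({
                "kind": "pfs_mismatch", "my": mine, "peer": peer,
                "detail": f"local: {describe_group(mine)}; "
                          f"peer: {describe_group(peer)}",
                # One side asks for PFS, the other does not: phase 2 cannot agree.
                "one_side_without_pfs": (mine == 0) != (peer == 0),
            })
            continue
        m = CISCO_SPI.search(line)
        if m:
            spi = int(m.group(2), 16)
            findings.append({
                "kind": "invalid_spi", "ip_proto": int(m.group(1)), "spi": spi,
                "spi_consistent": spi == int(m.group(3)),
            })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

When `one_side_without_pfs` is true, the phase 2 PFS setting on each end is the first thing to compare, whether the fix is enabling the same group on both or turning it off on both.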