 From:  wmorgan at ffpir dot org
 To:  "Eric Adler" <eadler at sarlog dot de>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VPN - IPsec break down without changing anything
 Date:  Fri, 4 Apr 2008 06:40:50 -0600
It looks like the other end of the connection is only offering to use
DES encryption and a 768-bit DH group. This is _not_ secure, but some
older hardware (notably Cisco) doesn't support anything better.

I'd start by seeing if you can turn on 3DES or AES encryption and at
least a 1024-bit DH (aka MODP) group on the other end for the phase 1
negotiation.

Wes


On 4/4/08, Eric Adler <eadler at sarlog dot de> wrote:
> Hello all,
>
> maybe somebody can help me in that case. IPsec (static IP - each site) - all
> other settings are okay, as usual. Suddenly the VPN was down. Nobody knows
> why.
>
> I deleted it, created it anew, changed the pre-shared key (both sides), deleted the SPD
> - hardware reset (incl. disconnected power link).
>
> No result. I copied in my logs. Maybe somebody can read this.
>
> Apr 4 13:45:12 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> Apr 4 13:45:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Apr 4 13:45:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Apr 4 13:45:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Apr 4 13:45:17 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:DES-CBC
> Apr 4 13:45:17 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
> Apr 4 13:45:17 racoon: ERROR: no suitable proposal found.
> Apr 4 13:45:17 racoon: ERROR: failed to get valid proposal.
> Apr 4 13:45:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Apr 4 13:45:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Apr 4 13:45:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Apr 4 13:45:27 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:DES-CBC
> Apr 4 13:45:27 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
> Apr 4 13:45:27 racoon: ERROR: no suitable proposal found.
> Apr 4 13:45:27 racoon: ERROR: failed to get valid proposal.
> Apr 4 13:45:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Apr 4 13:45:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Apr 4 13:45:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Apr 4 13:45:38 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:DES-CBC
> Apr 4 13:45:38 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
> Apr 4 13:45:38 racoon: ERROR: no suitable proposal found.
> Apr 4 13:45:38 racoon: ERROR: failed to get valid proposal.
> Apr 4 13:45:43 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 194.151.13.99[500]->88.79.85.204[500]
> Apr 4 13:45:43 racoon: INFO: delete phase 2 handler.
>
> Please help me with this problem.
>
> Mit freundlichen Gruessen  /  Best Regards
>
> Eric Adler
>


-- 
"Small acts of humanity amid the chaos of inhumanity provide hope. But
small acts are insufficient."

- Paul Rusesabagina, Rwandan and former hotel manager whose actions
inspired the movie Hotel Rwanda
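
Added example (not part of the thread, and not m0n0wall or racoon code): a small Python diagnostic that reads the racoon "rejected enctype" / "rejected dh_group" lines from a log, splits each into the local (DB) value and the value the peer offered, groups them per phase 1 attempt by timestamp, and states which side has to change. The sample log is constructed from the values quoted above, collapsed to one line per event. The WEAK set is this example's own policy, following Wes's point that DES and a 768-bit group are not acceptable; a practitioner today would also put 3DES-CBC and the 1024-bit MODP group in it.

```python
"""Diagnose an IKE phase 1 proposal mismatch from racoon log lines.

racoon logs each attribute it refuses as
  rejected <attr>: DB(prop#X:trns#Y):Peer(prop#X:trns#Y) = <local value>:<peer value>
where DB is the local configuration and Peer is what the remote offered.
"""
import re

# Constructed sample, built from the values in the quoted post (one line per event).
SAMPLE_LOG = """\
Apr 4 13:45:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 4 13:45:17 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:DES-CBC
Apr 4 13:45:17 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Apr 4 13:45:17 racoon: ERROR: no suitable proposal found.
Apr 4 13:45:17 racoon: ERROR: failed to get valid proposal.
Apr 4 13:45:43 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 194.151.13.99[500]->88.79.85.204[500]
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: ERROR: rejected "
    r"(?P<attr>enctype|dh_group): DB\([^)]*\):Peer\([^)]*\) = (?P<db>[^:]+):(?P<peer>.+)$"
)

# Values that must not be accepted on either side. This is the example's own policy
# (assumption), matching the reply's point that DES and 768-bit DH are not secure.
WEAK = {"DES-CBC", "768-bit MODP group"}


def parse_rejections(log_text):
    """Return one dict per 'rejected ...' line: timestamp, attribute, local and peer values."""
    rejections = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rejections.append({"ts": m["ts"], "attr": m["attr"],
                               "local": m["db"].strip(), "peer": m["peer"].strip()})
    return rejections


def diagnose(log_text):
    """Group rejections per phase 1 attempt (same timestamp) and say which side must change."""
    attempts = {}
    for r in parse_rejections(log_text):
        attempts.setdefault(r["ts"], []).append(r)
    report = []
    for ts, rejs in attempts.items():
        mismatches = []
        for r in rejs:
            weak = r["peer"] in WEAK
            mismatches.append({
                "attr": r["attr"],
                "local": r["local"],
                "peer": r["peer"],
                "peer_is_weak": weak,
                # Never loosen the local side to match a weak offer; ask the peer to come up.
                "fix": ("peer must offer %s (or stronger)" % r["local"] if weak
                        else "align either side on %s or %s" % (r["local"], r["peer"])),
            })
        report.append({"ts": ts, "mismatches": mismatches})
    return report


def no_proposal_count(log_text):
    """Count 'no suitable proposal found' lines, i.e. failed phase 1 attempts."""
    return sum(1 for l in log_text.splitlines() if "no suitable proposal found" in l)


if __name__ == "__main__":
    for attempt in diagnose(SAMPLE_LOG):
        print("phase 1 attempt at", attempt["ts"])
        for m in attempt["mismatches"]:
            print("  %-8s local=%-20s peer=%-20s weak_peer=%s -> %s"
                  % (m["attr"], m["local"], m["peer"], m["peer_is_weak"], m["fix"]))
    print("failed attempts:", no_proposal_count(SAMPLE_LOG))
```

On Eric's log the report shows both attributes rejected in the same attempt, with the peer's side being the weak one in each case, which is why the fix belongs on the remote box rather than in m0n0wall: adding DES and modp768 locally would make the tunnel come up, but at the cost Wes warns about.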