On Fri, Aug 22, 2008 at 03:11:16PM +0200, Claus Larsen wrote:
> Well I did get a bit further with the problem, it seems it was caused by a
> firewall blocking some of the traffic.
> 
> So new problem now.
> Using the Greenbow vpn client.
> 
> It says "Phase 2 algorithm problem".
> 
> From the isakmpd output I get (a larger portion of the output included
> below):
> 164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
> phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102:
> 192.168.1.2
> 164658.901274 Default dropped message from 213.173.226.229 port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 
> Any idea what's going on?

  when this happens to me, it is a config mismatch between the two peers.

  sometimes the mismatch can be excruciatingly subtle.

  but one wrong little anything will make the flow or sa or whatever it
  is that the "wrong" peer installs end up completely not matching
  what the other has.

  at times i've resorted to doing line-by-line "echo $LINE | md5" to
  help speed the process of finding the mismatch along.

  given that in this case, there's a 1918 IP on one side and a !1918 on the
  other, the 1918 peer is perhaps using its 1918 IP by default but the
  other peer expects him to be sending his public IP.

  you can also see this type of mismatch with loglines that say
  something like "Expected: 3DES, Received: $whatever_you're_trying_to_use"
  for the algorithm in question; has always been the same thing 
  for me in that case, (potentially subtle) config mismatch.
  
> > /etc/ipsec.conf
> > ike passive from any to any \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  quick auth hmac-sha1 enc 3des group none \
> >  psk openbsdrules

  hrm; i guess i'd assume 'any' would make it not care, so maybe my
  whole suggestion is shot.  maybe for starters, copy that off to a
  new ike setup and specifically define the stuff that it seems
  the remote peer is sending that your end is complaining about, and
  then work back from there after you get that working.

-- 

  jared

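As an added example (not part of this thread and not OpenBSD's own code), a small Python script that parses the isakmpd line Claus quoted, decodes the hex phase 2 IDs back to dotted quads and flags the RFC 1918 versus public-address split jared points to. The sample log text is a constructed copy of the quoted output, and the regular expression is an assumption based on that one line's format.

```python
import ipaddress
import re

# Constructed sample, modelled on the isakmpd output quoted in the thread
# (the original wrapped across several lines; here each entry is one line).
SAMPLE_LOG = """\
164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102: 192.168.1.2
164658.901274 Default dropped message from 213.173.226.229 port 500 due to notification type NO_PROPOSAL_CHOSEN
"""

# Assumed pattern for the "invalid phase 2 IDs" message: hex ID, then dotted quad.
ID_RE = re.compile(
    r"invalid phase 2 IDs: initiator id ([0-9a-f]+): ([\d.]+), "
    r"responder id ([0-9a-f]+): ([\d.]+)"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hex_to_ipv4(hexid):
    """Decode an 8-hex-digit IPv4 ID such as c0a80102 to a dotted quad."""
    return str(ipaddress.IPv4Address(int(hexid, 16)))


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def parse_phase2_ids(log_text):
    """Return (initiator, responder) IPv4Address pairs from matching log lines."""
    pairs = []
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        init_hex, init_ip, resp_hex, resp_ip = m.groups()
        # The hex ID and the printed dotted quad must agree, or the line is garbled.
        if hex_to_ipv4(init_hex) != init_ip or hex_to_ipv4(resp_hex) != resp_ip:
            raise ValueError("hex ID and dotted address disagree: " + line)
        pairs.append((ipaddress.IPv4Address(init_ip), ipaddress.IPv4Address(resp_ip)))
    return pairs


def diagnose(initiator, responder):
    """Report whether the two phase 2 IDs straddle the RFC 1918 / public boundary."""
    if is_rfc1918(initiator) != is_rfc1918(responder):
        return "mismatch: one phase 2 ID is RFC 1918, the other is public"
    return "both IDs are %s" % ("RFC 1918" if is_rfc1918(initiator) else "public")


if __name__ == "__main__":
    for init, resp in parse_phase2_ids(SAMPLE_LOG):
        print(init, resp, diagnose(init, resp))
```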