I recently configured an IPSEC tunnel between an OpenBSD 4.4 machine and a Cisco
gateway. I had trouble during the key exchange because I had configured DH
group 2. The Cisco sent a proposal for DH group 5 with a lifetime of 7800
seconds, along with a proposal for DH group 2 with a lifetime of 00015180
seconds.
The key exchange would not complete until I changed the OpenBSD side to use DH
group 5. The only difference in the proposal appears to be the lifetime.
Does anyone know why the Cisco would send a lifetime of 00015180 seconds (the
Cisco tech said he configured it for 86400 seconds)?
I'm also interested in why OpenBSD responded with NO_PROPOSAL_CHOSEN in this
instance?
payload: SA len: 160 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 148 proposal: 1 proto: ISAKMP spisz: 0
xforms: 4
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1536
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7800
payload: TRANSFORM len: 36
transform: 2 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00015180
Mar 5 08:30:28 gw1 isakmpd[6650]: dropped message from x.x.x.x port 500 due to
notification type NO_PROPOSAL_CHOSEN
Thanks,
Cam
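The two Cisco transforms in the isakmpd dump above differ in length (32 vs 36 bytes) because an ISAKMP data attribute (RFC 2408 section 3.3) is either a basic TV attribute with a 2-byte value or a TLV attribute with an explicit length; 7800 fits in two bytes, while 86400 does not and is sent as a 4-byte value, which isakmpd prints in hex as 00015180 (0x15180 = 86400). The following is an added example, not code from the post or from isakmpd: it rebuilds the two transform payloads from constructed bytes, using the attribute type and value numbers of RFC 2408/2409, and decodes the lifetime from either encoding.

```python
import struct

# Attribute type numbers and values from RFC 2408 s3.3 and RFC 2409 Appendix A;
# the two transforms below are constructed to match the isakmpd dump in the post.
ENCRYPTION_ALGORITHM, HASH_ALGORITHM, AUTHENTICATION_METHOD = 1, 2, 3
GROUP_DESCRIPTION, LIFE_TYPE, LIFE_DURATION = 4, 11, 12
TDES_CBC, SHA, PRE_SHARED, SECONDS, MODP_1024, MODP_1536 = 5, 2, 1, 1, 2, 5

def encode_attr(atype, value):
    """Basic attribute (AF bit set, 2-byte value) when the value fits;
    otherwise AF clear, a length field, and a 4-byte big-endian value."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HHI", atype, 4, value)

def decode_attrs(data):
    """Parse data attributes; basic values come back as ints, variable-length
    values as hex text, which is how isakmpd prints them (e.g. 00015180)."""
    attrs, i = [], 0
    while i < len(data):
        hdr, field = struct.unpack_from("!HH", data, i)
        i += 4
        if hdr & 0x8000:
            attrs.append((hdr & 0x7FFF, field))
        else:
            attrs.append((hdr, data[i:i + field].hex()))
            i += field
    return attrs

def transform_payload(number, attrs):
    """8-byte transform header (next payload, reserved, length, transform #,
    transform ID KEY_IKE=1, reserved) followed by the encoded attributes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), number, 1, 0) + body

def cisco_transforms():
    """Constructed reproduction of the two proposals shown in the post."""
    common = [(ENCRYPTION_ALGORITHM, TDES_CBC), (HASH_ALGORITHM, SHA)]
    tail = [(AUTHENTICATION_METHOD, PRE_SHARED), (LIFE_TYPE, SECONDS)]
    t1 = transform_payload(1, common + [(GROUP_DESCRIPTION, MODP_1536)] + tail + [(LIFE_DURATION, 7800)])
    t2 = transform_payload(2, common + [(GROUP_DESCRIPTION, MODP_1024)] + tail + [(LIFE_DURATION, 86400)])
    return t1, t2

def payload_len(payload):
    return struct.unpack_from("!H", payload, 2)[0]

def life_duration_seconds(payload):
    """Lifetime in seconds regardless of which encoding the peer chose."""
    value = dict(decode_attrs(payload[8:]))[LIFE_DURATION]
    return value if isinstance(value, int) else int(value, 16)

if __name__ == "__main__":
    for t in cisco_transforms():
        print("len", payload_len(t), "lifetime", life_duration_seconds(t), "s")
```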