On Thu, Mar 05, 2009 at 02:32:36PM -0700, Cameron Schaus wrote:
> I recently configured an IPSEC tunnel between an OpenBSD 4.4 machine and a Cisco
> gateway. I had trouble during the key exchange because I had configured DH
> group 2. The Cisco sent a proposal for DH group 5 with a lifetime of 7800
> seconds, along with a proposal for DH group 2 with a lifetime of 00015180
> seconds.
>
> The key exchange would not complete until I changed the OpenBSD side to use
> DH group 5. The only difference in the proposal appears to be the lifetime.
>
> Does anyone know why the Cisco would send a lifetime of 00015180 seconds (the
> Cisco tech said he configured it for 86400 seconds)?
0x15180 is 86400 decimal

> I'm also interested why OpenBSD responded with NO_PROPOSAL_CHOSEN in this
> instance?
>
> payload: SA len: 160 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 148 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 4
> payload: TRANSFORM len: 32
> transform: 1 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute GROUP_DESCRIPTION = MODP_1536
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 7800
> payload: TRANSFORM len: 36
> transform: 2 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute GROUP_DESCRIPTION = MODP_1024
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 00015180
>
> Mar 5 08:30:28 gw1 isakmpd[6650]: dropped message from x.x.x.x port 500 due
> to notification type NO_PROPOSAL_CHOSEN
>
> Thanks,
> Cam
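Why the two lifetimes print differently: RFC 2408 data attributes come in a TV form (AF bit set, fixed 2-byte value) and a TLV form (AF bit clear, explicit length); 7800 fits in 2 bytes, while 00015180 is a 4-byte TLV value, and the 4 extra bytes are exactly the difference between the two TRANSFORM lengths in the log (32 vs 36). The decoder below is an added example, not code from the thread or from isakmpd; the transform bodies are constructed from the attribute values quoted above.

```python
import struct

# Attribute types and values from RFC 2409 Appendix A (IKEv1 phase 1).
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
              4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION"}
VALUE_NAMES = {1: {5: "3DES_CBC"}, 2: {2: "SHA"}, 3: {1: "PRE_SHARED"},
               4: {2: "MODP_1024", 5: "MODP_1536"}, 11: {1: "SECONDS", 2: "KILOBYTES"}}

def parse_attributes(data: bytes) -> dict:
    """Parse ISAKMP data attributes (RFC 2408 s3.3). AF bit set => TV form with a
    2-byte value; AF bit clear => TLV form with a 2-byte length and a big-endian value."""
    attrs, off = {}, 0
    while off < len(data):
        (af_type,) = struct.unpack_from("!H", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                        # TV: value is the next 2 bytes
            (value,) = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:                                       # TLV: length, then variable-size value
            (length,) = struct.unpack_from("!H", data, off + 2)
            raw = data[off + 4:off + 4 + length]
            if len(raw) != length:
                raise ValueError("truncated TLV attribute")
            value = int.from_bytes(raw, "big")      # b"\x00\x01\x51\x80" -> 86400
            off += 4 + length
        name = ATTR_NAMES.get(atype, f"ATTR_{atype}")
        attrs[name] = VALUE_NAMES.get(atype, {}).get(value, value)
    return attrs

def tv(atype: int, value: int) -> bytes:
    return struct.pack("!HH", 0x8000 | atype, value)

def tlv(atype: int, raw: bytes) -> bytes:
    return struct.pack("!HH", atype, len(raw)) + raw

# Constructed attribute bodies mirroring transforms 1 and 2 from the log.
XFORM1 = tv(1, 5) + tv(2, 2) + tv(4, 5) + tv(3, 1) + tv(11, 1) + tv(12, 7800)
XFORM2 = tv(1, 5) + tv(2, 2) + tv(4, 2) + tv(3, 1) + tv(11, 1) + tlv(12, bytes.fromhex("00015180"))

def transform_len(body: bytes) -> int:
    """Transform payload length = 8-byte generic+transform header plus attributes."""
    return 8 + len(body)

def diff_attrs(a: dict, b: dict) -> dict:
    """Attributes whose decoded values differ between two transforms."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    t1, t2 = parse_attributes(XFORM1), parse_attributes(XFORM2)
    print(transform_len(XFORM1), transform_len(XFORM2))   # 32 36
    print(diff_attrs(t1, t2))
```

The decoded dicts show that, once the TLV lifetime is read as an integer, the two transforms differ only in GROUP_DESCRIPTION and LIFE_DURATION, matching the poster's observation.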

