On Thu, Feb 25, 2016 at 3:10 PM, Frank Wille <fr...@phoenix.owl.de> wrote: > Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it > again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause > turned out to be a bad "authentication_method" in my propsal: > > Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification > NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. > > I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not > completely sure about the difference. I have a signed certificate and don't > want to use any username or password authentication with xauth, so "rsasig" > is probably ok...? > > > Now I reach phase 2 and it looks to me that the VPN connection is > established for a second, but a few seconds later I get "DPD: remote seems > to be dead". No idea at the moment. > > Do I have to worry about "WARNING: unable to get certificate CRL(3)" ? > > What does "KA" mean?
Sorry, not a lot of help here, I just felt like replying. I've been trying to get IPSEC transport mode set up between NetBSD and a stupid router who's name I won't mention and it's not working. I tried it with Linux and it's not working. I tried it with another brand of router and it's not working. I tried the same brand of router and it works. Probably because all the names of the toggles line up or something ridiculous like that. It might be worth trying some other OS or device just to sanity check it and make sure it CAN work before you assume it's a NetBSD issue. Would be really nice if there was an IPSEC secret decoder ring for device compatibility/setup. Andy
