Florin Samareanu wrote:
On Tue, 07-08-2007 at 13:41 +0300, Mihai Badici wrote:

bundle: espauth/encryption: 3desouter/authentication: sha
key management mode: isakmp
key encryption: 3desrouter/key authentication: sha

Well, 3des encryption instead of des and sha instead of md5 ... at least at first glance that should be enough


It still doesn't work. The full log:


2007-08-07 13:39:33: DEBUG: begin.
2007-08-07 13:39:33: DEBUG: seen nptype=2(prop)
2007-08-07 13:39:33: DEBUG: succeed.
2007-08-07 13:39:33: DEBUG: proposal #1 len=424
2007-08-07 13:39:33: DEBUG: begin.
2007-08-07 13:39:33: DEBUG: seen nptype=3(trns)
2007-08-07 13:39:33: DEBUG: seen nptype=3(trns)
2007-08-07 13:39:33: DEBUG: seen nptype=3(trns)
2007-08-07 13:39:33: DEBUG: seen nptype=3(trns)
2007-08-07 13:39:33: DEBUG: succeed.
2007-08-07 13:39:33: DEBUG: transform #1 len=104
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: encryption(3des)
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: hash(sha1)
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: hmac(modp1024)
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: transform #2 len=104
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: encryption(3des)
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: hash(md5)
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: hmac(modp1024)
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: transform #3 len=104
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: encryption(des)
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: hash(sha1)
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: hmac(modp768)
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: transform #4 len=104
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: encryption(des)
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: hash(md5)
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: hmac(modp768)
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: pair 1:
2007-08-07 13:39:33: DEBUG:  0x80c09f8: next=(nil) tnext=0x80c0a10
2007-08-07 13:39:33: DEBUG:   0x80c0a10: next=(nil) tnext=0x80c0a28
2007-08-07 13:39:33: DEBUG:    0x80c0a28: next=(nil) tnext=0x80bfc48
2007-08-07 13:39:33: DEBUG:     0x80bfc48: next=(nil) tnext=(nil)
2007-08-07 13:39:33: DEBUG: proposal #1: 4 transform
2007-08-07 13:39:33: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-08-07 13:39:33: DEBUG: trns#=1, trns-id=IKE
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: (lifetime = 1800:28800)
2007-08-07 13:39:33: DEBUG: (lifebyte = 0:0)
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-08-07 13:39:33: DEBUG: (encklen = 0:0)
2007-08-07 13:39:33: DEBUG: hashtype = SHA:SHA
2007-08-07 13:39:33: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API
on Kerberos 5
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP
group
2007-08-07 13:39:33: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-08-07 13:39:33: DEBUG: trns#=2, trns-id=IKE
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: (lifetime = 1800:28800)
2007-08-07 13:39:33: DEBUG: (lifebyte = 0:0)
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-08-07 13:39:33: DEBUG: (encklen = 0:0)
2007-08-07 13:39:33: DEBUG: hashtype = SHA:MD5
2007-08-07 13:39:33: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API
on Kerberos 5
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP
group
2007-08-07 13:39:33: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-08-07 13:39:33: DEBUG: trns#=3, trns-id=IKE
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: (lifetime = 1800:28800)
2007-08-07 13:39:33: DEBUG: (lifebyte = 0:0)
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:DES-CBC
2007-08-07 13:39:33: DEBUG: (encklen = 0:0)
2007-08-07 13:39:33: DEBUG: hashtype = SHA:SHA
2007-08-07 13:39:33: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API
on Kerberos 5
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:768-bit MODP
group
2007-08-07 13:39:33: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-08-07 13:39:33: DEBUG: trns#=4, trns-id=IKE
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: (lifetime = 1800:28800)
2007-08-07 13:39:33: DEBUG: (lifebyte = 0:0)
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:DES-CBC
2007-08-07 13:39:33: DEBUG: (encklen = 0:0)
2007-08-07 13:39:33: DEBUG: hashtype = SHA:MD5
2007-08-07 13:39:33: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API
on Kerberos 5
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:768-bit MODP
group
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: ERROR: rejected dh_group:
DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:1024-bit MODP
group
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=3DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=1024-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: ERROR: rejected hashtype:
DB(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
2007-08-07 13:39:33: ERROR: rejected dh_group:
DB(prop#1:trns#1):Peer(prop#1:trns#2) = 768-bit MODP group:1024-bit MODP
group
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: ERROR: rejected enctype:
DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:DES-CBC
2007-08-07 13:39:33: DEBUG: type=Encryption Algorithm, flag=0x8000,
lorv=DES-CBC
2007-08-07 13:39:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-08-07 13:39:33: DEBUG: type=Group Description, flag=0x8000,
lorv=768-bit MODP group
2007-08-07 13:39:33: DEBUG: type=Authentication Method, flag=0x8000,
lorv=GSS-API on Kerberos 5
2007-08-07 13:39:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-08-07 13:39:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-08-07 13:39:33: DEBUG: type=GSS-API endpoint name, flag=0x0000,
lorv=64
2007-08-07 13:39:33: ERROR: rejected enctype:
DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:DES-CBC
2007-08-07 13:39:33: ERROR: rejected hashtype:
DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5
2007-08-07 13:39:33: ERROR: no suitable proposal found.
2007-08-07 13:39:33: ERROR: failed to get valid proposal.
2007-08-07 13:39:33: ERROR: failed to process packet.



The config:


bb01 racoon # cat racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;

remote 1.2.3.4 {
        proposal {
                encryption_algorithm 3des;
--> I think your AR wants des, not 3des

                hash_algorithm sha1;
#                authentication_method pre_shared_key;
                authentication_method gssapi_krb;
                dh_group modp768;
I think I saw something about 1024 in what the AR was saying (I admit, I only skimmed it)?


--
"A computer will not make a good manager out of a bad manager.
It makes a good manager better faster and a bad manager worse faster."
    Ed Esber, president, Ashton-Tate, 1986
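
An added example, not part of the original thread: a small Python reader for racoon's "Compared: DB:Peer" debug lines that lists, per peer transform, which phase 1 attributes differ from the local proposal. The function names are hypothetical, and the sample is an excerpt of the log above with its e-mail line wraps left in.

```python
import re

# Excerpt of the racoon debug log from the post above, mail line wraps kept.
SAMPLE_LOG = """\
2007-08-07 13:39:33: DEBUG: trns#=1, trns-id=IKE
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-08-07 13:39:33: DEBUG: hashtype = SHA:SHA
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP
group
2007-08-07 13:39:33: DEBUG: trns#=3, trns-id=IKE
2007-08-07 13:39:33: DEBUG: Compared: DB:Peer
2007-08-07 13:39:33: DEBUG: enctype = 3DES-CBC:DES-CBC
2007-08-07 13:39:33: DEBUG: hashtype = SHA:SHA
2007-08-07 13:39:33: DEBUG: dh_group = 768-bit MODP group:768-bit MODP
group
"""
STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: [A-Z0-9]+: *")
ATTR = re.compile(r"(enctype|hashtype|authmethod|dh_group) = (.+)")

def unwrap(text):
    """Re-join wrapped lines: a line without a timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line)
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def mismatches(text):
    """Map peer transform number -> {attribute: (local, peer)} for differing attributes."""
    result, trns = {}, None
    for line in unwrap(text):
        body = STAMP.sub("", line)
        m = re.match(r"trns#=(\d+)", body)
        if m:
            trns = int(m.group(1))
            result[trns] = {}
            continue
        m = ATTR.match(body)
        if m and trns is not None:
            local, peer = m.group(2).split(":", 1)  # DB value first, peer value second
            if local != peer:
                result[trns][m.group(1)] = (local, peer)
    return result

def one_change_away(text):
    """Peer transforms that differ from the local proposal in exactly one attribute."""
    return [t for t, diff in sorted(mismatches(text).items()) if len(diff) == 1]
```

Run over the full log in the post, this reports transforms 1 and 3 as one attribute away from a match: transform 1 differs only in dh_group and transform 3 only in enctype. Matching transform 1 keeps 3DES and SHA with the 1024-bit MODP group.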


