Kelvin Chiang wrote:
Hi, I am still figuring out how to get IPSec working using RSA signature. Still no luck but I think I am getting closer. I have seen the error messages below, does anyone know what "exchange type 6" is?

Mar 24 09:25:41 racoon: INFO: respond new phase 1 negotiation: 210.23.14.8[500]<=>218.186.35.230[500]
Mar 24 09:25:41         racoon: INFO: begin Identity Protection mode.
Mar 24 09:25:41         racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 24 09:25:41 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=SG/ST=Singapore/L=Singapore/O=Laxo Global Access Pte Ltd/OU=Network/CN=Kelvin Chiang/[EMAIL PROTECTED]
Mar 24 09:25:41 racoon: INFO: ISAKMP-SA established 210.23.14.8[500]-218.186.35.230[500] spi:acc291a49b2a3750:a40aa2dc238e66db
Mar 24 09:25:41 racoon: ERROR: Invalid exchange type 6 from 218.186.35.230[500].


You are passing RSA authentication now without error. Exchange type 6 is the modecfg exchange and is used after phase 1 and before phase 2. You will see this error when using an old version of ipsec-tools or a newer version that has been compiled without the --enable-hybrid configure option. I believe the version of ipsec-tools shipped with pfsense is a rather old version.

If you happen to be using the Shrew Soft VPN Client to connect with a pfsense gateway, here is a post on the vpn help mailing list that you may find useful. It basically describes what options need to be configured manually so that the modecfg exchange will be skipped.

http://lists.shrew.net/pipermail/vpn-help/2006-October/000610.html

-Matthew
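
The exchange type discussed in this thread is a one-byte field in the fixed 28-byte ISAKMP header that starts every UDP/500 datagram. The following is an added example, not part of the original post and not ipsec-tools code: it decodes that header and places a message in the negotiation. The sample datagram is constructed (only the cookies come from the spi in the log above), and the function names are hypothetical.

```python
import struct

# ISAKMP exchange types: 0-5 from RFC 2408, 32/33 from RFC 2409 (IKE);
# 6 is the Transaction exchange used by Mode Config (modecfg).
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (modecfg)", 32: "Quick Mode (phase 2)", 33: "New Group Mode",
}
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = HEADER.unpack_from(datagram)
    if length < HEADER.size:
        raise ValueError("length field smaller than the header itself")
    return {
        "spi": f"{icookie.hex()}:{rcookie.hex()}",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unassigned/private"),
        "encrypted": bool(flags & 0x01),  # bit 0 is the encryption flag
        "message_id": msg_id,
        "length": length,
    }


def phase_of(header: dict) -> str:
    """Place a message in the negotiation by its exchange type."""
    xchg = header["exchange_type"]
    if xchg in (2, 4) and header["message_id"] == 0:
        return "phase 1"
    if xchg == 6:
        return "between phase 1 and phase 2"
    if xchg == 32:
        return "phase 2"
    return "other"


# Constructed sample: cookies from the logged spi, IKE v1.0, next payload 8
# (hash), exchange type 6, encrypted, arbitrary message ID, 48-byte dummy body.
SAMPLE = HEADER.pack(bytes.fromhex("acc291a49b2a3750"), bytes.fromhex("a40aa2dc238e66db"),
                     8, 0x10, 6, 0x01, 0x1234ABCD, 76) + bytes(48)

if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE)
    print(hdr["spi"], hdr["exchange_name"], "->", phase_of(hdr))
```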
