Luca Arzeni wrote:

> I didn't spot your second mail until now, but I've realized the bug
> on ikea, so I set the asn1dn directly on the ~/.ike/ by hand and run
> ikec -r default.

Well, the bug is not in saving the conf, but in loading it, so you can still use ikea; just remember that any time you save the configuration you have to reset the client identity part to ASN.1.

> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase
> 2). If I don't set 3des (using AES, for example), I receive a "peer
> unknown notification"

This is probably due to the server-specific configuration: I have everything set to "auto", except for DH Exchange = group 2 in Phase 1, and PFS Exchange and Compression Algorithm in Phase 2, both set to disabled. Oh, and, of course, "Enable Checkpoint Compatible...", but that's quite obvious :)

> Using 3des, it seems that phase1 was ok, but it cannot go with phase2.
> Am I missing something? I have no "firewall certificate" but only the
> ca certificate. Aren't they the same thing?

In this case, yes.

> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2
> )". Is it something important?

As a vpn-stuff user (as opposed to developer), I can't really tell. I could guess that maybe not, 'cause it's just a dump operation (i.e. print). You could investigate what errno = 2 is.

In http://www.shrew.net/software/todo: "Long Term Goals: Write a setkey replacement based on libpfk". So "man setkey" should still be a good starting point, at least for knowing what we are talking about (I actually don't. Well, not a lot :) ).

> The error is on the line "ii : received peer PAYLOAD-MALFORMED
> notification".
> Do you have any hint?

I could make a guess that the client is sending something that the server considers to be wrong. I have to say that I tried to use srfw.exe to sniff traffic when using the Windows proprietary client and, looking at the log file with Wireshark, there were malformed packets *when the connection succeeded*. Either I'm missing something, or the CP client and server are really sending each other some weird proprietary stuff.

If you haven't tried yet and you want to make a comparison between the logs (ike/linux vs CP/windows), take a look at that page I mentioned: http://www.aelita.org/racoon/racoon-securemote-doc where it says: "2) The SecureClient has a powerfull debugging feature that you can activate...". Use Wireshark to display the log file, check for "ISAKMP: Informational" messages, click on "Follow the UDP stream" and check the info in the lower frame.

Bye
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
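The "ISAKMP: Informational" messages the reply above tells you to look for in Wireshark are the ones that carry the PAYLOAD-MALFORMED notification (and the "peer unknown notification" seen when the proposal is changed). The following is an added example, not code from this thread or from the Shrew Soft client: a small Python parser for the ISAKMP fixed header and Notification payload laid out in RFC 2408, plus a builder that constructs a sample Informational message so the parser can be run offline. The cookies, SPI and message contents in the sample are made up, not captured from a Check Point gateway. Two failure modes from the thread are handled explicitly: a notify type the parser has no name for is reported by number instead of being rejected, and a message with the E (encryption) flag set is reported as encrypted rather than having its ciphertext walked as if it were payloads.

```python
"""Minimal ISAKMP (RFC 2408) header / Notification payload parser.
Added example for the vpn-help thread; sample packets are constructed."""
import struct
from dataclasses import dataclass

HDR = struct.Struct("!8s8sBBBBII")      # RFC 2408 3.1: 28-byte fixed header
GEN = struct.Struct("!BBH")             # RFC 2408 3.2: next payload, reserved, length
NOTIFY_FIXED = struct.Struct("!IBBH")   # RFC 2408 3.14: DOI, protocol, SPI size, type

FLAG_ENCRYPTION = 0x01                  # E bit: payloads are ciphertext under the phase 1 SA
PAYLOAD_NOTIFICATION = 11

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
NOTIFY_TYPES = {  # RFC 2408 3.14.1 error notify types
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}


@dataclass
class Notify:
    doi: int
    protocol_id: int
    spi: bytes
    msg_type: int
    data: bytes

    @property
    def name(self) -> str:
        # Unknown (vendor or private) notify types are reported by number, not rejected
        return NOTIFY_TYPES.get(self.msg_type, f"unknown-notify-{self.msg_type}")


def parse_notify(body: bytes) -> Notify:
    if len(body) < NOTIFY_FIXED.size:
        raise ValueError("notification payload too short")
    doi, proto, spi_size, msg_type = NOTIFY_FIXED.unpack_from(body, 0)
    spi = body[NOTIFY_FIXED.size:NOTIFY_FIXED.size + spi_size]
    if len(spi) != spi_size:
        raise ValueError("SPI runs past end of payload")
    return Notify(doi, proto, spi, msg_type, body[NOTIFY_FIXED.size + spi_size:])


def parse_isakmp(packet: bytes) -> dict:
    """Walk the payload chain of one ISAKMP message (the body of a UDP/500 datagram)."""
    if len(packet) < HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, next_payload, version, exch, flags, msg_id, length = HDR.unpack_from(packet, 0)
    if length != len(packet):
        raise ValueError(f"header length {length} != datagram length {len(packet)}")
    result = {"version": (version >> 4, version & 0x0F),
              "exchange": EXCHANGE_TYPES.get(exch, f"unknown-exchange-{exch}"),
              "message_id": msg_id, "encrypted": bool(flags & FLAG_ENCRYPTION),
              "payloads": [], "notifies": []}
    if result["encrypted"]:
        return result  # ciphertext: nothing to walk without the phase 1 keys
    off, ptype = HDR.size, next_payload
    while ptype != 0:
        if off + GEN.size > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = GEN.unpack_from(packet, off)
        if plen < GEN.size or off + plen > len(packet):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = packet[off + GEN.size:off + plen]
        result["payloads"].append(PAYLOAD_TYPES.get(ptype, f"unknown-payload-{ptype}"))
        if ptype == PAYLOAD_NOTIFICATION:
            result["notifies"].append(parse_notify(body))
        off, ptype = off + plen, nxt
    return result


def build_notify_packet(icookie: bytes, rcookie: bytes, msg_type: int, *,
                        spi: bytes = b"", data: bytes = b"", flags: int = 0) -> bytes:
    """Construct an Informational exchange carrying a single Notification payload."""
    body = NOTIFY_FIXED.pack(1, 1, len(spi), msg_type) + spi + data  # DOI 1 = IPsec, proto 1 = ISAKMP
    payload = GEN.pack(0, 0, GEN.size + len(body)) + body            # next payload 0 = last one
    hdr = HDR.pack(icookie, rcookie, PAYLOAD_NOTIFICATION, 0x10, 5, flags, 0,
                   HDR.size + len(payload))                          # version 1.0, exchange 5
    return hdr + payload


# Constructed sample (made-up cookies/SPI): an unencrypted PAYLOAD-MALFORMED
# notification, the kind a peer can send before phase 1 has completed.
SAMPLE_PAYLOAD_MALFORMED = build_notify_packet(b"\x11" * 8, b"\x22" * 8, 16,
                                               spi=b"\x11" * 8 + b"\x22" * 8)

if __name__ == "__main__":
    parsed = parse_isakmp(SAMPLE_PAYLOAD_MALFORMED)
    for n in parsed["notifies"]:
        print(parsed["exchange"], n.name, n.spi.hex())
```

Feed `parse_isakmp` the UDP payload you copy out of "Follow the UDP stream" and it tells you which side sent which notify, and whether the message was encrypted (once the phase 1 SA is up, Informational messages carry the E bit, and neither this parser nor Wireshark can read them without the SA keys). On the unrelated errno question above: on Linux, errno 2 is ENOENT, "No such file or directory".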
