Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

From: Harald Dunkel
Date: Monday, June 30, 2008 - 12:17 am

Hi Prabhu,

I do get a connection for

	ike passive esp from 192.168.5.0/31 to 192.168.1.249

but not for

	ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the remote Windows laptop running NCP IPsec client.)

So I doubt that this is a problem of aes vs 3des. AFAICS the problem
is that isakmpd doesn't accept the proposal packet with

	:
	payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
	:

If I set up an IPsec tunnel between 2 OpenBSD hosts, then the
proposal packet says

	:
	payload: ID len: 12 type: IPV4_ADDR = 192.168.5.3
	payload: ID len: 12 type: IPV4_ADDR = 192.168.5.1 [ttl 0] (id 1, len 312)
	:

which seems to be fine for isakmpd.

The questions are:

Does NCP's IPsec client violate some RFC?
Can isakmpd be adjusted to accept "IPV4_ADDR_SUBNET" in the proposal
packet, if this is fine with the RFCs?


Regards

Harri
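
The two dumps in the message above encode the same host in two ways: IPV4_ADDR (ID len 12) and IPV4_ADDR_SUBNET with an all-ones mask (ID len 16), both ID types defined in the IPsec DOI (RFC 2407). The following is an added example, not isakmpd code and not part of the original post, showing how a receiver could normalize both encodings before comparing selectors; `struct ipv4_sel`, `parse_id`, `same_selector` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ID type values from the IPsec DOI, RFC 2407 section 4.6.2.1. */
#define ID_IPV4_ADDR        1
#define ID_IPV4_ADDR_SUBNET 4
struct ipv4_sel { uint32_t net, mask; };   /* hypothetical normalized form */

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse one ID payload: 4-byte generic header, type, protocol, port, address data. */
int parse_id(const uint8_t *b, size_t n, struct ipv4_sel *out)
{
    if (n < 12 || (size_t)(b[2] << 8 | b[3]) != n)
        return -1;                          /* length field must match the buffer */
    if (b[4] == ID_IPV4_ADDR && n == 12) {
        out->mask = 0xffffffffu;            /* a single host is a /32 */
    } else if (b[4] == ID_IPV4_ADDR_SUBNET && n == 16) {
        out->mask = be32(b + 12);
        uint32_t inv = ~out->mask;
        if (inv & (inv + 1))
            return -1;                      /* reject non-contiguous masks */
    } else
        return -1;                          /* other ID types are not handled here */
    out->net = be32(b + 8) & out->mask;
    return 0;
}

/* 1 if both payloads select the same addresses, 0 if not, -1 on parse error. */
int same_selector(const uint8_t *a, size_t an, const uint8_t *b, size_t bn)
{
    struct ipv4_sel x, y;
    if (parse_id(a, an, &x) || parse_id(b, bn, &y))
        return -1;
    return x.net == y.net && x.mask == y.mask;
}

/* Constructed samples; next-payload, protocol and port fields are set to 0. */
const uint8_t id_host[12]  = {0,0,0,12, 1,0,0,0, 192,168,5,1};
const uint8_t id_sub32[16] = {0,0,0,16, 4,0,0,0, 192,168,5,1, 255,255,255,255};
const uint8_t id_sub31[16] = {0,0,0,16, 4,0,0,0, 192,168,5,0, 255,255,255,254};
int main(void)
{
    printf("/32: %d  /31: %d\n", same_selector(id_host, 12, id_sub32, 16), same_selector(id_host, 12, id_sub31, 16));
    return 0;
}
```

The payload lengths 12 and 16 in the constructed samples match the "ID len" values in the dumps: 8 bytes of header and type fields plus 4 bytes of address, or 8 bytes of address and mask.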