Subject: Re: PGPNet and isakmpd problem
To: Matt Hempel <email@example.com>
From: Hakan Olsson <firstname.lastname@example.org>
Date: 10/06/2001 14:24:59
On Thu, 4 Oct 2001, Matt Hempel wrote:
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE
> # Suites
> Protocols= QM-ESP-3DES-SHA-PFS
> # Quick mode protocols
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF
The above section should have been named just 'QM-ESP-3DES-SHA-PFS', i.e.
you should skip the trailing '-XF'.
It is a bit dangerous, although perfectly legitimate, to re-use the names
of the autogenerated configuration. The problem, of course, is that typos
are hard to spot and you'll probably end up with a configuration that
isakmpd will accept since the default values are still there, but your
negotiations may fail since you depend on a critical changed value
somewhere. In this case, you most likely fell through to a TUNNEL mode
transform using the "predefined" QM-ESP-3DES-SHA-PFS name.
Actually, in your case you should be able to get by with just the
following (using one of the predef'd values for transport mode IPsec):
and skip the rest, i.e. suites, protocols and xform definitions. Note that
the '-TRP' above means transport mode.
Additionally, you may want to tweak
to match your 'LIFE_PHASE2'...
For more info, read isakmpd.conf(5).
Håkan Olsson <email@example.com> (+46) 708 437 337 Carlstedt Research & Technology AB
Unix, Networking, Security (+46) 31 701 4264
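A small check for the naming trap described in the reply above, added here as an illustration and not part of the original thread or of isakmpd itself: it parses a user-written isakmpd.conf fragment (a constructed sample, with constructed section and transform names) and reports names that Suites=, Protocols= or Transforms= refer to but that the file never defines, so that isakmpd would fall through to its built-in section of that name, together with sections that nothing references, such as a protocol section carrying a stray "-XF".

```python
# Constructed sample: the suite points at QM-ESP-3DES-SHA-PFS, but the
# locally defined protocol section is misnamed with a trailing "-XF".
SAMPLE_CONF = """\
[My-Conn]
Suites=             QM-ESP-3DES-SHA-PFS-SUITE

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=          QM-ESP-3DES-SHA-PFS

# Meant to define the protocol referenced above, but the name is wrong
[QM-ESP-3DES-SHA-PFS-XF]
PROTOCOL_ID=        IPSEC_ESP
Transforms=         MY-3DES-SHA-TRP-XF

[MY-3DES-SHA-TRP-XF]
TRANSFORM_ID=       3DES
ENCAPSULATION_MODE= TRANSPORT
"""

REF_KEYS = ("Suites", "Protocols", "Transforms")          # keys that name other sections
DEFINING_KEYS = ("Protocols", "PROTOCOL_ID", "TRANSFORM_ID")  # marks suite/protocol/transform sections

def parse_conf(text):
    """Minimal reader for the [Section] / Key=value / '#' comment layout of isakmpd.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_references(sections):
    """Return (undefined, orphans): referenced-but-undefined names, which isakmpd
    resolves from its built-in defaults, and defined-but-unreferenced sections."""
    referenced = set()
    for body in sections.values():
        for key in REF_KEYS:
            referenced.update(n.strip() for n in body.get(key, "").split(",") if n.strip())
    undefined = sorted(referenced - set(sections))
    orphans = sorted(name for name, body in sections.items()
                     if name not in referenced and any(k in body for k in DEFINING_KEYS))
    return undefined, orphans

if __name__ == "__main__":
    undefined, orphans = check_references(parse_conf(SAMPLE_CONF))
    for name in undefined:
        print(f"referenced but not defined here (built-in default applies): {name}")
    for name in orphans:
        print(f"defined but never referenced (probably misnamed): {name}")
```

Run against a real isakmpd.conf, every name in the first list is one where the daemon's own defaults, tunnel mode included, silently take over.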