Racoon vs. WinVista

Milan BERKA ber na eunet.cz
Čtvrtek Červen 12 06:20:38 CEST 2008 

Dobrý den,

ne že bych věděl v čem je problém, ale padá to na time out. DH group viz 
niže (možná)

MB

Jan Marek napsal(a):
> Dobry den,
> 
> zapolim s pripojenim WinVista na racoon (a xl2tp)... Zatim jsem
> nepresel pres racoon.
> 
> Co mi pise:
> 
> racoon: INFO: respond new phase 1 negotiation: 193.179.40.166[500]<=>160.217.1.20[500]
> racoon: INFO: begin Identity Protection mode.
> racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
> racoon: INFO: received Vendor ID: RFC 3947
> racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> racoon: INFO: received Vendor ID: FRAGMENTATION
> racoon: INFO: Selected NAT-T version: RFC 3947
> racoon: ERROR: invalid DH group 20.
> racoon: ERROR: invalid DH group 19.
> racoon: ERROR: phase1 negotiation failed due to time up.
> 
> racoon.conf (s vyhozenyma adresama):
> 
> path certificate "/etc/ssl";
> 
> remote anonymous {
>         exchange_mode aggressive, main;
>         passive on;
>         certificate_type x509 "server.pem" "server.key";
>         my_identifier asn1dn;
>         peers_identifier asn1dn;
>         proposal_check obey;
>         generate_policy on;
>         nat_traversal on;
>         verify_cert on;
>         dpd_delay 20;
>         ike_frag on;
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method rsasig;
>                 dh_group 2;

A co tady?

>         }
> }
> 
> sainfo anonymous {
> #       pfs_group 2;
>         lifetime time 1 hour;
>         encryption_algorithm aes, 3des, des;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
> }
> 
> V podstate tusim, ze je problem v dh_group, ale kdyz jsem zkousel
> nastavit v racoon.conf dh_group 19 nebo 20, tak jsem narazil a ve
> Vistach nevim, jak by bylo mozne nastavit, ze chci napr. dh_group
> 2. Na internet-u vyhledane navody (ktere udajne chodi), jsou
> prakticky totozne s tim, co mam v konfiguraku (obcas se objevi
> jine sifry apod, ale podle meho zjisteni si na tyto parametry
> stezuje racoon nejmene).
> 
> Mate, prosim, nekdo nejaky napad, jak to posunout dale?
> 
> Dekuje a zdravi
> Honza Marek

Další informace o konferenci Linux