> I have a FreeBSD box running -STABLE which has had IPSec working with other
> hosts for quite some time without a problem. I've just setup another
> FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
> not getting too far. I'm using racoon and when attempting the negotiation
> with debugging enabled, the following message appears:
> 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
> Invalid argument
> and the following message is logged via syslog:
> Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
> allowed)
>
> The relevant section of racoon.conf which is identical on both boxes is:
> sainfo anonymous
> {
> pfs_group 1;
> lifetime time 86400 sec;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1 ;
> compression_algorithm deflate ;
> }
>
> The box running -STABLE has been working fine with this configuration so I'm
> assuming the problem is with the box running 5.0-RC1. Interestingly, I've
> also tried using des as the encryption algorithm and hmac_md5 as the
> authentication algorithm and I receive the following error message:
> racoon: failed to parse configuration file.
>
> If anyone has any suggestions for a fix, or how I go about further
> diagnosing this problem, I'd love to hear from you.
>
> Regards,
>
> Scott.
>
It looks like the AH key length needs to be forced to 128 bits???
From:
http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/racoon.conf.html
"For algorithms that can take variable-length keys, algorithm names can be followed by
a key length, like blowfish 448."
Have you tried something along the lines of '3des 128' ?
Just a guess.
-Daxbert
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
