> I have a FreeBSD box running -STABLE which has had IPSec working with other > hosts for quite some time without a problem. I've just setup another > FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am > not getting too far. I'm using racoon and when attempting the negotiation > with debugging enabled, the following message appears: > 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: > Invalid argument > and the following message is logged via syslog: > Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 > allowed) > > The relevant section of racoon.conf which is identical on both boxes is: > sainfo anonymous > { > pfs_group 1; > lifetime time 86400 sec; > encryption_algorithm 3des ; > authentication_algorithm hmac_sha1 ; > compression_algorithm deflate ; > } > > The box running -STABLE has been working fine with this configuration so I'm > assuming the problem is with the box running 5.0-RC1. Interestingly, I've > also tried using des as the encryption algorithm and hmac_md5 as the > authentication algorithm and I receive the following error message: > racoon: failed to parse configuration file. > > If anyone has any suggestions for a fix, or how I go about further > diagnosing this problem, I'd love to hear from you. > > Regards, > > Scott. >
It looks like the AH key length needs to be forced to 128 bits??? From: http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/racoon.conf.html "For algorithms that can take variable-length keys, algorithm names can be followed by a key length, like blowfish 448." Have you tried something along the lines of '3des 128' ? Just a guess. -Daxbert To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message