Hello everyone, ...and here are snips from my barf, wherein the last 2 lines of my auth.log suggest a known problem with WIN2K being able to operate using 3DES, then secretly reverting to 1DES, as discussed in this link: http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00151.html.

But I'm under the impression that this only happens if SP2 hasn't been installed. Actually I've installed SP3 along with ALL other patches available for my WIN2K machine as recommended by Win Update. Any hints as to what else I can try out to fix this? Using third-party tools such as SSH Sentinel (which looks very promising) or PGPnet is currently not an option (as these are commercial wares). And btw, is L2TP a stable alternative to this? Along with l2tpd in Linux? Any comments about L2TP?

TIA and still searching...
Vic

Thu Feb 13 13:48:04 UTC 2003
+ _________________________ version
+
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+
+ cat /proc/version
Linux version 2.2.20-3-DIGIPH (root@zxivlin) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #4 Mon Feb 10 13:30:21 PHT 2003
+ _________________________ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
0 192.168.246.0/24 -> 192.168.0.0/24 => [EMAIL PROTECTED]
+ _________________________ netstart-rn
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.3.0     0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
192.168.245.0   0.0.0.0         255.255.255.0   U     0   0      0    wlan0
192.168.246.0   0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.0.0     192.168.3.200   255.255.255.0   UG    0   0      0    ipsec0
0.0.0.0         192.168.3.200   0.0.0.0         UG    0   0      0    eth0
+ _________________________ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=192.168.3.1 iv_bits=64bits iv=0x1c8e92b1b5d3776b ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(25,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=192.168.3.1 life(c,s,h)=addtime(25,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=addtime(25,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0x9df466f1e0c7d580 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(25,0,0)
+ _________________________ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.3.1
000
000 "SR3K-NET": 192.168.246.0/24===192.168.3.1---192.168.3.200...192.168.2.200---192.168.2.1===192.168.0.0/24
000 "SR3K-NET":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "SR3K-NET":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted
000 "SR3K-NET":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000
000 #2: "SR3K-NET" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27874s; newest IPSEC; eroute owner
000 #2: "SR3K-NET" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "SR3K-NET" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2608s; newest ISAKMP
000
+ _________________________ plog
+
+ sed -n 178,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Feb 13 13:47:35 SR3K ipsec__plutorun: Starting Pluto subsystem...
Feb 13 13:47:36 SR3K pluto[8362]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 13 13:47:36 SR3K pluto[8362]:   including X.509 patch (Version 0.9.15)
Feb 13 13:47:36 SR3K pluto[8362]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 13 13:47:36 SR3K pluto[8362]:   Warning: empty directory
Feb 13 13:47:36 SR3K pluto[8362]: Changing to directory '/etc/ipsec.d/crls'
Feb 13 13:47:36 SR3K pluto[8362]:   Warning: empty directory
Feb 13 13:47:36 SR3K pluto[8362]:   could not open my default X.509 cert file '/etc/x509cert.der'
Feb 13 13:47:36 SR3K pluto[8362]:   OpenPGP certificate file '/etc/pgpcert.pgp' not found
Feb 13 13:47:37 SR3K pluto[8362]: added connection description "SR3K-NET"
Feb 13 13:47:37 SR3K pluto[8362]: listening for IKE messages
Feb 13 13:47:37 SR3K pluto[8362]: adding interface ipsec0/eth0 192.168.3.1
Feb 13 13:47:37 SR3K pluto[8362]: loading secrets from "/etc/ipsec.secrets"
Feb 13 13:47:37 SR3K pluto[8362]: "SR3K-NET" #1: initiating Main Mode
Feb 13 13:47:38 SR3K pluto[8362]: "SR3K-NET" #1: ignoring Vendor ID payload
Feb 13 13:47:38 SR3K pluto[8362]: "SR3K-NET" #1: Peer ID is ID_IPV4_ADDR: '192.168.2.1'
Feb 13 13:47:38 SR3K pluto[8362]: "SR3K-NET" #1: ISAKMP SA established
Feb 13 13:47:38 SR3K pluto[8362]: "SR3K-NET" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: sent QI2, IPsec SA established
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
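As an added example (not part of Vic's post, and not a FreeS/WAN tool): a small script that reads the ipsec_spi section and the pluto log lines from a barf, reports which ESP transform and key length each SA actually ended up with (the post's SAs show ESP_3DES_HMAC_MD5 with eklen=192, so 3DES is in use at the moment of the barf), and flags a single-DES SA or the Commit Flag / unexpected-payload pluto lines as things to look into. The SA names and the ESP_DES line in the sample are constructed.

```python
import re

# Constructed sample: the 3DES and IPIP lines follow the post's ipsec_spi output (the
# archive replaced the SA names with "[EMAIL PROTECTED]", so "esp.xxxx@..." is a stand-in);
# the ESP_DES line is invented to show what a silent downgrade to single DES looks like.
SPI_SAMPLE = """\
esp.1a2b@192.168.2.1 ESP_3DES_HMAC_MD5: dir=out src=192.168.3.1 iv_bits=64bits iv=0x1c8e92b1b5d3776b ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(25,0,0)
tun.1001@192.168.2.1 IPIP: dir=out src=192.168.3.1 life(c,s,h)=addtime(25,0,0)
esp.3c4d@192.168.3.1 ESP_DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0x0123456789abcdef ooowin=64 alen=128 aklen=128 eklen=64 life(c,s,h)=addtime(25,0,0)
"""

# Pluto lines copied from the auth.log excerpt in the post.
LOG_SAMPLE = """\
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: sent QI2, IPsec SA established
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
Feb 13 13:47:39 SR3K pluto[8362]: "SR3K-NET" #2: message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
"""

# Only ESP entries carry an encryption key length; IPIP (and AH) entries are skipped.
SPI_RE = re.compile(r"^(?P<said>\S+)\s+(?P<transform>ESP_\w+):\s+dir=(?P<dir>in|out).*?\beklen=(?P<eklen>\d+)")
LOG_MARKERS = ("Commit Flag set", "message ignored because it contains")


def parse_esp_sas(spi_text):
    """One dict per ESP SA found in /proc/net/ipsec_spi output."""
    sas = []
    for line in spi_text.splitlines():
        m = SPI_RE.match(line)
        if m:
            sas.append({"said": m["said"], "transform": m["transform"],
                        "dir": m["dir"], "eklen": int(m["eklen"])})
    return sas


def weak_esp_sas(sas):
    """SAs on single DES: transform named ESP_DES_* or a key of 64 bits or less (3DES is eklen=192)."""
    return [sa for sa in sas if sa["transform"].startswith("ESP_DES_") or sa["eklen"] <= 64]


def pluto_warnings(log_text):
    """Pluto lines about the Commit Flag or a message dropped for an unexpected payload."""
    return [l for l in log_text.splitlines() if "pluto[" in l and any(k in l for k in LOG_MARKERS)]


def check_barf(spi_text, log_text):
    """One finding string per weak SA, followed by one per suspicious pluto line."""
    findings = [f"weak cipher on {sa['said']} ({sa['transform']}, eklen={sa['eklen']}, dir={sa['dir']})"
                for sa in weak_esp_sas(parse_esp_sas(spi_text))]
    findings += ["pluto: " + l.split("]: ", 1)[1] for l in pluto_warnings(log_text)]
    return findings


if __name__ == "__main__":
    for finding in check_barf(SPI_SAMPLE, LOG_SAMPLE):
        print(finding)
```

Paste the ipsec_spi and plog sections of your own barf in place of the two samples; an empty result means every ESP SA is 3DES and pluto logged none of the two messages.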
