> # cat ipsec.conf
> ike dynamic from any to any \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des psk TheSecret
>
this should be "ike passive from ..."
roger that...
# cat ipsec.conf
ike passive from any to any \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk TheSecret
The INVALID_COOKIE messages have been replaced with this:
# isakmpd -K4dv
092755.013577 Default isakmpd: phase 1 done: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1, src: 172.30.1.1 dst: 172.30.1.20
092755.017234 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1
092755.017569 Default dropped message from 172.30.1.20 port 500 due to notification type NO_PROPOSAL_CHOSEN
092758.020965 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1
The proposal messages repeat until the Mac times out or I cancel. ipsecctl -m shows nothing.
I had a similar proposal error when 'main auth' was set to 'enc aes'.
I increased the reporting level of isakmpd and noticed a message that
said something to the effect of "client proposed 3DES, expected AES".
That was when I changed my encryption type to 3DES. I see no such
hints from isakmpd during the invalid phase 2 exchange.
I tried altering my ipsec.conf to try different encryption algorithms
for phase 2. 3des, aes, aesctr, and blowfish all report the same
proposal error. I shall try changing the authentication method.
If I change anything in the phase 1 section 'main', phase 1 fails.
My continued thanks for any assistance.
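The isakmpd -K4dv output above is easier to read once the 8-hex-digit identities are decoded and the repeated quick mode rejections are counted. The following script is an added example, not something posted in this thread: it takes the debug lines as they appear above (embedded here as a constructed sample), decodes each "id ac1e0114" style identity to dotted quad and checks it against the address isakmpd printed next to it, counts "phase 1 done" and "invalid phase 2 IDs" events, and tallies the NO_PROPOSAL_CHOSEN drops per peer. The function names and the summary layout are my own choices.

```python
"""Summarise isakmpd -K4dv debug output: decode hex phase IDs, count
phase 1 completions and phase 2 ID rejections, tally dropped messages."""
import re
from collections import Counter

# Constructed sample: the isakmpd lines from the thread, one event per line.
SAMPLE_LOG = """\
092755.013577 Default isakmpd: phase 1 done: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1, src: 172.30.1.1 dst: 172.30.1.20
092755.017234 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1
092755.017569 Default dropped message from 172.30.1.20 port 500 due to notification type NO_PROPOSAL_CHOSEN
092758.020965 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1e0114: 172.30.1.20, responder id ac1e0101: 172.30.1.1
"""

# "initiator id ac1e0114: 172.30.1.20" -> role, 8 hex digits, printed address
ID_RE = re.compile(r"(initiator|responder) id ([0-9a-f]{8}): (\d+\.\d+\.\d+\.\d+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


def hex_id_to_ipv4(hex_id: str) -> str:
    """isakmpd prints an IPv4 identity as 8 hex digits (ac1e0114 -> 172.30.1.20)."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 4:
        raise ValueError(f"not an IPv4 identity: {hex_id}")
    return ".".join(str(b) for b in raw)


def parse_log(text: str) -> dict:
    """Walk the debug lines and build a small summary dictionary."""
    summary = {
        "phase1_done": 0,          # completed main mode exchanges
        "invalid_phase2_ids": 0,   # quick mode proposals rejected on their IDs
        "drops": Counter(),        # (peer, port, notification) -> count
        "ids": {},                 # role -> decoded identity address
        "id_mismatches": [],       # hex ID whose decoding != printed address
    }
    for line in text.splitlines():
        if "phase 1 done" in line:
            summary["phase1_done"] += 1
        if "invalid phase 2 IDs" in line:
            summary["invalid_phase2_ids"] += 1
        for role, hex_id, printed in ID_RE.findall(line):
            decoded = hex_id_to_ipv4(hex_id)
            summary["ids"][role] = decoded
            if decoded != printed:
                summary["id_mismatches"].append((hex_id, decoded, printed))
        m = DROP_RE.search(line)
        if m:
            peer, port, notify = m.groups()
            summary["drops"][(peer, int(port), notify)] += 1
    return summary


def diagnose(summary: dict) -> str:
    """One-line reading of the summary, in the terms isakmpd itself uses."""
    if summary["phase1_done"] and summary["invalid_phase2_ids"]:
        return ("phase 1 completed, but %d quick mode proposal(s) were rejected "
                "because isakmpd did not accept the peer's phase 2 IDs"
                % summary["invalid_phase2_ids"])
    if summary["phase1_done"]:
        return "phase 1 completed and no phase 2 ID rejections seen"
    return "no completed phase 1 exchange in this log"


if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    print("identities:", s["ids"])
    print("drops:", dict(s["drops"]))
    print(diagnose(s))
```

Run against the thread's output this reports both identities as 172.30.1.20 (initiator) and 172.30.1.1 (responder), one completed phase 1, two phase 2 ID rejections and one NO_PROPOSAL_CHOSEN drop from 172.30.1.20 port 500, which matches what the poster describes: phase 1 is fine and every quick mode proposal is refused.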