Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
172.26.10.83, responder id 0a000080/ffffff80:
10.0.0.128/255.255.255.128


Same thing:

btw, ISA Server 2006 gives me this:

------ LOCAL --------

Local Tunnel Endpoint: 172.26.10.83
Remote Tunnel Endpoint: 172.26.10.82

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (teste)
    Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds

    Kbyte Rekeying: OFF

Remote Network 'OBSD1' IP Subnets:
    Subnet: 10.0.0.1/255.255.255.255
    Subnet: 10.0.0.2/255.255.255.254
    Subnet: 10.0.0.4/255.255.255.252
    Subnet: 10.0.0.8/255.255.255.248
    Subnet: 10.0.0.16/255.255.255.240
    Subnet: 10.0.0.32/255.255.255.224
    Subnet: 10.0.0.64/255.255.255.192
    Subnet: 10.0.0.128/255.255.255.128

Local Network 'Internal' IP Subnets:
    Subnet: 10.0.1.0/255.255.255.0

Routable Local IP Addresses:
    Subnet: 10.0.1.0/255.255.255.0

------ REMOTE ------

Local Tunnel Endpoint: 172.26.10.82
Remote Tunnel Endpoint: 172.26.10.83

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (teste)
    Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds

    Kbyte Rekeying: OFF

Site-to-Site Network IP Subnets:
    Subnet: 10.0.1.0/255.255.255.0


I've defined only the Class C of 10.0.0.1 to 10.0.0.255 and there are a
lot of subnets! Maybe that's the issue?

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 03, 2007 at 02:45:46PM +0100, José Costa wrote:
> > 3des, sha1, PFS disabled.
>
> ok, then enable pfs, use modp1024

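Added example, not part of the original message: a short Python check that decodes the hex phase 2 IDs from the isakmpd log line above and shows how an address range starting at 10.0.0.1 breaks into the eight subnets ISA Server lists, while a range starting at 10.0.0.0 is a single /24. The function names are hypothetical and the log line is copied from the message with its line wrapping removed.

```python
import ipaddress
import re

# Log line taken from the message above, re-joined onto one logical line.
LOG_LINE = ("responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: "
            "initiator id ac1a0a53: 172.26.10.83, responder id "
            "0a000080/ffffff80: 10.0.0.128/255.255.255.128")


def hex_to_ip(h):
    """Convert an 8-digit hex string as printed by isakmpd to an IPv4 address."""
    return ipaddress.IPv4Address(int(h, 16))


def parse_phase2_ids(line):
    """Return (initiator, responder) networks from a 'phase 2 IDs' log line.

    An id without a mask is treated as a single host (/32).
    """
    ids = []
    for addr, mask in re.findall(r"id ([0-9a-f]{8})(?:/([0-9a-f]{8}))?:", line):
        netmask = hex_to_ip(mask) if mask else "255.255.255.255"
        ids.append(ipaddress.IPv4Network(f"{hex_to_ip(addr)}/{netmask}"))
    return tuple(ids)


def range_to_subnets(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


if __name__ == "__main__":
    initiator, responder = parse_phase2_ids(LOG_LINE)
    print("initiator id:", initiator)
    print("responder id:", responder)

    print("\n10.0.0.1 - 10.0.0.255 as subnets:")
    for net in range_to_subnets("10.0.0.1", "10.0.0.255"):
        marker = "  <- proposed in the log line" if net == responder else ""
        print("   ", net.with_netmask + marker)

    print("\n10.0.0.0 - 10.0.0.255 as subnets:")
    for net in range_to_subnets("10.0.0.0", "10.0.0.255"):
        print("   ", net.with_netmask)
```

Each block in the first list is a separate phase 2 ID that the peer can propose, so the responder's configured network has to match it exactly for the proposal to be accepted.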