Hi Prabhu,

I do get a connection for

        ike passive esp from 192.168.5.0/31 to 192.168.1.249

but not for

        ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the remote Windows laptop running NCP IPsec client.)

So I doubt that this is a problem of aes vs 3des. AFAICS the problem
is that isakmpd doesn't accept the proposal packet with

        :
        payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
        :

If I set up an IPsec tunnel between 2 OpenBSD hosts, then the
proposal packet says

        :
        payload: ID len: 12 type: IPV4_ADDR = 192.168.5.3
        payload: ID len: 12 type: IPV4_ADDR = 192.168.5.1 [ttl 0] (id 1, len 312)
        :

which seems to be fine for isakmpd.

The questions are:

Does NCP's IPsec client violate some RFC?
Can isakmpd be adjusted to accept "IPV4_ADDR_SUBNET" in the proposal
packet, if this is fine with the RFCs?


Regards

Harri
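
Added example, not part of the original message and not isakmpd's or NCP's code: a small parser for the IPsec DOI ID payload (RFC 2407, section 4.6.2) showing that the two encodings quoted above, IPV4_ADDR (len 12) and IPV4_ADDR_SUBNET with mask 255.255.255.255 (len 16), cover the same single host but differ on the wire. The payload bytes are constructed from the addresses in the message, and all function and constant names are assumptions of this example.

```python
import ipaddress
import socket
import struct

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_NAMES = {ID_IPV4_ADDR: "IPV4_ADDR", ID_IPV4_ADDR_SUBNET: "IPV4_ADDR_SUBNET"}
HDR = struct.Struct("!BBHBBH")  # next payload, reserved, length, ID type, protocol, port


def build_id_payload(id_type, data):
    """Constructed sample: ID payload with protocol ID and port left at 0."""
    return HDR.pack(0, 0, HDR.size + len(data), id_type, 0, 0) + data


def parse_id_payload(buf):
    """Return (type name, payload length, IPv4Network) for an IPv4 ID payload."""
    if len(buf) < HDR.size:
        raise ValueError("truncated ID payload")
    _next, _rsvd, length, id_type, _proto, _port = HDR.unpack_from(buf)
    data = buf[HDR.size:]
    if length != len(buf):
        raise ValueError("length field does not match payload size")
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.ip_network(socket.inet_ntoa(data) + "/32")
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr, mask = socket.inet_ntoa(data[:4]), socket.inet_ntoa(data[4:])
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    else:
        raise ValueError(f"unsupported ID type {id_type} or bad data length")
    return ID_NAMES[id_type], length, net


# Constructed from the addresses in the message, not captured traffic.
HOST = socket.inet_aton("192.168.5.1")
SUBNET_FORM = build_id_payload(ID_IPV4_ADDR_SUBNET, HOST + socket.inet_aton("255.255.255.255"))
ADDR_FORM = build_id_payload(ID_IPV4_ADDR, HOST)


def compare(a, b):
    """Return (same encoded type, same addresses covered) for two ID payloads."""
    (ta, _, na), (tb, _, nb) = parse_id_payload(a), parse_id_payload(b)
    return ta == tb, na == nb


if __name__ == "__main__":
    for p in (SUBNET_FORM, ADDR_FORM):
        print(*parse_id_payload(p))
    print(compare(SUBNET_FORM, ADDR_FORM))  # (False, True)
```

A responder that matches the received ID against its configured flow by encoded type sees these as different, while one that compares the covered addresses sees them as equal; the example does not establish which of the two isakmpd does.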
