Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Stuart Henderson
On 2008-06-30, Harald Dunkel <[EMAIL PROTECTED]> wrote:
> Mitja Muženič wrote:
>>
>> It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
>> /32.
>>
>> As I already explained to you in a private mail, ipsecctl will export both
>> 192.168.1.249 and 192.168.1.249/32 into IPV4

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Harald Dunkel
PS: If I don't define any remote networks in the NCP client, then it tries to send all IP traffic via esp to the OpenBSD gateway, but isakmpd whoes: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id /: 0.0.0.0/0.0.0.0

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Harald Dunkel
Mitja Muženič wrote: It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size /32. As I already explained to you in a private mail, ipsecctl will export both 192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR=192.168.1.249 while your Windows client is sending IPV4_ADDR_SUBNET

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Stuart Henderson
On 2008-06-30, Mitja Muženič <[EMAIL PROTECTED]> wrote:
> It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
> /32.
It would make more sense for isakmpd to treat IPV4_ADDR_SUBNET /32 and IPV4_ADDR as equivalent, otherwise I think you're unable to use 0.0.0.0 to accept dyna

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Mitja Muženič
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Harald Dunkel > Sent: Monday, June 30, 2008 9:17 AM > To: [EMAIL PROTECTED] > Cc: Misc OpenBSD > Subject: Re: isakmpd -- NCP IPsec client: peer proposed > invalid phase 2 IDs &

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-30 Thread Harald Dunkel
Hi Prabhu, I do get a connection for ike passive esp from 192.168.5.0/31 to 192.168.1.249 but not for ike passive esp from 192.168.5.1 to 192.168.1.249 (192.168.1.249 is the remote Windows laptop running NCP IPsec client.) So I doubt that this is a problem of aes vs 3des. AFA

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-27 Thread Prabhu Gurumurthy
I do not know whether the Windows XP native IPsec stack supports AES; I know it only supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or md5 maybe) and you would get quick mode working. Prab

isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-27 Thread Harald Dunkel
Hi folks, I am trying to set up an IPsec connection between OpenBSD and Windows XP (NCP IPsec client). ipsec.conf is just a single line: ike passive esp from 192.168.5.1 to 192.168.1.249 (192.168.1.249 is the Windows PC.) Phase I seems to work, but in Phase II isakmpd complains: Jun 27