NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



On Thu, Feb 25, 2016 at 3:10 PM, Frank Wille <frank%phoenix.owl.de@localhost> wrote:
> Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
> again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
> turned out to be a bad "authentication_method" in my proposal:
>
> Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
> NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
>
> I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
> completely sure about the difference. I have a signed certificate and don't
> want to use any username or password authentication with xauth, so "rsasig"
> is probably ok...?
>
>
> Now I reach phase 2 and it looks to me that the VPN connection is
> established for a second, but a few seconds later I get "DPD: remote seems
> to be dead". No idea at the moment.
>
> Do I have to worry about "WARNING: unable to get certificate CRL(3)" ?
>
> What does "KA" mean?

Sorry, not a lot of help here, I just felt like replying.

I've been trying to get IPSEC transport mode set up between NetBSD and
a stupid router whose name I won't mention and it's not working. I
tried it with Linux and it's not working. I tried it with another
brand of router and it's not working. I tried the same brand of router
and it works. Probably because all the names of the toggles line up or
something ridiculous like that.

It might be worth trying some other OS or device just to sanity check
it and make sure it CAN work before you assume it's a NetBSD issue.

Would be really nice if there was an IPSEC secret decoder ring for
device compatibility/setup.

Andy

