Mailing List Archive: vpnc: devel

Upgrade changes pfs dh2 to dh5

vpnc at oldfield

Jul 21, 2004, 8:41 AM

Post #1 of 3 (645 views)
Upgrade changes pfs dh2 to dh5

Hi,

I had been connecting to a Cisco VPN 3060 concentrator using
vpnc-0.2-rm+zomb-pre9 without any problems using "Perfect Forward
Secrecy dh2" (or PFS dh2 for short) in my vpnc.conf.

After upgrading to vpnc-0.2-rm+zomb.1 PFS dh2 no longer works, but PFS
dh5 does.

This is odd as the configuration on the Cisco concentrator end has not
changed (it's still set to PFS dh2), and subsequent testing confirms
that pre9 only works with PFS dh2, and not with PFS dh5.

The error I receive when using the "wrong" PFS setting is
quick mode rejected: INVALID_PAYLOAD_TYPE
check pfs setting

Any suggestions as to what's going on here, and why the change?

Regards,
Kim


massar at unix-ag

Jul 21, 2004, 2:48 PM

Post #2 of 3 (608 views)
Upgrade changes pfs dh2 to dh5 [In reply to]

hi,

> I had been connecting to a Cisco VPN 3060 concentrator using
> vpnc-0.2-rm+zomb-pre9 without any problems using "Perfect Forward
> Secrecy dh2" (or PFS dh2 for short) in my vpnc.conf.

since pre9, vpnc should work without setting PFS in vpnc.conf or on the command line.

> After upgrading to vpnc-0.2-rm+zomb.1 PFS dh2 no longer works, but PFS
> dh5 does.
>
> This is odd as the configuration on the Cisco concentrator end has not
> changed (it's still set to PFS dh2), and subsequent testing confirms
> that pre9 only works with PFS dh2, and not with PFS dh5.
>
> The error I receive when using the "wrong" PFS setting is
> quick mode rejected: INVALID_PAYLOAD_TYPE
> check pfs setting
>
> Any suggestions as to what's going on here, and why the change?

hmm.. I cannot see what should have caused such a change...

could you try what happens if you use "--pfs server"?
also look at which dh-group setting is used at ike-phase1-sa

this "check pfs setting" can be a bit misleading, because
it is always printed if an unexpected packet is received at a
certain stage (vpnc error handling is practically nonexistent.
vpnc does not understand error messages from the concentrator,
it just notices that it is not the "expected" packet and dies).

maybe it is something else..

cu
maurice


vpnc at oldfield

Jul 25, 2004, 5:15 AM

Post #3 of 3 (608 views)
Upgrade changes pfs dh2 to dh5 [In reply to]

On 21 Jul 2004, Maurice Massar typed:
] hi,
]
] > I had been connecting to a Cisco VPN 3060 concentrator using
] > vpnc-0.2-rm+zomb-pre9 without any problems using "Perfect Forward
] > Secrecy dh2" (or PFS dh2 for short) in my vpnc.conf.
]
] since pre9, vpnc should work without setting PFS in vpnc.conf or on the command line.

Just tried removing the PFS setting, but the connection fails at the
same place ("check pfs setting").

] > After upgrading to vpnc-0.2-rm+zomb.1 PFS dh2 no longer works, but PFS
] > dh5 does.
]
] hmm.. I cannot see what should have caused such a change...
]
] could you try what happens if you use "--pfs server"?

With zomb.1 I get the same problem, dh5 works and dh2 fails.

] also look at which dh-group setting is used at ike-phase1-sa

Checking the concentrator:
IKE Proposal, Diffie-Hellman Group: Group 2
Security Association, Perfect Forward Secrecy: Group 2
So both are set to dh2.

] this "check pfs setting" can be a bit misleading, because
] it is always printed if an unexpected packet is received at a
] certain stage (vpnc error handling is practically nonexistent.
] vpnc does not understand error messages from the concentrator,
] it just notices that it is not the "expected" packet and dies).
]
] maybe it is something else..

Regards,
Kim
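The quick-mode failure discussed in this thread (Maurice's point that vpnc only notices an unexpected packet and dies, and Kim's concentrator being set to dh2 while only dh5 connects) is easier to pin down by reading the peer's reply directly. The following Python is an added example, not vpnc's code: it walks an ISAKMP payload chain, names any Notification payload the peer sent, and infers the peer's DH group from the size of its KE payload (128 bytes for group 2, 192 bytes for group 5). It assumes the payloads are available in cleartext (quick mode is encrypted on the wire, so this applies to a decrypted trace or a client-side dump); the constants come from RFC 2408, 2409 and 3526, and the message builder exists only to produce constructed sample input.

```python
import struct

# Key-exchange data length in bytes for IKEv1 MODP groups (RFC 2409, RFC 3526).
DH_GROUP_KE_LEN = {1: 96, 2: 128, 5: 192, 14: 256}
ISAKMP_HDR_LEN = 28                 # RFC 2408 fixed header
PAYLOAD_KE, PAYLOAD_NOTIFY = 4, 11  # ISAKMP payload type numbers
NOTIFY_NAMES = {1: "INVALID_PAYLOAD_TYPE", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KEY_INFORMATION"}

def build_isakmp(exchange_type, payloads):
    """Build an unencrypted ISAKMP message from (type, body) pairs (constructed sample data)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody   # generic payload header
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, first, 0x10,
                      exchange_type, 0, 1, ISAKMP_HDR_LEN + len(body))
    return hdr + body

def walk_payloads(pkt):
    """Yield (payload_type, body) for each payload, refusing lengths that overrun the message."""
    if len(pkt) < ISAKMP_HDR_LEN or struct.unpack("!I", pkt[24:28])[0] != len(pkt):
        raise ValueError("truncated ISAKMP message or bad header length")
    ptype, off = pkt[16], ISAKMP_HDR_LEN      # byte 16 is the first payload type
    while ptype != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _rsv, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        yield ptype, pkt[off + 4:off + plen]
        ptype, off = nxt, off + plen

def diagnose_pfs(pkt, configured_group):
    """Name any notify error the peer sent and compare its KE size with our configured group."""
    notes = []
    for ptype, body in walk_payloads(pkt):
        if ptype == PAYLOAD_NOTIFY and len(body) >= 8:
            ntype = struct.unpack("!H", body[6:8])[0]   # DOI(4) proto(1) SPI size(1) notify type(2)
            notes.append("peer sent notify " + NOTIFY_NAMES.get(ntype, str(ntype)))
        elif ptype == PAYLOAD_KE:
            peer = [g for g, n in DH_GROUP_KE_LEN.items() if n == len(body)]
            if not peer:
                notes.append("KE payload of %d bytes matches no known MODP group" % len(body))
            elif configured_group in peer:
                notes.append("peer KE size matches configured dh%d" % configured_group)
            else:
                notes.append("peer KE size implies dh%d but we are configured for dh%d"
                             % (peer[0], configured_group))
    return "; ".join(notes) or "no KE or notify payload found"
```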
