
jmvpnc at loplof
May 6, 2008, 4:48 PM
Post #2 of 2
On Sun, Apr 13, 2008 at 08:19:27PM -0400, Andre-John Mas wrote:
> concentrator configured to require a firewall
> this locks out even Cisco clients on any platform except windows
> which is an obvious security improvement. There is no workaround
> (yet).
>
> This would seem to correspond to the error given in the logs of the
> official client:
>
> 50 20:16:53.539 04/13/2008 Sev=Info/4 IKE/0x4300004B
> Discarding IKE SA negotiation (I_Cookie=70593E34D6E6CB58
> R_Cookie=D2B5378BC8534DFD) reason = PEER_DELETE-
> IKE_DELETE_FIREWALL_MISMATCH
>
> 51 20:16:53.539 04/13/2008 Sev=Info/4 CM/0x43100012
> Phase 1 SA deleted before first Phase 2 SA is up cause by
> "PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH". 0 Crypto Active IKE SA,
> 0 User Authenticated IKE SA in the system
>
> I am curious as to whether any analysis has been made of what it would
> take to add the firewall capability to vpnc? What are the current
> hurdles at this point?

Can you please send a complete log of the official client with a) correct
and b) no firewall running. Please turn on maximum debugging options.
Also, it would be nice to capture the traffic at the same time with a
network sniffer software like Wireshark (www.wireshark.org).

Ciao
Joerg
--
Joerg Mayer <jmayer[at]loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
vpnc-devel mailing list
vpnc-devel[at]unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/