[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snap-users
Subject:    (KAME-snap 5053) Re: (snap 20010611) Still have PFS problems
From:       VANHULLEBUS Yvan <vanhu () free ! fr>
Date:       2001-06-28 18:46:55
[Download RAW message or body]

On Thu, Jun 28, 2001 at 10:55:06PM +0900, Shoichi Sakane wrote:
> > > VANHULLEBUS, I have checked it with the configuration you specified.
> > > the difference between you and I is that I used IPv6. 
> > > unfortunately I have got a success.  of course, i have used latest racoon
> > > and the kernel.  but it may not be problem because i haven't modified
> > > "proposal_check" routine since last autumn.
> > > did you make any mistake ? or have you find any bug in racoon ?
> 
> > The only difference is the result with 'obey' I had during the last
> > test: I always used 'claim' in my preceding tests.
> 
> when i checked your report, i used "claim" because your configuration
> you specified included "claim", didn't it ?  also i used 'obey'.
> there was no problem in both case.  umm where was the problem ?

If I use 'claim', phase 2 negociation will fail, and I'll have
the following error in my racoon.log:
ERROR: isakmp_quick.c:1064:quick_r1recv(): KE payload and PFS attribute
mismatched. 

If I use 'obey' for the responder, negociation will be done and the
tunnel will work. I don"t know how to be sure that PFS is used but
I think it really works (I'll test with a third party VPN peer with
PFS actived to be 100% sure).


> > Can someone else test in IPv4 and confirms that PFS works/doesn't works ?
> 
> i believe PFS works well in racoon.

Yes, I also believe so, but I think there could be a problem in phase 2
negociation.

I should have added "with claim option for responder"..


Regards,

VANHULLEBUS Yvan.

[prev in list] [next in list] [prev in thread] [next in thread]