From: Hakan Olsson (ho crt.se)
Date: Sun Sep 16 2001 - 13:27:59 CDT
This is not (directly) a problem with the isakmpd.conf file(s), rather you
have an error in the isakmpd.policy file(s). Note the message of the first
debug line you included in your original mail.
If the policy does not permit an SA to be established... well, there you
are. The other messages appear as a result of this initial failure.
Check your policy file again. I normally use the following while testing:
    Keynote-version: 2
    Authorizer: "POLICY"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";
then, after I get things working, I can tighten the policy as desired.
/H
On Sun, 16 Sep 2001, Peter Bristow wrote:
> Hi all, I have just started playing with isakmpd and am trying to use the
> sample files to set up a 2 computer link. I have copied the
> singlehost-west.conf and east files onto 2 computers and have altered them to
> reflect my network (changed the ip addresses). When I run isakmpd -d I get the
> following errors.
> 151453.585374 Default check_policy: negotiated SA failed policy check
> 151453.585714 Default message_negotiate_sa: no compatible proposal found
> 151453.585904 Default dropped message from 192.168.0.3 port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 151453.587259 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a
> group desc. attribute
> 151453.589545 Default dropped message from 192.168.0.3 port 500 due to
> notification type NO_PROPOSAL_CHOSEN
> 151453.590910 Default group_get: group ID (0) out of range
> The other computer generates identical output except the ip address is the
> second computer. I have looked in the archives and it says that it may be an
> incompatibility in the encoding suites chosen but they are identical.
-- Håkan Olsson <hocrt.se> (+46) 708 437 337 Carlstedt Research Unix, Networking, Security (+46) 31 701 4264 & Technology AB
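
The triage described in the reply (read the first debug line, treat the rest as fallout) as an added example that is not part of the original thread or of isakmpd. It assumes each record is laid out as timestamp, log class, then an optional "function: message", and that wrapped lines belong to the record above them; the function names `parse` and `triage` are hypothetical.

```python
import re

# Debug output quoted in the thread, with the mail client's line wrapping kept.
SAMPLE = """\
151453.585374 Default check_policy: negotiated SA failed policy check
151453.585714 Default message_negotiate_sa: no compatible proposal found
151453.585904 Default dropped message from 192.168.0.3 port 500 due to
notification type NO_PROPOSAL_CHOSEN
151453.587259 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a
group desc. attribute
151453.589545 Default dropped message from 192.168.0.3 port 500 due to
notification type NO_PROPOSAL_CHOSEN
151453.590910 Default group_get: group ID (0) out of range
"""

# Assumed layout: HHMMSS.usec, log class, then an optional "function: message".
RECORD = re.compile(r"^(\d{6}\.\d{6}) (\S+) (.*)$")
FUNC = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*): (.*)$")

def parse(text):
    """Return one dict per log record, rejoining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()   # also accepts mail-quoted input
        m = RECORD.match(line)
        if m:
            ts, cls, rest = m.groups()
            f = FUNC.match(rest)
            records.append({"ts": ts, "cls": cls,
                            "func": f.group(1) if f else None,
                            "msg": f.group(2) if f else rest})
        elif line and records:
            records[-1]["msg"] += " " + line
    return records

def triage(records):
    """Split records into the first policy failure and everything after it."""
    for i, r in enumerate(records):
        if r["func"] == "check_policy" and "failed policy check" in r["msg"]:
            return r, records[i + 1:]
    return None, records

if __name__ == "__main__":
    root, rest = triage(parse(SAMPLE))
    if root:
        print(f"root cause  {root['ts']} {root['func']}: {root['msg']}")
    for r in rest:
        print(f"follow-on   {r['ts']} {r['func'] or '-'}: {r['msg']}")
```

When a root cause is reported, the file to review is isakmpd.policy rather than isakmpd.conf, as the reply says.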