[vpnc-devel] Various questions with netscreen
Johan Fischer
jfischer at cmss-systems.com
Sat Sep 8 07:31:44 CEST 2007
Hi List,

Continuing to improve vpnc with a netscreen :)

Great fix for the DPD too, I was looking at that issue yesterday, and now it's
fixed!

Mostly 2 questions:

Why is the IKE lifetime hardcoded in vpnc.c (make_transform_ike)? I tried to
set it to 0 or to remove the entire block from the code to get the lifetime set
on the proposals on the server, but none of them work. As I still don't pass the
phase 2 key renewal (ipsec lifetime), I can't really test that one, but it's a
bit surprising...

The second question is about the possibility of autodetecting the vendor using
the IKE initial received packet. On my current configuration, one of the payloads
is a VID which just tells me that it's a netscreen system:

PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
next_type: 0d (ISAKMP_PAYLOAD_VID)
length: 0020
ke.data:
166f932d 55eb64d8 e4df4fd3 7e2313f0 d0fd8451 00000000 00000000
DONE PARSING PAYLOAD type: 0d (ISAKMP_PAYLOAD_VID)
unknown ISAKMP_PAYLOAD_VID:
166f932d 55eb64d8 e4df4fd3 7e2313f0 d0fd8451 00000000 00000000

Looking at the ike-scan template file, this payload represents 'Netscreen-15'.
So if we parsed that payload, it could set the vendor option to netscreen
automatically (shouldn't it?).

As I don't know how Cisco and other VPN systems work, I can't be sure that this
would be compatible with the rest.

Update on my proxyID problem ipsec lifetime problem will come later with debug
output (that I now understand a bit more).

Cheers.
J.
--
Johan Fischer
Capital Markets Surveillance Services Pty Limited
Level 4, 55 Harrington Street, Sydney NSW 2000
Tel: +61 2 8083 9000 Direct: +61 2 8083 9050
Fax: +61 2 8083 9099 http://www.cmss-systems.com
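
The VID-based vendor detection asked about in this message, as an added example that is not part of the original post and is not vpnc's own code. The names detect_vendor and known_vids are hypothetical, and matching only on the 20 non-zero leading bytes of the VID shown in the trace is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ISAKMP_PAYLOAD_VID 0x0d  /* payload type shown in the trace above */

/* Hypothetical table of known VID prefixes; the one entry is the value from the post. */
static const struct { const char *vendor; uint8_t prefix[20]; } known_vids[] = {
    { "netscreen", { 0x16,0x6f,0x93,0x2d, 0x55,0xeb,0x64,0xd8, 0xe4,0xdf,0x4f,0xd3,
                     0x7e,0x23,0x13,0xf0, 0xd0,0xfd,0x84,0x51 } },
};

/* Walk a chain of ISAKMP payloads (generic header: next type, reserved,
 * 16-bit big-endian length that includes the 4-byte header) and return the
 * vendor of the first recognised VID, or NULL. The peer's packet is untrusted:
 * every length is checked against the remaining buffer before it is used. */
const char *detect_vendor(const uint8_t *buf, size_t len, uint8_t type)
{
    while (type != 0 && len >= 4) {
        size_t plen = ((size_t)buf[2] << 8) | buf[3];
        if (plen < 4 || plen > len)
            return NULL;                      /* malformed or truncated payload */
        if (type == ISAKMP_PAYLOAD_VID)
            for (size_t i = 0; i < sizeof known_vids / sizeof known_vids[0]; i++)
                if (plen - 4 >= sizeof known_vids[i].prefix &&
                    memcmp(buf + 4, known_vids[i].prefix, sizeof known_vids[i].prefix) == 0)
                    return known_vids[i].vendor;
        type = buf[0];                        /* next payload type */
        buf += plen;
        len -= plen;
    }
    return NULL;
}

/* Constructed sample: the 0x20-byte VID payload from the trace, with next type 0 so the chain ends. */
static const uint8_t sample_vid[32] = {
    0x00, 0x00, 0x00, 0x20,
    0x16,0x6f,0x93,0x2d, 0x55,0xeb,0x64,0xd8, 0xe4,0xdf,0x4f,0xd3,
    0x7e,0x23,0x13,0xf0, 0xd0,0xfd,0x84,0x51 /* remaining 8 bytes are zero */
};

int main(void)
{
    const char *v = detect_vendor(sample_vid, sizeof sample_vid, ISAKMP_PAYLOAD_VID);
    printf("vendor: %s\n", v ? v : "unknown");
    return 0;
}
```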