20 KiB
20 KiB
Mon Aug 13 2001 - Fri Aug 17 2001
$KAME: helsinki-result.jp,v 1.49 2001/08/17 14:33:48 sakane Exp $
generic
sec* interface($B<u$1B&$@$1$@$1$I$M)$B$O$&$^$/F0$/!#$I$NSPD entry$B$H
$B$I$N%$%s%?%U%'!<%9$,4XO"$E$$$F$$$k$N$+CN$k<jCJ$,I,MW(PF_KEY
API$B$^$?JQ99?)$B!#$H$3$m$G!"tunnel/transport$B$OSPD entry$B$Nproperty$B$G$"$k$H
$B==J,9g0U$5$l$F$$$k$+?
tunnel mode$B$Nproposal$BHf3S!#see F-Secure
phase 1$B$G$NAES/SHA2 support$BMW!#(AES$B$OF0:n3NG':Q)
Q. $B0E9f2=$7$?7k2L$,IV$BD9$h$jC;$$>l9g$O!)$=$s$J$N$"$j$($J$$!)
phase 1$B$G80D9$N%M%4$,$G$-$J$$!#($B$G$-$k!#4*0c$$$@$C$?)
IPsec$B$G$NSHA2 support$B3NG'($BE:IU$9$kbit$B?t)$B!#
SSH$B<R$+$itoolkit$B$rGc$C$F;H$C$F$$$k$H$3$m$,BgJQB?$$!#$J$s$+SSH$B<R$N
$B$?$a$Kbakeoff$B$7$F$$$k$h$&$J5$$,$7$F$-$?!#$H$$$&$+!"ipsec$B<+BNSSH$B<R$N
$BMx1W$N$?$a$N%W%m%H%3%k$8$c$J$$$+$H$$$&5$$9$i$7$F$/$k!#J#;($K$9$l$P
$B$9$k$[$ISSH$B<R$OLY$+$k... (conspiracy theory)
id payload$B$KBP$9$kpolicy database$B8!:w$N8+D>$7!#any$B$N>l9gwildcard$B$@$H
$B;W$C$F8!:w$9$Y$-!#exactly right!!
phase 2$B$G!"ipsec enc mode$B$,$D$$$F$$$J$+$C$?$H$-$N<h$j07$$
(transport mode$B$H;W$C$F$h$$$N$G$O$J$$$+)$B!#($B=$@5:Q)
$BD9$$KEYMAT$B$N7W;;$N$H$-!"I,MW80D9$N7W;;$Kbug$B$"$j ($B=$@5:Q)
DH$B8x3+>pJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b
subjectAltName$B$HID payload$BHf3S$K$D$$$F$h$/9M$($J$$$H>ZL@=q$O;H$($J$$!#
$B>ZL@=q$rAw$kA0$K!"$I$NID$B$rsubjectAltName$B$K;H$&$+7h$a$J$$$H$$$1$J$$$+$i!#
ndp$B$rbypass$B$5$;$k%U%i%0$+%]%j%7$,$"$C$?J}$,$$$$$+$b!#
$B0l1~ipsec_setsocket(NULL)$B$O$7$F$$$k!#ip6_output()$B$K%U%i%0EO$9?
$BH~$7$/$J$$... (itojun)
latest isakmpd on KAME
Tue Aug 14 01:42:55 JST 2001
isakmpd$B$Ninterface selection$BIt$rD>$7$?$iphase 1$B$O@.8y$7$?!#
phase 2$B$,$&$^$/$$$+$J$$LOMM!#B?J,@_DjLdBj!#
35:36.982316 130.233.9.166:500 -> 130.233.9.165:500: isakmp 1.0 msgid 00000000:
phase 1 ? ident[E]: [encrypted id]
2001-08-13 23:35:36: DEBUG: isakmp.c:402:isakmp_main(): malformed cookie receive
d or the spi expired.
USAGI linux
Tue Aug 14 01:42:55 JST 2001
$B$J$s$+:#$O$^$C$F$$$k$i$7$$!#
Wed Aug 15 JST
ESP 3des, des$B$Nmanual key$B$O@.8y
Thu Aug 16 JST
$B$H$j$"$($:pluto$B$@$1F0$+$7$?!#phase 2$B$O40N;$9$k$,7k2L$N80$,0c$&!#
Compaq Tru54 UNIX X5.1B-BL4
Tue Aug 14 17:09:18 JST 2001
IPv4, ESP, tunnel mode
phase 1/2$B$H$b3DES + SHA1, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
IPv6, ESP + AH, transport tunnel mode
phase 1/2$B$H$b3DES + SHA1, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
IPv6, IPComp + ESP + AH, transport mode
phase 1/2$B$H$b3DES + SHA1 + defalte, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
initiator/responder$B$I$A$i$b$d$C$?!#
Compaq$B$,initiator$B$N>l9g$KLdBj$"$j!#
Compaq$BB&$Ophase 2 lifetime$B$Nproposal$B:n$jItJ,$Kbug$B$,5o$k$h$&$G!"
GUI$B$G5min$B$H8@$C$F$b10min$B$H8@$C$F$/$k(phase 1 lifetime$B$NCM$r
$B%3%T!<$7$F$$$k?)$B!#
chargen$BCf$Nrekey$BEy$b;n$7$?!#LdBj$J$7!#
IPv4 over IPv6/IPv6 over IPv4$B$d$m$&$H8@$o$l$?$,$G$-$:!#sec* transition
$B=*$o$C$?$i$d$l$k$+$J!#
$BL@F|12:00 RSA signature mode$B$G:F@o
$B$`$`!"authentication-failed$B$G<:GT!#$3$C$A$NLdBj$+!)
Fitec$B$H8=>]$O0l=o!#openssl 0.9.6 $B$r;H$&$HLdBj$J$7!#
openssl$B$N%P!<%8%g%s2<$2$A$c$C$?$N$G
ipv6 address as subjectAltName $B$O=PMh$:!#
Sun
Thu Aug 16 16:30 EEST 2001
phase1: RSA signature, 3des, sha1, dh5
phase2: ESP transport, aes 128, sha1, dh5
$BLdBj$J$7
Sun$B$O phase2$B$NAES$B$N80D9$r$D$1$F$J$+$C$?!#draft$B$K$h$k$Hmust$B!#
racoon$BB&$,default$B80D9$r%;%C%H$9$k$h$&$K$7$FBP1~!#
IBM AIX 5.1
Tue Aug 14 17:33:43 JST 2001
IPv6 test$B$7$h$&$H8@$o$l$k$b!"@hJ}$N%^%7%s($B1s3VCO)$B$Kglobal address$B$J$7!#
Thu Aug 16 21:00 ESST 2001
IPv6$B$@$1
phase1 pre-shared-key, 3des, sha1, dh2
phase2 esp transport, 3des, sha1, pfs2
$B:G=i$N1$B2s$OLdBj$J$7!#
phase2 SA$B$r>C$7$F:F%M%4$9$k$Hisakmpd$B$,$@$s$^$j$K$J$k!#
ibm isakmpd $B$KLdBj$"$k$C$]$$!#
san diego$B$G$d$C$?;~$O manual $B$@$C$?$+$J!)
$B$=$&$G$9(itojun)
prasad$B7/$O%$%s%I$K5"$C$F$k$N$GMh$J$$!#
F-Secure VPN+ 5.40
Tue Aug 14 19:44:15 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 AES + SHA1, group 5, lifetime = 2min
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 AES + SHA1 + deflate, group 5, lifetime = 2min
$B$I$A$i$bLdBj$J$7!"rekey$B$bOK$B!#
IPComp + ESP tunnel mode (IP ESP IPComp IP payload)$B$r$d$m$&$H$7$F
ipcomp/tunnel//use esp/transport//use$B$H%]%j%7$r=q$$$?$i!"
IKE phase 2$BE*$K
$B8~$3$&: IPComp tunnel, ESP tunnel
$B$3$C$A: IPComp tunnel, ESP transport
$B$Nproposal$B$rHf3S$7$F!"no proposal chosen$B$K$J$k!#$3$C$A$NLdBj
(bundle$B$N<h$j07$$)
$B$G$C$+$$DH group$B!"phase 1 SHA2-256/AES$B$b$G$-$k$i$7$$!#8e$G$d$j$?$$!#
(modp4096, phase 1 aes $B$Ook)
Fri Aug 17 11:00 EEST 2001
phase1: aggressive mode modp4096, aes, sha1, rsa signature
phase2: pfs 5, esp tunnel, aes, hmac sha1
aes for phase1 $B$bOK.
f-secure$B$OsubjectAltName$B$K%"%I%l%9=q$+$J$$$H%Q%1%C%H$@$;$J$$!#
invalid signature$B$Gf-secure$B$KE\$i$l$F<:GT!#860xITL@!#
-> f-secure$B$OsubjectAltName$B$r1$B$D$7$+<u$1$D$1$J$$!#
$B>ZL@=q$r:n$jD>$7$F@.8y!#
DH$B8x3+>pJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b
SecGo CryptoIP v3
Tue Aug 14 21:41:36 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 blowfish, group 5, lifetime = 2min
phase 2 AES$B$b;n$=$&$H$7$?$,<:GT(SecGo$BB&$,12$B0J30$Nalgorithm #$B$r
$B;H$C$F$$$? or $B%3%s%Q%$%k$7$F$J$+$C$?)$B!#rekey$B$b$d$C$F$_$?!#
phase 1 AES$B$b$G$-$k$i$7$$(SSH toolkit$B;HMQ)$B!#
Wed Aug 15 00:16:35 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, lifetime = 10min
phase 2 AES, lifetime = 2min
tested rekey as well.
Oullim information technologies SECUREWORKS VPN gateway 3.0
Tue Aug 14 21:48:36 JST 2001
phase 2 AES/blowfish$B$O$I$&$@$M$H%J%s%Q$7$F$_$k$b!"not ready$B!#
$BL@F|$+L@8eF|$M$H$N$3$H!#
Wed Aug 15 17:15:09 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B<:GT!#@hJ}$,AES$B$N$H$-$KESP ICV check$B$K<:GT$9$k!#
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + MD5, group 2, lifetime = 2min
$B$*$J$8$/<:GT
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 3DES + MD5, group 2, lifetime = 2min
$B@.8y!#
$B@hJ}$,$3$&$$$&$NEj$2$F$/$k$N$G!"$3$C$A$OE\$k(id payload$B$N=g=x$,
$BIaDL$G$O$J$$)$B!#
>11:59.824877 130.233.10.30:500 -> 130.233.9.166:500: isakmp 1.0 msgid 75973360: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=ipsec-esp transform=1 spi=6fd60ca5
> (t: #1 id=3des (type=lifetype value=sec)(type=life value=0078)(type=enc mode value=tunnel)(type=auth value=hmac-md5)(type=group desc value=modp1024))))
> (nonce: n len=16)
> (ke: key len=128)
> (id: idtype=IPv4 protoid=0 port=0 len=4 130.233.9.166)
> (id: idtype=IPv4net protoid=0 port=0 len=8 192.168.10.0/255.255.255.0)
Wed Aug 15 18:39:11 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES, group 2, lifetime = 2min
IKE$BE*$K$OBg>fIW!#IPsec$BE*$K$^$@BLL\!#
Wed Aug 15 19:09:05 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES, group 2, lifetime = 2min
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B8~$3$&$,AES code$B$r=$@5$7$?!#IKE$BE*$K$bIPsec$BE*$K$bBg>fIW!#
rekey$B$b0l1~@.8y($B8~$3$&$Oreal lifetime == soft, real * 1.2 == hard$B$H$+$K
$B@_Dj$7$F$$$k$N$G$A$g$C$H%X%s$@$C$?$1$I)$B!#
Thu Aug 16 22:01:57 JST 2001
$B$b$&$$$A$I!#$"$H$OID payload$B$N=g=x$@$1!#
Fri Aug 17 02:00 JST$B:"
$B:FD)@o!#@.8y!#
Trilogy AdmitOne 2.6
Tue Aug 14 21:58:01 JST 2001
30$BJ,8e$H8@$o$l$?!#
Wed Aug 15 01:53:42 JST 2001
$BL@F|!#
Wed Aug 15 16:09:50 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 1, lifetime = 10min
phase 2 AES + SHA1, group 1, lifetime = 2min
Trilogy$BB&$OIKE phase 2$B$Nkey length$B$,byte$BC10L$@$H;W$C$F$$$k$i$7$/
negotiation$B<:GT!#=$@58e:FD)@o!#
Wed Aug 15 17:40:05 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 1, lifetime = 10min
phase 2 AES + SHA1, group 1, lifetime = 2min
$B:FD)@o!#$3$A$i$,initiator$B$N$H$-$O$&$^$/$$$/!#$"$A$i$,initiator$B$N
$B>l9g!"id payload$B$Kproto=icmp$B$,Kd$^$C$F$*$j!"$3$A$i$Nkernel policy
proto=any$B$Kmatch$B$;$:no policy found$B$K$J$k!#MW=$@5!#
>spdadd 130.233.9.166 130.233.10.167 any -P out ipsec esp/transport//use;
>spdadd 130.233.10.167 130.233.9.166 any -P in ipsec esp/transport//use;
>35:45.215745 130.233.10.167:500 -> 130.233.9.166:500: isakmp 1.0 msgid dba05304: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=ipsec-esp transform=1 spi=dba05304
> (t: #1 id=aes (type=lifetype value=sec)(type=life value=7080)(type=lifetype value=kb)(type=life value=2000)(type=
>group desc value=modp768)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=keylen value=0080))))
> (nonce: n len=64)
> (ke: key len=96)
> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.10.167)
> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.9.166)
>2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1951:get_proposal_r(): get a src address from ID payload 130.233.10.167[0] prefixlen=32 ul_proto=1
>2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1956:get_proposal_r(): get dst address from ID payload 130.233.9.166[0] prefixlen=32 ul_proto=1
>2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca408: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=any dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca808: 130.233.9.166/32[0] 130.233.10.167/32[0] proto=any dir=out
>2001-08-15 17:35:45: ERROR: isakmp_quick.c:1979:get_proposal_r(): no policy found: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
ZyXEL
Tue Aug 14 12:00 ESST 2001
phase1 main mode, pre-shared key, des, sha1, dh1
phase2 esp, des, sha1, tunnel
$BLdBj$J$7!#proposal$B$O1$B$D$@$1<u$1$D$1$k!#rekey$B$O$G$-$J$$!#
III
Tue Aug 14 14:00 ESST 2001
phase1 main mode, pre-shared key, 3des, md5, dh2
phase2 esp, des, md5, tunnel
$BLdBj$J$7!#proposal$B$O1$BHVL\$r;H$&!#rekey$B$O$G$-$J$$!#
$BBfOQ$N>e;J$KKAME$B$H%F%9%H$7$F$3$$$H8@$o$l$?$i$7$$!#
WindowsXP
Tue Aug 14 20:00
phase1 main mode, pre-shared key, 3des, sha1, modp3072
phase2 esp, 3des, sha1, transport
modp3072$B$d$m$&$h$H%J%s%Q$5$l$k!#
dh$B$N7W;;: fbsd43 P100MHz$B$GLs7(s)
XP P2 200MHz$B$GLs9(s)
$BL@F|M<J} RSA signature mode$B$G:F@o!#
$B5"$C$A$c$C$?$N$G$G$-$J$$!#
Ashley
Tue Aug 14 18:00
invalid-signature$B$HJ86g$r8@$o$l$k!#
$B8_$$$K ssh-ca1$B$+$i=pL>$7$F$b$i$C$?$H8@$C$F$k$,!"
$B<B$Otest-ca1.ssh.com$B$Hbakeoff-ca1.ssh.com$B$N2$B$D$"$k;v$,H=L@!D
test-ca1.ssh.com$B$KE}0l$7$F:F@oM=Ls
Fri Aug 17 10:30
Ashley$B<BAu$Kpkcs#1 padding$B$NLdBj$"$j!#%M%4$G$-$:!#
Netoctave
Wed Aug 15 11:00
$B$3$C$A$, initiate$B$9$k$H no-proposal-chosen$B$,5"$C$F$/$k!#
$BE($+$iping$B$7$F$b$i$&$HIKE$B$N%Q%1%C%H$,=P$J$$!#
$B>u673NG'$7$F$b$i$C$F8e$+$i:F@o$9$kM=Dj!#
isakmpd (jakob@openbsd)
Tue Aug 14
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$BLdBj$J$7!#
Wed Aug 15 21:25:49 JST 2001
IPv6, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B8~$3$&$Omain mode$B$GFQDN$B$rID$B$K;H$$$?$,$C$?$,!"$3$&$$$&%(%i!<$GE\$i$l$k!#
sakane$B$O$3$l$Owg$B$G$N9g0U$H;W$C$F$$$k$,!"MW3NG'!#
2001-08-15 21:14:41: ERROR: ipsec_doi.c:3063:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Fri Aug 17 10:00
rsa signature.
$BLdBj$J$7!#
isakmpd$B$O subjectAltName$B$r1$B$D$7$+<u$1$D$1$J$$!#
Fitec
Wed Aug 15 13:00
RSA signature
invalid-authentication $B$GD7$M$i$l$k!#$$$h$$$h$3$C$A$NLdBj$+...
KeyUsage $B$rIKE$B$K$7$H$+$J$$$HE\$i$l$k!#
$BB>$N<BAu$H$&$^$/$$$+$J$$$N$O!"$3$l$,860x$+!)
$B$=$&$G$b$J$5$=$&!"openssl$B$NLdBj$+$b!#
openssl 0.9.6 $B$K$7$?$i@.8y!#0c$$$,J,$+$i$:!#
SSH
IPv6$B$@$1$d$C$?
ssh solaris version:
ssh$BB&: IKE$B$N%Q%1%C%H$,=P$J$$!#
nd cache$B$NLdBj$+!)
tcp$B$@$1$N%]%j%7$G$bIKE$B$N%Q%1%C%H$,=P$;$J$$!#
solaris$B$Ostatic cache entry$BF~$l$k%3%^%s%I$,$J$$$i$7$$!#
$B0lC6ping6$B$7$Fcache$B$r:n$C$?5$$K$J$C$F$bNS$B$r=P$=$&$H$9$k!#
$B860xD4::$9$k$+$i:F@o$7$F$M$H8@$o$l$k!#
$B:F@o. $BLdBj$J$7
$BBt;3$Nphase2 proposal(43440B$B$NUDP$B%Q%1%C%H)$B$r<u$1$k$H
racoon $B$^$G%Q%1%C%H$,>e$,$C$FMh$J$$!#
500 proposal$B$rEj$2$F$/$k!#proposal#$B$O1byte$B$J$N$GCF$/$Y$-!#
racoon$B$O:G=i$KA4It%Q!<%9$7$F$k$_$?$$!#
RSA signature mode
ssh$BB&$Kpublic key$B7W;;$KLdBj$"$C$?!#D>$7$FOK
ssh$B$Ossh-test-ca1$B$,%5%$%s$7$?>ZL@=q$r;H$$!"
racoon$B$Ofujixerox$B$,%5%$%s$7$?>ZL@=q$G$bOK
AES phase1 $B$,$&$^$/$$$+$J$$!#4V0c$$$J$/racoon$B$NLdBj!#($BD>$7$FF0:n3NG':Q)
phase1 proposal$B$N%Q!<%9$KCn$,$$$k$+$b!#MW3NG'
freeswan
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min
IPComp$B$K$OLdBj$J$7!#
$B@hJ}$,initiate$B$7$F$-$?$H$-$KLdBj$"$j!#phase 2$B$G!"ipcomp enc mode$B$,
$BL5;XDj$N>l9g!"ipcomp$B$N>l9g$@$1$Otransport$B$H;W$o$J$1$l$P$J$i$J$$!#
$B$,!"racoon$B$O8=>u$3$l$rRFC2407$BE*$K(Any$B$H$7$F)$B<h$j07$&!#$N$G!"no
proposal chosen$B$K$J$k!#
RFC2407$B$+$i$9$k$H!"enc mode unspecified == transport$B$G$b$h$$$h$&$J
$B5$$,$9$k$,... ("host-dependent"$B$C$F=q$$$F$"$k$+$i)
RFC2407
> Encapsulation Mode
> RESERVED 0
> Tunnel 1
> Transport 2
>
> Values 3-61439 are reserved to IANA. Values 61440-65535 are
> for private use.
>
> If unspecified, the default value shall be assumed to be
> unspecified (host-dependent).
draft-shacham-ippcp-rfc2393bis-08.txt
> Encapsulation Mode
>
> To propose a non-default Encapsulation Mode (such as Tunnel
> Mode), an IPComp proposal MUST include an Encapsulation Mode
> attribute. If the Encapsulation Mode is unspecified, the
> default value of Transport Mode is assumed.
>42:28.211568 130.233.9.175:500 -> 130.233.9.166:500: isakmp 1.0 msgid 6935cbd8: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #0 protoid=ipsec-esp transform=2 spi=3a47a3e7
> (t: #0 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-md5))
> (t: #1 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-sha1)))
> (p: #0 protoid=ipcomp transform=1 spi=ac23
> (t: #0 id=deflate (type=lifetype value=sec)(type=life value=7080))))
> (nonce: n len=16)
> (ke: key len=192)
>2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1024:get_ph2approvalx(): peer's single bundle:
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=3a47a3e7 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=2 spi=0000ac23 spi_p=00000000 encmode=Any reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE)
>2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1027:get_ph2approvalx(): my single bundle:
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE)
>2001-08-15 16:42:28: ERROR: proposal.c:497:cmpsatrns(): authtype mismatched: my:1 peer:2
>2001-08-15 16:42:28: ERROR: proposal.c:365:cmpsaprop_alloc(): IPComp SPI size promoted from 16bit to 32bit
>2001-08-15 16:42:28: ERROR: proposal.c:378:cmpsaprop_alloc(): encmode mismatched: my:2 peer:0 <-----
Thu Aug 16 16:49:08 JST 2001
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min
$B:FD)@o!#=$@5$G$-$?$3$H$r3NG'!#
netopia
Wed Aug 15 19:00 JST$B:"
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 3DES + SHA1, group 2, lifetime = 1h
KAME$B%Y!<%9<BAu!#CPU$B$,$7$g$\$$$i$7$/D-H$B$K5$BIC$/$i$$$+$+$C$F$I$-$I$-$9$k!#
bug report$B$J$I$"$C$?$iAw$C$F$b$i$&$h$&$*4j$$$9$k!#
Ericsson
Wed Aug 15 20:30 JST$B:"
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 AES + SHA1, group 2, lifetime = 1h
$B@.8y
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 blowfish + SHA1, group 2, lifetime = 1h
$B<:GT!#blowfish$B!"$3$C$A$,$o$N80$N@8@.$,$*$+$7$$(= $BD9$$80$N>l9g)$B!#
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 3DES + SHA1, group 2, lifetime = 1h
$B<:GT!#ericsson$BB&!"ND$B$,$*$+$7$$!#
Nokia EPOC
Wed Aug 15 20:51:25 JST 2001
IPv6, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 3600min
phase 2 3DES + SHA1 + deflate, group 2, lifetime = 2min
IPsec key$B$bF~$k$,!"@hJ}$N%]%j%7LdBj$Gping$B$OJV$i$J$$!#
Trustworks TrustedClient v3.2
Thu Aug 16 20:17:51 JST 2001
IPv6, AH + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 3DES + SHA1, group 5, lifetime = 2min
$B@hJ}$,responder$B$N$H$-!"808r49$,=*N;$7$?=V4V@hJ}$NIKE daemon$B$,panic$B!#
$B$^$"808r49<+BN$O$G$-$F$$$k$h$&$@!#
Nortel GatewayController/CallServer 2000 (not released yet)
Fri Aug 17 00:16:23 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 AES + SHA1, group 5, lifetime = 2min
Nortel$BB&initiator: round=10$B$H$$$&attribute$B$r$D$1$F$/$k$N$Gno proposal
chosen
KAME$BB&initiator: id payload$BH4$-(ip address$B;H$()$B$@$HNortel$BB&$O
$B$X$/$k$N$GBLL\
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 3DES + SHA1, group 5, lifetime = 2min
Nortel$BB&initiator: ok
KAME$BB&initiator: id payload$BH4$-$@$HNortel$BB&$O$X$/$k$N$GBLL\
$KAME: helsinki-result.jp,v 1.49 2001/08/17 14:33:48 sakane Exp $
generic
sec* interface($B<u$1B&$@$1$@$1$I$M)$B$O$&$^$/F0$/!#$I$NSPD entry$B$H
$B$I$N%$%s%?%U%'!<%9$,4XO"$E$$$F$$$k$N$+CN$k<jCJ$,I,MW(PF_KEY
API$B$^$?JQ99?)$B!#$H$3$m$G!"tunnel/transport$B$OSPD entry$B$Nproperty$B$G$"$k$H
$B==J,9g0U$5$l$F$$$k$+?
tunnel mode$B$Nproposal$BHf3S!#see F-Secure
phase 1$B$G$NAES/SHA2 support$BMW!#(AES$B$OF0:n3NG':Q)
Q. $B0E9f2=$7$?7k2L$,IV$BD9$h$jC;$$>l9g$O!)$=$s$J$N$"$j$($J$$!)
phase 1$B$G80D9$N%M%4$,$G$-$J$$!#($B$G$-$k!#4*0c$$$@$C$?)
IPsec$B$G$NSHA2 support$B3NG'($BE:IU$9$kbit$B?t)$B!#
SSH$B<R$+$itoolkit$B$rGc$C$F;H$C$F$$$k$H$3$m$,BgJQB?$$!#$J$s$+SSH$B<R$N
$B$?$a$Kbakeoff$B$7$F$$$k$h$&$J5$$,$7$F$-$?!#$H$$$&$+!"ipsec$B<+BNSSH$B<R$N
$BMx1W$N$?$a$N%W%m%H%3%k$8$c$J$$$+$H$$$&5$$9$i$7$F$/$k!#J#;($K$9$l$P
$B$9$k$[$ISSH$B<R$OLY$+$k... (conspiracy theory)
id payload$B$KBP$9$kpolicy database$B8!:w$N8+D>$7!#any$B$N>l9gwildcard$B$@$H
$B;W$C$F8!:w$9$Y$-!#exactly right!!
phase 2$B$G!"ipsec enc mode$B$,$D$$$F$$$J$+$C$?$H$-$N<h$j07$$
(transport mode$B$H;W$C$F$h$$$N$G$O$J$$$+)$B!#($B=$@5:Q)
$BD9$$KEYMAT$B$N7W;;$N$H$-!"I,MW80D9$N7W;;$Kbug$B$"$j ($B=$@5:Q)
DH$B8x3+>pJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b
subjectAltName$B$HID payload$BHf3S$K$D$$$F$h$/9M$($J$$$H>ZL@=q$O;H$($J$$!#
$B>ZL@=q$rAw$kA0$K!"$I$NID$B$rsubjectAltName$B$K;H$&$+7h$a$J$$$H$$$1$J$$$+$i!#
ndp$B$rbypass$B$5$;$k%U%i%0$+%]%j%7$,$"$C$?J}$,$$$$$+$b!#
$B0l1~ipsec_setsocket(NULL)$B$O$7$F$$$k!#ip6_output()$B$K%U%i%0EO$9?
$BH~$7$/$J$$... (itojun)
latest isakmpd on KAME
Tue Aug 14 01:42:55 JST 2001
isakmpd$B$Ninterface selection$BIt$rD>$7$?$iphase 1$B$O@.8y$7$?!#
phase 2$B$,$&$^$/$$$+$J$$LOMM!#B?J,@_DjLdBj!#
35:36.982316 130.233.9.166:500 -> 130.233.9.165:500: isakmp 1.0 msgid 00000000:
phase 1 ? ident[E]: [encrypted id]
2001-08-13 23:35:36: DEBUG: isakmp.c:402:isakmp_main(): malformed cookie receive
d or the spi expired.
USAGI linux
Tue Aug 14 01:42:55 JST 2001
$B$J$s$+:#$O$^$C$F$$$k$i$7$$!#
Wed Aug 15 JST
ESP 3des, des$B$Nmanual key$B$O@.8y
Thu Aug 16 JST
$B$H$j$"$($:pluto$B$@$1F0$+$7$?!#phase 2$B$O40N;$9$k$,7k2L$N80$,0c$&!#
Compaq Tru54 UNIX X5.1B-BL4
Tue Aug 14 17:09:18 JST 2001
IPv4, ESP, tunnel mode
phase 1/2$B$H$b3DES + SHA1, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
IPv6, ESP + AH, transport tunnel mode
phase 1/2$B$H$b3DES + SHA1, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
IPv6, IPComp + ESP + AH, transport mode
phase 1/2$B$H$b3DES + SHA1 + defalte, group 2
phase 1 lifetime = 10min, phase 2 lifetime = 5min
initiator/responder$B$I$A$i$b$d$C$?!#
Compaq$B$,initiator$B$N>l9g$KLdBj$"$j!#
Compaq$BB&$Ophase 2 lifetime$B$Nproposal$B:n$jItJ,$Kbug$B$,5o$k$h$&$G!"
GUI$B$G5min$B$H8@$C$F$b10min$B$H8@$C$F$/$k(phase 1 lifetime$B$NCM$r
$B%3%T!<$7$F$$$k?)$B!#
chargen$BCf$Nrekey$BEy$b;n$7$?!#LdBj$J$7!#
IPv4 over IPv6/IPv6 over IPv4$B$d$m$&$H8@$o$l$?$,$G$-$:!#sec* transition
$B=*$o$C$?$i$d$l$k$+$J!#
$BL@F|12:00 RSA signature mode$B$G:F@o
$B$`$`!"authentication-failed$B$G<:GT!#$3$C$A$NLdBj$+!)
Fitec$B$H8=>]$O0l=o!#openssl 0.9.6 $B$r;H$&$HLdBj$J$7!#
openssl$B$N%P!<%8%g%s2<$2$A$c$C$?$N$G
ipv6 address as subjectAltName $B$O=PMh$:!#
Sun
Thu Aug 16 16:30 EEST 2001
phase1: RSA signature, 3des, sha1, dh5
phase2: ESP transport, aes 128, sha1, dh5
$BLdBj$J$7
Sun$B$O phase2$B$NAES$B$N80D9$r$D$1$F$J$+$C$?!#draft$B$K$h$k$Hmust$B!#
racoon$BB&$,default$B80D9$r%;%C%H$9$k$h$&$K$7$FBP1~!#
IBM AIX 5.1
Tue Aug 14 17:33:43 JST 2001
IPv6 test$B$7$h$&$H8@$o$l$k$b!"@hJ}$N%^%7%s($B1s3VCO)$B$Kglobal address$B$J$7!#
Thu Aug 16 21:00 ESST 2001
IPv6$B$@$1
phase1 pre-shared-key, 3des, sha1, dh2
phase2 esp transport, 3des, sha1, pfs2
$B:G=i$N1$B2s$OLdBj$J$7!#
phase2 SA$B$r>C$7$F:F%M%4$9$k$Hisakmpd$B$,$@$s$^$j$K$J$k!#
ibm isakmpd $B$KLdBj$"$k$C$]$$!#
san diego$B$G$d$C$?;~$O manual $B$@$C$?$+$J!)
$B$=$&$G$9(itojun)
prasad$B7/$O%$%s%I$K5"$C$F$k$N$GMh$J$$!#
F-Secure VPN+ 5.40
Tue Aug 14 19:44:15 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 AES + SHA1, group 5, lifetime = 2min
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 AES + SHA1 + deflate, group 5, lifetime = 2min
$B$I$A$i$bLdBj$J$7!"rekey$B$bOK$B!#
IPComp + ESP tunnel mode (IP ESP IPComp IP payload)$B$r$d$m$&$H$7$F
ipcomp/tunnel//use esp/transport//use$B$H%]%j%7$r=q$$$?$i!"
IKE phase 2$BE*$K
$B8~$3$&: IPComp tunnel, ESP tunnel
$B$3$C$A: IPComp tunnel, ESP transport
$B$Nproposal$B$rHf3S$7$F!"no proposal chosen$B$K$J$k!#$3$C$A$NLdBj
(bundle$B$N<h$j07$$)
$B$G$C$+$$DH group$B!"phase 1 SHA2-256/AES$B$b$G$-$k$i$7$$!#8e$G$d$j$?$$!#
(modp4096, phase 1 aes $B$Ook)
Fri Aug 17 11:00 EEST 2001
phase1: aggressive mode modp4096, aes, sha1, rsa signature
phase2: pfs 5, esp tunnel, aes, hmac sha1
aes for phase1 $B$bOK.
f-secure$B$OsubjectAltName$B$K%"%I%l%9=q$+$J$$$H%Q%1%C%H$@$;$J$$!#
invalid signature$B$Gf-secure$B$KE\$i$l$F<:GT!#860xITL@!#
-> f-secure$B$OsubjectAltName$B$r1$B$D$7$+<u$1$D$1$J$$!#
$B>ZL@=q$r:n$jD>$7$F@.8y!#
DH$B8x3+>pJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b
SecGo CryptoIP v3
Tue Aug 14 21:41:36 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 blowfish, group 5, lifetime = 2min
phase 2 AES$B$b;n$=$&$H$7$?$,<:GT(SecGo$BB&$,12$B0J30$Nalgorithm #$B$r
$B;H$C$F$$$? or $B%3%s%Q%$%k$7$F$J$+$C$?)$B!#rekey$B$b$d$C$F$_$?!#
phase 1 AES$B$b$G$-$k$i$7$$(SSH toolkit$B;HMQ)$B!#
Wed Aug 15 00:16:35 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, lifetime = 10min
phase 2 AES, lifetime = 2min
tested rekey as well.
Oullim information technologies SECUREWORKS VPN gateway 3.0
Tue Aug 14 21:48:36 JST 2001
phase 2 AES/blowfish$B$O$I$&$@$M$H%J%s%Q$7$F$_$k$b!"not ready$B!#
$BL@F|$+L@8eF|$M$H$N$3$H!#
Wed Aug 15 17:15:09 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B<:GT!#@hJ}$,AES$B$N$H$-$KESP ICV check$B$K<:GT$9$k!#
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + MD5, group 2, lifetime = 2min
$B$*$J$8$/<:GT
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 3DES + MD5, group 2, lifetime = 2min
$B@.8y!#
$B@hJ}$,$3$&$$$&$NEj$2$F$/$k$N$G!"$3$C$A$OE\$k(id payload$B$N=g=x$,
$BIaDL$G$O$J$$)$B!#
>11:59.824877 130.233.10.30:500 -> 130.233.9.166:500: isakmp 1.0 msgid 75973360: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=ipsec-esp transform=1 spi=6fd60ca5
> (t: #1 id=3des (type=lifetype value=sec)(type=life value=0078)(type=enc mode value=tunnel)(type=auth value=hmac-md5)(type=group desc value=modp1024))))
> (nonce: n len=16)
> (ke: key len=128)
> (id: idtype=IPv4 protoid=0 port=0 len=4 130.233.9.166)
> (id: idtype=IPv4net protoid=0 port=0 len=8 192.168.10.0/255.255.255.0)
Wed Aug 15 18:39:11 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES, group 2, lifetime = 2min
IKE$BE*$K$OBg>fIW!#IPsec$BE*$K$^$@BLL\!#
Wed Aug 15 19:09:05 JST 2001
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES, group 2, lifetime = 2min
IPv4, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B8~$3$&$,AES code$B$r=$@5$7$?!#IKE$BE*$K$bIPsec$BE*$K$bBg>fIW!#
rekey$B$b0l1~@.8y($B8~$3$&$Oreal lifetime == soft, real * 1.2 == hard$B$H$+$K
$B@_Dj$7$F$$$k$N$G$A$g$C$H%X%s$@$C$?$1$I)$B!#
Thu Aug 16 22:01:57 JST 2001
$B$b$&$$$A$I!#$"$H$OID payload$B$N=g=x$@$1!#
Fri Aug 17 02:00 JST$B:"
$B:FD)@o!#@.8y!#
Trilogy AdmitOne 2.6
Tue Aug 14 21:58:01 JST 2001
30$BJ,8e$H8@$o$l$?!#
Wed Aug 15 01:53:42 JST 2001
$BL@F|!#
Wed Aug 15 16:09:50 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 1, lifetime = 10min
phase 2 AES + SHA1, group 1, lifetime = 2min
Trilogy$BB&$OIKE phase 2$B$Nkey length$B$,byte$BC10L$@$H;W$C$F$$$k$i$7$/
negotiation$B<:GT!#=$@58e:FD)@o!#
Wed Aug 15 17:40:05 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 1, lifetime = 10min
phase 2 AES + SHA1, group 1, lifetime = 2min
$B:FD)@o!#$3$A$i$,initiator$B$N$H$-$O$&$^$/$$$/!#$"$A$i$,initiator$B$N
$B>l9g!"id payload$B$Kproto=icmp$B$,Kd$^$C$F$*$j!"$3$A$i$Nkernel policy
proto=any$B$Kmatch$B$;$:no policy found$B$K$J$k!#MW=$@5!#
>spdadd 130.233.9.166 130.233.10.167 any -P out ipsec esp/transport//use;
>spdadd 130.233.10.167 130.233.9.166 any -P in ipsec esp/transport//use;
>35:45.215745 130.233.10.167:500 -> 130.233.9.166:500: isakmp 1.0 msgid dba05304: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #1 protoid=ipsec-esp transform=1 spi=dba05304
> (t: #1 id=aes (type=lifetype value=sec)(type=life value=7080)(type=lifetype value=kb)(type=life value=2000)(type=
>group desc value=modp768)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=keylen value=0080))))
> (nonce: n len=64)
> (ke: key len=96)
> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.10.167)
> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.9.166)
>2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1951:get_proposal_r(): get a src address from ID payload 130.233.10.167[0] prefixlen=32 ul_proto=1
>2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1956:get_proposal_r(): get dst address from ID payload 130.233.9.166[0] prefixlen=32 ul_proto=1
>2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca408: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=any dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
>2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca808: 130.233.9.166/32[0] 130.233.10.167/32[0] proto=any dir=out
>2001-08-15 17:35:45: ERROR: isakmp_quick.c:1979:get_proposal_r(): no policy found: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in
ZyXEL
Tue Aug 14 12:00 ESST 2001
phase1 main mode, pre-shared key, des, sha1, dh1
phase2 esp, des, sha1, tunnel
$BLdBj$J$7!#proposal$B$O1$B$D$@$1<u$1$D$1$k!#rekey$B$O$G$-$J$$!#
III
Tue Aug 14 14:00 ESST 2001
phase1 main mode, pre-shared key, 3des, md5, dh2
phase2 esp, des, md5, tunnel
$BLdBj$J$7!#proposal$B$O1$BHVL\$r;H$&!#rekey$B$O$G$-$J$$!#
$BBfOQ$N>e;J$KKAME$B$H%F%9%H$7$F$3$$$H8@$o$l$?$i$7$$!#
WindowsXP
Tue Aug 14 20:00
phase1 main mode, pre-shared key, 3des, sha1, modp3072
phase2 esp, 3des, sha1, transport
modp3072$B$d$m$&$h$H%J%s%Q$5$l$k!#
dh$B$N7W;;: fbsd43 P100MHz$B$GLs7(s)
XP P2 200MHz$B$GLs9(s)
$BL@F|M<J} RSA signature mode$B$G:F@o!#
$B5"$C$A$c$C$?$N$G$G$-$J$$!#
Ashley
Tue Aug 14 18:00
invalid-signature$B$HJ86g$r8@$o$l$k!#
$B8_$$$K ssh-ca1$B$+$i=pL>$7$F$b$i$C$?$H8@$C$F$k$,!"
$B<B$Otest-ca1.ssh.com$B$Hbakeoff-ca1.ssh.com$B$N2$B$D$"$k;v$,H=L@!D
test-ca1.ssh.com$B$KE}0l$7$F:F@oM=Ls
Fri Aug 17 10:30
Ashley$B<BAu$Kpkcs#1 padding$B$NLdBj$"$j!#%M%4$G$-$:!#
Netoctave
Wed Aug 15 11:00
$B$3$C$A$, initiate$B$9$k$H no-proposal-chosen$B$,5"$C$F$/$k!#
$BE($+$iping$B$7$F$b$i$&$HIKE$B$N%Q%1%C%H$,=P$J$$!#
$B>u673NG'$7$F$b$i$C$F8e$+$i:F@o$9$kM=Dj!#
isakmpd (jakob@openbsd)
Tue Aug 14
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$BLdBj$J$7!#
Wed Aug 15 21:25:49 JST 2001
IPv6, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 10min
phase 2 AES + SHA1, group 2, lifetime = 2min
$B8~$3$&$Omain mode$B$GFQDN$B$rID$B$K;H$$$?$,$C$?$,!"$3$&$$$&%(%i!<$GE\$i$l$k!#
sakane$B$O$3$l$Owg$B$G$N9g0U$H;W$C$F$$$k$,!"MW3NG'!#
2001-08-15 21:14:41: ERROR: ipsec_doi.c:3063:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Fri Aug 17 10:00
rsa signature.
$BLdBj$J$7!#
isakmpd$B$O subjectAltName$B$r1$B$D$7$+<u$1$D$1$J$$!#
Fitec
Wed Aug 15 13:00
RSA signature
invalid-authentication $B$GD7$M$i$l$k!#$$$h$$$h$3$C$A$NLdBj$+...
KeyUsage $B$rIKE$B$K$7$H$+$J$$$HE\$i$l$k!#
$BB>$N<BAu$H$&$^$/$$$+$J$$$N$O!"$3$l$,860x$+!)
$B$=$&$G$b$J$5$=$&!"openssl$B$NLdBj$+$b!#
openssl 0.9.6 $B$K$7$?$i@.8y!#0c$$$,J,$+$i$:!#
SSH
IPv6$B$@$1$d$C$?
ssh solaris version:
ssh$BB&: IKE$B$N%Q%1%C%H$,=P$J$$!#
nd cache$B$NLdBj$+!)
tcp$B$@$1$N%]%j%7$G$bIKE$B$N%Q%1%C%H$,=P$;$J$$!#
solaris$B$Ostatic cache entry$BF~$l$k%3%^%s%I$,$J$$$i$7$$!#
$B0lC6ping6$B$7$Fcache$B$r:n$C$?5$$K$J$C$F$bNS$B$r=P$=$&$H$9$k!#
$B860xD4::$9$k$+$i:F@o$7$F$M$H8@$o$l$k!#
$B:F@o. $BLdBj$J$7
$BBt;3$Nphase2 proposal(43440B$B$NUDP$B%Q%1%C%H)$B$r<u$1$k$H
racoon $B$^$G%Q%1%C%H$,>e$,$C$FMh$J$$!#
500 proposal$B$rEj$2$F$/$k!#proposal#$B$O1byte$B$J$N$GCF$/$Y$-!#
racoon$B$O:G=i$KA4It%Q!<%9$7$F$k$_$?$$!#
RSA signature mode
ssh$BB&$Kpublic key$B7W;;$KLdBj$"$C$?!#D>$7$FOK
ssh$B$Ossh-test-ca1$B$,%5%$%s$7$?>ZL@=q$r;H$$!"
racoon$B$Ofujixerox$B$,%5%$%s$7$?>ZL@=q$G$bOK
AES phase1 $B$,$&$^$/$$$+$J$$!#4V0c$$$J$/racoon$B$NLdBj!#($BD>$7$FF0:n3NG':Q)
phase1 proposal$B$N%Q!<%9$KCn$,$$$k$+$b!#MW3NG'
freeswan
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min
IPComp$B$K$OLdBj$J$7!#
$B@hJ}$,initiate$B$7$F$-$?$H$-$KLdBj$"$j!#phase 2$B$G!"ipcomp enc mode$B$,
$BL5;XDj$N>l9g!"ipcomp$B$N>l9g$@$1$Otransport$B$H;W$o$J$1$l$P$J$i$J$$!#
$B$,!"racoon$B$O8=>u$3$l$rRFC2407$BE*$K(Any$B$H$7$F)$B<h$j07$&!#$N$G!"no
proposal chosen$B$K$J$k!#
RFC2407$B$+$i$9$k$H!"enc mode unspecified == transport$B$G$b$h$$$h$&$J
$B5$$,$9$k$,... ("host-dependent"$B$C$F=q$$$F$"$k$+$i)
RFC2407
> Encapsulation Mode
> RESERVED 0
> Tunnel 1
> Transport 2
>
> Values 3-61439 are reserved to IANA. Values 61440-65535 are
> for private use.
>
> If unspecified, the default value shall be assumed to be
> unspecified (host-dependent).
draft-shacham-ippcp-rfc2393bis-08.txt
> Encapsulation Mode
>
> To propose a non-default Encapsulation Mode (such as Tunnel
> Mode), an IPComp proposal MUST include an Encapsulation Mode
> attribute. If the Encapsulation Mode is unspecified, the
> default value of Transport Mode is assumed.
>42:28.211568 130.233.9.175:500 -> 130.233.9.166:500: isakmp 1.0 msgid 6935cbd8: phase 2/others ? oakley-quick:
> (hash: len=20)
> (sa: doi=ipsec situation=identity
> (p: #0 protoid=ipsec-esp transform=2 spi=3a47a3e7
> (t: #0 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-md5))
> (t: #1 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-sha1)))
> (p: #0 protoid=ipcomp transform=1 spi=ac23
> (t: #0 id=deflate (type=lifetype value=sec)(type=life value=7080))))
> (nonce: n len=16)
> (ke: key len=192)
>2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1024:get_ph2approvalx(): peer's single bundle:
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=3a47a3e7 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=2 spi=0000ac23 spi_p=00000000 encmode=Any reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE)
>2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1027:get_ph2approvalx(): my single bundle:
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
>2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
>2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE)
>2001-08-15 16:42:28: ERROR: proposal.c:497:cmpsatrns(): authtype mismatched: my:1 peer:2
>2001-08-15 16:42:28: ERROR: proposal.c:365:cmpsaprop_alloc(): IPComp SPI size promoted from 16bit to 32bit
>2001-08-15 16:42:28: ERROR: proposal.c:378:cmpsaprop_alloc(): encmode mismatched: my:2 peer:0 <-----
Thu Aug 16 16:49:08 JST 2001
IPv4, IPComp + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 10min
phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min
$B:FD)@o!#=$@5$G$-$?$3$H$r3NG'!#
netopia
Wed Aug 15 19:00 JST$B:"
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 3DES + SHA1, group 2, lifetime = 1h
KAME$B%Y!<%9<BAu!#CPU$B$,$7$g$\$$$i$7$/D-H$B$K5$BIC$/$i$$$+$+$C$F$I$-$I$-$9$k!#
bug report$B$J$I$"$C$?$iAw$C$F$b$i$&$h$&$*4j$$$9$k!#
Ericsson
Wed Aug 15 20:30 JST$B:"
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 AES + SHA1, group 2, lifetime = 1h
$B@.8y
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 blowfish + SHA1, group 2, lifetime = 1h
$B<:GT!#blowfish$B!"$3$C$A$,$o$N80$N@8@.$,$*$+$7$$(= $BD9$$80$N>l9g)$B!#
IPv6, ESP, transport mode
phase 1 3DES + SHA1, group 2, lifetime = 24h
phase 2 3DES + SHA1, group 2, lifetime = 1h
$B<:GT!#ericsson$BB&!"ND$B$,$*$+$7$$!#
Nokia EPOC
Wed Aug 15 20:51:25 JST 2001
IPv6, ESP, tunnel mode
phase 1 3DES + SHA1, group 2, lifetime = 3600min
phase 2 3DES + SHA1 + deflate, group 2, lifetime = 2min
IPsec key$B$bF~$k$,!"@hJ}$N%]%j%7LdBj$Gping$B$OJV$i$J$$!#
Trustworks TrustedClient v3.2
Thu Aug 16 20:17:51 JST 2001
IPv6, AH + ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 3DES + SHA1, group 5, lifetime = 2min
$B@hJ}$,responder$B$N$H$-!"808r49$,=*N;$7$?=V4V@hJ}$NIKE daemon$B$,panic$B!#
$B$^$"808r49<+BN$O$G$-$F$$$k$h$&$@!#
Nortel GatewayController/CallServer 2000 (not released yet)
Fri Aug 17 00:16:23 JST 2001
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 AES + SHA1, group 5, lifetime = 2min
Nortel$BB&initiator: round=10$B$H$$$&attribute$B$r$D$1$F$/$k$N$Gno proposal
chosen
KAME$BB&initiator: id payload$BH4$-(ip address$B;H$()$B$@$HNortel$BB&$O
$B$X$/$k$N$GBLL\
IPv4, ESP, transport mode
phase 1 3DES + SHA1, group 5, lifetime = 3min
phase 2 3DES + SHA1, group 5, lifetime = 2min
Nortel$BB&initiator: ok
KAME$BB&initiator: id payload$BH4$-$@$HNortel$BB&$O$X$/$k$N$GBLL\