Thanks for the clarification. Indeed I can see in the traces that obsd isakmpd accepts 61443 and sends out its reply with the same value.
But it uses 3, if it initiates the exchange. If so, I would guess that is the reason for the 'NO PROPOSAL CHOSEN' messages.

Can I configure 61443 as encapsulation mode in isakmpd.conf?

Thanks again

Christoph

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Stuart Henderson
> Sent: Tuesday, 25 November 2008 11:51
> To: misc@openbsd.org
> Subject: Re: ISAKMPD <-> cisco : attribute ENCAPSULATION_MODE = 61443 (unknown)
>
>
> On 2008-11-25, Christoph Leser <[EMAIL PROTECTED]> wrote:
> > I see the above message in the tcpdump of /var/run/isakmpd.pcap, when
> > a cisco router establishes quick mode to my openbsd. The connect works
> > ok, just wondering what this message could mean. I have only seen
> > 'ENCAPSULATION MODE = TUNNEL' in this context.
>
> That's the encapsulation mode used by
> draft-ietf-ipsec-nat-t-ike. The non-draft version uses 3 not 61443.
>
> (There is also 61433 used by some broken Watchguard products).
>
> > As connect setup fails in the opposite direction ( with NO PROPOSAL
> > CHOSEN from cisco ), using the same parameters.
>
> You need a lot more information to work out what's happening here.
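
Added example, not part of the original messages and not isakmpd code: a Python decoder for the data attributes of a Quick Mode transform that extracts ENCAPSULATION_MODE and reports which NAT-T specification the number belongs to. The attribute bytes are constructed samples; the TV/TLV layout is taken from RFC 2408, and the values 4 and 61444 come from RFC 3947 and the draft rather than from the thread.

```python
import struct

ENCAPSULATION_MODE = 4  # IPsec DOI (RFC 2407) attribute class

# Value -> (meaning, where it is defined). 61433 is listed only because
# the reply above mentions it.
MODES = {
    1: ("Tunnel", "RFC 2407"),
    2: ("Transport", "RFC 2407"),
    3: ("UDP-Encapsulated-Tunnel", "RFC 3947"),
    4: ("UDP-Encapsulated-Transport", "RFC 3947"),
    61443: ("UDP-Encapsulated-Tunnel", "draft-ietf-ipsec-nat-t-ike"),
    61444: ("UDP-Encapsulated-Transport", "draft-ietf-ipsec-nat-t-ike"),
    61433: ("vendor value", "Watchguard, per the thread"),
}

# Constructed samples: life type, life duration (TLV), encapsulation
# mode, authentication algorithm. Only the third attribute differs.
SAMPLE_DRAFT = bytes.fromhex("80010001" "0002000400000e10" "8004f003" "80050002")
SAMPLE_RFC = bytes.fromhex("80010001" "0002000400000e10" "80040003" "80050002")

def parse_attributes(buf):
    """Yield (type, value_bytes) for each ISAKMP data attribute."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        if attr_type & 0x8000:      # AF=1: the second field is the value
            yield attr_type & 0x7FFF, struct.pack("!H", lv)
        else:                       # AF=0: the second field is a length
            if off + lv > len(buf):
                raise ValueError("truncated attribute value")
            yield attr_type, buf[off:off + lv]
            off += lv

def encapsulation_mode(buf):
    """Return (number, meaning, defining spec), or None if absent."""
    for attr_type, value in parse_attributes(buf):
        if attr_type == ENCAPSULATION_MODE:
            number = int.from_bytes(value, "big")
            meaning, spec = MODES.get(number, ("unknown", "unassigned"))
            return number, meaning, spec
    return None

if __name__ == "__main__":
    for label, sample in (("draft", SAMPLE_DRAFT), ("rfc", SAMPLE_RFC)):
        print(label, encapsulation_mode(sample))
```

Running it over the attribute bytes of each side's proposal shows whether the two peers are offering the draft number or the RFC number.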