From owner-freebsd-security@FreeBSD.ORG Mon Jul 26 07:23:19 2004
Date: Mon, 26 Jul 2004 09:23:13 +0200
From: Nicolas Rachinsky
To: freebsd-security@freebsd.org
Subject: Fw: init scripts and su
Message-ID: <20040726072312.GA61352@pc5.i.0x5.de>
Mail-Followup-To: freebsd-security@freebsd.org
User-Agent: Mutt/1.5.6i

Hello,

I think the same problem exists in our rc.d scripts.

Nicolas

----- Forwarded message -----

From: Russell Coker
Reply-To: russell@coker.com.au
Subject: init scripts and su
Date: Mon, 26 Jul 2004 14:53:56 +1000
To: debian-devel@lists.debian.org
Cc: debian-security@lists.debian.org
Message-Id: <200407261453.56729.russell@coker.com.au>
User-Agent: KMail/1.6.2

The start scripts for some daemons do "su - user" or use "start-stop-daemon -c" to launch the daemon, postgresql is one example. During the time between the daemon launch and it closing its file handles and calling setsid(2) (which some daemons don't do because they are buggy) any other code running in the same UID could take over the process via ptrace, fork off a child process that inherits the administrator tty, and then stuff characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).

To address these issues for Fedora I have written a program named init_su. init_su closes all file handles other than 1 and 2 (stdout and stderr). File handles 1 and 2 are fstat()'d, if they are regular files or pipes then they are left open (no attack is possible through a file or pipe), otherwise they are closed and /dev/null is opened instead. /dev/null is opened for file handle 0 regardless of what it might have pointed to previously.
Then setsid() is called to create a new session for the process (make it a group leader), this invalidates /dev/tty. Then the uid is changed and the daemon is started.

I have attached the source code to init_su, please check it out and tell me what you think. After the discussion concludes I will write a patch for start-stop-daemon to give similar functionality.

(*) On system boot and shutdown there is no problem. It's when the administrator uses /etc/init.d/postgresql to start or stop the database that there is potential for attack.

http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html

I have also started a similar discussion on the Fedora development list about this issue, see the above URL.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

----- End forwarded message -----
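The launcher behaviour the forwarded message describes, as an added example written for this page in C. It is not Russell's init_su (that source was an attachment the archive does not carry) and not Debian's start-stop-daemon; it follows the stated policy: close everything above fd 2, keep fd 1 and 2 only when fstat() reports a regular file or a pipe, put /dev/null on fd 0 unconditionally and on 1 and 2 otherwise, call setsid(), switch to the target user, exec the daemon. The program name initsu_example, the command-line layout, the fork fallback when setsid() fails with EPERM, the initgroups() call and the setuid(0) re-check are this example's own choices, not something the message specifies.

```c
/* initsu_example.c: init_su-style launcher, written as an added example for
 * this page. Not Russell Coker's init_su and not start-stop-daemon.
 * Policy from the message: close every fd above 2; keep fd 1 and 2 only if
 * fstat() says regular file or pipe; /dev/null on fd 0 always and on 1/2
 * otherwise; setsid(); switch to the target user; exec. The fork fallback
 * on EPERM, initgroups() and the setuid(0) re-check are this example's own
 * additions (assumptions, not part of the original description). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is a regular file or a pipe/FIFO (nothing to inject into),
 * 0 for a tty, socket, device, or a descriptor that is not open. */
int fd_is_file_or_pipe(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode);
}

/* Make fd refer to /dev/null (read side for fd 0, write side otherwise).
 * Works whether or not fd is currently open. Returns 0, or -1 with errno. */
int redirect_to_devnull(int fd, int for_writing)
{
    int nul = open("/dev/null", for_writing ? O_WRONLY : O_RDONLY);
    if (nul < 0)
        return -1;
    if (nul == fd)              /* fd was closed and open() landed on it */
        return 0;
    int rc = dup2(nul, fd) < 0 ? -1 : 0;
    close(nul);
    return rc;
}

/* Apply the descriptor policy to the whole table. */
int sanitize_stdio(void)
{
    struct rlimit rl;
    int maxfd = 1024;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = (int)rl.rlim_cur;
    for (int fd = 3; fd < maxfd; fd++)      /* nothing inherited above stderr */
        close(fd);
    if (redirect_to_devnull(0, 0) != 0)     /* a daemon never needs the admin's keyboard */
        return -1;
    for (int fd = 1; fd <= 2; fd++)         /* log output to a file or pipe may stay */
        if (!fd_is_file_or_pipe(fd) && redirect_to_devnull(fd, 1) != 0)
            return -1;
    return 0;
}

/* New session, so /dev/tty no longer names the administrator's terminal,
 * then drop to user. setsid() fails with EPERM if we already lead a process
 * group; this example forks once in that case. */
int detach_and_drop(const char *user)
{
    if (setsid() < 0) {
        if (errno != EPERM)
            return -1;
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid > 0)
            _exit(0);
        if (setsid() < 0)
            return -1;
    }
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0
        || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) { /* privileges must be gone for good */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user daemon [args...]\n", argv[0]);
        return 2;
    }
    if (sanitize_stdio() != 0 || detach_and_drop(argv[1]) != 0) {
        perror("initsu_example");
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

Run it as root from the init script in place of "su - user", e.g. ./initsu_example postgres /path/to/postmaster -D /path/to/data (paths illustrative). To see whether a daemon started by hand still holds the administrator's terminal, list its descriptors: fstat -p <pid> on FreeBSD, ls -l /proc/<pid>/fd on Linux; a tty among them is the handle the TIOCSTI trick needs. The wrapper does not stop a same-UID process from ptrace-ing the daemon; it removes what that process could do with it, since there is no tty descriptor left and, after setsid(), no controlling terminal for /dev/tty to resolve to.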
From owner-freebsd-security@FreeBSD.ORG Tue Jul 27 01:37:15 2004
Date: Mon, 26 Jul 2004 20:34:58 -0500
From: Lewey Taylor
To: freebsd-security@freebsd.org
Subject: Cisco IOS and racoon
Message-Id: <1090892097.7219.0.camel@localhost>
X-Mailer: Ximian Evolution 1.4.6

I am trying to get a tunnel from a Cisco 1760 with IOS 12.2.15.t13 to a FreeBSD 4.9 install with racoon. I have package version freebsd-20040408a and internal version 20001216 in my log file. I posted the full racoon and Cisco log below my configs.

Racoon keeps saying:

2004-07-26 16:24:03: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:24:03: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2004-07-26 16:24:03: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id)
2004-07-26 16:24:03: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload

My Cisco config is:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key donttell address 1.1.1.1 no-xauth
!
crypto ipsec security-association lifetime seconds 6000
!
crypto ipsec transform-set MB esp-3des esp-md5-hmac
!
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
 description BBE Map
 set peer 1.1.1.1
 set security-association lifetime seconds 10000
 set transform-set MB
 set pfs group2
 match address 109
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.3.1 255.255.255.0
 speed auto
!
interface FastEthernet0/0.1
!
interface Serial0/0
 ip address 2.2.2.2 255.255.255.252
 service-module t1 timeslots 1-24
 crypto map FreeBSDIPSEC-MAP
!
ip default-gateway 2.2.2.3
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.3
no ip http server
no ip http secure-server
!
!
!
access-list 109 permit ip 10.0.3.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 109 permit ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255

My racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug2;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	isakmp 1.1.1.1 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous
{
	#exchange_mode main,aggressive;
	exchange_mode main,base,aggressive;
	doi ipsec_doi;
	#situation identity_only;

	my_identifier user_fqdn "bbedevil";
	peers_identifier user_fqdn "bbeameliarouter";

	nonce_size 16;
	lifetime time 10000 sec;
	initial_contact on;
	support_mip6 on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

sainfo anonymous
{
	pfs_group 2;
	lifetime time 10000 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

My spdadd

#! /bin/sh
#spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
#spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
case "$1" in
start)
	setkey -F
	setkey -FP
	setkey -c <&2
	;;
esac
exit 0

My racoon error.log

2004-07-26 16:23:15: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-07-26 16:23:15: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-07-26 16:23:15: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <3>
2004-07-26 16:23:15: DEBUG2: cftoken.l:179:yylex(): begin <11>padding
2004-07-26 16:23:15: DEBUG2: cftoken.l:183:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:181:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:286:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:184:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:286:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:185:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:286:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <11>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <3>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <3>
2004-07-26 16:23:15: DEBUG2: cftoken.l:189:yylex(): begin <13>listen
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:191:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:435:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:299:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <13>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <3>
2004-07-26 16:23:15: DEBUG2: cftoken.l:197:yylex(): begin <15>timer
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:199:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:200:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:379:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:201:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:202:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:379:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:203:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:379:yylex(): <15>
2004-07-26 16:23:15: DEBUG2: cftoken.l:228:yylex(): begin <25>remote
2004-07-26 16:23:15: DEBUG2: cftoken.l:229:yylex(): <25>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:233:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:236:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:234:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:235:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:234:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:237:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:238:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:239:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:474:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:245:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:367:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:420:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:246:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:367:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:420:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:256:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:268:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:269:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:379:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:260:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:285:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:258:yylex(): <27>
2004-07-26 16:23:15: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:63: "support_mip6" it is obsoleted. use "support_proxy".
2004-07-26 16:23:15: DEBUG2: cftoken.l:285:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:261:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:262:yylex(): <27>
2004-07-26 16:23:15: DEBUG2: cftoken.l:272:yylex(): begin <29>proposal
2004-07-26 16:23:15: DEBUG2: cftoken.l:278:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:319:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:280:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:339:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:279:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:358:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:281:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <29>
2004-07-26 16:23:15: DEBUG2: cfparse.y:1247:set_isakmp_proposal(): lifetime = 10000
2004-07-26 16:23:15: DEBUG2: cfparse.y:1250:set_isakmp_proposal(): lifebyte = 0
2004-07-26 16:23:15: DEBUG2: cfparse.y:1253:set_isakmp_proposal(): encklen=0
2004-07-26 16:23:15: DEBUG2: cfparse.y:1316:expand_isakmpspec(): p:1 t:1
2004-07-26 16:23:15: DEBUG2: cfparse.y:1320:expand_isakmpspec(): 3DES-CBC(5)
2004-07-26 16:23:15: DEBUG2: cfparse.y:1320:expand_isakmpspec(): MD5(1)
2004-07-26 16:23:15: DEBUG2: cfparse.y:1320:expand_isakmpspec(): 1024-bit MODP group(2)
2004-07-26 16:23:15: DEBUG2: cfparse.y:1320:expand_isakmpspec(): pre-shared key(1)
2004-07-26 16:23:15: DEBUG2: cfparse.y:1327:expand_isakmpspec():
2004-07-26 16:23:15: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2004-07-26 16:23:15: DEBUG2: cftoken.l:207:yylex(): begin <21>sainfo
2004-07-26 16:23:15: DEBUG2: cftoken.l:208:yylex(): <21>
2004-07-26 16:23:15: DEBUG2: cftoken.l:216:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:219:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:220:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:390:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:379:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:222:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:319:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:223:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:332:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:224:yylex(): <23>
2004-07-26 16:23:15: DEBUG2: cftoken.l:346:yylex(): <23>
2004-07-26 16:23:15: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2004-07-26 16:23:15: DEBUG2: cfparse.y:1429:cfparse(): parse successed.
2004-07-26 16:23:15: INFO: isakmp.c:1368:isakmp_open(): 1.1.1.1[500] used as isakmp port (fd=5)
2004-07-26 16:23:15: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-07-26 16:23:15: DEBUG2: plog.c:193:plogdump():
02120000 0f000100 01000000 0f020000 03000500 04180000 10020000 0a000300
00000000 00000000 03000600 04180000 10020000 0a000100 00000000 00000000
07001200 02000100 02000000 00000000 28003200 02020000 10020000 43203c92
00000000 00000000 10020000 43203c36 00000000 00000000
2004-07-26 16:23:15: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-07-26 16:23:15: DEBUG2: plog.c:193:plogdump():
02120000 0f000100 00000000 0f020000 03000500 04180000 10020000 0a000a00
00000000 00000000 03000600 04180000 10020000 0a000300 00000000 00000000
07001200 02000200 01000000 00000000 28003200 02020000 10020000 43203c36
00000000 00000000 10020000 43203c92 00000000 00000000
2004-07-26 16:23:15: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff9b8: 10.0.10.0/24[0] 10.0.3.0/24[0] proto=4 dir=out
2004-07-26 16:23:15: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a2c08: 10.0.3.0/24[0] 10.0.1.0/24[0] proto=4 dir=in
2004-07-26 16:23:22: DEBUG: isakmp.c:233:isakmp_handler(): ===
2004-07-26 16:23:22: DEBUG: isakmp.c:234:isakmp_handler(): 120 bytes message received from 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
77260cb1 24e74d13 00000000 00000000 01100200 00000000 00000078 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020001
80040002 80030001 800b0001 800c2710 0d000014 7d9419a6 5310ca6f 2c179d92
15529d56 00000014 90cb8091 3ebb696e 086381b5 ec427b1f
2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:23:22: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 2.2.2.2[500].
2004-07-26 16:23:22: DEBUG: isakmp.c:899:isakmp_ph1begin_r(): ===
2004-07-26 16:23:22: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2004-07-26 16:23:22: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-07-26 16:23:22: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=1(sa)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed.
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1117:get_proppair(): total SA len=48
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020001
80040002 80030001 800b0001 800c2710
2004-07-26 16:23:22: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=2(prop)
2004-07-26 16:23:22: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed.
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=40
2004-07-26 16:23:22: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns)
2004-07-26 16:23:22: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed.
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=32
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2004-07-26 16:23:22: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=MD5
2004-07-26 16:23:22: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(md5)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2004-07-26 16:23:22: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=10000
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1213:get_proppair(): pair 1:
2004-07-26 16:23:22: DEBUG: proposal.c:895:print_proppair0(): 0x80a8dd0: next=0x0 tnext=0x0
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:1248:get_proppair(): proposal #1: 1 transform
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=MD5
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=10000
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 10000:10000)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0)
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = MD5:MD5
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1024-bit MODP group
2004-07-26 16:23:22: DEBUG: ipsec_doi.c:248:get_ph1approval(): an acceptable proposal found.
2004-07-26 16:23:22: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2004-07-26 16:23:22: DEBUG: isakmp.c:2006:isakmp_newcookie(): new cookie: e352ee142f02e4f2
2004-07-26 16:23:22: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 48, next type 1
2004-07-26 16:23:22: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 13
2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:23:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 100 bytes message will be sent to 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
77260cb1 24e74d13 e352ee14 2f02e4f2 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020001
80040002 80030001 800b0001 800c2710 00000014 7003cbc1 097dbe9c 2600ba69
83bc8b35
2004-07-26 16:23:22: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2
2004-07-26 16:23:22: DEBUG: isakmp.c:233:isakmp_handler(): ===
2004-07-26 16:23:22: DEBUG: isakmp.c:234:isakmp_handler(): 256 bytes message received from 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 00000100 0a000084
7cda6ebd d8f6e21d 3d39cbc5 52a3e564 d119a7cf c16164a3 cbfee711 2f40edb3
3d234f52 a66b11ac 57374d1c ab1c658d 1f1aa6c3 0fa6e476 3bd5f898 5ae8836b
1d7117e2 55186f70 462fadc7 0c71a9f4 445da4e7 92a3aee8 30293d7a 98a9cdcf
e8b367c6 0133fc87 75b708e4 7cf6afba 47ec96e6 30ab0f33 3fd05435 0d54ecff
0d000018 5dfca701 956f4c3b 22b474e9 8c80ac6a ca6bb414 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100
0d000014 82e1abac 24e64d13 946773ca 77f7fe51 0000000c 09002689 dfd6b712
2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:23:22: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=4(ke)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=10(nonce)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=13(vid)
2004-07-26 16:23:22: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed.
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
2004-07-26 16:23:22: DEBUG: isakmp.c:633:ph1_main(): ===
2004-07-26 16:23:22: DEBUG: oakley.c:300:oakley_dh_generate(): compute DH's private.
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
5cb32b6c 3e9febc3 cb777a15 eb049ce2 af60588b e214f80a 4d66df7b 1b5a26fc
766653b1 003fa259 d79a535c f058b6b8 d538319e abf71adf 02581d58 d73a1f51
c1a2b67a 9c6679b1 5b8b7850 63cbfdd0 f9639b97 35f96eef d1a8ee09 c8601300
a0d62f2d bf777d05 4e23592a e7995311 ac35184f b09dac2f ecb4b1a0 c1661e3b
2004-07-26 16:23:22: DEBUG: oakley.c:302:oakley_dh_generate(): compute DH's public.
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff
bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a
730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6
071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde
2004-07-26 16:23:22: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 128, next type 4
2004-07-26 16:23:22: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 10
2004-07-26 16:23:22: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 13
2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:23:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 000000c8 0a000084
5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff
bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a
730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6
071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde
0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c
2600ba69 83bc8b35
2004-07-26 16:23:22: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2
2004-07-26 16:23:22: DEBUG: oakley.c:250:oakley_dh_compute(): compute DH's shared.
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
c21a9cbd 3ae743af 5f192a54 cd8dfc36 9c52f78b 46034118 40cddd67 bac653c7
83d6eaa7 6a932acf 159aa5ce 539771ba be3758e7 c30d3144 d504590d 23d78696
aec8dd1a 63644f4a 97a634ba 3cdd9e16 d6d24d0c dbac61ef 43bf6bd8 0a8fb60c
84e7f5b6 07924df2 fbc791e2 1ee817be e1f284d7 a91f389e 534e4378 87bae3ca
2004-07-26 16:23:22: DEBUG: oakley.c:2104:oakley_skeyid(): the psk found.
2004-07-26 16:23:22: DEBUG2: oakley.c:2106:oakley_skeyid(): psk:
2004-07-26 16:23:22: DEBUG2: plog.c:193:plogdump():
646f6e74 74656c6c 09
2004-07-26 16:23:22: DEBUG: oakley.c:2119:oakley_skeyid(): nonce 1:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
5dfca701 956f4c3b 22b474e9 8c80ac6a ca6bb414
2004-07-26 16:23:22: DEBUG: oakley.c:2125:oakley_skeyid(): nonce 2:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
fcdeb51e a872e9f3 32fb0b9d 20262525
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2178:oakley_skeyid(): SKEYID computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
db29fe9b 5653409a 8fcdf873 bc86a047
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2235:oakley_skeyid_dae(): SKEYID_d computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
2a646ff0 3bc34de2 25fd5ddf 0757a73e
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2264:oakley_skeyid_dae(): SKEYID_a computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
7de0c436 ec679d9e db8a7a5d 27d24b5a
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2293:oakley_skeyid_dae(): SKEYID_e computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
db9aa285 c2e8a677 7ccad205 6c715386
2004-07-26 16:23:22: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2004-07-26 16:23:22: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2362:oakley_compute_enckey(): len(SKEYID_e) < len(Ka) (16 < 24), generating long key (Ka = K1 | K2 | ...)
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2387:oakley_compute_enckey(): compute intermediate encryption key K1
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
00
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
26608024 059a46b0 628febfe 8c7346ef
2004-07-26 16:23:22: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_md5)
2004-07-26 16:23:22: DEBUG: oakley.c:2387:oakley_compute_enckey(): compute intermediate encryption key K2
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
26608024 059a46b0 628febfe 8c7346ef
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
df13ef04 7d56da3e 206d090d afd4883b
2004-07-26 16:23:22: DEBUG: oakley.c:2435:oakley_compute_enckey(): final encryption key computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e
2004-07-26 16:23:22: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(md5)
2004-07-26 16:23:22: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2004-07-26 16:23:22: DEBUG: oakley.c:2546:oakley_newiv(): IV computed:
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
8ee7499c 701de062
2004-07-26 16:23:22: DEBUG: isakmp.c:233:isakmp_handler(): ===
2004-07-26 16:23:22: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 2.2.2.2[500]
2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump():
77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c bb8f2217
02104944 c9cfc9d8 49cacdf0 02f41bfa 77bdde66 2366bc28 4d3cd75b b7857b3d
8a00929b 20137047 433a2951 2f560ab3 4e3fa11b 613146f4 eb71529f
2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
2004-07-26 16:23:22: DEBUG: oakley.c:2666:oakley_do_decrypt(): begin decryption.
2004-07-26 16:23:22: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:22: DEBUG: oakley.c:2680:oakley_do_decrypt(): IV was saved for next processing: 2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:22: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:22: DEBUG: oakley.c:2705:oakley_do_decrypt(): with key: 2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump(): 26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e 2004-07-26 16:23:22: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV: 2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:22: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed. 2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump(): 2b7aada3 390dbdf3 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:22: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=167 2004-07-26 16:23:22: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding. 2004-07-26 16:23:22: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted. 2004-07-26 16:23:22: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c 2b7aada3 390dbdf3 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:22: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:23:22: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 
2004-07-26 16:23:22: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2004-07-26 16:23:22: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload 2004-07-26 16:23:32: DEBUG: isakmp.c:233:isakmp_handler(): === 2004-07-26 16:23:32: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 2.2.2.2[500] 2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c bb8f2217 02104944 c9cfc9d8 49cacdf0 02f41bfa 77bdde66 2366bc28 4d3cd75b b7857b3d 8a00929b 20137047 433a2951 2f560ab3 4e3fa11b 613146f4 eb71529f 2004-07-26 16:23:32: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:23:32: DEBUG: oakley.c:2666:oakley_do_decrypt(): begin decryption. 2004-07-26 16:23:32: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:32: DEBUG: oakley.c:2680:oakley_do_decrypt(): IV was saved for next processing: 2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:32: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:32: DEBUG: oakley.c:2705:oakley_do_decrypt(): with key: 2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): 26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e 2004-07-26 16:23:32: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV: 2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:32: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed. 2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:32: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=167 2004-07-26 16:23:32: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding. 2004-07-26 16:23:32: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted. 
2004-07-26 16:23:32: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:32: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:23:32: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2004-07-26 16:23:32: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2004-07-26 16:23:32: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload 2004-07-26 16:23:42: DEBUG: isakmp.c:233:isakmp_handler(): === 2004-07-26 16:23:42: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 2.2.2.2[500] 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c bb8f2217 02104944 c9cfc9d8 49cacdf0 02f41bfa 77bdde66 2366bc28 4d3cd75b b7857b3d 8a00929b 20137047 433a2951 2f560ab3 4e3fa11b 613146f4 eb71529f 2004-07-26 16:23:42: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:23:42: DEBUG: oakley.c:2666:oakley_do_decrypt(): begin decryption. 2004-07-26 16:23:42: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:42: DEBUG: oakley.c:2680:oakley_do_decrypt(): IV was saved for next processing: 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:42: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:23:42: DEBUG: oakley.c:2705:oakley_do_decrypt(): with key: 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e 2004-07-26 16:23:42: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV: 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:23:42: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed. 
2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:42: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=167 2004-07-26 16:23:42: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding. 2004-07-26 16:23:42: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted. 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:23:42: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:23:42: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2004-07-26 16:23:42: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2004-07-26 16:23:42: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload 2004-07-26 16:23:42: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500] 2004-07-26 16:23:42: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500] 2004-07-26 16:23:42: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500] 2004-07-26 16:23:42: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500] 2004-07-26 16:23:42: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 000000c8 0a000084 5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a 730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6 071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde 0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2004-07-26 16:23:42: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2 2004-07-26 
16:24:02: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500] 2004-07-26 16:24:02: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500] 2004-07-26 16:24:02: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500] 2004-07-26 16:24:02: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500] 2004-07-26 16:24:02: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 000000c8 0a000084 5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a 730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6 071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde 0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2004-07-26 16:24:02: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2 2004-07-26 16:24:03: DEBUG: isakmp.c:233:isakmp_handler(): === 2004-07-26 16:24:03: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 2.2.2.2[500] 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c bb8f2217 02104944 c9cfc9d8 49cacdf0 02f41bfa 77bdde66 2366bc28 4d3cd75b b7857b3d 8a00929b 20137047 433a2951 2f560ab3 4e3fa11b 613146f4 eb71529f 2004-07-26 16:24:03: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:24:03: DEBUG: oakley.c:2666:oakley_do_decrypt(): begin decryption. 
2004-07-26 16:24:03: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:24:03: DEBUG: oakley.c:2680:oakley_do_decrypt(): IV was saved for next processing: 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:24:03: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:24:03: DEBUG: oakley.c:2705:oakley_do_decrypt(): with key: 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): 26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e 2004-07-26 16:24:03: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV: 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:24:03: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed. 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:24:03: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=167 2004-07-26 16:24:03: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding. 2004-07-26 16:24:03: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted. 2004-07-26 16:24:03: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:24:03: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:24:03: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 
2004-07-26 16:24:03: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2004-07-26 16:24:03: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload 2004-07-26 16:24:13: DEBUG: isakmp.c:233:isakmp_handler(): === 2004-07-26 16:24:13: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 2.2.2.2[500] 2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c bb8f2217 02104944 c9cfc9d8 49cacdf0 02f41bfa 77bdde66 2366bc28 4d3cd75b b7857b3d 8a00929b 20137047 433a2951 2f560ab3 4e3fa11b 613146f4 eb71529f 2004-07-26 16:24:13: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:24:13: DEBUG: oakley.c:2666:oakley_do_decrypt(): begin decryption. 2004-07-26 16:24:13: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:24:13: DEBUG: oakley.c:2680:oakley_do_decrypt(): IV was saved for next processing: 2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:24:13: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2004-07-26 16:24:13: DEBUG: oakley.c:2705:oakley_do_decrypt(): with key: 2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): 26608024 059a46b0 628febfe 8c7346ef df13ef04 7d56da3e 2004-07-26 16:24:13: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV: 2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): 613146f4 eb71529f 2004-07-26 16:24:13: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed. 2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:24:13: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=167 2004-07-26 16:24:13: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding. 2004-07-26 16:24:13: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted. 
2004-07-26 16:24:13: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 05100201 00000000 0000005c c4aca2cb a2610f0e 404a202e 8c926c32 c92b0770 7e02809a 837f454f d8510558 ea21c6cf 684d01f3 ef0bcae9 70838df6 4334ac03 2463bc17 085b87f3 3a1deda7 2004-07-26 16:24:13: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin. 2004-07-26 16:24:13: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2004-07-26 16:24:13: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2004-07-26 16:24:13: DEBUG: isakmp.c:1155:isakmp_parsewoh(): invalid length of payload 2004-07-26 16:24:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500] 2004-07-26 16:24:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500] 2004-07-26 16:24:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500] 2004-07-26 16:24:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500] 2004-07-26 16:24:22: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 000000c8 0a000084 5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a 730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6 071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde 0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2004-07-26 16:24:22: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2 2004-07-26 16:24:42: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500] 2004-07-26 16:24:42: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500] 2004-07-26 16:24:42: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500] 2004-07-26 16:24:42: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500] 2004-07-26 16:24:42: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 
04100200 00000000 000000c8 0a000084 5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a 730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6 071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde 0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2004-07-26 16:24:42: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2 2004-07-26 16:25:02: DEBUG: sockmisc.c:421:sendfromto(): sockname 1.1.1.1[500] 2004-07-26 16:25:02: DEBUG: sockmisc.c:423:sendfromto(): send packet from 1.1.1.1[500] 2004-07-26 16:25:02: DEBUG: sockmisc.c:425:sendfromto(): send packet to 2.2.2.2[500] 2004-07-26 16:25:02: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 2.2.2.2[500] 2004-07-26 16:25:02: DEBUG: plog.c:193:plogdump(): 77260cb1 24e74d13 e352ee14 2f02e4f2 04100200 00000000 000000c8 0a000084 5dac51d5 9e392b0c e6498701 05274556 d0c674e7 b348619f 85fb1e81 8580c8ff bc068150 28759450 a7b0d15c 418eb074 85e64c7b fc4eea90 763cdc0c 596a2a4a 730016b9 1e4888aa b7bc8004 a90ffc90 75d22d09 459100d3 42c61c7c e0e28fa6 071c6baa a649db63 6fa65ad7 1f3fe91c aee336f0 ad18dcc5 352a6e0b 22e40dde 0d000014 fcdeb51e a872e9f3 32fb0b9d 20262525 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2004-07-26 16:25:02: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 77260cb124e74d13:e352ee142f02e4f2 2004-07-26 16:25:22: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 
77260cb124e74d13:e352ee142f02e4f2

Cisco log

*Mar 1 06:30:02.879: ISAKMP: received ke message (1/1)
*Mar 1 06:30:02.879: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 06:30:02.879: ISAKMP: local port 500, remote port 500
*Mar 1 06:30:02.879: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 06:30:02.879: ISAKMP: insert sa successfully sa = 818EC56C
*Mar 1 06:30:02.879: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 06:30:02.879: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
*Mar 1 06:30:02.879: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
*Mar 1 06:30:02.879: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 06:30:02.879: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 06:30:02.879: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 06:30:02.879: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 06:30:02.883: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 06:30:02.883: ISAKMP (0:1): sending pack bbeameliarouteet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 06:30:02.899: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 06:30:02.899: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 06:30:02.899: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 06:30:02.899: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 06:30:02.899: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:30:02.899: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
*Mar 1 06:30:02.899: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
*Mar 1 06:30:02.899: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
*Mar 1 06:30:02.899: ISAKMP (0:1) local preshared key found
*Mar 1 06:30:02.899: ISAKMP : Scanning profiles for xauth ...
*Mar 1 06:30:02.899: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 06:30:02.903: ISAKMP: encryption 3DES-CBC
*Mar 1 06:30:02.903: ISAKMP: hash MD5
*Mar 1 06:30:02.903: ISAKMP: default group 2
*Mar 1 06:30:02.903: ISAKMP: auth pre-share
*Mar 1 06:30:02.903: ISAKMP: life type in seconds
*Mar 1 06:30:02.903: ISAKMP: life duration (basic) of 10000
*Mar 1 06:30:02.903: ISAKMP (0:1): atts are acceptable. Next payload is 0
*Mar 1 06:30:03.035: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:30:03.035: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
*Mar 1 06:30:03.035: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 06:30:03.035: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 06:30:03.039: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 06:30:03.039: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 06:30:03.039: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 06:30:03.099: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 06:30:03.099: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 06:30:03.099: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 06:30:03.103: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 06:30:03.267: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 06:30:03.267: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
*Mar 1 06:30:03.267: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
*Mar 1 06:30:03.271: ISAKMP (0:1): SKEYID state generated
*Mar 1 06:30:03.271: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:30:03.271: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
*Mar 1 06:30:03.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 06:30:03.271: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 06:30:03.271: ISAKMP (0:1): Send initial contact
*Mar 1 06:30:03.271: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 06:30:03.271: ISAKMP (1): ID payload next-payload : 8 type : 1 addr : 2.2.2.2 protocol : 17 port : 500 length : 8
*Mar 1 06:30:03.271: ISAKMP (1): Total payload length: 12
*Mar 1 06:30:03.275: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 06:30:03.275: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 06:30:03.275: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
r# bbeameliarouter#
*Mar 1 06:30:13.276: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:30:13.276: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 06:30:13.276: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 06:30:13.276: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
bbeameliarouter#
*Mar 1 06:30:23.276: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:30:23.276: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 06:30:23.276: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 06:30:23.276: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 06:30:23.284: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 06:30:23.284: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
*Mar 1 06:30:23.284: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 8)
bbeameliarouter#
*Mar 1 06:30:32.876: ISAKMP: received ke message (1/1)
*Mar 1 06:30:32.876: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 06:30:32.876: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
bbeameliarouter#
*Mar 1 06:30:43.293: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 06:30:43.293: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
*Mar 1 06:30:43.293: ISAKMP (0:1): retransmitting due to retransmit phase 1
*Mar 1 06:30:43.293: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:30:43.794: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:30:43.794: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 06:30:43.794: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
bbeameliarouter#
*Mar 1 06:30:43.794: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
bbeameliarouter#
*Mar 1 06:30:53.794: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:30:53.794: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 06:30:53.794: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 06:30:53.794: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
bbeameliarouter#
*Mar 1 06:31:02.809: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 06:31:02.809: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
*Mar 1 06:31:02.809: ISAKMP (0:1): retransmitting due to retransmit phase 1
*Mar 1 06:31:02.809: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 06:31:02.877: ISAKMP: received ke message (3/1)
*Mar 1 06:31:02.877: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 06:31:02.877: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 1.1.1.1) input queue 0
bbeameliarouter#
*Mar 1 06:31:02.877: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 1.1.1.1) input queue 0
*Mar 1 06:31:02.877: ISAKMP (0:1): deleting node -1933861384 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 06:31:02.877: ISAKMP (0:1): deleting node 1271049171 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 06:31:02.877: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 06:31:02.877: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_DEST_SA
bbeameliarouter#
*Mar 1 06:31:22.818: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE

From owner-freebsd-security@FreeBSD.ORG Wed Jul 28 19:36:26 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3622B16A4CE for ; Wed, 28 Jul 2004 19:36:26 +0000 (GMT)
Received: from mx1.webspacesolutions.com (ns1.webspacesolutions.com [216.74.11.68]) by mx1.FreeBSD.org (Postfix) with SMTP id
CEA9043D2D for ; Wed, 28 Jul 2004 19:36:25 +0000 (GMT) (envelope-from nick@webspacesolutions.com)
Received: (qmail 64414 invoked by uid 101); 28 Jul 2004 19:36:01 -0000
Received: from nick@webspacesolutions.com by ws01.webspacesolutions.com by uid 82 with qmail-scanner-1.22 (clamdscan: 0.72. spamassassin: 2.63. Clear:RC:1(66.214.76.81):. Processed in 0.307777 secs); 28 Jul 2004 19:36:01 -0000
Received: from 66-214-76-81.ata-cres.charterpipeline.net (HELO beastie) (66.214.76.81) by mx1.webspacesolutions.com with SMTP; 28 Jul 2004 19:36:00 -0000
From: "Nick Twaddell"
To:
Date: Wed, 28 Jul 2004 12:36:02 -0700
Organization: Web Space Solutions
Message-ID:
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcR02h2cyXIWyRDFSrislgU0zlhFCQ==
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Ipfw config
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Jul 2004 19:36:26 -0000

If someone has some free time, can you go over my ipfw config. See if I have any problems, or things I should add. I'm not an ipfw expert or anything. Here is the config.
add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
add 00200 check-state
add 00250 deny all from any to any frag in via bge0
add 00260 deny tcp from any to any established in via bge0
###### outbound section ######
## standard http ##
add 00300 allow tcp from any to any 80 out via bge0 setup keep-state
## secure https ##
add 00301 allow tcp from any to any 443 out via bge0 setup keep-state
## dns ##
add 00310 allow tcp from any to any 53 out via bge0 setup keep-state
add 00311 allow udp from any to any 53 out via bge0 keep-state
## pop & smtp ##
add 00330 allow tcp from any to any 25 out via bge0 setup keep-state
add 00331 allow tcp from any to any 110 out via bge0 setup keep-state
## give root all ##
add 00340 allow tcp from me to any out via bge0 setup uid root keep-state
## ftp with passive ports ##
add 00375 allow tcp from me to any 21 out via bge0 setup keep-state
add 00376 allow tcp from me to any 49152-65535 out via bge0 setup keep-state
## ssh ##
add 00380 allow tcp from any to any 22 out via bge0 setup keep-state
## ntp ##
add 00390 allow tcp from any to any 123 out via bge0 setup keep-state
add 00391 allow udp from any to any 123 out via bge0 keep-state
## ident ##
add 00400 allow tcp from any to any 113 out via bge0 setup keep-state
add 00401 allow udp from any to any 113 out via bge0 keep-state
## whois ##
add 00410 allow tcp from any to any 43 out via bge0 setup keep-state
## snmp ##
add 00420 allow udp from any to any 161 out via bge0 keep-state
## finger ##
add 00430 allow tcp from any to any 79 out via bge0 setup keep-state
add 00431 allow udp from any to any 79 out via bge0 keep-state
###### inbound section #######
## standard http ##
add 00600 allow tcp from any to any 80 in via bge0 setup keep-state
## secure https ##
add 00601 allow tcp from any to any 443 in via bge0 setup keep-state
## dns ##
add 00611 allow udp from any to me 53 in via bge0 keep-state
add 00612 allow tcp from any to me dst-port 53 in via bge0 setup keep-state
## pop & smtp ##
add 00630 allow tcp from any to me 25 in via bge0 setup keep-state
add 00631 allow tcp from any to me 110 in via bge0 setup keep-state
## imap ##
add 00635 allow tcp from any to me 143 in via bge0 setup keep-state
## ftp ##
add 00640 allow tcp from any to me 21 in via bge0 setup keep-state
add 00641 allow tcp from any to me 49152-65535 in via bge0 setup keep-state
#add 00641 allow tcp from any 20 to any 1024-49151 out via bge0 setup keep-state
## ssh ##
add 00660 allow tcp from any to me 22 in via bge0 setup keep-state
## snmp ##
add 00690 allow udp from any to me 161 in via bge0 keep-state
## razor ##
add 00695 allow tcp from me to any dst-port 2703 out via bge0 setup keep-state
###### ICMP ######
## Allow out & in console traceroute command ##
add 00700 allow udp from me to any 33435-33500 out via bge0 keep-state
add 00701 allow log icmp from any to me icmptype 3,11 in via bge0 limit src-addr 2
## ping out ##
add 00710 allow icmp from any to any out via bge0 keep-state
## ping in ##
add 00720 allow log icmp from any to me icmptype 0,8 in via bge0
## This sends a RESET to all ident packets ##
add 00730 reset log tcp from any to me 113 in via bge0 limit src-addr 4
## Stop & log external redirect requests ##
add 00740 deny log icmp from any to any icmptype 5 in via bge0
## Stop & log spoofing Attack attempts ##
add 00750 deny log ip from me to me in via bge0
## Stop & log ping echo attacks ##
add 00760 deny log icmp from any to me icmptype 0,8 in via bge0
###### Everything Else #####
## Reject & Log all setup of tcp incoming connections from the outside ##
add 00770 deny log tcp from any to any setup in via bge0
## Reject all port 80 http packets that fall through to here ##
add 00780 deny tcp from any to any 80 out via bge0
## Everything else is denied by default ##
add 00790 deny log logamount 500 all from any to any

Thanks
Nick

From owner-freebsd-security@FreeBSD.ORG Wed Jul 28
19:38:55 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2756F16A4CE for ; Wed, 28 Jul 2004 19:38:55 +0000 (GMT)
Received: from mx1.webspacesolutions.com (ns1.webspacesolutions.com [216.74.11.68]) by mx1.FreeBSD.org (Postfix) with SMTP id F293C43D2F for ; Wed, 28 Jul 2004 19:38:54 +0000 (GMT) (envelope-from nick@webspacesolutions.com)
Received: (qmail 64800 invoked by uid 101); 28 Jul 2004 19:38:54 -0000
Received: from nick@webspacesolutions.com by ws01.webspacesolutions.com by uid 82 with qmail-scanner-1.22 (clamdscan: 0.72. spamassassin: 2.63. Clear:RC:1(66.214.76.81):. Processed in 0.027095 secs); 28 Jul 2004 19:38:54 -0000
Received: from 66-214-76-81.ata-cres.charterpipeline.net (HELO beastie) (66.214.76.81) by mx1.webspacesolutions.com with SMTP; 28 Jul 2004 19:38:54 -0000
From: "Nick Twaddell"
To:
Date: Wed, 28 Jul 2004 12:38:56 -0700
Organization: Web Space Solutions
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcR02oVEVp82YpagQn6lM/njMu573g==
Subject: Ipfw config
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Jul 2004 19:38:55 -0000

That last email got a little garbled, I forgot to take it off of HTML :)

add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
add 00200 check-state
add 00250 deny all from any to any frag in via bge0
add 00260 deny tcp from any to any established in via bge0
###### outbound section ######
## standard http ##
add 00300 allow tcp from any to any 80 out via bge0 setup keep-state
## secure https ##
add 00301 allow tcp from any to any 443 out via bge0 setup keep-state
## dns ##
add 00310 allow tcp from any to any 53 out via bge0 setup keep-state
add 00311 allow udp from any to any 53 out via bge0 keep-state
## pop & smtp ##
add 00330 allow tcp from any to any 25 out via bge0 setup keep-state
add 00331 allow tcp from any to any 110 out via bge0 setup keep-state
## give root all ##
add 00340 allow tcp from me to any out via bge0 setup uid root keep-state
## ftp with passive ports ##
add 00375 allow tcp from me to any 21 out via bge0 setup keep-state
add 00376 allow tcp from me to any 49152-65535 out via bge0 setup keep-state
## ssh ##
add 00380 allow tcp from any to any 22 out via bge0 setup keep-state
## ntp ##
add 00390 allow tcp from any to any 123 out via bge0 setup keep-state
add 00391 allow udp from any to any 123 out via bge0 keep-state
## ident ##
add 00400 allow tcp from any to any 113 out via bge0 setup keep-state
add 00401 allow udp from any to any 113 out via bge0 keep-state
## whois ##
add 00410 allow tcp from any to any 43 out via bge0 setup keep-state
## snmp ##
add 00420 allow udp from any to any 161 out via bge0 keep-state
## finger ##
add 00430 allow tcp from any to any 79 out via bge0 setup keep-state
add 00431 allow udp from any to any 79 out via bge0 keep-state
###### inbound section #######
## standard http ##
add 00600 allow tcp from any to any 80 in via bge0 setup keep-state
## secure https ##
add 00601 allow tcp from any to any 443 in via bge0 setup keep-state
## dns ##
add 00611 allow udp from any to me 53 in via bge0 keep-state
add 00612 allow tcp from any to me dst-port 53 in via bge0 setup keep-state
## pop & smtp ##
add 00630 allow tcp from any to me 25 in via bge0 setup keep-state
add 00631 allow tcp from any to me 110 in via bge0 setup keep-state
## imap ##
add 00635 allow tcp from any to me 143 in via bge0 setup keep-state
## ftp ##
add 00640 allow tcp from any to me 21 in via bge0 setup keep-state
add 00641 allow tcp from any to me 49152-65535 in via bge0 setup keep-state
#add 00641 allow tcp from any 20 to any 1024-49151 out via bge0 setup keep-state
## ssh ##
add 00660 allow tcp from any to me 22 in via bge0 setup keep-state
## snmp ##
add 00690 allow udp from any to me 161 in via bge0 keep-state
## razor ##
add 00695 allow tcp from me to any dst-port 2703 out via bge0 setup keep-state
###### ICMP ######
## Allow out & in console traceroute command ##
add 00700 allow udp from me to any 33435-33500 out via bge0 keep-state
add 00701 allow log icmp from any to me icmptype 3,11 in via bge0 limit src-addr 2
## ping out ##
add 00710 allow icmp from any to any out via bge0 keep-state
## ping in ##
add 00720 allow log icmp from any to me icmptype 0,8 in via bge0
## This sends a RESET to all ident packets ##
add 00730 reset log tcp from any to me 113 in via bge0 limit src-addr 4
## Stop & log external redirect requests ##
add 00740 deny log icmp from any to any icmptype 5 in via bge0
## Stop & log spoofing Attack attempts ##
add 00750 deny log ip from me to me in via bge0
## Stop & log ping echo attacks ##
add 00760 deny log icmp from any to me icmptype 0,8 in via bge0
###### Everything Else #####
## Reject & Log all setup of tcp incoming connections from the outside ##
add 00770 deny log tcp from any to any setup in via bge0
## Reject all port 80 http packets that fall through to here ##
add 00780 deny tcp from any to any 80 out via bge0
## Everything else is denied by default ##
add 00790 deny log logamount 500 all from any to any

This should work

From owner-freebsd-security@FreeBSD.ORG Wed Jul 28 19:40:41 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1BE816A4CE for ; Wed, 28 Jul 2004 19:40:41 +0000 (GMT)
Received: from gi.sourcefire.com (gi.sourcefire.com [12.110.105.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7851B43D1D for ; Wed, 28
From: Nigel Houghton <nigel@sourcefire.com>
To: freebsd-security@freebsd.org
Date: Wed, 28 Jul 2004 15:36:51 -0400
Subject: Re: Ipfw config
Message-ID: <20040728193651.GA4670@enterprise.sfeng.sourcefire.com>

Without knowing what the purpose of this machine is, there is nothing to say other than whether your syntax is correct or not. Something you will find out when you try to load the rules. Also, this list really isn't meant for asking these types of configuration questions.

On 0, Nick Twaddell allegedly wrote:
> If someone has some free time, can you go over my ipfw config. See if I
> have any problems, or things I should add. I'm not an ipfw expert or
> anything. Here is the config.
>
> [full ipfw ruleset quoted from the original post snipped]
>
> Thanks
>
> Nick

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman

From owner-freebsd-security@FreeBSD.ORG Thu Jul 29 00:44:05 2004
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: Lewey Taylor
Cc: freebsd-security@freebsd.org
Date: Thu, 29 Jul 2004 04:44:01 +0400
Subject: Re: Cisco IOS and racoon
Message-ID: <1201164112343.20040729044401@internethelp.ru>
In-Reply-To: <1090892097.7219.0.camel@localhost>

Hello Lewey,

First, I am really new to IPSEC, so maybe my advice will be of no use to you. Second, I have once succeeded in setting up a FreeBSD<->Cisco IPSec link, so maybe my advice will be of some use to you.

Tuesday, July 27, 2004, 5:34:58 AM, you wrote:

LT>
LT> #! /bin/sh
LT> #spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
LT> #spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
LT> case "$1" in
LT> start)
LT>     setkey -F
LT>     setkey -FP
LT>     setkey -c <<EOF
LT> spdadd 10.0.10.0/24 10.0.3.0/24 ipencap -P out ipsec
LT>     esp/tunnel/1.1.1.1-2.2.2.2/require;
LT> spdadd 10.0.3.0/24 10.0.1.0/24 ipencap -P in ipsec
LT>     esp/tunnel/2.2.2.2-1.1.1.1/require;
LT> EOF
LT>     ;;
LT> stop)
LT>     setkey -F
LT>     setkey -FP
LT>     ;;
LT> *)
LT>     echo "Usage: `basename $0` {start|stop}" >&2
LT>     ;;
LT> esac
LT> exit 0
LT>

First advice: change `ipencap' to `any' in your spdadd config. If I am right, you don't need ipencap here since you don't use ipinip on cisco. If I am wrong, `any' should work anyway.

Second advice: do not try to understand racoon's logs. This is the last thing to do. Only if nothing else helps, you can try it. And the best way to do it is to build racoon from sources, to have the ability to put there some human-readable debugprintfs.
Third advice - what really helps: make some errors. Change the config file of racoon in a strictly wrong way. Use wrong algorithms for encryption and signing, a non-matching psk, play with padding, change some weird options like `proposal_check', `situation', `doi', etc... Do the wrong things. _ONE_CHANGE_FOR_ONE_RUN_. Then take a quick look in the log. If setting psk from to produces no change in logs - i.e., everything stops on the same error - then _maybe_ your is not correct at all. _But_, _maybe_ things just become broken before anybody cares about your psk. You will need to use your brain. I am sorry, but I don't know about silver bullets for IPSec debugging. Using intentional errors can help you narrow your search to some specific sections of racoon.conf, and to some specific files/functions in the src tree. Otherwise you will be lost in the sea of even possibilities.

The most ugly problem I ran into was that IPSec uses about 50 different parameters that should match on each side of the tunnel, and
1. Most of them are named differently in racoon and cisco (that's called a synonym - sounds different, means the same)
2. Some of them can be named the same but mean different things (that's called a homonym ;) )
3. Some of them can be hardwired into the system. Different ones on racoon and cisco.

Well, I hope that will help you. Good luck!
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Fri Jul 30 05:37:15 2004
From: Zoran Kolic <kolicz@eunet.yu>
To: freebsd-security@freebsd.org
Date: Fri, 30 Jul 2004 07:34:54 +0200
Subject: Re: Ipfw config
Message-ID: <20040730053454.GA689@kolic.net>
In-Reply-To: <20040729120437.3AB6C16A5C6@hub.freebsd.org>

Seems that you have everything in this configuration. Do you really need _everything_? If server, you will never surf the internet or else. If workstation, close inbound stuff.

Best regards
ZK
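As an added example, not code from the thread: a small Python check that reads rules in the form Nick posted, applies ipfw's first-match semantics to report a later terminating rule whose match part exactly repeats an earlier one (in the posted set, 00760 sits behind 00720 with the same match and can never fire), and lists inbound allow rules whose destination is not `me`, which is the sort of thing Zoran's "close inbound stuff" points at. The rule excerpt is constructed from the post, and the exact-string comparison is a deliberate simplification, since a real shadow analysis needs subset logic over addresses and port ranges.

```python
import re

# Constructed excerpt of the ruleset posted in this thread (interface bge0).
SAMPLE_RULES = """
add 00200 check-state
add 00600 allow tcp from any to any 80 in via bge0 setup keep-state
add 00640 allow tcp from any to me 21 in via bge0 setup keep-state
add 00641 allow tcp from any to me 49152-65535 in via bge0 setup keep-state
#add 00641 allow tcp from any 20 to any 1024-49151 out via bge0 setup keep-state
add 00720 allow log icmp from any to me icmptype 0,8 in via bge0
add 00760 deny log icmp from any to me icmptype 0,8 in via bge0
add 00790 deny log logamount 500 all from any to any
"""

# "add <number> <action> [log [logamount N]] <match part>"
RULE_RE = re.compile(
    r"^add\s+(\d+)\s+(\S+)(?:\s+log(?:\s+logamount\s+\d+)?)?(?:\s+(.*))?$")
# Actions that end the search once they match (ipfw is first-match).
TERMINAL = {"allow", "accept", "pass", "deny", "drop", "reset"}

def parse(text):
    """Return [(number, action, match_part)] for active 'add' lines, in the
    order ipfw evaluates them (ascending rule number, stable for ties)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        num, action, match = m.groups()
        rules.append((int(num), action, " ".join((match or "").split())))
    return sorted(rules, key=lambda r: r[0])

def shadowed(rules):
    """(later, earlier) pairs where a terminating rule repeats the exact match
    part of an earlier terminating rule, so the later one can never fire."""
    first_seen, hits = {}, []
    for num, action, match in rules:
        if action not in TERMINAL:
            continue
        if match in first_seen:
            hits.append((num, first_seen[match]))
        else:
            first_seen[match] = num
    return hits

def inbound_not_to_me(rules):
    """Numbers of inbound allow rules whose destination is not 'me'."""
    return [num for num, action, match in rules
            if action in ("allow", "accept", "pass")
            and " in via " in match and " to me" not in match]
```

On the excerpt, shadowed(parse(SAMPLE_RULES)) returns [(760, 720)] and inbound_not_to_me(...) returns [600]; run it over a full `ipfw list` dump to check a live ruleset the same way.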