Date:      Tue, 27 Aug 2002 11:58:16 -0700 (PDT)
From:      Y S <sunny_mcl@yahoo.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   IPsec tunnel between XP and FreeBSD
Message-ID:  <20020827185816.91283.qmail@web12903.mail.yahoo.com>
In-Reply-To: <OAEOLDPOMIMMJMKEBFHCEEKNDAAA.jps@funeralexchange.com>



I am trying to set up an IPsec tunnel between an XP client and a FreeBSD box.
Seems the Phase 2 Exchange doesn't work. 

My setup:

Windows XP (10.10.10.6):

ipseccmd -f 10.10.10.6=* -t 10.10.10.20 -n esp[3des,md5] -a preshare:"xxx" -1s 3des-md5-2 -1p

FreeBSD (10.10.10.20):

SPD:

10.10.10.6[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.10.10.6-10.10.10.20/require
        spid=7 seq=1 pid=565
        refcnt=1
0.0.0.0/0[any] 10.10.10.6[any] any
        out ipsec
        esp/tunnel/10.10.10.20-10.10.10.6/require
        spid=8 seq=0 pid=565
        refcnt=1


racoon conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

timer
{
 # These values can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 90 sec;
 phase2 60 sec;
}

remote anonymous
{
 exchange_mode main;
 doi ipsec_doi;
 situation identity_only;

 nonce_size 16;
 lifetime time 4 hour; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

The racoon dump file (60K) may be too big for the email. It looks like the only ERROR lines are:

 

---------------------------------------------------------------------

.......

2002-08-26 19:10:26: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump(): 

......

2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
2002-08-26 19:11:26: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.

.......

------------------------------------------------------------------------------------

I don't know why Windows sends an INVALID-ID-INFORMATION.

It looks like that causes the Quick Mode SA establishment to fail?

Any suggestion?

Thanks a lot!

(BTW, transparent mode XP <-> FreeBSD and tunnel mode FreeBSD -> FreeBSD work pretty well.)

 

Sunny
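Added example (not code from Sunny's message or from the racoon project): a small Python triage script for racoon debug logs of the kind quoted above. It pulls out ISAKMP Notification payload lines and pfkey "give up" lines, decodes the numeric notify type and Protocol-ID against the tables in RFC 2408 section 3.14.1 and RFC 2407 section 4.4.1, and reports whether a notify refers to the IPsec SA being negotiated in Quick Mode or to the ISAKMP SA. The SAMPLE_LOG text is constructed from the lines quoted in the post; everything else (names, the finding format) is the example's own.

```python
"""Triage racoon debug output for ISAKMP Notification payloads.

Added example for the post above, not code from the message or from racoon.
Log line format and SAMPLE_LOG come from the quoted lines; the numeric tables
are RFC 2408 sec. 3.14.1 (notify types) and RFC 2407 sec. 4.4.1 (protocol IDs).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 2408 section 3.14.1: ISAKMP notify message types in the error range.
NOTIFY_TYPES: Dict[int, str] = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}
# RFC 2407 section 4.4.1: IPsec DOI protocol identifiers.
PROTO_IDS: Dict[int, str] = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH",
                             3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}

# racoon log line: "<date> <time>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>\w+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$")
NOTIFY_RE = re.compile(
    r"notification message (?P<code>\d+):(?P<name>[A-Z0-9-]+), "
    r"doi=(?P<doi>\d+) proto_id=(?P<proto>\d+) spi=(?P<spi>[0-9a-fA-F]+)")
GIVEUP_RE = re.compile(r"^(?P<peer>\S+) give up to get IPsec-SA")

# Constructed sample: the racoon lines quoted in the post, including unrelated
# DEBUG lines that the parser must ignore.
SAMPLE_LOG = """\
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
"""

@dataclass
class Notify:
    ts: str
    code: int
    name: str        # type name as racoon printed it
    rfc_name: str    # type name from the RFC 2408 table, "UNKNOWN" if absent
    doi: int
    proto_id: int
    proto_name: str
    spi: str         # hex string as printed

@dataclass
class GiveUp:
    ts: str
    peer: str

def parse_racoon_log(text: str) -> Tuple[List[Notify], List[GiveUp]]:
    """Extract Notification payloads and pfkey time-outs from racoon debug output."""
    notifies: List[Notify] = []
    giveups: List[GiveUp] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        n = NOTIFY_RE.search(m["msg"])
        if n:
            code, proto = int(n["code"]), int(n["proto"])
            notifies.append(Notify(m["ts"], code, n["name"], NOTIFY_TYPES.get(code, "UNKNOWN"),
                                   int(n["doi"]), proto, PROTO_IDS.get(proto, "UNKNOWN"), n["spi"]))
            continue
        g = GIVEUP_RE.match(m["msg"])
        if g:
            giveups.append(GiveUp(m["ts"], g["peer"]))
    return notifies, giveups

def is_phase2_error(n: Notify) -> bool:
    """An error-range notify whose Protocol-ID names AH, ESP or IPCOMP is about the
    IPsec SA negotiated in Quick Mode, not about the ISAKMP SA (proto_id=1)."""
    return 1 <= n.code <= 30 and n.proto_id in (2, 3, 4)

def triage(text: str) -> List[str]:
    """One human-readable finding per notify and per give-up, in log order."""
    notifies, giveups = parse_racoon_log(text)
    findings: List[str] = []
    for n in notifies:
        scope = "Quick Mode (phase 2)" if is_phase2_error(n) else "ISAKMP SA (phase 1) or status"
        spi_note = "no specific SA referenced" if int(n.spi, 16) == 0 else "SPI " + n.spi
        findings.append(f"{n.ts} peer sent {n.code}:{n.rfc_name} for {n.proto_name}, "
                        f"{scope}, {spi_note}")
    for g in giveups:
        findings.append(f"{g.ts} racoon gave up waiting for an IPsec SA with {g.peer}")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run on the quoted lines it reports that the peer sent 18:INVALID-ID-INFORMATION for PROTO_IPSEC_ESP with an all-zero SPI, i.e. a rejection of the Quick Mode proposal rather than a complaint about an existing SA, followed by racoon giving up on the IPsec SA with 10.10.10.6. The script tells you what the peer rejected and at which phase, not why; the ID payload contents that the peer objected to are only visible in the full debug dump.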
