From owner-freebsd-security Tue Aug 27 11:58:26 2002
Date: Tue, 27 Aug 2002 11:58:16 -0700 (PDT)
From: Y S (envelope-from sunny_mcl@yahoo.com)
To: freebsd-security@FreeBSD.ORG
Subject: IPsec tunnel between XP and FreeBSD
Message-ID: <20020827185816.91283.qmail@web12903.mail.yahoo.com>
Sender: owner-freebsd-security@FreeBSD.ORG

I am trying to setup an IPsec tunnel between XP client and FreeBSD box.

Seems the Phase 2 Exchange doesn't work.

My setup:

Windows XP (10.10.10.6):

ipseccmd -f 10.10.10.6=* -t 10.10.10.20 -n esp[3des,md5] -a preshare:"xxx" -1s 3des-md5-2 -1p

Freebsd (10.10.10.20):

SPD:

10.10.10.6[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.10.10.6-10.10.10.20/require
        spid=7 seq=1 pid=565
        refcnt=1
0.0.0.0/0[any] 10.10.10.6[any] any
        out ipsec
        esp/tunnel/10.10.10.20-10.10.10.6/require
        spid=8 seq=0 pid=565
        refcnt=1

racoon conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 90 sec;
 phase2 60 sec;
}

remote anonymous
{
 exchange_mode main;
 doi ipsec_doi;
 situation identity_only;

 nonce_size 16;
 lifetime time 4 hour; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}

sainfo anonymous
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm 3des;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate ;
}

The racoon dump file (60K) may be too big for the email. It looks like the only ERROR lines are:

---------------------------------------------------------------------

.......

2002-08-26 19:10:26: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump():

......

2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
2002-08-26 19:11:26: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.

.......

------------------------------------------------------------------------------------

I don't know why Windows sends an INVALID-ID-INFORMATION.

It looks like that causes the Quick Mode SA establishment to fail?

Any suggestion?

Thanks a lot!

(BTW, transparent mode XP <-> FreeBSD and tunnel mode FreeBSD -> FreeBSD work pretty well)

Sunny
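The log excerpt in the post ends with Windows sending an Informational exchange that racoon parses as a HASH payload followed by a NOTIFY payload, and the NOTIFY decodes to type 18, INVALID-ID-INFORMATION, with doi=1, proto_id=3 and a four-byte all-zero SPI. The Python below is an added example, not code from the post or from racoon: it walks an IKEv1 payload chain using the generic payload header of RFC 2408 and decodes the Notification payload (RFC 2408 section 3.14) into the same fields racoon prints. The payload-type, protocol-ID and notify-type tables are taken from RFC 2408 and the IPSEC DOI in RFC 2407; the byte string it parses is constructed here to reproduce the values in the log, and the 16-byte hash content is a placeholder rather than a real HMAC-MD5 over anything.

```python
"""Walk an IKEv1 (ISAKMP) payload chain and decode a Notification payload.

Added example, not from the original post or from racoon. Layouts follow
RFC 2408: every payload starts with a generic header (Next Payload, RESERVED,
Payload Length, all big-endian), and a Notification payload body is
DOI (4) | Protocol-ID (1) | SPI Size (1) | Notify Message Type (2) | SPI | data.
"""
import struct

# Payload types (RFC 2408 section 3.1); racoon logs them as nptype=8(hash), 11(notify).
PAYLOAD_NAMES = {
    1: "sa", 2: "prop", 3: "trns", 4: "ke", 5: "id", 6: "cert", 7: "cr",
    8: "hash", 9: "sig", 10: "nonce", 11: "notify", 12: "delete", 13: "vid",
}
# Protocol IDs from the IPSEC DOI (RFC 2407 section 4.4.1).
PROTO_NAMES = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}
# Error-class notify message types (RFC 2408 section 3.14.1), a subset.
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 9: "INVALID-MESSAGE-ID", 10: "INVALID-PROTOCOL-ID",
    11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
    17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
}
IPSEC_DOI = 1


def walk_payloads(data, first_type):
    """Yield (payload_type, body) for each payload in the chain.

    first_type is the Next Payload value from the ISAKMP header; each
    payload's own header names the type of the one that follows (0 = none).
    Lengths are checked against the buffer so a truncated or overlong
    payload raises instead of being read past the end.
    """
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header at offset %d" % off)
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        yield ptype, data[off + 4:off + length]
        off += length
        ptype = next_type
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))


def parse_notify(body):
    """Decode a Notification payload body into its fields."""
    if len(body) < 8:
        raise ValueError("notification body too short")
    doi, proto_id, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    spi = body[8:8 + spi_size]
    if len(spi) != spi_size:
        raise ValueError("SPI size %d exceeds payload" % spi_size)
    return {
        "doi": doi, "proto_id": proto_id, "proto_name": PROTO_NAMES.get(proto_id, "?"),
        "type": ntype, "type_name": NOTIFY_TYPES.get(ntype, "UNKNOWN"),
        "spi": spi, "data": body[8 + spi_size:],
    }


def build_notify(doi, proto_id, spi, ntype, data=b"", next_payload=0):
    """Encode a Notification payload, generic header included (for test input)."""
    body = struct.pack("!IBBH", doi, proto_id, len(spi), ntype) + spi + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_hash(digest, next_payload):
    """Encode a HASH payload around an already-computed digest."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(digest)) + digest


def describe_chain(data, first_type):
    """Summarise a chain in the style of racoon's log lines."""
    lines = []
    for ptype, body in walk_payloads(data, first_type):
        if ptype == 11:
            n = parse_notify(body)
            lines.append("notification message %d:%s, doi=%d proto_id=%d(%s) spi=%s(size=%d)"
                         % (n["type"], n["type_name"], n["doi"], n["proto_id"],
                            n["proto_name"], n["spi"].hex(), len(n["spi"])))
        else:
            lines.append("nptype=%d(%s), %d bytes" % (ptype, PAYLOAD_NAMES.get(ptype, "?"), len(body)))
    return lines


# Constructed sample mirroring the post's log: HASH (placeholder 16-byte digest,
# not a real HMAC-MD5) followed by NOTIFY 18 for ESP with an all-zero 4-byte SPI.
SAMPLE = build_hash(b"\x11" * 16, next_payload=11) + \
    build_notify(IPSEC_DOI, 3, b"\x00" * 4, 18)

if __name__ == "__main__":
    for line in describe_chain(SAMPLE, first_type=8):
        print(line)
```

The first payload type is passed in rather than read from the buffer because on the wire it lives in the Next Payload field of the fixed ISAKMP header, which precedes the chain; and in an Informational exchange protected by an established Phase 1 SA the chain is encrypted, so this decoder expects the already-decrypted bytes. The length checks in walk_payloads are the part worth keeping if you adapt this to real captures: a payload length that runs past the datagram is the classic malformed-packet case for an IKE parser.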