Date: Thu, 22 Jan 2004 11:10:35 +0300
From: Antony Pyatkov <antony@icbcher.ru>
To: questions@FreeBSD.org
Subject: ipsec in transport mode
Message-ID: <400F857B.1090800@icbcher.ru>
Hi!

I'm trying to establish ipsec communication between FreeBSD 5.1 server and Win2k client. I've recompiled kernel to support ipsec, installed racoon and spd using setkey. Here are my config files:

---------------------------
ipsec.conf:

spdadd 194.186.33.213/32 24.81.230.61/32 any -P in ipsec esp/transport//require;
spdadd 24.81.230.61/32 194.186.33.213/32 any -P out ipsec esp/transport//require;

---------------------------
racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
#
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug2;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive,base;
        #doi ipsec_doi;
        #situation identity_only;

        #nonce_size 16;
        #lifetime time 30 min;  # sec,min,hour
        #initial_contact on;
        #support_mip6 on;
        #proposal_check obey;   # obey, strict or claim

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        #lifetime time 36000 sec;
        encryption_algorithm 3des,des,cast128,blowfish;
        authentication_algorithm non_auth,hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}
--------------------

While connecting racoon says the following:

2004-01-22 00:04:36: DEBUG: isakmp.c:221:isakmp_handler(): ===
2004-01-22 00:04:36: DEBUG: isakmp.c:222:isakmp_handler(): 216 bytes message received from 194.186.33.213[500]
2004-01-22 00:04:36: DEBUG: plog.c:193:plogdump():
9df7e197 e3040472 00000000 00000000 01100200 00000000 000000d8 0d0000a4
00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002
80040002 80030001 800b0001 000c0004 00007080 03000024 02010000 80010005
80020001 80040002 80030001 800b0001 000c0004 00007080 03000024 03010000
80010001 80020002 80040001 80030001 800b0001 000c0004 00007080 00000024
04010000 80010001 80020001 80040001 80030001 800b0001 000c0004 00007080
00000018 1e2b5169 05991c7d 7c96fcbf b587e461 00000002
2004-01-22 00:04:36: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
04:36.449884 194.186.33.213:500 -> 24.81.230.61:500: isakmp 1.0 msgid 00000000 cookie 9df7e197e3040472->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=4 (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)) (t: #2 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)) (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)) (t: #4 id=ike (type=enc value=1des)(type=hash value=md5)(type=group desc value=modp768)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)))) (vid: len=20)
2004-01-22 00:04:36: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 194.186.33.213[500].
2004-01-22 00:04:36: DEBUG: isakmp.c:889:isakmp_ph1begin_r(): ===
2004-01-22 00:04:36: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 24.81.230.61[500]<=>194.186.33.213[500]
2004-01-22 00:04:36: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-01-22 00:04:36: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=1(sa)
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=13(vid)
2004-01-22 00:04:36: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
2004-01-22 00:04:36: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1117:get_proppair(): total SA len=160
2004-01-22 00:04:36: DEBUG: plog.c:193:plogdump():
00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002
80040002 80030001 800b0001 000c0004 00007080 03000024 02010000 80010005
80020001 80040002 80030001 800b0001 000c0004 00007080 03000024 03010000
80010001 80020002 80040001 80030001 800b0001 000c0004 00007080 00000024
04010000 80010001 80020001 80040001 80030001 800b0001 000c0004 00007080
2004-01-22 00:04:36: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=2(prop)
2004-01-22 00:04:36: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1178:get_proppair(): proposal #1 len=152
2004-01-22 00:04:36: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
2004-01-22 00:04:36: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
2004-01-22 00:04:36: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1327:get_transform(): transform #1 len=36
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2004-01-22 00:04:36: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA
2004-01-22 00:04:36: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2004-01-22 00:04:36: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1886:check_attr_isakmp(): type=Life Duration, flag=0x0000, lorv=4
2004-01-22 00:04:36: ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1221:get_proppair(): pair 1:
2004-01-22 00:04:36: DEBUG: proposal.c:895:print_proppair0(): 0x80a7df0: next=0x0 tnext=0x0
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:1256:get_proppair(): proposal #1: 1 transform
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x0000, lorv=4
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 28800:28800)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = DES-CBC:3DES-CBC
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0)
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = MD5:SHA
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 768-bit MODP group:1024-bit MODP group
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
2004-01-22 00:04:36: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x0000, lorv=4
2004-01-22 00:04:36: ERROR: ipsec_doi.c:404:print_ph1mismatched(): rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = DES-CBC:3DES-CBC
2004-01-22 00:04:36: ERROR: ipsec_doi.c:428:print_ph1mismatched(): rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
2004-01-22 00:04:36: ERROR: ipsec_doi.c:440:print_ph1mismatched(): rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:1024-bit MODP group
2004-01-22 00:04:36: ERROR: ipsec_doi.c:243:get_ph1approval(): no suitable proposal found.
2004-01-22 00:04:36: ERROR: isakmp_ident.c:782:ident_r1recv(): failed to get valid proposal.
2004-01-22 00:04:36: ERROR: isakmp.c:913:isakmp_ph1begin_r(): failed to process packet.
------------------------------------------------

High encryption pack is installed on Win2k client.

Any ideas?

Sincerely yours,
Pyatkov Antony
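Added example, not part of the original mail or of racoon: a small Python parser for the ISAKMP SA payload whose hex dump racoon printed above (the plogdump with "total SA len=160"). It decodes each of the four transforms the Win2k client offered and checks which of them agrees with the phase 1 proposal in racoon.conf (des, md5, pre_shared_key, dh_group 1). The log shows racoon treating only trns#1 as the peer's offer ("Only a single transform payload is allowed during phase 1 processing") and rejecting it on enctype, hashtype and dh_group; walking all four shows that transform #4 (1des/md5/modp768) matches on every attribute racoon compares. The attribute numbering follows RFC 2409 Appendix A; the function names and constant tables are mine.

```python
import struct

# SA payload body copied from the racoon plogdump above (the 4-byte generic
# payload header is not part of that dump, so the body starts at the DOI).
SA_BODY_HEX = (
    "00000001 00000001 00000098 01010004"
    " 03000024 01010000 80010005 80020002 80040002 80030001 800b0001 000c0004 00007080"
    " 03000024 02010000 80010005 80020001 80040002 80030001 800b0001 000c0004 00007080"
    " 03000024 03010000 80010001 80020002 80040001 80030001 800b0001 000c0004 00007080"
    " 00000024 04010000 80010001 80020001 80040001 80030001 800b0001 000c0004 00007080"
)

# IKEv1 phase 1 attribute classes (RFC 2409 Appendix A) and the values seen here.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type", 12: "life_duration"}
ENC = {1: "des", 5: "3des"}
HASH = {1: "md5", 2: "sha1"}
AUTH = {1: "pre_shared_key"}
GROUP = {1: "modp768", 2: "modp1024"}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}

# Local proposal taken from the racoon.conf above (names are my own spelling).
RACOON_PROPOSAL = {"enc": "des", "hash": "md5", "auth": "pre_shared_key", "dh_group": "modp768"}


def parse_attributes(data):
    """Decode ISAKMP data attributes: TV form (high bit set) or TLV form."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, lorv = struct.unpack_from("!HH", data, off)
        off += 4
        atype = af_type & 0x7FFF
        if af_type & 0x8000:            # TV: the value sits in the lorv field
            value = lorv
        else:                           # TLV: lorv is the length of the value
            value = int.from_bytes(data[off:off + lorv], "big")
            off += lorv
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs


def decode_transform(attrs):
    """Map numeric attribute values to the names racoon uses in its config."""
    lifetime = attrs.get("life_duration") if LIFE_TYPE.get(attrs.get("life_type")) == "seconds" else None
    return {"enc": ENC.get(attrs.get("enc")), "hash": HASH.get(attrs.get("hash")),
            "auth": AUTH.get(attrs.get("auth")), "dh_group": GROUP.get(attrs.get("dh_group")),
            "lifetime": lifetime}


def parse_sa_body(body):
    """Parse DOI, situation and every proposal/transform of an SA payload body."""
    doi, situation = struct.unpack_from("!II", body, 0)
    off, proposals = 8, []
    while off < len(body):
        _nxt, _res, plen, pnum, protoid, spisz, _ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff, transforms = off + 8 + spisz, []
        while toff < off + plen:
            _tnxt, _r, tlen, tnum, tid, _r2 = struct.unpack_from("!BBHBBH", body, toff)
            attrs = parse_attributes(body[toff + 8:toff + tlen])
            transforms.append({"num": tnum, "id": tid, **decode_transform(attrs)})
            toff += tlen
        proposals.append({"num": pnum, "protoid": protoid, "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def mismatches(transform, local=RACOON_PROPOSAL):
    """Attributes that differ, in the DB:Peer form racoon prints in its log."""
    return {k: f"{v}:{transform[k]}" for k, v in local.items() if transform[k] != v}


def matching_transforms(sa, local=RACOON_PROPOSAL):
    """Numbers of peer transforms that agree with the local proposal on all four attributes."""
    return [t["num"] for p in sa["proposals"] for t in p["transforms"] if not mismatches(t, local)]


def analyse(hex_dump=SA_BODY_HEX):
    sa = parse_sa_body(bytes.fromhex(hex_dump.replace(" ", "")))
    first = sa["proposals"][0]["transforms"][0]
    return {
        "transforms": [(t["num"], t["enc"], t["hash"], t["dh_group"], t["lifetime"])
                       for p in sa["proposals"] for t in p["transforms"]],
        "first_mismatch": mismatches(first),   # what racoon rejected on trns#1
        "matching": matching_transforms(sa),   # what a full walk would accept
    }


if __name__ == "__main__":
    result = analyse()
    for row in result["transforms"]:
        print("peer transform #%d: enc=%s hash=%s group=%s lifetime=%ss" % row)
    print("racoon compared only trns#1 and rejected:", result["first_mismatch"])
    print("transforms matching racoon.conf on all attributes:", result["matching"])
```

Running it prints the four transforms exactly as the isakmp_printpacket() line lists them, the three DB:Peer mismatches from the log for trns#1, and `[4]` as the only transform agreeing with the configured des/md5/dh_group 1 proposal. The lifetime decodes to 28800 seconds on every transform, consistent with the "lifetime = 28800:28800" line in the log.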