Date:      Sun, 18 Jan 2004 22:16:47 +0100
From:      "Branko F." Gračnar <bfg@noviforum.si>
To:        freebsd-current@freebsd.org
Subject:   5.2 IPSec problems & crash
Message-ID:  <1074460582.1353.39.camel@mordor.lucky.si>



Hi.

I'm having big trouble with IPSec after upgrading from 5.1 to 5.2.
IPSec tunnels stopped working after the upgrade of the base system (I didn't
change the racoon or setkey configuration). I'm using the latest racoon.

# pkg_info | grep racoon
racoon-20040114a    KAME racoon IKE daemon

=============================================

# cat /etc/ipsec.conf
# flush old stuff first
flush;
spdflush;

# VPN tunnel
spdadd 192.168.200.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/a.b.c.d-e.f.g.h/require;

spdadd 192.168.2.0/24 192.168.200.0/24 any -P out ipsec
esp/tunnel/e.f.g.h-a.b.c.d/require;

=============================================

a.b.c.d is my Internet address, e.f.g.h is the remote router's Internet
address (it's Linux 2.4 with FreeS/WAN 1.9.x).


=============================================

# cat /usr/local/etc/racoon/racoon.conf
#
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/racoon/cert" ;

log notify;
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
        isakmp a.b.c.d [500];
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# vpn tunnel
remote e.f.g.h {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        lifetime time 6 hour;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 6 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

=============================================

racoon debug output:

# racoon -F -d
Foreground mode.
2004-01-18 22:12:45: INFO: main.c:172:main(): @(#)package version freebsd-20040114a
2004-01-18 22:12:45: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-01-18 22:12:45: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for AH
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for ESP
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for IPCOMP
2004-01-18 22:12:45: DEBUG: cftoken.l:578:yycf_set_buffer(): reading config file /usr/local/etc/racoon/racoon.conf
2004-01-18 22:12:45: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2004-01-18 22:12:45: INFO: isakmp.c:1356:isakmp_open(): a.b.c.d[500] used as isakmp port (fd=5)
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9d0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:45: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-01-18 22:12:57: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out.
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80ac008: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:57: NOTIFY: pfkey.c:1640:pk_recvacquire(): no in-bound policy found: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2004-01-18 22:12:57: DEBUG: proposal.c:828:printsaproto():  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2004-01-18 22:12:57: DEBUG: proposal.c:862:printsatrns():  (trns_id=3DES encklen=0 authtype=hmac-sha)
2004-01-18 22:12:57: DEBUG: remoteconf.c:118:getrmconf(): configuration found for e.f.g.h.
2004-01-18 22:12:57: INFO: isakmp.c:1682:isakmp_post_acquire(): IPsec-SA request for e.f.g.h queued due to no phase1 found.
2004-01-18 22:12:57: DEBUG: isakmp.c:791:isakmp_ph1begin_i(): ===
2004-01-18 22:12:57: INFO: isakmp.c:796:isakmp_ph1begin_i(): initiate new phase 1 negotiation: a.b.c.d[500]<=>e.f.g.h[500]
2004-01-18 22:12:57: INFO: isakmp.c:801:isakmp_ph1begin_i(): begin Identity Protection mode.
2004-01-18 22:12:57: DEBUG: isakmp.c:1994:isakmp_newcookie(): new cookie:
074dda08a6707937
2004-01-18 22:12:57: DEBUG: isakmp.c:2111:set_isakmp_payload(): add payload of len 48, next type 0
2004-01-18 22:12:57: DEBUG: isakmp.c:2246:isakmp_printpacket(): begin.
12:57.271958 a.b.c.d:500 -> e.f.g.h:500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=5460)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
2004-01-18 22:12:57: DEBUG: sockmisc.c:421:sendfromto(): sockname a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80 bytes message will be sent to e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:12:57: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:13:17: DEBUG: sockmisc.c:421:sendfromto(): sockname a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80 bytes message will be sent to e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:13:17: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:14:57: ERROR: isakmp.c:1435:isakmp_ph1resend(): phase1 negotiation failed due to time up. 074dda08a6707937:0000000000000000


=============================================

My kernel config includes:

options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG


Ideas?

Brane

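Reading the posted ipsec.conf next to the log: both spdadd statements are "-P out", and racoon's NOTIFY line "no in-bound policy found: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in" is the kernel-side view of that, since the second statement (remote subnet to local subnet, tunnel e.f.g.h-a.b.c.d) describes traffic that arrives rather than leaves. The script below is an added example for this page, not part of the message and not part of setkey or racoon: it parses spdadd statements, flags tunnel policies whose direction contradicts their endpoints given the local address (a.b.c.d, taken from the listen directive), reports out-bound policies that have no mirror in-bound policy, and prints the corrected pair. The policy dict layout and the function names are mine.

```python
"""Audit setkey(8) spdadd policies for the missing in-bound policy racoon logged above."""
import re

# The spdadd statements copied verbatim from the posted /etc/ipsec.conf.
POSTED_CONF = """
# VPN tunnel
spdadd 192.168.200.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/a.b.c.d-e.f.g.h/require;

spdadd 192.168.2.0/24 192.168.200.0/24 any -P out ipsec
esp/tunnel/e.f.g.h-a.b.c.d/require;
"""

# spdadd src dst upperspec -P direction ipsec protocol/mode/src-dst/level
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)")


def parse_spd(conf_text):
    """One dict per spdadd statement; statements end with ';' and may span lines."""
    lines = [ln for ln in conf_text.splitlines() if not ln.lstrip().startswith("#")]
    policies = []
    for stmt in "\n".join(lines).split(";"):
        m = SPDADD_RE.search(" ".join(stmt.split()))
        if not m:
            continue
        src, dst, upper, direction, rule = m.groups()
        proto, mode, endpoints, level = rule.split("/")
        policies.append({"src": src, "dst": dst, "upper": upper, "dir": direction,
                         "proto": proto, "mode": mode, "endpoints": endpoints,
                         "level": level})
    return policies


def mirror_of(p):
    """The in-bound policy the kernel needs for replies to an out-bound tunnel
    policy: selector reversed, tunnel endpoints reversed."""
    local, remote = p["endpoints"].split("-")
    return dict(p, src=p["dst"], dst=p["src"], dir="in", endpoints=remote + "-" + local)


def audit_policies(policies, local_addr):
    """Report tunnel policies whose direction contradicts their endpoints (an 'out'
    policy must start its tunnel at local_addr, an 'in' policy must end it there)
    and out-bound policies that have no mirror in-bound policy."""
    missing_in, misdirected = [], []
    for p in policies:
        tun_src, tun_dst = p["endpoints"].split("-")
        wrong = p["mode"] == "tunnel" and (
            (p["dir"] == "out" and tun_src != local_addr) or
            (p["dir"] == "in" and tun_dst != local_addr))
        if wrong:
            misdirected.append(p)
        elif p["dir"] == "out" and mirror_of(p) not in policies:
            missing_in.append(mirror_of(p))
    return {"missing_in": missing_in, "misdirected": misdirected}


def fix_policies(policies, local_addr):
    """Flip misdirected tunnel policies to the direction their endpoints imply,
    then add whatever mirror in-bound policy is still missing."""
    fixed = []
    for p in policies:
        tun_src, tun_dst = p["endpoints"].split("-")
        if p["mode"] == "tunnel" and tun_src == local_addr:
            p = dict(p, dir="out")
        elif p["mode"] == "tunnel" and tun_dst == local_addr:
            p = dict(p, dir="in")
        fixed.append(p)
    for p in list(fixed):
        if p["dir"] == "out" and mirror_of(p) not in fixed:
            fixed.append(mirror_of(p))
    return fixed


def format_spdadd(p):
    """Render a policy dict back into setkey(8) syntax."""
    return "spdadd %s %s %s -P %s ipsec %s/%s/%s/%s;" % (
        p["src"], p["dst"], p["upper"], p["dir"],
        p["proto"], p["mode"], p["endpoints"], p["level"])


if __name__ == "__main__":
    posted = parse_spd(POSTED_CONF)
    report = audit_policies(posted, "a.b.c.d")
    for p in report["misdirected"]:
        print("direction contradicts tunnel endpoints:", format_spdadd(p))
    for p in report["missing_in"]:
        print("missing in-bound policy:", format_spdadd(p))
    print("corrected SPD:")
    for p in fix_policies(posted, "a.b.c.d"):
        print("   ", format_spdadd(p))
```

The correction it prints is the second spdadd with "-P in". Note what this does not explain: the phase 1 timeout. The log shows the same 80-byte proposal sent twice and nothing received from e.f.g.h before "time up", and racoon fails exactly that way with a correct SPD when UDP/500 does not reach the peer or the reply does not come back, so that is worth confirming with tcpdump on port 500 at both ends before changing anything in the proposal.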


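The 80-byte hex dump that plogdump() printed before each send is the complete phase 1 proposal as it left a.b.c.d. The following Python is an added example for this page, not part of the original message and not racoon code: it decodes that dump against the ISAKMP and IKE layouts in RFC 2408 and RFC 2409 and compares the transform attributes with the "remote e.f.g.h { proposal { ... } }" block of the posted racoon.conf. The name tables are assumptions that cover only the codes this packet can carry; anything else is reported numerically.

```python
"""Decode the 80-byte ISAKMP packet racoon dumped via plogdump() above."""
import struct

# Hex words copied from the plogdump() output in the racoon log (first send, 22:12:57).
PLOGDUMP = """
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
"""

# Value names from RFC 2408 (ISAKMP) and RFC 2409 (IKE). Assumed tables covering
# only the codes this packet can carry; anything else is reported numerically.
EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive"}
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group desc",
              11: "lifetype", 12: "lifeduration"}
ATTR_VALUES = {
    1: {5: "3des"},                                   # encryption algorithm
    2: {1: "md5", 2: "sha1"},                         # hash algorithm
    3: {1: "preshared", 3: "rsasig"},                 # authentication method
    4: {1: "modp768", 2: "modp1024", 5: "modp1536"},  # Diffie-Hellman group
    11: {1: "sec", 2: "kb"},                          # SA life type
}

# What the posted racoon.conf "remote e.f.g.h { proposal { ... } }" block asks for.
RACOON_CONF_PROPOSAL = {"enc": "3des", "hash": "sha1", "auth": "preshared",
                        "group desc": "modp1024", "lifetype": "sec",
                        "lifeduration": 6 * 3600}


def parse_attributes(data):
    """Data attributes (RFC 2408 3.3): AF=1 means a 16-bit value follows (TV form),
    AF=0 means a 16-bit length and then the value (TLV form)."""
    attrs, off = {}, 0
    while off < len(data):
        atype, avalue = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if atype & 0x8000:
            atype, value = atype & 0x7FFF, avalue
        else:
            value = int.from_bytes(data[off:off + avalue], "big")
            off += avalue
        name = ATTR_NAMES.get(atype, "attr%d" % atype)
        attrs[name] = ATTR_VALUES.get(atype, {}).get(value, value)
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then a chain of proposals with transforms."""
    doi, situation = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while off < len(body):
        nxt, _, plen, pnum, proto, spisize, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spisize, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid, _ = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append({"num": tnum, "id": tid,
                               "attrs": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"num": pnum, "proto": proto,
                          "spi": body[off + 8:off + 8 + spisize].hex(),
                          "transforms": transforms})
        off += plen
        if nxt == 0:
            break
    return {"doi": doi, "situation": situation, "proposals": proposals}


def parse_isakmp(pkt):
    """Fixed 28-byte ISAKMP header, then the payload chain linked by next-payload bytes."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("length field %d != %d bytes in dump" % (length, len(pkt)))
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE_TYPES.get(xchg, str(xchg)),
           "flags": flags, "msgid": msgid, "length": length, "payloads": []}
    off = 28
    while nxt != 0:
        ptype = nxt
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        body = pkt[off + 4:off + plen]
        msg["payloads"].append(parse_sa(body) if ptype == 1 else {"type": ptype, "raw": body.hex()})
        off += plen
    return msg


def decode_plogdump(text=PLOGDUMP):
    """Turn the space-separated hex words of a plogdump() into a parsed message."""
    return parse_isakmp(bytes.fromhex("".join(text.split())))


def diff_against_conf(attrs, expected=RACOON_CONF_PROPOSAL):
    """Attribute names whose on-the-wire value differs from the racoon.conf proposal."""
    return sorted(k for k in expected if attrs.get(k) != expected[k])


if __name__ == "__main__":
    import json
    msg = decode_plogdump()
    print(json.dumps(msg, indent=2))
    wire = msg["payloads"][0]["proposals"][0]["transforms"][0]["attrs"]
    print("mismatches vs racoon.conf:", diff_against_conf(wire))
```

Decoding shows the packet is exactly what the configuration says: version 1.0, identity protection (main mode), responder cookie all zero, one ISAKMP proposal with one KEY_IKE transform carrying 3DES, SHA1, pre-shared key, MODP1024 and a lifetime of 0x5460 = 21600 seconds, which is the "lifetime time 6 hour" of the remote block (tcpdump prints that value in hex, hence "value=5460" in the log). Nothing in the proposal explains the timeout; the packet is well-formed and the log simply never records a reply.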

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1074460582.1353.39.camel>