Date:      Fri, 16 Nov 2001 12:25:12 +1000
From:      Nick Slager <ns@BlueSkyFrog.COM>
To:        Shoichi Sakane <sakane@kame.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: KAME IPsec <--> Cisco
Message-ID:  <20011116122512.A24232@BlueSkyFrog.COM>
In-Reply-To: <20011116110930M.sakane@kame.net>; from sakane@kame.net on Fri, Nov 16, 2001 at 11:09:30AM +0900
References:  <20011116115417.F22136@BlueSkyFrog.COM> <20011116110930M.sakane@kame.net>

Thus spake Shoichi Sakane (sakane@kame.net):

> > 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
> 
> umm, could you show me what packet is sent by the cisco ?
> there is a part of the hex dump of the packet in the racoon logs.

Sorry, I should have posted the entire log first time:

2001-11-16 12:13:20: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2001-11-16 12:13:20: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 203.y.y.y/32[0] 203.x.x.x/32[0] proto=any dir=out.
2001-11-16 12:13:20: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfbff8ac: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in
2001-11-16 12:13:20: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a3a08: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in
2001-11-16 12:13:20: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in.
2001-11-16 12:13:20: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 203.y.y.y/32[0] 203.x.x.x/32[0] proto=any dir=out
2001-11-16 12:13:20: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2001-11-16 12:13:20: DEBUG: proposal.c:822:printsaproto():  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2001-11-16 12:13:20: DEBUG: proposal.c:856:printsatrns():   (trns_id=3DES encklen=0 authtype=2)
2001-11-16 12:13:20: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 203.x.x.x.
2001-11-16 12:13:20: INFO: isakmp.c:1726:isakmp_post_acquire(): IPsec-SA request for 203.x.x.x queued due to no phase1 found.
2001-11-16 12:13:20: DEBUG: isakmp.c:811:isakmp_ph1begin_i(): ===
2001-11-16 12:13:20: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 203.y.y.y[500]<=>203.x.x.x[500]
2001-11-16 12:13:20: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Aggressive mode.
2001-11-16 12:13:20: DEBUG: isakmp.c:2038:isakmp_newcookie(): new cookie:
016acbfeb84acd55 
2001-11-16 12:13:20: DEBUG: ipsec_doi.c:3181:ipsecdoi_setid1(): use ID type of IPv4_address
2001-11-16 12:13:20: DEBUG: oakley.c:250:oakley_dh_generate(): compute DH's private.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 
dc71c8e9 7a12697d 4ddc032b 97a9ec96 83d4bcb4 8b19294e b67e098a bb982993
cec2a674 e0508cf6 3ef1d89e de726edb 3005ef09 de8f4474 0a3e1f84 a519b0a5
bf441c6a 1061816a 95fe8269 e2eb142b 03110fd2 dde3ed7e c21b1d9f 53e3d0cf
2001-11-16 12:13:20: DEBUG: oakley.c:252:oakley_dh_generate(): compute DH's public.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 
b4b2ea06 c8018285 dac6da9a ceebb01f bf4f804f f77eb508 e2f81cf9 8ead353a
9af1aa03 2c0d0c12 858f7acf 59228fd4 6e8bb08c 4045596d 12233acb 7b58b3d0
624c6b73 cfba70f7 e4824152 d6dd33cd 09248853 cc9f8cd6 276c72b3 97d72bd4
2001-11-16 12:13:20: DEBUG: isakmp_agg.c:157:agg_i1send(): authmethod is pre-shared key
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 52, next type 4
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 10
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 5
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 8, next type 0
2001-11-16 12:13:20: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 12:13:20: DEBUG: sockmisc.c:424:sendfromto(): sockname 203.y.y.y[500]
2001-11-16 12:13:20: DEBUG: sockmisc.c:426:sendfromto(): send packet from 203.y.y.y[500]
2001-11-16 12:13:20: DEBUG: sockmisc.c:428:sendfromto(): send packet to 203.x.x.x[500]
2001-11-16 12:13:20: DEBUG: isakmp.c:1462:isakmp_send(): 1 times of 296 bytes message will be sent.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 
016acbfe b84acd55 00000000 00000000 01100400 00000000 00000128 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040001 0a000064 b4b2ea06 c8018285
dac6da9a ceebb01f bf4f804f f77eb508 e2f81cf9 8ead353a 9af1aa03 2c0d0c12
858f7acf 59228fd4 6e8bb08c 4045596d 12233acb 7b58b3d0 624c6b73 cfba70f7
e4824152 d6dd33cd 09248853 cc9f8cd6 276c72b3 97d72bd4 05000064 98a8c643
cb5527b2 7a983c45 7ee0caa6 d05c4e18 a3e9e042 6a0b103d 9660092a b2bee2ad
b4eda3a9 98a3a6c8 bc20b204 e6f05da6 40613a81 8b378f76 fd9144e6 315ce547
082b1f95 cb5c9f61 603f745d 336fa671 fb842610 621a6c39 0801ae49 0000000c
011101f4 cbb9df13
2001-11-16 12:13:20: DEBUG: isakmp.c:233:isakmp_handler(): ===
2001-11-16 12:13:20: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.x.x.x[500]
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 
016acbfe b84acd55 19e865f5 2b05b309 0b100500 00000000 00000060 00000044
00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
6225c09c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
2001-11-16 12:13:20: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 12:13:20: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-16 12:13:20: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-16 12:13:20: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-16 12:13:20: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-16 12:13:20: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-16 12:13:20: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-16 12:13:20: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-16 12:13:20: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
2001-11-16 12:13:51: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.x.x.x->203.y.y.y 
2001-11-16 12:13:51: INFO: isakmp.c:1823:isakmp_chkph1there(): delete phase 2 handler.


> > 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
> 
> the cisco complained about the proposal racoon sent.  I'm not sure what
> the phase was.  check if phase 1 was established, and then check whether
> the proposals are the same.

I haven't actually seen the Cisco config, but they tell me the router is
set to use DES encryption with an MD5 hash.

 
> > sainfo address 203.x.x.x any address 203.y.y.y any
> > {
> >         pfs_group 1;
> >         lifetime time 30 sec;
> >         encryption_algorithm des ;
> >         authentication_algorithm hmac_md5;
> >         compression_algorithm deflate ;
> > }
> 
> does the cisco support PFS ?  and can the cisco accept the lifetime of
> 30 seconds ?

People at the other end tell me the Cisco will support pfs_group 1 or 2.
I have also omitted it altogether, with the same result.

Regards,


Nick

-- 
Excuse of the day:
NOTICE: alloc: /dev/null: filesystem full

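The racoon log above only prints the raw hex of the 96-byte Informational message the Cisco returned, and the ERROR/DEBUG lines after it have to be read together to see what was actually in it. The decoder below is an added example, not racoon code and not anything from the thread's participants: it walks the RFC 2408 ISAKMP header and payload chain, decodes the Notification payload, and applies the §3.14 rule that for Protocol-ID ISAKMP (1) the SPI Size may be anywhere from 0 to 16 octets, which is the field racoon's `isakmp_info_recv_n()` rejected as "invalid spi_size". The hex constant is copied verbatim from the log; the dictionaries of payload, exchange and notify names are the RFC 2408 assignments and are deliberately partial.

```python
"""Decode the ISAKMP Informational message dumped in the racoon log (added example)."""
import struct

# Copied from the 'plogdump()' lines that follow '96 bytes message received' above.
RECEIVED_HEX = """
016acbfe b84acd55 19e865f5 2b05b309 0b100500 00000000 00000060 00000044
00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
6225c09c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
"""

# Partial name tables from RFC 2408 (only the values relevant here).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}
NOTIFY_TYPES = {11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                24: "AUTHENTICATION-FAILED"}
PROTO_ISAKMP = 1


def spi_size_ok(proto_id: int, spi_size: int) -> bool:
    """RFC 2408 section 3.14: for Protocol-ID ISAKMP the cookie pair is the SPI, so the
    SPI Size MAY be 0..16.  For other protocols (ESP/AH) a 4-byte SPI is expected."""
    if proto_id == PROTO_ISAKMP:
        return 0 <= spi_size <= 16
    return spi_size == 4


def parse_notify(body: bytes) -> dict:
    """Decode the fixed part of a Notification payload (after its generic header)."""
    if len(body) < 8:
        raise ValueError("notification payload shorter than its fixed fields")
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if 8 + spi_size > len(body):
        raise ValueError("spi_size runs past the end of the payload")
    spi = body[8:8 + spi_size]
    return {"doi": doi, "proto_id": proto_id, "spi_size": spi_size, "spi": spi.hex(),
            "spi_size_ok": spi_size_ok(proto_id, spi_size),
            "notify_type": ntype, "notify_name": NOTIFY_TYPES.get(ntype, str(ntype)),
            "data_len": len(body) - 8 - spi_size}


def parse_isakmp(data: bytes) -> dict:
    """Parse the 28-byte ISAKMP header and the payload chain, length-checking each step."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, ver, etype, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != packet length {len(data)}")
    header = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
              "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": etype,
              "exchange_name": EXCHANGE_TYPES.get(etype, str(etype)),
              "flags": flags, "message_id": msgid, "length": length}
    payloads, off = [], 28
    while np != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payload = {"type": np, "name": PAYLOAD_TYPES.get(np, str(np)), "length": plen}
        if np == 11:  # Notification
            payload.update(parse_notify(data[off + 4:off + plen]))
        payloads.append(payload)
        np, off = nxt, off + plen
    return {"header": header, "payloads": payloads}


def decode_log_dump(hexdump: str) -> dict:
    """Turn a racoon plogdump() hex block (whitespace-separated words) into a parsed packet."""
    return parse_isakmp(bytes.fromhex("".join(hexdump.split())))


if __name__ == "__main__":
    pkt = decode_log_dump(RECEIVED_HEX)
    print(pkt["header"])
    for p in pkt["payloads"]:
        print(p)
```

Running it shows an Informational exchange carrying a single `N` payload with doi=1, proto_id=1, notify type 14 (NO-PROPOSAL-CHOSEN) and spi_size=0, matching racoon's DEBUG line; the decoder marks that spi_size as acceptable under RFC 2408, and the 56 bytes of notification data the Cisco appended are left undecoded. The same function can be pointed at the 296-byte Aggressive mode message racoon sent, since the header and chain walk are identical; only the per-payload decoding is specific to Notification here.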
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011116122512.A24232>