Date: Tue, 11 Dec 2001 11:09:21 +0000
From: freebsd-security-local@insignia.com
To: freebsd-security@freebsd.org
Subject: Re: Racoon <> VPN Gateway
Message-ID: <52qb1u0gfaub5ktcc4nb6rg5ndp9o8g1f5@4ax.com>
On Tue, 11 Dec 2001 01:37:24 +0900, sakane@kame.net (Shoichi Sakane) wrote:

>> I've now got further trying to get racoon talking to a Redcreek
>> Ravlin10 VPN gateway, once I realised the gif device is needed
>> for tunnel mode. It actually replies to me, though the reply
>> isn't what racoon seems to expect.
>
> basically you don't need the gif device configuration when you want
> to use IPsec tunnel mode.

Reading the DaemonNews article, they suggest that this is done "to get the routing right in the kernel" and it's nothing to do with the IPSec tunnelling.

>> I'm trying to establish an ESP tunnel mode connection between
>> 213.208.123.252 (racoon) and 195.74.141.60 (Ravlin).
>
>> Racoon says:
>>
>> >2001-12-06 20:44:02: DEBUG: isakmp.c:394:isakmp_main(): malformed cookie received or the spi expired.

OK, I found this. On rereading the docs I realised that I had set the pre-shared key incorrectly. It has spaces in it and I had surrounded it with double quotes. I now realise that racoon takes the first non-whitespace character after the IP address as the start of the key. Changing this made the SA come up!

Racoon is not 100% happy though:

> Dec 10 19:25:17 field racoon: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 213.208.123.252[500]<=>195.74.141.60[500]
> Dec 10 19:25:17 field racoon: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Identity Protection mode.
> Dec 10 19:25:17 field racoon: INFO: isakmp.c:2453:log_ph1established(): ISAKMP-SA established 213.208.123.252[500]-195.74.141.60[500] spi:a3aa6711976b7507:2d437c5f3fb040d0
> Dec 10 19:25:18 field racoon: WARNING: isakmp_inf.c:1264:isakmp_check_notify(): ignore RESPONDER-LIFETIME notification.
> Dec 10 19:25:18 field racoon: WARNING: ipsec_doi.c:907:cmp_aproppair_i(): transform number has been modified.
> Dec 10 19:25:18 field racoon: ERROR: proposal.c:488:cmpsatrns(): trns_id mismatched: my:2 peer:3
> Dec 10 19:25:18 field racoon: ERROR: proposal.c:488:cmpsatrns(): trns_id mismatched: my:2 peer:3
> Dec 10 19:25:18 field racoon: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 195.74.141.60->213.208.123.252 spi=185712998(0xb11c166)
> Dec 10 19:25:18 field racoon: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 213.208.123.252->195.74.141.60 spi=4175081201(0xf8daaef1)

However, I still can't get a packet to go out and back. If I try a ping and trace packets to the VPN gateway box I see the ESP packet go out but there is no reply, so we press on...

Regards,

Jim Hatfield

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
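As an added illustration of the pre-shared key mistake described in the mail above (example code, not from the post or from racoon itself), this Python model reads psk.txt lines the way Jim describes: the key starts at the first non-whitespace character after the identifier and runs to end of line, so quoting a key that contains spaces makes the quotes part of the key. The sample file contents and the psk_warnings check are assumptions added here.

```python
import re

# Constructed sample psk.txt contents (not from the mail): the quoted key
# that caused the "malformed cookie" failure, beside the corrected line.
PSK_QUOTED = '# constructed example\n195.74.141.60 "my secret key"\n'
PSK_FIXED = '# constructed example\n195.74.141.60 my secret key\n'


def parse_psk_line(line):
    """Model of one psk.txt line: identifier, whitespace, then the key.

    The key begins at the first non-whitespace character after the
    identifier and runs to the end of the line, so surrounding quotes
    become part of the key. Blank lines and '#' comments are skipped.
    This is a reconstruction of the rule described in the mail, not
    racoon's own parser.
    """
    stripped = line.rstrip("\r\n").lstrip()
    if not stripped or stripped.startswith("#"):
        return None
    m = re.match(r"(\S+)\s+(.*)$", stripped)
    if m is None:
        return None  # identifier with no key: unusable entry
    return m.group(1), m.group(2)


def lookup_psk(text, identifier):
    """Return the key this model would use for identifier, or None."""
    for line in text.splitlines():
        entry = parse_psk_line(line)
        if entry is not None and entry[0] == identifier:
            return entry[1]
    return None


def psk_warnings(key):
    """Assumed sanity checks for a parsed key (not part of racoon)."""
    warnings = []
    if len(key) >= 2 and key[0] == key[-1] and key[0] in "\"'":
        warnings.append("key is wrapped in quotes; they are part of the key")
    if key != key.rstrip():
        warnings.append("key has trailing whitespace")
    return warnings


if __name__ == "__main__":
    for label, text in (("quoted", PSK_QUOTED), ("fixed", PSK_FIXED)):
        key = lookup_psk(text, "195.74.141.60")
        print(label, repr(key), psk_warnings(key))
```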