Date:      Wed, 10 Jul 2002 19:17:42 -0400 (EDT)
From:      Dru <dlavigne6@cogeco.ca>
To:        security@freebsd.org
Subject:   no phase2 handle found--Solved!
Message-ID:  <20020710191535.I141-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>


For the archives, this was a missing line in the configs on the PIX, not a
racoon error. It _is_ possible to set up a VPN between a PIX and racoon.

Thanks to all who took the time to respond and share their configs.

Cheers,

Dru



---------- Forwarded message ----------
Date: Tue, 9 Jul 2002 19:18:04 -0400 (EDT)
From: Dru <dlavigne6@cogeco.ca>
To: security@freebsd.org
Subject: no phase2 handle found (fwd)


No one willing to give a stab at this? :(

I've tried enabling/disabling every feature combination possible in
racoon.conf, I've tried transport and tunnel modes, I've read the RFCs
and scoured the Net (and learned more about IPSEC than a person should be
allowed to know), I've created a bazillion phase one SAs, but nothing I've
tried gets me past that "unknown notify message" in phase 2. I'd give my hen's
teeth to see a phase 2 SA....

The bit of code the error message refers to deals with a potential DoS
attack, so it looks like racoon is the one that's bailing out and deleting
the phase 1 SA. I'm not good enough with C to want to try mucking with the
source code. Anyone willing to reply to me off list? I'll buy you a beer
if you ever come to Canada :)

Dru




---------- Forwarded message ----------
Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
From: Dru <dlavigne6@cogeco.ca>
To: security@freebsd.org
Subject: no phase2 handle found


Didn't get any response from questions, so I'll try here.

Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
the latest racoon. Phase 1 is successful and an ethereal analysis shows
that both are negotiating the same policy parameters. However, Phase 2
repeats endlessly with this message in /var/log/racoon.conf:

ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
phase2 handle found.

The Phase 2 parameters on the PIX:

crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000

and in racoon:

pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

I can only guess that negotiations are failing because of the compression
algorithm; from what I can gather PIX only supports lzs but I'm unsure if
compression is enabled or disabled by default. There are no (documented) knobs
in the PIX IOS to enable/disable compression in the transform set.

I haven't had any luck getting setkey to use lzs and a google search shows
one mailing list query which never received an answer. If I try:

add bsd_ip pix_ip 666 -C lzs;

I get a syntax error.

I've been able to set the SPD to accept this as part of the policy

ipcomp/tunnel/pix_ip-bsd_ip/require;

but that still doesn't tell it to use lzs.

racoon.conf accepts the lzs keyword but that didn't help either.

Any suggestions on where to go from here?

Also, the manpage for tcpdump has a -E option that works if tcpdump was
compiled with cryptography enabled. How do I do this?

TIA,

Dru



