Date: Mon, 5 Aug 2002 09:19:26 -0700 (PDT)
From: Hector Villalvazo <hvillalvazo@yahoo.com>
To: questions@freebsd.org
Subject: racoon
Message-ID: <20020805161926.17009.qmail@web11607.mail.yahoo.com>
Hi. I have a big problem: my racoon configuration does not work. Can you help me?

Here are my racoon.conf, psk.txt, the debug output of racoon and my setkey configuration:

Node A:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P in ipsec esp/transport//require;

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P out ipsec esp/transport//require;

racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
    isakmp 3ffe:8070:100d:2:203:47ff:fe68:2efe [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];        # administrative's port by kmpstat.
    #strict_address;      # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier address;
    #my_identifier user_fqdn "sakane@kame.net";
    #peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;  # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;  # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

remote 3ffe:8070:100d:2:203:47ff:fea8:8dee [8000]
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier user_fqdn "sakane@kame.net";
    #peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;  # sec,min,hour

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fe68:2efe any address 3ffe:8070:100d:2:203:47ff:fea8:8dee
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
}

psk.txt:

3ffe:8070:100d:2:203:47ff:fea8:8dee wolverine

Node B:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P in ipsec esp/transport//require;

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P out ipsec esp/transport//require;

racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
    isakmp 3ffe:8070:100d:2:203:47ff:fea8:8dee [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];        # administrative's port by kmpstat.
    #strict_address;      # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier address;
    #my_identifier user_fqdn "sakane@kame.net";
    # peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;  # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;  # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

remote 3ffe:8070:100d:2:203:47ff:fe68:2efe [8000]
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    # my_identifier user_fqdn "sakane@kame.net";
    #peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;  # sec,min,hour

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fea8:8dee any address 3ffe:8070:100d:2:203:47ff:fe68:2efe
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
}

psk.txt:

3ffe:8070:100d:2:203:47ff:fe68:2efe wolverine

1) On Node A I write: /usr/local/sbin/racoon -Fd -f /usr/local/etc/racoon/racoon.conf

2) On Node B: /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

The following is the output when I ping from B to A:

Foreground mode.
2002-08-05 05:14:39: INFO: main.c:163:main(): @(#)package version 20010831a
2002-08-05 05:14:39: INFO: main.c:165:main(): @(#)internal version 20001216 sakane@ydc.co.jp
2002-08-05 05:14:39: INFO: main.c:166:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for AH
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for ESP
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for IPCOMP
2002-08-05 05:14:39: DEBUG: algorithm.c:608:alg_oakley_dhdef(): hmac(modp1024)
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: INFO: isakmp.c:1387:isakmp_open(): 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] used as isakmp port (fd=6)
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: policy.c:213:cmpspidxstrict(): sub:0xbfbff980: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:39: DEBUG: policy.c:214:cmpspidxstrict(): db :0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:14:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbff96c: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:274:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:276:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:290:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: policy.c:292:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: pfkey.c:1539:pk_recvacquire(): suitable outbound SP found: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out.
2002-08-05 05:14:45: DEBUG: pfkey.c:1541:pk_recvacquire(): suitable inbound SP found: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in.
2002-08-05 05:14:45: DEBUG: pfkey.c:1573:pk_recvacquire(): new acquire 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:45: DEBUG: proposal.c:824:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2002-08-05 05:14:45: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2002-08-05 05:14:45: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 3ffe:8070:100d:2:203:47ff:fea8:8dee.
2002-08-05 05:14:45: INFO: isakmp.c:1734:isakmp_post_acquire(): IPsec-SA request for 3ffe:8070:100d:2:203:47ff:fea8:8dee queued due to no phase1 found.
2002-08-05 05:14:45: DEBUG: isakmp.c:819:isakmp_ph1begin_i(): ===
2002-08-05 05:14:45: INFO: isakmp.c:824:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<=>3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:45: INFO: isakmp.c:829:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-08-05 05:14:45: DEBUG: isakmp.c:2046:isakmp_newcookie(): new cookie:
40646eeddb80df45
2002-08-05 05:14:45: DEBUG: isakmp.c:2163:set_isakmp_payload(): add payload of len 48, next type 0
2002-08-05 05:14:45: DEBUG: isakmp.c:2298:isakmp_printpacket(): begin.
14:45.999926 3ffe:8070:100d:2:203:47ff:fe68:2efe:7000 -> 3ffe:8070:100d:2:203:47ff:fea8:8dee:8000: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=003c)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
2002-08-05 05:14:46: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:14:46: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:14:46: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:14:46: DEBUG: plog.c:209:plogdump():
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: isakmp.c:1490:isakmp_ph1resend(): resend phase1 packet 40646eeddb80df45:0000000000000000
2002-08-05 05:15:06: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:15:06: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:15:06: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:15:06: DEBUG: plog.c:209:plogdump():
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:15:06: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-05 05:15:17: ERROR: isakmp.c:1826:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:8070:100d:2:203:47ff:fea8:8dee->3ffe:8070:100d:2:203:47ff:fe68:2efe
2002-08-05 05:15:17: INFO: isakmp.c:1831:isakmp_chkph1there(): delete phase 2 handler.
2002-08-05 05:15:18: INFO: session.c:276:check_sigreq(): caught signal 2
2002-08-05 05:15:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey FLUSH message
2002-08-05 05:15:19: DEBUG: pfkey.c:268:pfkey_dump_sadb(): call pfkey_send_dump
2002-08-05 05:15:19: INFO: session.c:180:close_session(): racoon shutdown

Thanks

H.V.
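An offline consistency check over a pair of racoon configurations like the two posted above, added here as an example; it is not part of the post and not racoon's own code. It assumes only the racoon.conf grammar for `listen { isakmp ADDR [PORT]; }`, `remote ADDR [PORT] { proposal { ... } }` and the `identifier key` lines of psk.txt as documented in racoon.conf(5); the parser, the check names and the finding strings are the example's own. The sample input is a constructed, trimmed copy of the posted Node A and Node B files (addresses, ports, proposal and key as posted; timer, padding and sainfo blocks omitted).

```python
import re

ISAKMP_DEFAULT_PORT = 500  # racoon's default when listen/remote names no [port]

A_ADDR = "3ffe:8070:100d:2:203:47ff:fe68:2efe"  # Node A, from the post
B_ADDR = "3ffe:8070:100d:2:203:47ff:fea8:8dee"  # Node B, from the post

# Constructed sample: the listen/remote parts of the posted racoon.conf files
# (timer, padding and sainfo blocks omitted). As in the post, each node binds
# ISAKMP on [7000] and addresses its peer at [8000].
CONF_TEMPLATE = """
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
listen
{
    isakmp @ME@ [7000];
    #isakmp 202.249.11.124 [500];
}
remote anonymous
{
    proposal_check obey;    # obey, strict or claim
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key ; dh_group 2 ; }
}
remote @PEER@ [8000]
{
    exchange_mode aggressive,main;
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key ; dh_group 2 ; }
}
"""
NODE_A_CONF = CONF_TEMPLATE.replace("@ME@", A_ADDR).replace("@PEER@", B_ADDR)
NODE_B_CONF = CONF_TEMPLATE.replace("@ME@", B_ADDR).replace("@PEER@", A_ADDR)
NODE_A_PSK = f"{B_ADDR} wolverine\n"  # psk.txt as posted: peer identifier, key
NODE_B_PSK = f"{A_ADDR} wolverine\n"


def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def block_body(text, open_idx):
    """Text inside the balanced braces whose '{' sits at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in racoon.conf")


def parse_racoon_conf(text):
    """Collect listen (addr, port) pairs and each remote block's port and phase 1 proposal."""
    text = strip_comments(text)
    conf = {"listen": [], "remote": {}}
    m = re.search(r"\blisten\s*\{", text)
    if m:
        for addr, port in re.findall(r"isakmp\s+(\S+)\s*(?:\[(\d+)\])?\s*;", block_body(text, m.end() - 1)):
            conf["listen"].append((addr, int(port) if port else ISAKMP_DEFAULT_PORT))
    for m in re.finditer(r"\bremote\s+(\S+?)\s*(?:\[(\d+)\])?\s*\{", text):
        body = block_body(text, m.end() - 1)
        prop = re.search(r"\bproposal\s*\{", body)
        proposal = dict(re.findall(r"(\w+)\s+(\S+)\s*;", block_body(body, prop.end() - 1))) if prop else {}
        conf["remote"][m.group(1)] = {"port": int(m.group(2) or ISAKMP_DEFAULT_PORT), "proposal": proposal}
    return conf


def parse_psk(text):
    """psk.txt: one 'identifier key' pair per line."""
    pairs = (line.split(None, 1) for line in strip_comments(text).splitlines())
    return {ident: key.strip() for ident, key in (p for p in pairs if len(p) == 2)}


def cross_check(nodes):
    """nodes: {name: (parsed conf, psk dict)}. Returns one finding per inconsistency."""
    findings = []
    for me, (mine, my_psk) in nodes.items():
        my_addrs = [addr for addr, _ in mine["listen"]]
        for peer, (theirs, their_psk) in nodes.items():
            peer_listen = dict(theirs["listen"])
            for addr, rc in mine["remote"].items():
                if peer == me or addr not in peer_listen:
                    continue  # 'anonymous', or a remote block for some other host
                # 1. Phase 1 packets go to the port in 'remote ADDR [port]';
                #    the peer must bind that port in its 'listen' block.
                if rc["port"] != peer_listen[addr]:
                    findings.append(f"{me}: sends to {addr} [{rc['port']}] but {peer} listens on [{peer_listen[addr]}]")
                # 2. psk.txt must carry a key under the peer's identifier.
                if addr not in my_psk:
                    findings.append(f"{me}: psk.txt has no entry for {addr}")
                # 3. The peer's remote block for me must offer the same phase 1
                #    proposal and hold the same key, or phase 1 cannot complete.
                my_addr = next((a for a in my_addrs if a in theirs["remote"]), None)
                if my_addr is None:
                    findings.append(f"{peer}: no remote block for {me} ({', '.join(my_addrs)})")
                    continue
                if theirs["remote"][my_addr]["proposal"] != rc["proposal"]:
                    findings.append(f"{me}<->{peer}: phase 1 proposals differ")
                if addr in my_psk and their_psk.get(my_addr) != my_psk[addr]:
                    findings.append(f"{me}<->{peer}: pre-shared keys for each other differ")
    return findings


def check_post_configs():
    """Run the cross-check on the two configurations from the post."""
    return cross_check({
        "Node A": (parse_racoon_conf(NODE_A_CONF), parse_psk(NODE_A_PSK)),
        "Node B": (parse_racoon_conf(NODE_B_CONF), parse_psk(NODE_B_PSK)),
    })
```

Calling `check_post_configs()` on the posted files returns two findings: each node addresses its peer on port 8000 while both `listen` blocks bind port 7000. Keys and phase 1 proposals agree on both sides. A phase 1 packet sent to a port the peer never bound draws no reply, which is consistent with the repeated `resend phase1 packet` lines and the final `time up waiting for phase1` error in the debug output; with the two `remote ... [port]` values aligned to the peers' `listen` ports the check returns nothing.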