From owner-freebsd-security Sun Mar 18 0:38:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.butya.kz (butya-gw.butya.kz [212.154.129.94]) by hub.freebsd.org (Postfix) with ESMTP id 62D8437B719; Sun, 18 Mar 2001 00:38:43 -0800 (PST) (envelope-from bp@butya.kz)
Received: by relay.butya.kz (Postfix, from userid 1000) id 952D5288DD; Sun, 18 Mar 2001 14:38:37 +0600 (ALMT)
Received: from localhost (localhost [127.0.0.1]) by relay.butya.kz (Postfix) with ESMTP id 8E43F2878C; Sun, 18 Mar 2001 14:38:37 +0600 (ALMT)
Date: Sun, 18 Mar 2001 14:38:37 +0600 (ALMT)
From: Boris Popov
To: Sergey Babkin
Cc: security@freebsd.org, Wes Peters, Robert Watson, fs@freebsd.org
Subject: Re: about common group & user ID space (PR kern/14584)
In-Reply-To: <3AB3FC38.94711FFF@bellatlantic.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 17 Mar 2001, Sergey Babkin wrote:

> I want to commit PR kern/14584. I've been told that it's good
> to discuss it in -arch, -security and -fs. (It has been sort of
> discussed on -hackers already; there were not many replies.)

Well, the idea looks good. It doesn't break any existing command, except that one needs a (simple) tool to control the required pseudo-flat UID/GID space. However, I'd like it more if it were possible to enable such behavior on a per-mount basis (but I guess we're out of spare mount options).
--
Boris Popov
http://www.butya.kz/~bp/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 18 4:50:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scully.madbovine.com (dsl081-135-233.nyc1.dsl.speakeasy.net [64.81.135.233]) by hub.freebsd.org (Postfix) with ESMTP id 7506C37B718; Sun, 18 Mar 2001 04:50:30 -0800 (PST) (envelope-from asmo@scully.madbovine.com)
Received: (from asmo@localhost) by scully.madbovine.com (8.11.3/8.11.3) id f2ICi1604114; Sun, 18 Mar 2001 07:44:01 -0500 (EST) (envelope-from asmo)
Date: Sun, 18 Mar 2001 07:44:01 -0500
From: Justin
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Strange Message when using telnet to connect to other machines/routers...
Message-ID: <20010318074401.A4097@scully.madbovine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I recently installed the 4.0 release ISO on my machine, then CVSup'd the latest sources and completed the upgrade process by making world and compiling and installing a new kernel. At this point I have not installed SSH, OpenSSH, or any other security-related app. This is what confuses me: I had 4.2-STABLE on this same machine about a week ago and never encountered this problem before. Granted, it's not a big deal, but it's annoying and I would like to know a little more about it. Anyway, this started when I CVSup'd to 4.3-STABLE (BETA) and has not stopped. This is what happens when I try telnetting into a Cisco router at work (7500 series):

    bash-2.03$ telnet 233.23.3.0
    Trying 233.23.3.0...
    Connected to betxx.xxx.com.
    Escape character is '^]'.

    User Access Verification

    Password:
    Kerberos: No default realm defined for Kerberos!    <----- What is this???

This message is also new, and I have not seen it before 4.3 either. This is a FreeBSD machine that is also running 4.3-BETA, and it gets the same message as mine does when telnetting to other routers:

    bash-2.03$ telnet 20.1.5.1
    Trying 20.1.5.1...
    Connected to 20.1.5.1.
    Escape character is '^]'.
    Trying SRA secure login:
    User (asmo):
    Password:
    [ SRA accepts you ]

Does anyone have any clues? The SRA thing is fine, I assume that is something new, but the message above confuses me. Why is it now prompting that error message? And BTW, what is SRA?

Thanks SO MUCH in advance!

Justin
Please reply to asmo@madbovine.com

From owner-freebsd-security Sun Mar 18 6:52: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 5C6B637B718; Sun, 18 Mar 2001 06:51:54 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03707; Sun, 18 Mar 2001 06:48:21 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03705; Sun Mar 18 06:48:09 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f2IEm0D17167; Sun, 18 Mar 2001 06:48:00 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdb17165; Sun Mar 18 06:47:45 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f2IElef41927; Sun, 18 Mar 2001 06:47:40 -0800 (PST)
Message-Id: <200103181447.f2IElef41927@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdF41921; Sun Mar 18 06:47:18 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Sergey Babkin
Cc: security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
In-reply-to: Your message of "Sat, 17 Mar 2001 19:07:20 EST." <3AB3FC38.94711FFF@bellatlantic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 18 Mar 2001 06:47:17 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3AB3FC38.94711FFF@bellatlantic.net>, Sergey Babkin writes:
> All,
>
> I want to commit PR kern/14584. I've been told that it's good

From an operational standpoint I see one problem. Some sites use UIDs 0-999 and 65000-65535 for special accounts, such as www, ftp, oracle, etc. In some cases this policy is dictated by a desire to have some kind of commonality across various vendor platforms, some of which reserve some odd UIDs and GIDs for vendor-supplied software or purposes.

The only suggestion I would make is that a range could be specified: for example, instead of vfs.commonid, vfs.commonid.low and vfs.commonid.high, allowing a site to reserve UIDs/GIDs 10000-19999 or any other range as common IDs.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sun Mar 18 11:48:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5201537B719; Sun, 18 Mar 2001 11:48:29 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA01358; Sun, 18 Mar 2001 12:42:26 -0700 (MST)
Message-Id: <4.3.2.7.2.20010318123759.00d9dd10@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 18 Mar 2001 12:42:17 -0700
To: Terry Lambert, babkin@bellatlantic.net (Sergey Babkin)
From: Brett Glass
Subject: Re: about common group & user ID space (PR kern/14584)
Cc: security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <200103180738.AAA03250@usr05.primenet.com>
References: <3AB3FC38.94711FFF@bellatlantic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:38 AM 3/18/2001, Terry Lambert wrote:

> The benefits in not having to grovel through the FS contents, or
> do more complex ID space transformations, and the moving of the
> majority of changes to user space, combined with the fact that if
> you turn it off, the ownership doesn't need to be reverted, are
> all plusses.

At the same time, it'd be nice to eliminate the arbitrary limitations on (a) the number of groups of which a user can be a member and (b) the number of members in a group.
Both of these limitations often bite administrators who, for example, want most users of a system to be members of a particular group or want to implement group-based access control schemes with a moderate degree of granularity. Classes won't cut it for this purpose, alas, because they're not built into file system security.

--Brett

From owner-freebsd-security Sun Mar 18 11:57:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 9D8B837B718 for ; Sun, 18 Mar 2001 11:57:11 -0800 (PST) (envelope-from petef@hex.databits.net)
Received: (qmail 9842 invoked by uid 1001); 18 Mar 2001 19:57:11 -0000
Date: Sun, 18 Mar 2001 14:57:11 -0500
From: Pete Fritchman
To: Spades
Cc: freebsd-security@freebsd.org
Subject: Re: passwd problem
Message-ID: <20010318145711.D9528@databits.net>
References: <3.0.32.20010318144200.006c4098@smtp.magix.com.sg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3.0.32.20010318144200.006c4098@smtp.magix.com.sg>; from spades@galaxynet.org on Sun, Mar 18, 2001 at 02:42:00PM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

    tol [73] % strings /usr/bin/passwd | grep "Unable to update EPS password."
    tol [74] %

[ assuming you're running RELENG_4 ]

Try 'which passwd' to make sure you're running the system's passwd. If you are running the system passwd, get this error message, and didn't replace /usr/bin/passwd yourself, you might want to reinstall, or at least take the machine offline and do an installworld with fresh sources.

-pete

++ 18/03/01 14:42 +0800 - Spades:
> # passwd
> Warning: configuration file missing; please run 'tconf'
> Unable to update EPS password.
> Password changed.
>
> How do I reinstall passwd or fix this?

--
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security Sun Mar 18 12: 4:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.port.ru (mx1.port.ru [194.67.23.32]) by hub.freebsd.org (Postfix) with ESMTP id 01AF137B719 for ; Sun, 18 Mar 2001 12:04:31 -0800 (PST) (envelope-from admin128@mail.ru)
Received: from ts6-a48.dial.sovam.com ([195.239.0.176]) by smtp1.port.ru with esmtp (Exim 3.14 #43) id 14ejPe-000BMi-00 for security@FreeBSD.ORG; Sun, 18 Mar 2001 23:04:29 +0300
Date: Sun, 18 Mar 2001 23:03:53 +0300
From: Anton Vladimirov
X-Mailer: The Bat! (v1.47 Halloween Edition)
Reply-To: Anton Vladimirov
Organization: FBSD Administration Center
X-Priority: 3 (Normal)
Message-ID: <174114006789.20010318230353@mail.ru>
To: security@FreeBSD.ORG
Subject: Timecounter "TSC" frequency
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello people,

Today I received a strange message in my security check output, which I've never received before:

==============
my.hostname.com kernel log messages:
> Timecounter "TSC" frequency 367501498 Hz
==============

(my.hostname.com is the name of my host, changed just in case of security holes.)

What does it mean?
By the way, one day before this I received the following:

> icmp-response bandwidth limit 677/200 pps
> icmp-response bandwidth limit 245/200 pps

--
Best regards,
Anton                          mailto:admin128@mail.ru

From owner-freebsd-security Sun Mar 18 13: 6:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 4DF3137B71F for ; Sun, 18 Mar 2001 13:05:54 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2IL4j361743; Sun, 18 Mar 2001 16:05:16 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Sun, 18 Mar 2001 16:04:41 -0500 (EST)
From: Rob Simmons
To: Anton Vladimirov
Cc:
Subject: Re: Timecounter "TSC" frequency
In-Reply-To: <174114006789.20010318230353@mail.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you running ntpd? If so, then that was it setting the system date/time. The message you had the day before looks like a port scan of some sort, maybe nmap. It's not unusual to be portscanned.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Sun, 18 Mar 2001, Anton Vladimirov wrote:

> Hello people
>
> Today I received some strange message from
> my security check output, which I've never
> received before:
>
> ==============
> my.hostname.com kernel log messages:
> > Timecounter "TSC" frequency 367501498 Hz
> ==============
>
> "my.hostname.com is the name of my host
> (changed just in case of security holes)
>
> What does it mean?
>
> By the way, one day before this
> I received the following:
> > icmp-response bandwidth limit 677/200 pps
> > icmp-response bandwidth limit 245/200 pps
>
> --
> Best regards,
> Anton                          mailto:admin128@mail.ru

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6tSLtv8Bofna59hYRAlsWAJ4+URnop/lWpdc36lKQTpEl14GVfQCggQbf
DRPByqutENNGdNy6vJ8MUlo=
=EKhe
-----END PGP SIGNATURE-----

From owner-freebsd-security Sun Mar 18 14: 8:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yang.earlham.edu (yang.earlham.edu [159.28.1.1]) by hub.freebsd.org (Postfix) with ESMTP id 3138D37B719 for ; Sun, 18 Mar 2001 14:08:13 -0800 (PST) (envelope-from marouni@earlham.edu)
Received: from earlham.edu (IDENT:odysseus@tropical.student.earlham.edu [159.28.163.208]) by yang.earlham.edu (8.9.3/8.9.3) with ESMTP id QAA27806 for ; Sun, 18 Mar 2001 16:40:59 -0500
Message-ID: <3AB52B88.A09A4003@earlham.edu>
Date: Sun, 18 Mar 2001 16:41:28 -0500
From: Nicholas Marouf
Reply-To: marouni@earlham.edu
Organization: http://www.RamallahOnline.com
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.17-21mdk i686)
X-Accept-Language: en
MIME-Version: 1.0
To: "security FreeBSD.ORG"
Subject: Blocking an IP addrress
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

We've been getting many sendmail connections from 199.45.164.216, and it is causing sendmail to stop. This looks like a DoS; however, the admin of that server says that sendmail on their side is sending mail out in batches, and that they are looking into it.

But either way we would like to block it.
I've added "deny all" in hosts.allow for that IP, and also added a REJECT for that IP address in the access file. Those two still do not make a difference, since connections keep on opening up.

I've been trying to get ipfw to block it, but I get this error message. Any advice would be much appreciated.

    su-2.04# ps ax | grep sendmail
    16180  ??  Ss     0:00.02 sendmail: accepting connections (sendmail)
    16250  ??  S      0:00.03 sendmail: startup with 199.45.164.216 (sendmail)
    16337  ??  I      0:00.00 sendmail: startup with 199.45.164.216 (sendmail)
    16344  p2  R+     0:00.00 grep sendmail

Thanks again..

Nick

--
Nicholas Marouf || Student System Administrator
http://www.ramallahonline.com

From owner-freebsd-security Sun Mar 18 14:34:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 50FDA37B718 for ; Sun, 18 Mar 2001 14:34:55 -0800 (PST) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id QAA26435; Sun, 18 Mar 2001 16:34:51 -0600 (CST)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma026433; Sun, 18 Mar 01 16:34:46 -0600
Received: from centtech.com (blowfish [204.177.173.37]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id QAA05112; Sun, 18 Mar 2001 16:34:45 -0600 (CST)
Message-ID: <3AB5391F.41D51664@centtech.com>
Date: Sun, 18 Mar 2001 16:39:27 -0600
From: Eric Anderson
X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.2-BETA i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Anton Vladimirov
Cc: security@freebsd.org
Subject: Re: Timecounter "TSC" frequency
References: <174114006789.20010318230353@mail.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> By the way, one day before this
> I received the following:
> > icmp-response bandwidth limit 677/200 pps
> > icmp-response bandwidth limit 245/200 pps

This looks like a port scan (with something like nmap -Ss hostname.dom). Not sure what the other message is though..

Eric Anderson

From owner-freebsd-security Sun Mar 18 15: 0:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id BFB9C37B719 for ; Sun, 18 Mar 2001 15:00:46 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA02619; Sun, 18 Mar 2001 16:00:34 -0700 (MST)
Message-Id: <4.3.2.7.2.20010318155909.00e21530@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 18 Mar 2001 16:00:19 -0700
To: marouni@earlham.edu, "security FreeBSD.ORG"
From: Brett Glass
Subject: Re: Blocking an IP addrress
In-Reply-To: <3AB52B88.A09A4003@earlham.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Why not add a blackhole host route to that IP?

--Brett

At 02:41 PM 3/18/2001, Nicholas Marouf wrote:

> Greetings,
> We've been getting many sendmail connections from 199.45.164.216 and
> is causing sendmail to stop. This looks like a DOS however the admin of
> that server says that sendmail on their side is sending mail out in
> batches, and that they are taking a look into it.
>
> But either way we would like to block it.
>
> I've added deny all in hosts.allow for that ip
> Also added in the access file REJECT for that ip address.
>
> Those two still do not make a difference since connections keep on
> opening up.
>
> I've been trying to get ipfw to block it.
> but I get this error message.
> Any advice would be much appreciated.
>
> su-2.04# ps ax | grep sendmail
> 16180  ??  Ss     0:00.02 sendmail: accepting connections (sendmail)
> 16250  ??  S      0:00.03 sendmail: startup with 199.45.164.216 (sendmail)
> 16337  ??  I      0:00.00 sendmail: startup with 199.45.164.216 (sendmail)
> 16344  p2  R+     0:00.00 grep sendmail
>
> Thanks again..
>
> Nick
>
> --
> Nicholas Marouf || Student System Administrator
> http://www.ramallahonline.com

From owner-freebsd-security Sun Mar 18 15: 5:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp015.mail.yahoo.com (smtp015.mail.yahoo.com [216.136.173.59]) by hub.freebsd.org (Postfix) with SMTP id BFDAB37B71B for ; Sun, 18 Mar 2001 15:05:14 -0800 (PST) (envelope-from neve_ripe@yahoo.com)
Received: from f2f.tsua.net (HELO never) (212.40.34.58) by smtp.mail.vip.sc5.yahoo.com with SMTP; 18 Mar 2001 23:05:13 -0000
X-Apparently-From:
Date: Mon, 19 Mar 2001 01:05:07 +0200
From: Alexandr Kovalenko
X-Mailer: The Bat! (v1.49) UNREG / CD5BF9353B3B7091
Reply-To: Alexandr Kovalenko
Organization: UIC Group
X-Priority: 3 (Normal)
Message-ID: <1346107739.20010319010507@yahoo.com>
To: Nicholas Marouf
Cc: "security FreeBSD.ORG"
Subject: Re: Blocking an IP addrress
In-reply-To: <3AB52B88.A09A4003@earlham.edu>
References: <3AB52B88.A09A4003@earlham.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Nicholas,

Sunday, March 18, 2001, 11:41:28 PM, you wrote:

NM> Those two still do not make a difference since connections keep on
NM> opening up.

NM> I've been trying to get ipfw to block it. but I get this error message.
NM> Any advice would be much appreciated.

Just add a rule to your ipfw:

    deny tcp from 199.45.164.216 to any 25

NM> su-2.04# ps ax | grep sendmail
NM> 16180  ??  Ss     0:00.02 sendmail: accepting connections (sendmail)
NM> 16250  ??  S      0:00.03 sendmail: startup with 199.45.164.216 (sendmail)
NM> 16337  ??  I      0:00.00 sendmail: startup with 199.45.164.216 (sendmail)
NM> 16344  p2  R+     0:00.00 grep sendmail

--
Best regards,
Alexandr                          mailto:neve_ripe@yahoo.com

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Sun Mar 18 15:39:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp10.phx.gblx.net (smtp10.phx.gblx.net [206.165.6.140]) by hub.freebsd.org (Postfix) with ESMTP id 92FD937B71A; Sun, 18 Mar 2001 15:39:32 -0800 (PST) (envelope-from tlambert@usr05.primenet.com)
Received: (from daemon@localhost) by smtp10.phx.gblx.net (8.9.3/8.9.3) id QAA15412; Sun, 18 Mar 2001 16:39:14 -0700
Received: from usr05.primenet.com(206.165.6.205) via SMTP by smtp10.phx.gblx.net, id smtpd7updia; Sun Mar 18 16:39:12 2001
Received: (from tlambert@localhost) by usr05.primenet.com (8.8.5/8.8.5) id QAA18696; Sun, 18 Mar 2001 16:39:21 -0700 (MST)
From: Terry Lambert
Message-Id: <200103182339.QAA18696@usr05.primenet.com>
Subject: Re: about common group & user ID space (PR kern/14584)
To: brett@lariat.org (Brett Glass)
Date: Sun, 18 Mar 2001 23:39:21 +0000 (GMT)
Cc: tlambert@primenet.com (Terry Lambert), babkin@bellatlantic.net (Sergey Babkin), security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20010318123759.00d9dd10@localhost> from "Brett Glass" at Mar 18, 2001 12:42:17 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> At the same time, it'd be nice to eliminate the arbitrary limitations
> on (a) the number of groups of which a user can be a member and (b) the
> number of members in a group. Both of these limitations often bite
> administrators who, for example, want most users of a system to be
> members of a particular group or want to implement group-based access
> control schemes with a moderate degree of granularity. Classes won't
> cut it for this purpose, alas, because they're not built into file
> system security.

I think that you will run into the limitations inherent in the quota record storage format and NFSv2 UID/GID well before you face that limit.

I think that trying to make a user a member of 50,000 groups is probably a mistake, and it's not "arbitrary" to prevent this.

There is really no limit on the number of members permitted in a group, I believe. If you are talking about line length, I'd say you should consider getting rid of "pico" and using a real editor. I think there are patches floating around to allow repeats of group lines in order to set up larger lists of members, in any case (they may already be integrated into FreeBSD; they aren't in BSDI, from looking at the BSDI system I have access to).

I think the workaround for the "I want groups to be more than groups and act more like classes, but I'm too lazy to implement classes properly" problem is pretty simple: write an SGID program that gets you a shell. Alternately, write a program that lets you add a group (and spawn a subshell) that's SUID root, and does a check against the group password field. Give the password to the users you want to have access to the group.

                                        Terry Lambert
                                        terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
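An added example for the common UID/GID space thread above; this is not code from PR kern/14584 or from any poster. It assumes what the proposal would mean operationally: inside the common range a number names the same principal whether it is read as a UID or a GID, and the site picks that range as a low/high pair the way Cy Schubert suggests. The script is a pre-flight audit of passwd(5) and group(5) data for ids in the range that break that rule, plus a report on oversized group lines, the failure Brett Glass describes. The sample data, the 10000-19999 range and the line-length limit are constructed; the real limit on a group line is a property of the C library and is not stated in the thread.

```shell
#!/bin/sh
# Pre-flight audit for a flat (common) UID/GID range. Added example, not code
# from PR kern/14584 or from the thread. All sample data below is constructed.

# Constructed passwd(5)-style data, not from a real host.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
alice:*:10001:10001:Alice:/home/alice:/bin/sh
bob:*:10002:10002:Bob:/home/bob:/bin/sh
carol:*:10003:20003:Carol:/home/carol:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin'

# Constructed group(5)-style data. GID 10003 is "art", not "carol", and 10004
# exists only as a group: both would be ambiguous in a flat namespace.
SAMPLE_GROUP='wheel:*:0:root
www:*:80:
alice:*:10001:
bob:*:10002:
art:*:10003:alice,bob,carol
customers:*:10004:alice
nobody:*:65534:'

# common_id_conflicts LOW HIGH PASSWD_TEXT GROUP_TEXT
# Prints "<id> uid=<user> gid=<group>" for every id inside [LOW,HIGH] whose user
# name and group name differ; a missing side is shown as "-". Ids outside the
# range are ignored, as the proposal leaves them untouched. Output is sorted
# numerically so callers can compare it verbatim.
common_id_conflicts() {
    low=$1; high=$2; passwd_text=$3; group_text=$4
    {
        printf '%s\n' "$passwd_text" | awk -F: 'NF >= 3 { print "U", $3, $1 }'
        printf '%s\n' "$group_text"  | awk -F: 'NF >= 3 { print "G", $3, $1 }'
    } | awk -v low="$low" -v high="$high" '
        $2 + 0 < low + 0 || $2 + 0 > high + 0 { next }   # outside the common range
        $1 == "U" { uid[$2] = $3; seen[$2] = 1 }
        $1 == "G" { gid[$2] = $3; seen[$2] = 1 }
        END {
            for (id in seen) {
                u = (id in uid) ? uid[id] : "-"
                g = (id in gid) ? gid[id] : "-"
                if (u != g) printf "%s uid=%s gid=%s\n", id, u, g
            }
        }' | sort -n
}

# oversized_groups MAXLEN GROUP_TEXT
# Prints "<group> <member-count> <line-length>" for group lines longer than
# MAXLEN bytes. MAXLEN is a parameter because the thread does not state the
# actual library limit.
oversized_groups() {
    maxlen=$1; group_text=$2
    printf '%s\n' "$group_text" | awk -F: -v max="$maxlen" '
        length($0) > max + 0 {
            n = ($4 == "") ? 0 : split($4, m, ",")
            printf "%s %d %d\n", $1, n, length($0)
        }'
}

# Stand-alone run over the constructed data.
echo "conflicts in 10000-19999:"
common_id_conflicts 10000 19999 "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
echo "group lines over 25 bytes:"
oversized_groups 25 "$SAMPLE_GROUP"
```

Run against a real host, replace the two sample variables with the output of `cat /etc/passwd` and `cat /etc/group` and the range with whatever vfs.commonid.low/high would be set to; every line the first function prints is an id that would silently change meaning when the flat space is switched on, and should be renumbered before, not after.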
From owner-freebsd-security Sun Mar 18 22:58:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 09B2537B718; Sun, 18 Mar 2001 22:58:47 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA06450; Sun, 18 Mar 2001 23:54:49 -0700 (MST)
Message-Id: <4.3.2.7.2.20010318234944.00e3a620@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 18 Mar 2001 23:54:30 -0700
To: Terry Lambert
From: Brett Glass
Subject: Re: about common group & user ID space (PR kern/14584)
Cc: tlambert@primenet.com (Terry Lambert), babkin@bellatlantic.net (Sergey Babkin), security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <200103182339.QAA18696@usr05.primenet.com>
References: <4.3.2.7.2.20010318123759.00d9dd10@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:39 PM 3/18/2001, Terry Lambert wrote:

> I think that trying to make a user a member of 50,000 groups is
> probably a mistake, and it's not "arbitrary" to prevent this.

On the other hand, the current limit is quite low.

> There is really no limit on the number of members permitted in a
> group, I believe.

I recently had to help out a client who hit that limit. He ran a graphic arts house and wanted his customers to be able to FTP jobs in. So, he added them. One day, after about two years, the system croaked because the group was too large.

--Brett

From owner-freebsd-security Mon Mar 19 1:20:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id 73D5437B71A for ; Mon, 19 Mar 2001 01:20:38 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2J9KX149991 for ; Mon, 19 Mar 2001 10:20:33 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: security@freebsd.org
Subject: sendmail listening on port 587 ??!!
From: Poul-Henning Kamp
Date: Mon, 19 Mar 2001 10:20:33 +0100
Message-ID: <49989.984993633@critter>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I just found out that sendmail listens on port 587 in addition to port 25 now.

What is the story behind this? Does it have an impact on firewalls?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Mon Mar 19 1:56: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axis.tdd.lt (axis.tdd.lt [193.219.211.5]) by hub.freebsd.org (Postfix) with ESMTP id D065737B740; Mon, 19 Mar 2001 01:55:58 -0800 (PST) (envelope-from domas.mituzas@delfi.lt)
Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.1/8.11.1) with ESMTP id f2J9tsm07076; Mon, 19 Mar 2001 11:55:55 +0200 (EET)
Date: Mon, 19 Mar 2001 11:55:54 +0200 (EET)
From: Domas Mituzas
X-Sender: midom@axis.tdd.lt
To: Poul-Henning Kamp
Cc: security@FreeBSD.ORG
Subject: Re: sendmail listening on port 587 ??!!
In-Reply-To: <49989.984993633@critter>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I just found out that sendmail listens to port 587 in addition to
> port 25 now.

From the 8.10.0 changelog:

    sendmail implements RFC 2476 (Message Submission), e.g., it can now
    listen on several different ports. Use:

        O DaemonPortOptions=Name=MSA, Port=587, M=E

    to run a Message Submission Agent (MSA); this is turned on by default
    in m4-generated .cf files; it can be turned off with
    FEATURE(`no_default_msa').

As far as I understand, if you don't firewall 25 you don't have any need to firewall this, as it speaks SMTP. In fact, message submission was designed to be a gateway between the whole message transfer system and the mail user agent, thus eliminating some checks in the whole transfer layer. As it is a proposed standard, firewall configurations need to be adjusted to that.

Cheers,
Domas Mituzas
DELFI Internet, UAB

From owner-freebsd-security Mon Mar 19 2:11:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.staffs.ac.uk (mail.staffs.ac.uk [193.60.4.62]) by hub.freebsd.org (Postfix) with ESMTP id 78F6637B719 for ; Mon, 19 Mar 2001 02:11:16 -0800 (PST) (envelope-from goaty@buddhist.com)
Received: from celtart (bsp102.soc.staffs.ac.uk [193.61.121.102]) by mail.staffs.ac.uk (8.9.1/8.9.1) with SMTP id KAA25322 for ; Mon, 19 Mar 2001 10:11:11 GMT
Message-ID: <002c01c0b05c$778441d0$66793dc1@soc.staffs.ac.uk>
From: "Goaty"
To:
Subject: Netstat Question
Date: Mon, 19 Mar 2001 10:07:54 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0029_01C0B05C.77427DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

Can anyone tell if this is a legit output for my DNS server, as I have a lot of these in my netstat -a output?

Thanks in advance

S.R.Q

From owner-freebsd-security Mon Mar 19 2:36:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.prod.itd.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id EFBE437B719 for ; Mon, 19 Mar 2001 02:36:48 -0800 (PST) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust219.tnt2.clarksburg.wv.da.uu.net [63.21.115.219]) by swan.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id CAA26717; Mon, 19 Mar 2001 02:36:13 -0800 (PST)
Message-ID: <3AB5E1D5.7DC38C31@colltech.com>
Date: Mon, 19 Mar 2001 05:39:17 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Goaty
Cc: security@FreeBSD.ORG
Subject: Re: Netstat Question
References: <002c01c0b05c$778441d0$66793dc1@soc.staffs.ac.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It doesn't look like you included any output...

> Goaty wrote:
>
> Hi
>
> can anyone tell if this is a legit output for my DNS server, as I have
> a lot of these in my netstat -a output ?
>
> Thanks in advance
>
> S.R.Q

From owner-freebsd-security Mon Mar 19 2:52:54 2001
Date: Mon, 19 Mar 2001 12:26:11 +0200
From: Peter Pentchev
To: Goaty
Cc: security@freeBSD.ORG
Subject: Re: Netstat Question
Message-ID: <20010319122611.C515@ringworld.oblivion.bg>
References: <002c01c0b05c$778441d0$66793dc1@soc.staffs.ac.uk>
In-Reply-To: <002c01c0b05c$778441d0$66793dc1@soc.staffs.ac.uk>; from goaty@buddhist.com on Mon, Mar 19, 2001 at 10:07:54AM -0000

On Mon, Mar 19, 2001 at 10:07:54AM -0000, Goaty wrote:
> Hi
>
> can anyone tell if this is a legit output for my DNS server, as I have a lot of these in my netstat -a output ?

Did you forget to paste/attach something in that mail?

G'luck,
Peter

-- 
This sentence was in the past tense.
From owner-freebsd-security Mon Mar 19 9:29:47 2001
To: kris@obsecurity.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What's vulnerable?
In-Reply-To: Your message of "Fri, 16 Mar 2001 12:23:26 -0800" <20010316122326.A98524@mollari.cthul.hu>
References: <20010316122326.A98524@mollari.cthul.hu>
Message-Id: <20010320022922E.sakane@ydc.co.jp>
Date: Tue, 20 Mar 2001 02:29:22 +0900
From: Shoichi Sakane

> > The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
> > 'port revision' 2. The 'port revision' was bumped twice to indicate
> > important security fixes. The 'some vulnerability' you are referring to
> > is probably the Bleichenbacher attack, which affected nearly all SSH
> > servers at the time; a fix was promptly added to the FreeBSD port.
>
> The above is correct, as is noted in the relevant FreeBSD advisory on OpenSSH :-
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

I couldn't find the word "Bleichenbacher" in this advisory.

Thank you, I understand that the port version is not vulnerable.

I compiled and installed 2.2.0 'port revision' 2, and I connected to the ssh port number 22 on localhost. The sshd said:

    shoichi:~] telnet localhost 22
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.2.0

I just thought the version was vulnerable. So I think the version should be "SSH-1.99-OpenSSH_2.2.0-port_revision_2".

From owner-freebsd-security Mon Mar 19 10:43:49 2001
Date: Mon, 19 Mar 2001 10:43:43 -0800
From: Kris Kennaway
To: Shoichi Sakane
Cc: kris@obsecurity.org, freebsd-security@FreeBSD.ORG, markus@OpenBSD.org
Subject: Reporting OpenSSH version (Re: What's vulnerable?)
Message-ID: <20010319104343.A3941@xor.obsecurity.org>
References: <20010316122326.A98524@mollari.cthul.hu> <20010320022922E.sakane@ydc.co.jp>
In-Reply-To: <20010320022922E.sakane@ydc.co.jp>; from sakane@ydc.co.jp on Tue, Mar 20, 2001 at 02:29:22AM +0900

On Tue, Mar 20, 2001 at 02:29:22AM +0900, Shoichi Sakane wrote:
> I compiled and installed 2.2.0 'port revision' 2, and I connected
> to the ssh port number 22 on localhost. the sshd said,
>
> shoichi:~] telnet localhost 22
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.2.0
>
> I just thought the version was vulnerable.
> So I think the version
> should be "SSH-1.99-OpenSSH_2.2.0-port_revision_2"

You're probably right - something along these lines should be done to distinguish the version reported by scanners like scanssh. I'd prefer SSH-1.99-OpenSSH_2.2.0_2 myself to be consistent with the naming of the port itself, but I'm not sure if this is allowable syntax. Markus, can you comment?

Kris

From owner-freebsd-security Mon Mar 19 12:16:43 2001
To: Kris Kennaway
Cc: Shoichi Sakane, freebsd-security@FreeBSD.ORG, markus@OpenBSD.org
In-reply-to: kris's message of Mon, 19 Mar 2001 10:43:43 PST. <20010319104343.A3941@xor.obsecurity.org>
Subject: Re: Reporting OpenSSH version (Re: What's vulnerable?)
From: itojun@iijlab.net
Date: Tue, 20 Mar 2001 05:16:27 +0900
Message-ID: <9942.985032987@coconut.itojun.org>

>> I compiled and installed 2.2.0 'port revision' 2, and I connected
>> to the ssh port number 22 on localhost. the sshd said,
>>
>> shoichi:~] telnet localhost 22
>> Trying ::1...
>> Connected to localhost.
>> Escape character is '^]'.
>> SSH-1.99-OpenSSH_2.2.0
>>
>> I just thought the version was vulnerable. So I think the version
>> should be "SSH-1.99-OpenSSH_2.2.0-port_revision_2"
>
>You're probably right - something along these lines should be done to
>distinguish the version reported by scanners like scanssh. I'd prefer
>SSH-1.99-OpenSSH_2.2.0_2 myself to be consistent with the naming of
>the port itself, but I'm not sure if this is allowable syntax.
>Markus, can you comment?

Never play with the OpenSSH version number. The version number string is used for protocol backward compatibility handling. If you import 2.5.1, report that it is 2.5.1.

The only way we are allowed to add extra things is to add them after a space, like:

    SSH-1.99-OpenSSH_2.5.1 foo bar baz

See NetBSD src/crypto/dist/ssh/version.h.

itojun

From owner-freebsd-security Mon Mar 19 13:00:44 2001
Date: Mon, 19 Mar 2001 13:00:40 -0800
From: Kris Kennaway
To: itojun@iijlab.net
Cc: Shoichi Sakane, freebsd-security@FreeBSD.ORG, markus@OpenBSD.org
Subject: Re: Reporting OpenSSH version (Re: What's vulnerable?)
Message-ID: <20010319130039.A1577@xor.obsecurity.org>
References: <20010319104343.A3941@xor.obsecurity.org> <9942.985032987@coconut.itojun.org>
In-Reply-To: <9942.985032987@coconut.itojun.org>; from itojun@iijlab.net on Tue, Mar 20, 2001 at 05:16:27AM +0900

On Tue, Mar 20, 2001 at 05:16:27AM +0900, itojun@iijlab.net wrote:
> never play with openssh version number. the version number
> string is used as protocol backward compatibility handling. if you
> import 2.5.1, report that it is 2.5.1.
>
> the only way we are allowed to add extra thing is to add it
> after a space - like
> SSH-1.99-OpenSSH_2.5.1 foo bar baz
>
> see NetBSD src/crypto/dist/ssh/version.h.

Thanks, that's what I was looking for.
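The identification-string rule itojun describes above, as an added example that is not part of the thread and not code from OpenSSH, NetBSD or the FreeBSD port: it parses banners in the RFC 4253 form (the published version of the then-current secsh transport draft) and compares Shoichi's and Kris's proposed forms with the after-a-space form. COMPAT_TABLE and the comment text "FreeBSD-port_2" are constructed for illustration.

```python
"""Parse SSH identification strings (the "SSH-1.99-OpenSSH_2.2.0" banner
quoted in the thread) and show why local build information belongs after
the space, in the comments field, rather than inside softwareversion.

Added example for this thread; not code from OpenSSH, the NetBSD tree,
or the FreeBSD port.  COMPAT_TABLE is constructed for illustration and
is NOT OpenSSH's real compatibility table.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Identification string format (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are printable US-ASCII with no
# whitespace and no minus sign; comments are free-form.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<sw>\S+)(?: (?P<comments>.*))?$"
)
_TOKEN_RE = re.compile(r"^[\x21-\x7e]+$")  # printable ASCII, no whitespace

# Constructed: peers a client applies protocol workarounds for, keyed by the
# exact softwareversion token.  Real implementations key on this token, which
# is why altering it hides a peer from its own compatibility entry.
COMPAT_TABLE = {
    "OpenSSH_2.2.0": frozenset({"constructed-workaround-a"}),
    "OpenSSH_2.5.1": frozenset(),
}


@dataclass(frozen=True)
class Banner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    def conformant(self) -> bool:
        """True if both version tokens obey the RFC 4253 character rules."""
        return all(
            _TOKEN_RE.match(tok) and "-" not in tok
            for tok in (self.protoversion, self.softwareversion)
        )


def parse_banner(line: str) -> Banner:
    """Parse one identification line as sent on the wire (CR LF optional)."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("sw"), m.group("comments"))


def compat_flags(banner: Banner) -> Optional[FrozenSet[str]]:
    """Workarounds a peer would apply for this banner, or None when the
    softwareversion token is unknown to the (constructed) table."""
    return COMPAT_TABLE.get(banner.softwareversion)


def inventory_label(banner: Banner) -> str:
    """What a banner scanner can still record to tell builds apart when the
    local information rides in the comments field."""
    if banner.comments:
        return f"{banner.softwareversion} ({banner.comments})"
    return banner.softwareversion


def assess(line: str) -> str:
    """One-line verdict on a proposed banner, from a peer's point of view."""
    b = parse_banner(line)
    if not b.conformant():
        return "malformed: minus sign or whitespace inside a version token"
    if compat_flags(b) is None:
        return "unknown softwareversion: peer compatibility entry missed"
    return f"ok: matched {b.softwareversion}, label {inventory_label(b)!r}"


if __name__ == "__main__":
    # The banner Shoichi saw, Shoichi's and Kris's proposals, and the form
    # itojun describes.  The comment text "FreeBSD-port_2" is constructed.
    for candidate in (
        "SSH-1.99-OpenSSH_2.2.0\r\n",
        "SSH-1.99-OpenSSH_2.2.0-port_revision_2\r\n",
        "SSH-1.99-OpenSSH_2.2.0_2\r\n",
        "SSH-1.99-OpenSSH_2.2.0 FreeBSD-port_2\r\n",
    ):
        print(f"{candidate.rstrip()!r:50} -> {assess(candidate)}")
```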
Kris --EVF5PPMfhYS0aIcm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6tnN3Wry0BWjoQKURAjn+AKCWVsLepC1w3N+t/KEcgcPsuSBkcgCcDZNA mjc4gNk9PfcM/oYI/uZDYJg= =bIJx -----END PGP SIGNATURE----- --EVF5PPMfhYS0aIcm-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 19 16:56:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 50A1D37B735 for ; Mon, 19 Mar 2001 16:56:39 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA16800 for ; Mon, 19 Mar 2001 17:55:12 -0700 (MST) Message-Id: <4.3.2.7.2.20010319172800.00cf9c60@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 19 Mar 2001 17:54:51 -0700 To: security@freebsd.org From: Brett Glass Subject: Odd event -- possible security hole or DoS? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org A fellow I know just stopped me as I walked past his office to say that his FreeBSD system was acting strangely. I stopped in to take a look for him. It's running FreeBSD 2.8 with security patches -- a WAY old release. (I got him to agree to let me upgrade it to 4.3-RELEASE for him if it's a good release.) In any event, I ran netstat on his machine and discovered that there was a huge backlog of open TCP connections, some of them stuck in states such as CLOSING, FIN_WAIT_1 and FIN_WAIT_2. Also, POP clients couldn't get through; it looked as if sockets were being opened but the daemons weren't being spawned. 
I was just about to reboot the server when it occurred to me that this might erase any evidence of what was going wrong. So, I considered for a bit and realized that the behavior I was seeing just might happen if inetd somehow messed up. I decided to try sending a HUP to inetd, just to see what would happen. Immediately, the system sprang back to life and cleared the old connections. And the following appeared in the log:

    Mar 19 17:27:12 victim fingerd[16439]: query from 208.59.253.87: `root '
    Mar 19 17:27:12 victim fingerd[16437]: query from 208.59.253.87: ` '

Interesting. Someone with a cable modem playing games. Probably should identify the culprit, but I'm more interested in knowing how he managed to cause the system to malfunction.

In case it helps, here's a bit more about the system configuration. The finger daemon had been set, via the -p option, to return a message saying that finger requests were being denied. The line in inetd.conf looked like this:

    finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s -l -p /usr/local/bin/nonetfinger

"nonetfinger" is a program that my friend grabbed from my BSDCon paper and compiled. It simply outputs a message to standard output. It doesn't even look at its arguments.

Hmmm. So, what's going on here? Was someone trying to execute a DoS or remote root exploit here, perhaps by trying to feed something quoted to fingerd and/or the program it invoked? Why did it hang things up so badly? Does this hint at a security flaw in inetd or fingerd that needs attention (or has gotten some since that old version of FreeBSD)?
--Brett

From owner-freebsd-security Mon Mar 19 16:57:04 2001
Message-ID: <3AB6AA65.1B6ED19E@bellatlantic.net>
Date: Mon, 19 Mar 2001 19:55:01 -0500
From: Sergey Babkin
To: Terry Lambert
Cc: security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
References: <200103180738.AAA03250@usr05.primenet.com>

Terry Lambert wrote:
>
> > I want to commit PR kern/14584. I've been told that it's good
> > to discuss it in -arch, -security and -fs. (It has been sort of
> > discussed on -hackers already, there were not many replies).
> > So I've posted a message on -arch, and now on -security and -fs.
> > I've also discussed this idea shortly with Kirk McKusick at
> > Usenix-2000 at the BSD BOF and he generally liked it and suggested
> > to review further.
>
> You could do this a bit more cleanly by just stealing the sign
> bit, and setting it if the uid field contained a group ID.
>
> There would be no conversion problem for an existing system.
That was my original idea, but some thinking and experimentation has shown that it creates too many incompatibilities, such as:

- programs displaying the owner by name would break, and that includes both the standard programs and random applications
- when exported by NFS, the same problem would stand for the clients
- chown will have to be changed - both the program and the system call, as you mention later

and possibly other sorts of breakage.

> This changes the check to a one line change, conditional on
> the high bit being set.

No, the change would be the same, just wrapped into a condition check for this bit.

> Note that this change is really necessary in the user space code
> anyway: even if you make the UID and GID numeric values not
> intersect, there is still the possibility of a group and user
> having the same name, so a set-by-name needs a separate flag
> (think "chown bin.bin foo", for example).

In the way I propose it, the sysadmins are supposed to create a pseudo-user with the same name and ID as each group. That automagically makes all commands, such as chown and ls, work properly. Of course, that means that no real users and groups must have the same name, but the common namespace looks natural with the common ID space.

Because the traditional users and groups with low IDs do have overlapping names and IDs, the sysctl sets the lowest ID from which the common ID space starts. If the sysctl sets this value to below 100 (the traditional range for the system IDs), then the common ID code is disabled altogether. The value of 100 is set by a kernel config option and may be changed.

> The benefits in not having to grovel through the FS contents, or
> do more complex ID space transformations, and the moving of the
> majority of changes to user space, combined with the fact that if
> you turn it off, the ownership doesn't need to be reverted, are
> all plusses.

This is not quite so.
My patch requires only one little change in the kernel and no user-level changes at all. It has some expectations for the assignment of user and group IDs and names, but these expectations are justified to make the common ID space look reasonable. The downside is that it's slightly slower (for each file owner ID in the common space it has to be checked against all of the process's groups). I'm not sure yet if it allows more complex transformations and whether it does so comparably to your proposal.

-SB

From owner-freebsd-security Mon Mar 19 16:58:39 2001
Message-ID: <3AB6AB09.1D43B872@bellatlantic.net>
Date: Mon, 19 Mar 2001 19:57:45 -0500
From: Sergey Babkin
To: Boris Popov
Cc: security@freebsd.org, Wes Peters, Robert Watson, fs@freebsd.org, arch@bellatlantic.net
Subject: Re: about common group & user ID space (PR kern/14584)

Boris Popov wrote:
>
> On Sat, 17 Mar 2001, Sergey Babkin wrote:
>
> > I want to commit PR kern/14584. I've been told that it's good
> > to discuss it in -arch, -security and -fs. (It has been sort of
> > discussed on -hackers already, there were not many replies).
>
> However, I would like it more if it were possible to enable such
> behavior on a per-mount basis (but I guess we're out of spare mount
> options).

Eh, I should have cc-ed it to all the lists at once. I've already answered this in -arch: I think that this should be a system-wide option: the /etc/passwd and /etc/group files are common for the whole OS, and this option describes their contents. So setting this value per filesystem makes no sense and may cause unobvious errors when different filesystems get mounted by mistake with different values of common ID.

-SB

From owner-freebsd-security Mon Mar 19 17:01:46 2001
Message-ID: <3AB6ABB7.A208EECE@bellatlantic.net>
Date: Mon, 19 Mar 2001 20:00:39 -0500
From: Sergey Babkin
To: Cy Schubert - ITSD Open Systems Group
Cc: security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
References: <200103181447.f2IElef41927@cwsys.cwsent.com>

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message <3AB3FC38.94711FFF@bellatlantic.net>, Sergey Babkin writes:
> > All,
> >
> > I want to commit PR kern/14584.
> > I've been told that it's good
>
> From an operational standpoint I see one problem. Some sites use UID
> 0-999 and 65000-65535 for use by special accounts, such as www, ftp,
> oracle, etc. In some cases this policy is dictated by a desire to have
> some kind of commonality across various vendor platforms, some of which
> reserve some odd UIDs and GIDs for vendor supplied software or
> purposes. The only suggestion I would make is that a range could be
> specified. For example, instead of vfs.commonid, vfs.commonid.low and
> vfs.commonid.high, allowing a site to, for example, reserve UID/GIDs
> 10000-19999 or any other range as common IDs.

I'm not sure if it's so important: probably, normally the IDs around 65535 are used for things like nobody/nogroup. But since it's easy to implement, I guess it would not hurt. So I agree with this proposal.

-SB

From owner-freebsd-security Mon Mar 19 17:16:52 2001
Message-ID: <3AB6AF1F.9452E231@bellatlantic.net>
Date: Mon, 19 Mar 2001 20:15:11 -0500
From: Sergey Babkin
To: Terry Lambert
Cc: Brett Glass, security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
References: <200103182339.QAA18696@usr05.primenet.com>
Terry Lambert wrote:
>
> > At the same time, it'd be nice to eliminate the arbitrary limitations

These things are not really related to the common ID space. I definitely would not like to do them in the same patch, just to keep things separate.

> > on (a) the number of groups of which a user can be a member and (b) the

For this there is some macro (can't remember the name) which can be defined in the kernel config file as an option with a higher value. Setting it higher means higher system overhead, but since the memory size has increased significantly over the last few years, I think that a higher default value makes sense.

> > number of members in a group. Both of these limitations often bite
> > administrators who, for example, want most users of a system to be
> > members of a particular group or want to implement group-based access
> > control schemes with a moderate degree of granularity. Classes won't
> > cut it for this purpose, alas, because they're not built into file
> > system security.
>
> I think that you will run into the limitations inherent in the
> quota record storage format and NFSv2 UID/GID, well before you
> face that limit.
>
> There is really no limit on the number of members permitted in a
> group, I believe. If you are talking about line length, I'd say

I think there is such a limit. Or at least it was in the 2.0.5 days. I'm not sure about the line length limit. I remember that there was such a limit in SVR4.2, so if a group line grew past some size, getgrent() and friends went crazy.

> you should consider getting rid of "pico" and using a real editor.

The common workaround is to split a group record into multiple lines in /etc/group, like:

    staff:*:20:root
    staff:*:20:babkin

Keep no more than about ~50 users per line. This may break things like adduser, but it's not a big loss.
The important things, such as setting process permissions on login, work fine.

> I think there are patches floating around to allow repeats of
> group lines in order to set up larger lists of members, in any
> case (they may already be integrated into FreeBSD; they aren't in
> BSDI, from looking at the BSDI system I have access to).

No patches are really required. If you discount the secondary stuff like useradd/adduser, repeated lines just work out of the box on all the Unix systems where I tried: FreeBSD, Linux, HP-UX, UnixWare, SCO OpenServer, ICL DRS/NX (old SVR4.2).

-SB

From owner-freebsd-security Mon Mar 19 20:01:36 2001
Date: Mon, 19 Mar 2001 23:00:18 -0500 (EST)
From: Robert Watson
To: Sergey Babkin
Cc: security@freebsd.org, Wes Peters, fs@freebsd.org
Subject: Re: about common group & user ID space (PR kern/14584)
In-Reply-To: <3AB3FC38.94711FFF@bellatlantic.net>

Sergey,

Sorry for my long delay in getting back to you with regards to your proposed changes. Let me start by saying I had a number of reactions at various levels (gut, technical, ...)
and that one of the interesting aspects about the suggested changes is that they're remarkably self-consistent: most security "extensions" I've seen contain relatively easy-to-find inconsistencies that render them useless against a qualified attacker.

My gut reaction to the changes is one of concern: it strikes me that while the changes have a number of nice properties (not least of which is the consistency of them, and that they don't require underlying file system changes), fundamentally there are a few objections that can be made.

First, it's a hack, in that it will not be consistently applied across file systems, or even across boots depending on the kernel used.

Second, it changes the semantics of well-defined interfaces and primitives such that they are more open than they used to be (a certain class of subject credentials will have a strict superset of the rights they previously had) without providing the application any way to determine if the feature is in effect (no pathconf(), so that leaves direct experimentation, etc).

Third, your patches include no attempt to uniformly update documentation referring to users/groups to bring them in sync with the new implementation.

Fourth, many applications exist that make strong assumptions about the UNIX protection mechanisms that will no longer hold true (this is related to (3), although not quite identical).

Fifth, the resulting system is highly non-portable, in that neither users nor administrators with expectations from other systems (or even from FreeBSD) will be able to apply their knowledge and experience with the mechanism in place, and safety assumptions may no longer hold.

Sixth, applications that assume that permissions are preserved across certain types of file system operations will no longer behave correctly (for example, when you tar on UFS and untar on NFS).

Seventh, it (as you point out explicitly, and by design) intersects two namespaces that have traditionally not been combined in the kernel.
Userland code has often made assumptions about mapping uid and gid values, but that has never been a property of the kernel policy.

Eighth, it introduces additional hard-coded uid/gid values into the kernel, something we've been trying to move away from (in theory, only two constant values should be relevant, leaving aside default device permissions: uid 0 and the uid used to represent NOVAL in vop_setattr() (which is evil also :-)).

Now, none of these is a reason to completely reject the idea. In fact, there's precedent for conditionally compiled divergent security hacks in UFS, in the form of SUIDDIR, which adopts a modified file ownership/creation/inheritance model making for easier use of Samba on closed file servers (it represents a substantial security risk if not on a closed system).

Ok, so that was the "gut reaction" and the "why the gut reaction doesn't rule out adding this feature". Let me go on to various other relevant responses.

My first response was an initial concern that this policy would introduce an "inconsistency". That is to say, based on this modified kernel policy and common uses of it in the userland policy environment, easily exploitable inconsistencies could be found and used to gain privilege. In my initial glance, I was unable to identify such an inconsistency -- that isn't to say it doesn't exist, just that on a quick initial analysis I didn't find one. Hence my comment above on this being relatively unusual :-). On determining that I didn't find any vulnerabilities off-hand, I was interested, as this is both unusual, and the changes bring some nice new system properties. As I said above, there is some precedent for this type of conditionally compiled feature (read: "hack"), and as long as it were clearly documented as such, my reaction is again not a rejection :-).

I should take a moment also to respond to your comments on ACLs. In my view, they all apply.
ACLs are a pain to deal with, because they increase the already high administrative overhead of managing per-file permissions. Personally, I'm a fan of the AFS ACL model, where protections are present only on directories, hard links are prohibited, and sub-directories inherit protections on creation. I even had an implementation of this on FreeBSD at one point, although it's quite dated now. However, ACLs have a number of things going for them:

1) They are portable. POSIX.1e pretty much defines everything you need to know (not quite) to implement a portable DAC mechanism. Many operating systems implement POSIX.1e with a high degree of compliance. Many applications know about, or are learning about, POSIX.1e. For example, Samba's new ACL support will speak POSIX.1e.

2) They provide compatibility with file modes: if you don't know about ACLs, all the mode commands "just work". This goes for users and for applications. You might not end up with the permissions you expect, but you'll end up with conservative and safe permissions according to the permission model. Applications and users won't make assumptions about UNIX mode compatibility and be wrong, failing open. The result was an even uglier ACL model, but the argument that this was desirable was a strong one.

3) They're widely used and fairly well inspected by a fair number of security types.

So while I don't like POSIX.1e ACLs, I decided to implement them because these all seemed to be strong properties that were hard to ignore. Cutting "yet another discretionary access control mechanism" was really out of the question from these perspectives.

In a few days, I'll be committing options UFS_ACL to the -CURRENT tree, and the result will be a fairly complete POSIX.1e/POSIX.2c implementation. Some userland tools, such as mv, cp, backup stuff, mtree, will need to be updated, and we have a few more bits of the ACL editing library to finish so as to support applications such as Samba.
Other than to strongly caution against using your feature in most situations (especially where portability and safety involving multiple file systems, machines, operating systems, etc), I won't stop you from committing it (especially if you use it locally and with success). I will say that I think divergent and non-portable security models are likely to be more trouble than they are worth, and make my job substantially more complicated (we'll be starting work on a FreeBSD Security Architecture document at some point, and each time a random hack is added, we have to deal with the consequences :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Mar 19 20:46:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B62C937B71B; Mon, 19 Mar 2001 20:46:17 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2K4ehh69973; Mon, 19 Mar 2001 23:40:43 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Mon, 19 Mar 2001 23:40:43 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Sergey Babkin
Cc: security@freebsd.org, Wes Peters, fs@freebsd.org
Subject: Re: about common group & user ID space (PR kern/14584)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Mar 2001, Robert Watson wrote:

> Personally, I'm a fan of the AFS ACL model, where protections are present
> only on directories, hard links are prohibited, and sub-directories
> inherit protections on creation. I even had an implementation of this on
> FreeBSD at one point, although it's quite dated now. However, ACLs have
> a number of things going for them:

Just as an aside, btw, AFS uses a common numeric namespace for both users and groups, as well as for remote users from other cells. Users can also allocate and manage groups on demand. The single numeric namespace makes things a lot more consistent :-). (although I think it allocates negative values to groups, and positive ones to users..)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Mar 19 22:36:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-28.dsl.lsan03.pacbell.net [64.165.226.28]) by hub.freebsd.org (Postfix) with ESMTP id 761D637B72C; Mon, 19 Mar 2001 22:36:16 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id F168B66BDE; Mon, 19 Mar 2001 22:36:15 -0800 (PST)
Date: Mon, 19 Mar 2001 22:36:15 -0800
From: Kris Kennaway
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Odd event -- possible security hole or DoS?
Message-ID: <20010319223615.B14837@xor.obsecurity.org>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="i9LlY+UWpKt15+FH"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20010319172800.00cf9c60@localhost>; from brett@lariat.org on Mon, Mar 19, 2001 at 05:54:51PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 19, 2001 at 05:54:51PM -0700, Brett Glass wrote:

> So, what's going on here?

I can't even begin to remember all of the TCP, kernel and application bugs fixed in the 2 1/2 years since 2.2.8. There are probably a number of ways someone could have caused something like this.

Kris

From owner-freebsd-security Mon Mar 19 23:22:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id B085237B719; Mon, 19 Mar 2001 23:22:20 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id AAA20030; Tue, 20 Mar 2001 00:19:34 -0700 (MST)
Message-Id: <4.3.2.7.2.20010320001710.00d88950@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 20 Mar 2001 00:19:15 -0700
To: Kris Kennaway
From: Brett Glass
Subject: Re: Odd event -- possible security hole or DoS?
Cc: security@freebsd.org
In-Reply-To: <20010319223615.B14837@xor.obsecurity.org>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:36 PM 3/19/2001, Kris Kennaway wrote:

>I can't even begin to remember all of the TCP, kernel and application
>bugs fixed in the 2 1/2 years since 2.2.8. There are probably a
>number of ways someone could have caused something like this.

I guess what I'm concerned about is that I don't know if it's an intentional DoS and/or if it's present in current versions. I'll try to do some testing to see if I can lock up inetd on that system again via finger.

--Brett

From owner-freebsd-security Mon Mar 19 23:29:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A6DDF37B718; Mon, 19 Mar 2001 23:29:18 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id AAA20088; Tue, 20 Mar 2001 00:25:56 -0700 (MST)
Message-Id: <4.3.2.7.2.20010320002008.00d12b50@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 20 Mar 2001 00:25:37 -0700
To: Sergey Babkin, Terry Lambert
From: Brett Glass
Subject: Re: about common group & user ID space (PR kern/14584)
Cc: security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG, arch@FreeBSD.ORG
In-Reply-To: <3AB6AF1F.9452E231@bellatlantic.net>
References: <200103182339.QAA18696@usr05.primenet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:15 PM 3/19/2001, Sergey Babkin wrote:

> > > on (a) the number of groups of which a user can be a member and (b) the
>
>For this there is some macro (can't remember the name) which
>can be defined in the kernel config file as an option with
>a higher value. Setting it higher means higher system overhead
>but since the memory size has increased significantly over
>the last few years, I think that a higher default value makes
>sense.

I do too. Could you submit this as a patch?

>I think there is such a limit. Or at least it was in the 2.0.5 days.
>I'm not sure about the line length limit. I remember that there
>was such a limit in SVR4.2, so if a group line grew past some size,
>getgrent() and friends went crazy.

I believe that it was between 100 and 130 when it lost it. Don't know if it was the number of characters or the number of users.

>The common workaround it to split a group record into multiple
>lines in /etc/group, like:
>
>staff:*:20:root
>staff:*:20:babkin
>
>Keep no more than about ~50 users per line.
>This may break things like adduser but it's not a big loss.

Breaking adduser WOULD be a loss. If one of our sysadmins-in-training was adding users to the system, he or she wouldn't know what to do next. And those of us who COULD wouldn't want to take the time. Perhaps adduser ought to be patched to deal with this... say, by understanding multiple lines and limiting the number of users on any one line.
--Brett

From owner-freebsd-security Mon Mar 19 23:35:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-28.dsl.lsan03.pacbell.net [64.165.226.28]) by hub.freebsd.org (Postfix) with ESMTP id 7CE4637B719; Mon, 19 Mar 2001 23:35:25 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 84D6766C4F; Mon, 19 Mar 2001 23:34:08 -0800 (PST)
Date: Mon, 19 Mar 2001 23:34:08 -0800
From: Kris Kennaway
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Odd event -- possible security hole or DoS?
Message-ID: <20010319233408.A15890@xor.obsecurity.org>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost> <20010319223615.B14837@xor.obsecurity.org> <4.3.2.7.2.20010320001710.00d88950@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mYCpIKhGyMATD0i+"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20010320001710.00d88950@localhost>; from brett@lariat.org on Tue, Mar 20, 2001 at 12:19:15AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 20, 2001 at 12:19:15AM -0700, Brett Glass wrote:

> At 11:36 PM 3/19/2001, Kris Kennaway wrote:
>
> >I can't even begin to remember all of the TCP, kernel and application
> >bugs fixed in the 2 1/2 years since 2.2.8. There are probably a
> >number of ways someone could have caused something like this.
>
> I guess what I'm concerned about is that I don't know if it's
> an intentional DoS and/or if it's present in current versions.
> I'll try to do some testing to see if I can lock up inetd
> on that system again via finger.

Reproducing this on a properly-configured version of 4.2-STABLE would probably be a minimum for this to be a useful lead.

Kris

From owner-freebsd-security Tue Mar 20 2:45:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from baerenklau.de.freebsd.org (baerenklau.de.freebsd.org [195.185.195.14]) by hub.freebsd.org (Postfix) with ESMTP id 956D837B718; Tue, 20 Mar 2001 02:45:23 -0800 (PST) (envelope-from w@panke.de.freebsd.org)
Received: (from uucp@localhost) by baerenklau.de.freebsd.org (8.8.8/8.8.8) with UUCP id LAA15220; Tue, 20 Mar 2001 11:43:56 +0100 (CET) (envelope-from w@panke.de.freebsd.org)
Received: (from w@localhost) by paula.panke.de.freebsd.org (8.9.3/8.8.8) id LAA01232; Tue, 20 Mar 2001 11:30:52 +0100 (CET) (envelope-from w)
Date: Tue, 20 Mar 2001 11:30:52 +0100
From: Wolfram Schneider
To: Brett Glass
Cc: Terry Lambert, Sergey Babkin, security@FreeBSD.ORG, Wes Peters, Robert Watson, fs@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
Message-ID: <20010320113052.A1141@paula.panke.de.freebsd.org>
References: <3AB3FC38.94711FFF@bellatlantic.net> <200103180738.AAA03250@usr05.primenet.com> <4.3.2.7.2.20010318123759.00d9dd10@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <4.3.2.7.2.20010318123759.00d9dd10@localhost>; from brett@lariat.org on Sun, Mar 18, 2001 at 12:42:17PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-03-18 12:42:17 -0700, Brett Glass wrote:

> At the same time, it'd be nice to eliminate the arbitrary limitations
> on (a) the number of groups of which a user can be a member and (b) the
> number of members in a group. Both of these limitations often bite
> administrators who, for example, want most users of a system to be
> members of a particular group or want to implement group-based access
> control schemes with a moderate degree of granularity.

The current length limit for a line in /etc/groups is 256KByte, which should be enough for 65536 users in one group ;-)

Please keep in mind that other OSes have lower limits, e.g. Solaris had a limit of 1024 characters (~200 users per group) and NIS/YP may not work with lines longer than 1024 characters.

You can increase the limit if you want and recompile your libc. See src/lib/libc/gen/getgrent.c,v for more details. The support for long lines was added in Dec 1996.

-Wolfram

--
Wolfram Schneider http://wolfram.schneider.org

From owner-freebsd-security Tue Mar 20 2:51:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 3044537B719; Tue, 20 Mar 2001 02:51:38 -0800 (PST) (envelope-from marcr@closed-networks.com)
Received: (qmail 15197 invoked by uid 1000); 20 Mar 2001 10:52:14 -0000
Date: Tue, 20 Mar 2001 10:52:14 +0000
From: Marc Rogers
To: freebsd-security@freebsd.org
Subject: Re: Odd event -- possible security hole or DoS?
Message-ID: <20010320105214.J10016@shady.org>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost> <20010319223615.B14837@xor.obsecurity.org> <4.3.2.7.2.20010320001710.00d88950@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <4.3.2.7.2.20010320001710.00d88950@localhost>; from brett@lariat.org on Tue, Mar 20, 2001 at 12:19:15AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You mentioned that the box was a popmail server? What popmail system, and was it running through inetd?

In my past I had to maintain some fairly heavy load 2.2.8 boxes with Qualcomm's qpopper running from inetd, and I saw some very similar behaviour. In the end this was why I eventually moved that particular client away from running stuff out of inetd and towards using tcpserver.

Without seeing process logs and in depth netstat output I suspect that it will be impossible for anyone to absolutely quantify this. Perhaps the kid was using octopus.c. In the future I would suggest that you install something like snort and/or iplog. Keep lsof handy too. Then if you really want to sit and wait for it to happen, you can give us all some meaty logs to work with :)

I would suggest not worrying about it though and just upgrading that system to 4.2-STABLE before the kid (if it wasn't just a naturally occurring inetd cockup) finds some old exploits and roots you.

Marc Rogers
Head of Network Operations & Security
EDC Group

On Tue, Mar 20, 2001 at 12:19:15AM -0700, Brett Glass wrote:

> At 11:36 PM 3/19/2001, Kris Kennaway wrote:
>
> >I can't even begin to remember all of the TCP, kernel and application
> >bugs fixed in the 2 1/2 years since 2.2.8. There are probably a
> >number of ways someone could have caused something like this.
>
> I guess what I'm concerned about is that I don't know if it's
> an intentional DoS and/or if it's present in current versions.
> I'll try to do some testing to see if I can lock up inetd
> on that system again via finger.
>
> --Brett

From owner-freebsd-security Tue Mar 20 4:01:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cliff.mfn.org (cliff.mfn.org [204.238.179.8]) by hub.freebsd.org (Postfix) with ESMTP id A6FCF37B719; Tue, 20 Mar 2001 04:01:42 -0800 (PST) (envelope-from measl@mfn.org)
Received: from greeves.mfn.org (greeves.mfn.org [204.238.179.3]) by cliff.mfn.org (8.11.1/8.9.3) with ESMTP id f2KBvNj15839; Tue, 20 Mar 2001 05:57:24 -0600 (CST) (envelope-from measl@mfn.org)
Date: Tue, 20 Mar 2001 05:57:23 -0600 (CST)
From: "J.A. Terranson"
To: security@freebsd.org
Subject: chflags/symlinks
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Good Morning/Afternoon/Etc.,

I believe there is an issue WRT the above pair.

Background: all our FBSD boxen run under securelevel 3; our main news server (inn 2.3.1) takes in a full feed (200gb+ daily); in order to keep up with this feed, it is necessary to distribute IO load as much as is humanly possible. Due to an internal kludge, it is necessary (temporarily, while a real fix is being engineered) for us to use symlinks to force certain files to certain filesystems.

Problem: There is no way to secure (schg, etc) the link. I can secure the files to which they point, but not the links themselves.
Theoretically, an attack can be launched by deleting the symlinks and creating new ones, rather than altering the files directly (as they are safe under securelevel 3). For us, the issue has been nightly cleanup routines killing the symlinks, and thereby breaking *everything* :-(

If there is something I have missed here, I would *love* to know...

--
Yours,
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
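The chflags/symlinks post above describes a gap a defender can at least detect: when the links themselves cannot carry schg, record what each link is supposed to point at and re-check it, so that a cleanup job or a re-pointed link is caught before the news spool silently lands on the wrong filesystem. The following is an added example written for this archive, not code from the thread or from any FreeBSD tool; the spool layout, directory names and the "cleanup" and "re-point" events it simulates are all constructed, and the manifest format (link name to literal readlink(2) target) is this example's own choice.

```python
"""Added example (not from the mailing-list thread): integrity check for a
set of symlinks that cannot be protected with file flags themselves.
Snapshot the literal target of every link, then later report links that
were deleted, re-pointed, replaced by a real file/directory, or added.
All paths below are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path


def snapshot_symlinks(directory):
    """Return {link name: literal target} for every symlink in directory."""
    manifest = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_symlink():
            # os.readlink gives the stored target string, not a resolved path,
            # so a link re-pointed at a different (existing) directory is
            # still detected as a change.
            manifest[entry.name] = os.readlink(entry)
    return manifest


def check_symlinks(directory, manifest):
    """Compare directory against an earlier manifest.

    Returns a dict of lists: 'changed' (target differs), 'missing' (link
    gone), 'not_symlink' (name now a real file/dir), 'unexpected' (new link).
    """
    base = Path(directory)
    report = {"changed": [], "missing": [], "not_symlink": [], "unexpected": []}
    for name, expected in manifest.items():
        p = base / name
        if not p.is_symlink():
            # exists() follows links; here p is not a link, so a True means a
            # real object was put in the link's place.
            report["not_symlink" if p.exists() else "missing"].append(name)
            continue
        if os.readlink(p) != expected:
            report["changed"].append(name)
    for name in snapshot_symlinks(directory):
        if name not in manifest:
            report["unexpected"].append(name)
    return report


def demo():
    """Build a constructed spool, take a manifest, simulate a nightly cleanup
    deleting one link, a second link being re-pointed, a third replaced by a
    real directory and a fourth appearing, then return (manifest, report)."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp) / "spool"
        spool.mkdir()
        fast, slow, other = (Path(tmp) / n for n in ("fast_disk", "slow_disk", "other_disk"))
        for d in (fast, slow, other):
            d.mkdir()
        (spool / "articles").symlink_to(fast)
        (spool / "overview").symlink_to(slow)
        (spool / "cache").symlink_to(slow)
        manifest = snapshot_symlinks(spool)

        (spool / "overview").unlink()                 # cleanup job removed it
        (spool / "articles").unlink()
        (spool / "articles").symlink_to(other)        # link re-pointed elsewhere
        (spool / "cache").unlink()
        (spool / "cache").mkdir()                     # real directory in its place
        (spool / "incoming").symlink_to(fast)         # link nobody recorded
        return manifest, check_symlinks(spool, manifest)


if __name__ == "__main__":
    _, report = demo()
    for kind, names in report.items():
        print(f"{kind:12s} {names}")
```

Run from cron after the nightly jobs, a non-empty report is the alarm; the manifest itself can live on a filesystem where schg does apply. On FreeBSD the containing directory can also be flagged schg, which blocks adding or removing entries (the links) even though the flag cannot be set on a link directly; that limits the exposure the post describes but does not help when a legitimate job must recreate the links, which is where the check above fits.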
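Returning to the /etc/group discussion earlier in the thread (Sergey Babkin's workaround of splitting one group over several lines, Brett Glass's suggestion that adduser understand such files, and Wolfram Schneider's note on per-line limits): the following is an added example, not code from the thread or from FreeBSD's adduser or libc. It parses a group file that may carry repeated lines for one group, merges the membership, rejects a repeated line whose gid disagrees with the first, and writes the file back out with a configurable maximum number of members per line. The sample group file is constructed; the merge semantics are this example's own assumption, not a statement about how getgrent(3) handles repeated lines.

```python
"""Added example (not from the mailing-list thread): read an /etc/group
file in which a group's membership is split across repeated lines, merge
the members, and write it back with at most max_per_line members per line.
The group data is constructed for the demonstration."""

SAMPLE_GROUP = """\
# constructed sample, not a real system file
wheel:*:0:root,babkin
staff:*:20:root
staff:*:20:babkin,brett,kris
staff:*:20:wolfram
nogroup:*:65533:
"""


def parse_group(text):
    """Return {name: (passwd, gid, [members])} preserving first-seen order.

    Repeated lines for the same group are merged (duplicates dropped, order
    kept). A repeated line whose gid differs from the first is a corrupt file
    and raises ValueError rather than silently choosing one of the gids.
    """
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, passwd, gid_text, member_text = fields
        gid = int(gid_text)
        members = [m for m in member_text.split(",") if m]
        if name in groups:
            _, first_gid, merged = groups[name]
            if first_gid != gid:
                raise ValueError(
                    f"line {lineno}: group {name} has gid {gid}, earlier line had {first_gid}")
            for m in members:
                if m not in merged:
                    merged.append(m)
        else:
            groups[name] = (passwd, gid, members)
    return groups


def format_group(groups, max_per_line=50):
    """Render groups back to /etc/group text, emitting a repeated line for a
    group whenever its member list exceeds max_per_line (the ~50-per-line
    rule from the thread is the default)."""
    lines = []
    for name, (passwd, gid, members) in groups.items():
        chunks = [members[i:i + max_per_line]
                  for i in range(0, len(members), max_per_line)] or [[]]
        for chunk in chunks:
            lines.append(f"{name}:{passwd}:{gid}:{','.join(chunk)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_group(SAMPLE_GROUP)
    print(format_group(parsed, max_per_line=2), end="")
```

A tool that edits the file this way (parse, modify the merged member list, re-emit) never produces a line longer than the chosen bound, so the per-line limits Wolfram mentions for Solaris and NIS/YP are respected even while the merged group is large; the gid-mismatch check is the safety property that keeps a stray edit from quietly creating two groups that share a name.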
--------------------------------------------------------------------

From owner-freebsd-security Tue Mar 20 6:13:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from muddywaters.muzak.com (relay.muzak.com [12.19.54.250]) by hub.freebsd.org (Postfix) with SMTP id BE02F37B723; Tue, 20 Mar 2001 06:12:37 -0800 (PST) (envelope-from helpdesk5@golfmail.com)
Received: from 10.1.1.8 by muddywaters.muzak.com (InterScan E-Mail VirusWall NT); Sun, 18 Mar 2001 16:00:34 -0500 (Eastern Standard Time)
Received: from muddywaters.muzak.com (MUDDYWATERS [10.144.40.16]) by marley.muzak.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFR2WFQ8; Sun, 18 Mar 2001 16:00:34 -0500
Received: from 209.208.45.16 by muddywaters.muzak.com (InterScan E-Mail VirusWall NT); Sun, 18 Mar 2001 16:00:30 -0500 (Eastern Standard Time)
To: hungryjack@republic.com
Date: Sun, 18 Mar 01 15:47:38 EST
From: helpdesk5@golfmail.com
Subject: toner supplies
Message-Id: <20010320141237.BE02F37B723@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

PLEASE FORWARD TO THE PERSON RESPONSIBLE FOR PURCHASING YOUR LASER PRINTER SUPPLIES

**** VORTEX SUPPLIES ****

-SPECIALS OF THE DAY ON LASER TONER SUPPLIES AT DISCOUNT PRICES--

LASER PRINTER TONER CARTRIDGES
COPIER AND FAX CARTRIDGES

WE ARE -->THE<-- PLACE TO BUY YOUR TONER CARTRIDGES BECAUSE YOU SAVE UP TO 30% FROM OFFICE DEPOT'S, QUILL'S OR OFFICE MAX'S EVERY DAY LOW PRICES

ORDER BY PHONE: 1-888-288-9043
ORDER BY FAX: 1-888-977-1577
CUSTOMER SERVICE: 1-888-248-2015
E-MAIL REMOVAL LINE: 1-888-248-4930

UNIVERSITY AND/OR SCHOOL PURCHASE ORDERS WELCOME. (NO CREDIT APPROVAL REQUIRED) ALL OTHER PURCHASE ORDER REQUESTS REQUIRE CREDIT APPROVAL. PAY BY CHECK (C.O.D), CREDIT CARD OR PURCHASE ORDER (NET 30 DAYS).
IF YOUR ORDER IS BY CREDIT CARD PLEASE LEAVE YOUR CREDIT CARD # PLUS EXPIRATION DATE. IF YOUR ORDER IS BY PURCHASE ORDER LEAVE YOUR SHIPPING/BILLING ADDRESSES AND YOUR P.O. NUMBER.

NO SHIPPING CHARGES FOR ORDERS $49 OR OVER. ADD $4.75 FOR ORDERS UNDER $49. C.O.D. ORDERS ADD $4.5 TO SHIPPING CHARGES.

FOR THOSE OF YOU WHO REQUIRE MORE INFORMATION ABOUT OUR COMPANY INCLUDING FEDERAL TAX ID NUMBER, CLOSEST SHIPPING OR CORPORATE ADDRESS IN THE CONTINENTAL U.S. OR FOR CATALOG REQUESTS PLEASE CALL OUR CUSTOMER SERVICE LINE 1-888-248-2015

OUR NEW LASER PRINTER TONER CARTRIDGE PRICES ARE AS FOLLOWS: (PLEASE ORDER BY PAGE NUMBER AND/OR ITEM NUMBER)

HEWLETT PACKARD: (ON PAGE 2)
ITEM #1 LASERJET SERIES 4L,4P (74A) -- $44
ITEM #2 LASERJET SERIES 1100 (92A) -- $44
ITEM #3 LASERJET SERIES 2 (95A) -- $39
ITEM #4 LASERJET SERIES 2P (75A) -- $54
ITEM #5 LASERJET SERIES 5P,6P,5MP, 6MP (3903A) -- $44
ITEM #6 LASERJET SERIES 5SI, 5000 (29A) -- $95
ITEM #7 LASERJET SERIES 2100 (96A) -- $74
ITEM #8 LASERJET SERIES 8100 (82X) -- $145
ITEM #9 LASERJET SERIES 5L/6L (3906A) -- $35
ITEM #10 LASERJET SERIES 4V -- $95
ITEM #11 LASERJET SERIES 4000 (27X) -- $72
ITEM #12 LASERJET SERIES 3SI/4SI (91A) -- $54
ITEM #13 LASERJET SERIES 4, 4M, 5,5M -- $49

HEWLETT PACKARD FAX (ON PAGE 2)
ITEM #14 LASERFAX 500, 700 (FX1) -- $49
ITEM #15 LASERFAX 5000,7000 (FX2) -- $54
ITEM #16 LASERFAX (FX3) -- $59
ITEM #17 LASERFAX (FX4) -- $54

LEXMARK/IBM (ON PAGE 3)
OPTRA 4019, 4029 HIGH YIELD -- $89
OPTRA R, 4039, 4049 HIGH YIELD -- $105
OPTRA E -- $59
OPTRA N -- $115
OPTRA S -- $165

EPSON (ON PAGE 4)
ACTION LASER 7000,7500,8000,9000 -- $105
ACTION LASER 1000,1500 -- $105

CANON PRINTERS (ON PAGE 5)
PLEASE CALL FOR MODELS AND UPDATED PRICES FOR CANON PRINTER CARTRIDGES

PANASONIC (ON PAGE 7)
NEC SERIES 2 MODELS 90 AND 95 -- $105

APPLE (ON PAGE 8)
LASER WRITER PRO 600 or 16/600 -- $49
LASER WRITER SELECT 300,320,360 -- $74
LASER WRITER 300 AND 320 -- $54
LASER WRITER NT, 2NT -- $54
LASER WRITER 12/640 -- $79

CANON FAX (ON PAGE 9)
LASERCLASS 4000 (FX3) -- $59
LASERCLASS 5000,6000,7000 (FX2) -- $54
LASERFAX 5000,7000 (FX2) -- $54
LASERFAX 8500,9000 (FX4) -- $54

CANON COPIERS (PAGE 10)
PC 3, 6RE, 7 AND 11 (A30) -- $69
PC 300,320,700,720 and 760 (E-40) -- $89

IF YOUR CARTRIDGE IS NOT LISTED CALL CUSTOMER SERVICE AT 1-888-248-2015

90 DAY UNLIMITED WARRANTY INCLUDED ON ALL PRODUCTS.

ALL TRADEMARKS AND BRAND NAMES LISTED ABOVE ARE PROPERTY OF THE RESPECTIVE HOLDERS AND USED FOR DESCRIPTIVE PURPOSES ONLY.
From owner-freebsd-security Tue Mar 20 10:10:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 5C37837B73F; Tue, 20 Mar 2001 10:10:09 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (yogotech.nokia.com [4.22.66.156]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA07382; Tue, 20 Mar 2001 11:07:56 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id LAA06683; Tue, 20 Mar 2001 11:07:44 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15031.40047.731987.194238@nomad.yogotech.com>
Date: Tue, 20 Mar 2001 11:07:43 -0700 (MST)
To: Brett Glass
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Odd event -- possible security hole or DoS?
In-Reply-To: <4.3.2.7.2.20010320001710.00d88950@localhost>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost> <4.3.2.7.2.20010320001710.00d88950@localhost>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >I can't even begin to remember all of the TCP, kernel and application
> >bugs fixed in the 2 1/2 years since 2.2.8. There are probably a
> >number of ways someone could have caused something like this.
>
> I guess what I'm concerned about is that I don't know if it's
> an intentional DoS and/or if it's present in current versions.

There were at least 3 remote vulnerabilities in the 2.2.8 TCP/IP stack, and 2-3 vulnerabilities in the shipped software.
Fixes to the stack were merged into the code-base a long time back, although the shipped software (BIND and SENDMAIL were two of them) requires you to back-port the software to the box. (Trivial to do).

Inetd may have had problems as well, but I believe they were DOS types, related to local users and not remote users.

Nate

From owner-freebsd-security Tue Mar 20 17:23:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from beagle.epooch.com (beagle.epooch.com [216.127.154.19]) by hub.freebsd.org (Postfix) with ESMTP id B3A8037B735; Tue, 20 Mar 2001 17:23:04 -0800 (PST) (envelope-from mschroebel@epooch.com)
Received: from kimba (lab.epooch.com [216.127.154.26]) by beagle.epooch.com (8.11.1/8.11.1) with SMTP id f2L1Mkd00468; Tue, 20 Mar 2001 20:22:47 -0500 (EST) (envelope-from mschroebel@epooch.com)
Message-ID: <001001c0b245$9f596f60$069aa8c0@epooch.com>
From: "Matthew Schroebel"
Date: Wed, 21 Mar 2001 15:29:25 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe

From owner-freebsd-security Tue Mar 20 17:44:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from VL-MS-MR001.sc1.videotron.ca (relais.videotron.ca [24.201.245.36]) by hub.freebsd.org (Postfix) with ESMTP id 5D99E37B73D; Tue, 20 Mar 2001 17:44:07 -0800 (PST) (envelope-from bmilekic@technokratis.com)
Received: from jehovah ([24.201.100.133]) by VL-MS-MR001.sc1.videotron.ca (Netscape Messaging Server 4.15) with SMTP id GAIY0F05.8LF; Tue, 20 Mar 2001 20:41:03 -0500
Message-ID: <004a01c0b1a8$6444dab0$8564c918@jehovah>
From: "Bosko Milekic"
To: "Brett Glass"
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost>
Subject: Re: Odd event -- possible security hole or DoS?
Date: Tue, 20 Mar 2001 20:43:55 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:

> A fellow I know just stopped me as I walked past his office to
> say that his FreeBSD system was acting strangely. I stopped
> in to take a look for him. It's running FreeBSD 2.8 with
> security patches -- a WAY old release. (I got him to agree
> to let me upgrade it to 4.3-RELEASE for him if it's a good
> release.)
>
> In any event, I ran netstat on his machine and discovered that
> there was a huge backlog of open TCP connections, some of them
> stuck in states such as CLOSING, FIN_WAIT_1 and FIN_WAIT_2.
> Also, POP clients couldn't get through; it looked as if sockets
> were being opened but the daemons weren't being spawned.

A system that old likely suffers from the same problems we found and fixed in 3.x and 4.x. Basically, there was one particular problem of this nature that I specifically remember jlemon fixing some while back.

> I was just about to reboot the server when it occurred to me
> that this might erase any evidence of what was going wrong.
> So, I considered for a bit and realized that the behavior
> I was seeing just might happen if inetd somehow messed up.
> I decided to try sending a HUP to inetd, just to see
> what would happen.
>
> Immediately, the system sprang back to life and cleared the
> old connections.
> And the following appeared in the log:
>
> Mar 19 17:27:12 victim fingerd[16439]: query from 208.59.253.87: `root '
> Mar 19 17:27:12 victim fingerd[16437]: query from 208.59.253.87: ` '
>
> Interesting. Someone with a cable modem playing games. Probably should identify the culprit, but I'm more interested in knowing how he managed to cause the system to malfunction.
>
> In case it helps, here's a bit more about the system configuration.
>
> The finger daemon had been set, via the -p option, to return a message saying that finger requests were being denied. The line in inetd.conf looked like this:
>
> finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s -l -p /usr/local/bin/nonetfinger
>
> "nonetfinger" is a program that my friend grabbed from my BSDCon paper and compiled. It simply outputs a message to standard output. It doesn't even look at its arguments.
>
> Hmmm.
>
> So, what's going on here?
>
> Was someone trying to execute a DoS or remote root exploit here, perhaps by trying to feed something quoted to fingerd and/or the program it invoked? Why did it hang things up so badly? Does this hint at a security flaw in inetd or fingerd that needs attention (or has gotten some since that old version of FreeBSD)?
>
> --Brett

From owner-freebsd-security Tue Mar 20 18:25:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ego.mind.net (ego.mind.net [206.99.66.9]) by hub.freebsd.org (Postfix) with ESMTP id 2AD9E37B71C; Tue, 20 Mar 2001 18:25:36 -0800 (PST) (envelope-from takhus@takhus.mind.net)
Received: from takhus.dyn.mind.net (AFN-Dyn-2084622070.pc.ashlandfiber.net [208.46.220.70]) by ego.mind.net (8.9.3/8.9.3) with ESMTP id SAA19471; Tue, 20 Mar 2001 18:15:19 -0800
Received: from localhost (fleisher@localhost) by takhus.dyn.mind.net (8.11.3/8.11.3) with ESMTP id f2L2FJp18281; Tue, 20 Mar 2001 18:15:19 -0800 (PST) (envelope-from takhus@takhus.mind.net)
X-Authentication-Warning: takhus.dyn.mind.net: fleisher owned process doing -bs
Date: Tue, 20 Mar 2001 18:15:19 -0800 (PST)
From: Tony Fleisher
X-Sender: fleisher@takhus.dyn.mind.net
To: Brett Glass
Cc: Sergey Babkin , security@FreeBSD.ORG, fs@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
In-Reply-To: <4.3.2.7.2.20010320002008.00d12b50@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 20 Mar 2001, Brett Glass wrote:

> At 06:15 PM 3/19/2001, Sergey Babkin wrote:
>
> >> > on (a) the number of groups of which a user can be a member and (b) the
> >
> >For this there is some macro (can't remember the name) which can be defined in the kernel config file as an option with a higher value. Setting it higher means higher system overhead but since the memory size has increased significantly over the last few years, I think that a higher default value makes sense.
>
> I do too. Could you submit this as a patch?
>
> >I think there is such a limit. Or at least it was in the 2.0.5 days.
> >I'm not sure about the line length limit.
> >I remember that there was such a limit in SVR4.2, so if a group line grew past some size, getgrent() and friends went crazy.
>
> I believe that it was between 100 and 130 when it lost it. Don't know if it was the number of characters or the number of users.
>
> [details about a workaround and adduser breakage removed]

I believe that the limit on the length of a line in the group file was removed prior to 3.0-RELEASE. See revision 1.14 of src/lib/libc/gen/getgrent.c by wosch.

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/gen/getgrent.c

Regards,
Tony.

From owner-freebsd-security Tue Mar 20 20: 3:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13205.mail.yahoo.com (web13205.mail.yahoo.com [216.136.174.190]) by hub.freebsd.org (Postfix) with SMTP id E9AC237B727 for ; Tue, 20 Mar 2001 20:03:27 -0800 (PST) (envelope-from lipshitz909@yahoo.com)
Message-ID: <20010321004845.17826.qmail@web13205.mail.yahoo.com>
Received: from [209.168.57.140] by web13205.mail.yahoo.com; Tue, 20 Mar 2001 16:48:45 PST
Date: Tue, 20 Mar 2001 16:48:45 -0800 (PST)
From: Larry Librettez
Subject: 4.3-BETA: cannot su root in console window in X
To: freebsd-bugs@freebsd.org
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After upgrading to 4.3-BETA, I now cannot do an su root login in a console window (xterm, rxvt) while in X. I did make buildworld, make installworld, built the new kernel and installed it, did mergemaster, and MAKEDEV on all my devices. I tried adding 'secure' to /etc/ttys after the ttyp* entries, even tried chmod 666 the /dev/ttyp* entries, and nothing works. I even re-made the /dev/ttyp* devices specifically. I cvsup'd on 3 different days from 3 different sites, and the problem still occurs.
I verified my root password by typing it in the console (in X) to ensure the characters come out correctly, and they do. The strange thing is, I can su to root in a regular console out of X windows, but when I go into X, I cannot su to root. Is this a bug? Is this a DoS? Is this a kernel problem?

Also, as an experiment I compiled and installed the older kernel (4.2-STABLE) but left the 4.3-BETA userland in place, and guess what . . . the problem went away. I was able to su to root in X, in both rxvt and xterm! So what's the problem here with 4.3-BETA? Can anyone help me?

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/

From owner-freebsd-security Wed Mar 21 6:19:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freebsd.org.ru (sweet.etrust.ru [194.84.67.5]) by hub.freebsd.org (Postfix) with ESMTP id B3FBC37B72D; Wed, 21 Mar 2001 06:19:54 -0800 (PST) (envelope-from osa@freebsd.org.ru)
Received: by freebsd.org.ru (Postfix, from userid 1000) id DEC46218; Wed, 21 Mar 2001 17:19:50 +0300 (MSK)
Date: Wed, 21 Mar 2001 17:19:50 +0300
From: "Sergey A. Osokin"
To: Poul-Henning Kamp
Cc: security@FreeBSD.org
Subject: Re: sendmail listening on port 587 ??!!
Message-ID: <20010321171950.A90452@freebsd.org.ru>
References: <49989.984993633@critter>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <49989.984993633@critter>; from phk@freebsd.org on Mon, Mar 19, 2001 at 10:20:33AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 19, 2001 at 10:20:33AM +0100, Poul-Henning Kamp wrote:
>
> I just found out that sendmail listens to port 587 in addition to port 25 now.
>
> What is the story behind this ?

From /usr/src/UPDATING ....
20000827:
	sendmail has been updated from 8.9.3 to 8.11.0. Some of the more visible changes that may immediately affect your configuration include:
	- New default file locations from src/contrib/sendmail/cf/README
	- newaliases limited to root and trusted users
	- MSA port (587) turned on by default
	  ^^^^^

--
Rgdz,                          /"\
Sergey Osokin aka oZZ,         \ /  ASCII RIBBON CAMPAIGN
osa@freebsd.org.ru              X   AGAINST HTML MAIL
http://freebsd.org.ru/~osa/    / \

From owner-freebsd-security Wed Mar 21 8:16:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33]) by hub.freebsd.org (Postfix) with ESMTP id D340F37B73D for ; Wed, 21 Mar 2001 08:16:43 -0800 (PST) (envelope-from kopts@astro.ioffe.rssi.ru)
Received: from astro.ioffe.rssi.ru (astro.ioffe.rssi.ru [194.85.229.130]) by relay.ioffe.rssi.ru (8.9.1/8.9.1) with ESMTP id TAA17877; Wed, 21 Mar 2001 19:15:00 +0300 (MSK)
Received: by astro.ioffe.rssi.ru (8.9.3/Clnt-2.14-AS-eef) id TAA16762; Wed, 21 Mar 2001 19:14:54 +0300 (MSK)
Date: Wed, 21 Mar 2001 19:14:54 +0300 (MSK)
From: Alexey Koptsevich
To: "Crist J . Clark"
Cc: security@freebsd.org
Subject: Re: Disabling xhost(1) Access Control
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Crist,

I also think about disabling xhost and wonder which solution you have chosen -- modifying Xserver source offered later in the thread? Actually, "-nolisten tcp" is a nice idea, but I would like X to run from the server on all "Xterminals", and of course "X -query" fails that way...

Thanks,
Alex

> I want users to use user-level X access controls, that is, xauth(1) and the magic cookies. I do NOT want people using xhost(1) access controls.
>
> FreeBSD's XFree86 (unlike so many other X dists) defaults to enabling xauth. The problem is, it does not prevent lusers from still doing things like put 'xhost +' in their .login and defeating the system. (Grrrr...)
>
> I've been searching and cannot find a way to disable xhost(1) level access. And I mean disabling as in defaulting to everything locked out as opposed to defaulting to wide open. If a user were to 'xhost +' it would not open things up.
>
> Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting all user writable filesystems noexec)? This is for xdm(1) setups and not necessarily xinit(1).
> --
> Crist J. Clark                          cjclark@alum.mit.com

From owner-freebsd-security Wed Mar 21 8:18:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bootp-20-219.bootp.virginia.edu (bootp-20-219.bootp.Virginia.EDU [128.143.20.219]) by hub.freebsd.org (Postfix) with ESMTP id 3355E37B71F for ; Wed, 21 Mar 2001 08:18:22 -0800 (PST) (envelope-from mipam@virginia.edu)
Received: by bootp-20-219.bootp.virginia.edu (Postfix) id EF63F1D001; Wed, 21 Mar 2001 11:20:04 -0500 (EST)
Date: Wed, 21 Mar 2001 11:20:04 -0500
From: Mipam
To: security@freebsd.org
Subject: nat/ipfw/ipsec interaction
Message-ID: <20010321112004.D1687@bootp-20-219.bootp.virginia.edu>
Reply-To: mipam@ibb.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: BSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Yesterday I tried to set up an IPsec connection from me to a friend of mine, most simple case: just ESP, transport mode, manual passwords.
I didn't use ipf/nat or anything and things went well on this side (I wasn't even using FreeBSD). Tcpdump rocks sometimes :)

On the other side NAT was done, and on that same box a jail was run to host telnet in, and the plan was to make an IPsec telnet session to that NAT machine in which the jail for telnet was running. Normal telnet went fine :) Applying IPsec transport mode with just ESP didn't work out. Running tcpdump on that box turned out that the outside interface received the packets with the correct key number etc. ... but it sent a plain reset back as if we were talking to a closed port. And yes, the firewall let telnet through, for else normal telnet wouldn't have worked at all.

Finally we tried it on a machine behind the NAT machine to create a transport mode with just ESP and manual keys. Still didn't work out.

host ----internet--- freebsd nat/ipfw -- host

I didn't administer the FreeBSD nat/ipfw machine, but I was told what he saw. In this case the traffic even didn't arrive on the internal interface from the NAT box, he said. Normal traffic worked fine, but it seems that natd/ipfw doesn't work too well with IPsec, not even when a machine behind the NAT machine does IPsec and not the NAT box itself. And I don't get that case: NAT should just change the IP hdr in case of an IPsec (ESP transport) packet coming in. In this case I didn't receive anything back at all, and tcpdump on the NAT machine showed again that it receives the packet, but what happens after I don't know.

So when not using IPsec to do telnet sessions and other sessions for which services are running on machines behind the FreeBSD NAT box, all works fine. As soon as we're applying IPsec from these machines to each other it won't work. The problem clearly is on the NAT box, for when doing IPsec, the machine behind the NAT box doesn't receive any traffic at all.

Does anyone have such a situation running which is actually working? Are any bugs known concerning these issues? Any suggestions?

Bye,

Mipam.
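
The two symptoms in the message above (ESP arriving on the outside interface of the NAT box and being answered with a plain TCP reset; ESP arriving on the outside interface and never showing up on the inside interface) can be checked mechanically from tcpdump output rather than by eye. The Python script below is an added example written for this page, not code from the thread or from FreeBSD. It parses two constructed traces whose format only approximates tcpdump's text output, correlates each ESP packet with a reset from the host it was sent to, and matches packets across the two interfaces by SPI and ESP sequence number rather than by address, since natd rewrites the IP header but cannot touch the ESP header. The addresses are documentation ranges, the SPIs are made up, and every function name is the example's own.

```python
"""Spot IPsec-through-NAT failures in tcpdump-style traces.

Added example for this page; the trace lines at the bottom are constructed
and only approximate tcpdump's text output (tcpdump -n -i <if> esp or tcp).
"""
import re

# 2001-era tcpdump prints ESP as "SRC > DST: ESP(spi=0x...,seq=0x...)" and
# TCP as "SRC.PORT > DST.PORT: FLAGS ...".  Both regexes are approximations.
ESP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)$"
)
TCP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)


def _seconds(ts):
    """'19:14:54.100000' -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(lines):
    """Return one dict per recognised ESP or TCP line; other lines are skipped."""
    packets = []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            packets.append({"t": _seconds(m["ts"]), "proto": "esp",
                            "src": m["src"], "dst": m["dst"],
                            "spi": int(m["spi"], 16), "seq": int(m["seq"], 16)})
            continue
        m = TCP_RE.match(line)
        if m:
            packets.append({"t": _seconds(m["ts"]), "proto": "tcp",
                            "src": m["src"], "dst": m["dst"],
                            "sport": int(m["sport"]), "dport": int(m["dport"]),
                            "flags": m["flags"]})
    return packets


def esp_answered_by_rst(packets, window=0.5):
    """First symptom: ESP from peer P to host H, then a TCP RST from H back
    to P within `window` seconds.  Returns (spi, seq, host, port) tuples."""
    findings = []
    for i, p in enumerate(packets):
        if p["proto"] != "esp":
            continue
        for q in packets[i + 1:]:
            if q["t"] - p["t"] > window:
                break
            if (q["proto"] == "tcp" and "R" in q["flags"]
                    and q["src"] == p["dst"] and q["dst"] == p["src"]):
                findings.append((p["spi"], p["seq"], q["src"], q["sport"]))
                break
    return findings


def esp_not_forwarded(outside, inside):
    """Second symptom: ESP seen on the outside interface with no packet of
    the same (SPI, sequence) on the inside interface.  Addresses are ignored
    on purpose: natd may rewrite the IP header, but SPI and sequence number
    live in the ESP header and survive translation."""
    inside_keys = {(p["spi"], p["seq"]) for p in inside if p["proto"] == "esp"}
    return [(p["spi"], p["seq"], p["dst"]) for p in outside
            if p["proto"] == "esp" and (p["spi"], p["seq"]) not in inside_keys]


def report(outside_lines, inside_lines):
    """Run both checks.  An ESP packet the NAT box answered itself (with a
    RST) is expected to be absent inside, so it is not also listed as dropped."""
    out = parse_trace(outside_lines)
    ins = parse_trace(inside_lines)
    rst = esp_answered_by_rst(out)
    answered = {(spi, seq) for spi, seq, _, _ in rst}
    dropped = [f for f in esp_not_forwarded(out, ins) if (f[0], f[1]) not in answered]
    return {"rst": rst, "dropped": dropped}


# Constructed traces: 203.0.113.5 is the remote peer, 192.0.2.1 the NAT box's
# outside address and 192.168.1.10 a host behind it.  SPI 0x1001 is the
# transport-mode SA to the NAT box itself; SPI 0x1002 the SA to the inner host.
OUTSIDE_TRACE = """\
19:14:54.100000 203.0.113.5 > 192.0.2.1: ESP(spi=0x00001001,seq=0x1)
19:14:54.100300 192.0.2.1.23 > 203.0.113.5.1034: R 0:0(0) ack 1 win 0
19:14:55.200000 203.0.113.5 > 192.0.2.1: ESP(spi=0x00001002,seq=0x1)
19:14:55.200100 203.0.113.5 > 192.0.2.1: ESP(spi=0x00001002,seq=0x2)
19:14:56.000000 203.0.113.5.2001 > 192.0.2.1.23: S 10:10(0) win 16384
""".splitlines()

INSIDE_TRACE = """\
19:14:55.200500 203.0.113.5 > 192.168.1.10: ESP(spi=0x00001002,seq=0x1)
19:14:56.000400 203.0.113.5.2001 > 192.168.1.10.23: S 10:10(0) win 16384
""".splitlines()

if __name__ == "__main__":
    for kind, hits in report(OUTSIDE_TRACE, INSIDE_TRACE).items():
        for hit in hits:
            print(kind, hit)
```

Run as a script it prints one "rst" hit (SPI 0x1001 answered by a reset from port 23 on the NAT box, the telnet-to-jail case) and one "dropped" hit (SPI 0x1002 sequence 2 seen outside but never inside, the host-behind-NAT case), while SPI 0x1002 sequence 1 is correctly matched across interfaces despite the rewritten destination address. To use it on real captures, replace the two constructed lists with lines from tcpdump on each interface and adjust the regexes to the exact output of your tcpdump version.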
From owner-freebsd-security Wed Mar 21 8:38:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from johnson.mail.mindspring.net (johnson.mail.mindspring.net [207.69.200.177]) by hub.freebsd.org (Postfix) with ESMTP id 4DC4637B71A for ; Wed, 21 Mar 2001 08:38:09 -0800 (PST) (envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca4a-189.ix.netcom.com [209.110.244.189]) by johnson.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id LAA10830 for ; Wed, 21 Mar 2001 11:37:00 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000) id D0333113CB1; Wed, 21 Mar 2001 08:36:57 -0800 (PST)
From: Mike Harding
To: freebsd-security@freebsd.org
Subject: IPSEC/VPN/NAT and filtering
Message-Id: <20010321163657.D0333113CB1@netcom1.netcom.com>
Date: Wed, 21 Mar 2001 08:36:57 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's possible to use IPSEC on a box with NAT, but you don't want to NAT the ipsec tunnel. What worked for me was to create an ESP tunnel and then route traffic to the remote net to lo0. It then gets encapsulated and sent out the external interface. NAT is not invoked because the traffic no longer looks like your internal network.

IPSEC does _not_ play happy with packet filters on the same box... here's an extract from a recent e-mail to kris... I would like to see all of this fixed and working, I'll write a handbook entry and do coding as well....

- Mike Harding

(extracted from a letter to kris...)

I have seen your name on a few exchanges and you seem to be a likely person to discuss this with. The issue is using IPSEC and ipfilter (or ipfw) together on the same box. I think I have a relatively simple way to deal with getting this to work properly.
The current problem is that if you use ESP tunnel mode, or transport mode for that matter, the KAME code rewrites the packet contents, and then requeues the packet for further routing. See line 398 in esp_input.c for -STABLE. It does NOT change the interface, so you can't tell this packet from one that comes in via the hardware device. Apparently there is a bit flipped indicating that this is an ipsec'd packet, but the current packet filters don't appear to take advantage of it.

My modest proposal would be to have a sysctl variable to indicate an alternate interface to reinject the decrypted packets (like a local loopback, the default or maybe a new one, lo1). Then you know that anything coming in that interface was inserted by the KAME stack and you can apply filtering to it. This would allow firewall and IPSEC gateway functionality to be put into the same box.

You can use the 'gif' device for tunnelling, but we are trying to interoperate with a cisco box (politics). There is also pipsecd, which would work, but there is no IKE daemon for it. I think we will work around this by putting another packet filter in front of the IPSEC box, but this would be very useful in general I think...

How does this proposal sound? I know the OpenBSD folk put some effort into getting ipfilter and IPSEC to 'play nice'... it would be a shame to have to use 2 boxes or switch OSes to support this. I am willing to write a section in the handbook on this once I have it set up correctly, a box with NAT, VPN, and ipfilter (and alternately IPFW).
From owner-freebsd-security Wed Mar 21 9:57:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 3217E37B73F for ; Wed, 21 Mar 2001 09:57:16 -0800 (PST) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.16 #1) id 14fmoy-0005yg-00 for security@freebsd.org; Wed, 21 Mar 2001 17:54:56 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) for security@freebsd.org id 14fmoz-0001CG-00; Wed, 21 Mar 2001 17:54:57 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: security@freebsd.org
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 21 Mar 2001 19:14:54 +0300."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Mar 2001 17:54:57 +0000
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I also think about disabling xhost and wonder which solution you have chosen -- modifying Xserver source offered later in the thread? Actually, "-nolisten tcp" is a nice idea, but I would like X to run from the server on all "Xterminals", and of course "X -query" fails that way...

I actually run two copies of "xdm": one (with "-nolisten tcp") for the local display which also has the XDMCP port set to zero to disable remote X displays using XDMCP; and the other copy of "xdm" with no X servers at all, just listening for XDMCP on port 177.

Makes it much easier to control the availability of XDMCP without editing files as such. I use this on a laptop which wants just the local display in most connections, but I want to allow the use of an X terminal when I'm at home with a trusted desktop and 17" monitor.
--
David Pick

From owner-freebsd-security Wed Mar 21 11:41:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B22DD37B77E for ; Wed, 21 Mar 2001 11:41:03 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id EAA10520; Thu, 22 Mar 2001 04:10:30 +0900 (JST)
To: Mike Harding
Cc: freebsd-security@freebsd.org
In-reply-to: mvh's message of Wed, 21 Mar 2001 08:36:57 PST. <20010321163657.D0333113CB1@netcom1.netcom.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 04:10:29 +0900
Message-ID: <10518.985201829@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>My modest proposal would be to have a sysctl variable to indicate an alternate interface to reinject the decrypted packets (like a local loopback, the default or maybe a new one, lo1). Then you know that anything coming in that interface was inserted by the KAME stack and you can apply filtering to it. This would allow firewall and IPSEC gateway functionality to be put into the same box.

	strong no to changing m->m_pkthdr.rcvif on IPsec tunnel operations. that behavior will kill scoped addresses, as well as recently-discussed-to-death strong host model node.

	see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree.
	(you can check if the packet went through IPsec on inbound, by using ipsec_gethist())
	http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun

From owner-freebsd-security Wed Mar 21 11:41:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id AB59537B72B for ; Wed, 21 Mar 2001 11:41:00 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id EAA10690; Thu, 22 Mar 2001 04:18:00 +0900 (JST)
To: Mike Harding , freebsd-security@freebsd.org
In-reply-to: itojun's message of Thu, 22 Mar 2001 04:10:29 JST. <10518.985201829@coconut.itojun.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 04:18:00 +0900
Message-ID: <10688.985202280@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree.
> (you can check if the packet went through IPsec on inbound, by using ipsec_gethist())
> http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

	i'm not sure what should be done for stream came in from divert socket.
itojun

From owner-freebsd-security Wed Mar 21 11:53:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 7C76137B730 for ; Wed, 21 Mar 2001 11:53:22 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA17828; Wed, 21 Mar 2001 11:52:44 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17826; Wed Mar 21 11:52:29 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f2LJqOK41572; Wed, 21 Mar 2001 11:52:24 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdx41558; Wed Mar 21 11:52:10 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f2LJqAi08753; Wed, 21 Mar 2001 11:52:10 -0800 (PST)
Message-Id: <200103211952.f2LJqAi08753@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdOh8742; Wed Mar 21 11:51:27 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: David Pick
Cc: security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 21 Mar 2001 17:54:57 GMT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Mar 2001 11:51:27 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , David Pick writes:

> > I also think about disabling xhost and wonder which solution have you chosen -- modifying Xserver source offered later in the thread?
> > Actually, "-nolisten tcp" is a nice idea, but I would like X to run from the server on all "Xterminals", and of course "X -query" fails that way...
>
> I actually run two copies of "xdm": one (with "-nolisten tcp") for the local display which also has the XDMCP port set to zero to disable remote X displays using XDMCP; and the other copy of "xdm" with no X servers at all, just listening for XDMCP on port 177.
>
> Makes it much easier to control the availability of XDMCP without editing files as such. I use this on a laptop which wants just the local display in most connections, but I want to allow the use of an X terminal when I'm at home with a trusted desktop and 17" monitor.

I use a locally modified version of Xforward (ftp://crl.dec.com:/pub/DEC/xforward.tar.Z). Xforward is designed to proxy X sessions through a firewall. Before proxying a session (allowing the connection), it will pop up a window asking whether the connection should be allowed. I can click on "Yes" or "No" to allow/disallow the connection. I then block all access to my X server's port (6000) using IP Filter or IPFW, only allowing Xforward running on my desktop to talk to port 6000.

The drawback to Xforward is that it does not support MIT cookies or any other authentication mechanism, so xhost must be done. This is a problem on multi-user systems, however personal desktop systems, e.g. my workstation, where I am the only user using (or allowed to use) the system, this is not a problem, as the firewall will protect the perimeter. This breaks the concept of security through depth, however when running remote X clients, this is probably the lesser of the two evils.

Xroute, another X proxy, can be manipulated to do the same. I'm not sure where I got Xroute from.

Creation of Xforward and Xroute ports for the ports collection are in my queue of things to get done, so you should see them shortly (after I've completed the Tripwire 2.3.1 port).
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Mar 21 13:41: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13204.mail.yahoo.com (web13204.mail.yahoo.com [216.136.174.189]) by hub.freebsd.org (Postfix) with SMTP id 558EA37B71C for ; Wed, 21 Mar 2001 13:41:03 -0800 (PST) (envelope-from lipshitz909@yahoo.com)
Message-ID: <20010321160143.26738.qmail@web13204.mail.yahoo.com>
Received: from [213.167.135.253] by web13204.mail.yahoo.com; Wed, 21 Mar 2001 08:01:43 PST
Date: Wed, 21 Mar 2001 08:01:43 -0800 (PST)
From: Larry Librettez
Subject: Cannot su to root in X terminal with 4.3-BETA
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After upgrading to 4.3-BETA, I find I cannot su to root in a terminal window (rxvt, xterm) in X (XFree86-3.3.6 with either GNOME or KDE). Even if I enter the correct password, the su login gets rejected (and yes, user is member of wheel group). The logs report `BAD SU LIPSHITZ to root on ttyp0`. However, in a plain terminal (not in X), I CAN su to root as a regular user. Prior to upgrading to 4.3-BETA (kernel + userland), I was able to su to root in X in 4.2-STABLE.

I tried adding 'secure' after the ttyp entries in /etc/ttys but that didn't help. I did both mergemaster and MAKEDEV all during my rebuild. I specifically re-made the ttyp* devices. I even typed out the su password on the terminal to make sure it shows correctly and it does.
On a separate box using 4.2-STABLE I upgraded only the kernel to 4.3-BETA (same 4.2-STABLE userland), and the problem still occurred - couldn't su to root in an X terminal. Is the problem in the kernel? A bug? A DoS? I cvsup'd 3 times and rebuilt 3 times with no change in this problem. How do I fix this?

From owner-freebsd-security Wed Mar 21 18:17:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id A339137B719 for ; Wed, 21 Mar 2001 18:17:48 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id LAA19244 for ; Thu, 22 Mar 2001 11:17:42 +0900 (JST)
To: freebsd-security@freebsd.org
In-reply-to: itojun's message of Thu, 22 Mar 2001 04:10:29 JST. <10518.985201829@coconut.itojun.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 11:17:42 +0900
Message-ID: <19242.985227462@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree.
> (you can check if the packet went through IPsec on inbound, by using ipsec_gethist())
> http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

	not sure if it works, but anyway, here it is.
	http://orange.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
	(based on 4.2-RELEASE)

itojun

From owner-freebsd-security Wed Mar 21 18:22:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id A650537B71B for ; Wed, 21 Mar 2001 18:22:23 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id LAA19326 for ; Thu, 22 Mar 2001 11:22:22 +0900 (JST)
To: freebsd-security@freebsd.org
In-reply-to: itojun's message of Thu, 22 Mar 2001 11:17:42 JST. <19242.985227462@coconut.itojun.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 11:22:22 +0900
Message-ID: <19324.985227742@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> not sure if it works, but anyway, here it is.
> http://orange.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
> (based on 4.2-RELEASE)

	NOTE: it will need latest kame ipsec tree/backend.
itojun

From owner-freebsd-security Wed Mar 21 20:14:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp02.teb1.iconnet.net (smtp02.teb1.iconnet.net [209.3.218.43]) by hub.freebsd.org (Postfix) with ESMTP id 4168437B71C for ; Wed, 21 Mar 2001 20:14:37 -0800 (PST) (envelope-from babkin@bellatlantic.net)
Received: from bellatlantic.net (client-151-198-117-202.nnj.dialup.bellatlantic.net [151.198.117.202]) by smtp02.teb1.iconnet.net (8.9.1/8.9.1) with ESMTP id XAA12183; Wed, 21 Mar 2001 23:14:27 -0500 (EST)
Message-ID: <3AB97C22.BA09EC06@bellatlantic.net>
Date: Wed, 21 Mar 2001 23:14:26 -0500
From: Sergey Babkin
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-19990626-CURRENT i386)
X-Accept-Language: en, ru
MIME-Version: 1.0
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
References: <200103182339.QAA18696@usr05.primenet.com> <4.3.2.7.2.20010320002008.00d12b50@localhost>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
>
> At 06:15 PM 3/19/2001, Sergey Babkin wrote:
>
> >> > on (a) the number of groups of which a user can be a member and (b) the
> >
> >For this there is some macro (can't remember the name) which can be defined in the kernel config file as an option with a higher value. Setting it higher means higher system overhead but since the memory size has increased significantly over the last few years, I think that a higher default value makes sense.
>
> I do too. Could you submit this as a patch?

I've looked at it and found that it's already made into a sysctl variable kern.ngroups.
-SB To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 21 20:56:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailsvr.comsatnet.com.br (mailsvr.comsatweb.com.br [200.219.160.135]) by hub.freebsd.org (Postfix) with ESMTP id D5B0437B719 for ; Wed, 21 Mar 2001 20:56:28 -0800 (PST) (envelope-from sunny_three@usa.com) Received: from mail.comsatweb.com.br ([200.219.160.156]) by mailsvr.comsatnet.com.br with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HMTGG5X1; Thu, 22 Mar 2001 01:56:02 -0300 Received: from yahoo.com (38.29.228.63) by mail.comsatweb.com.br (NPlex 5.5.015) id 3AA7D57C0000244A; Thu, 22 Mar 2001 02:01:36 -0300 From: sunny_three@canada.com X-Mailer: fastmail [version 2.4 PL24] Content-Type: text/html; charset="iso-8859-1" Date: Wed, 21 Mar 2001 20:54:49 -0800 Message-Id: To: sunny_three@verizonmail.com Subject: The Best Online Loan Source! Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: Quoted-Printable MIME-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Home Owners Network
“Home of America's Most Liberal Lenders”

Interest Rates are the LOWEST they've been in 8 years!

- Shop 100's of Lenders with just ONE CLICK -

Good Credit / Bad Credit -- We have Special Programs for any type of credit history
Approval in Minutes - No Upfront Fees - No Hidden Fees - Get Cash Fast

Whatever your needs... we can help. It's easy to qualify and your loan review is FREE…

With our loan programs you can get cash for...
* Debt Consolidation * 2nd Mortgage * Refinance * Credit Repair *
* Home Improvement * Dream Vacation * College Tuition * A New Business *

Many of our NEW Loan Programs offer Home-Owners the ability
to consolidate bills into ONE low monthly payment.

Additional benefits for Home-Owners include tax advantages and interest savings.

Applying is easy. Click Here to learn more. There is no obligation

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 21 23:34:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 6427C37B71E for ; Wed, 21 Mar 2001 23:34:39 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 21 Mar 2001 23:32:35 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.3/8.11.1) id f2M7YWX58258; Wed, 21 Mar 2001 23:34:32 -0800 (PST) (envelope-from cjc) Date: Wed, 21 Mar 2001 23:34:31 -0800 
From: "Crist J. Clark" To: "J.A. Terranson" Cc: security@FreeBSD.ORG Subject: Re: chflags/symlinks Message-ID: <20010321233431.C574@cjc-desktop.users.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from measl@mfn.org on Tue, Mar 20, 2001 at 05:57:23AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Mar 20, 2001 at 05:57:23AM -0600, J.A. Terranson wrote:
> Good Morning/Afternoon/Etc.,
>
> I believe there is an issue WRT the above pair.

The chflags(1) manpage says,

    Symbolic links do not have flags, so unless the -H or -L option is set, chflags on a symbolic link always succeeds and has no effect.

> Problem: There is no way to secure (schg, etc) the link. I can
> secure the files to which they point, but not the links
> themselves. Theoretically, an attack can be launched by deleting the
> symlinks and creating new ones, rather than altering the files directly
> (as they are safe under securelevel 3).
>
> For us, the issue has been nightly cleanup routines killing the
> symlinks, and thereby breaking *everything* :-(
>
> If there is something I have missed here, I would *love* to know...

You can schg the directory the symlinks are in. That of course may or may not be practical for you.
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 22 0: 7:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from hell.branda.to (61-216-80-11.HINET-IP.hinet.net [61.216.80.11]) by hub.freebsd.org (Postfix) with ESMTP id B9DBA37B71E for ; Thu, 22 Mar 2001 00:07:40 -0800 (PST) (envelope-from thinker@branda.to) Received: from localhost (localhost [127.0.0.1]) (uid 1000) by hell.branda.to with local; Thu, 22 Mar 2001 16:10:21 +0000 Date: Thu, 22 Mar 2001 16:10:21 +0000 From: thinker To: freebsd-security@freebsd.org Subject: Hang forever at LAST_ACK Message-ID: <20010322161021.A45575@hell.branda.to> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

A few days ago a friend of mine had a FreeBSD 4.2-stable server hang completely because its sockets were exhausted. He found many sockets staying in the LAST_ACK state that were never dropped. We don't know whether it was a DDoS attack, but it could be used as a DDoS method. I don't know whether anyone is working on fixing it, so I made a patch for it, which follows. It seems to work fine. The kernel patch follows.

--------- begin patch file of sys/netinet/tcp_usrreq.c ----------
--- tcp_usrreq.c.orig Thu Mar 22 14:59:45 2001 +++ tcp_usrreq.c Thu Mar 22 15:04:49 2001
@@ -1139,13 +1139,15 @@ tp->t_state = TCPS_LAST_ACK; break; } - if (tp && tp->t_state >= TCPS_FIN_WAIT_2) { + if (tp && tp->t_state >= TCPS_FIN_WAIT_2) soisdisconnected(tp->t_inpcb->inp_socket); - /* To prevent the connection hanging in FIN_WAIT_2 forever. */ - if (tp->t_state == TCPS_FIN_WAIT_2) - callout_reset(tp->tt_2msl, tcp_maxidle, - tcp_timer_2msl, tp); - } + /* + * To prevent the connection hanging in FIN_WAIT_2 & + * TCPS_LAST_ACK forever. + */ + if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK) + callout_reset(tp->tt_2msl, tcp_maxidle, + tcp_timer_2msl, tp); return (tp); } --------- end patch file of sys/netinet/tcp_usrreq.c ------------ -- thinker@branda.to Branda Open Site (BOS) thinker.bbs@bbs.yzu.edu.tw http://www.branda.to/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 0:33:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 04DB537B720 for ; Thu, 22 Mar 2001 00:33:41 -0800 (PST) (envelope-from bde@zeta.org.au) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id TAA26651; Thu, 22 Mar 2001 19:33:18 +1100 Date: Thu, 22 Mar 2001 19:32:29 +1100 (EST) 
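Review bot: the rewrite drops the NULL guard on `tp` for the timer-arming test. In the old code `if (tp->t_state == TCPS_FIN_WAIT_2)` sat inside the braces of `if (tp && tp->t_state >= TCPS_FIN_WAIT_2) { ... }`, so `tp` was known to be non-NULL there; the new `if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK)` is outside that guard and dereferences `tp` even when the preceding `if (tp && ...)` was skipped because `tp` was NULL. Keep the guard, e.g. `if (tp && (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK))`, or restore the braces so both statements stay under the `tp &&` test. Minor: the new comment mixes the bare state name `FIN_WAIT_2` with the macro name `TCPS_LAST_ACK`; use one form, and since this is the only place the LAST_ACK case is explained, it would help to say why the 2MSL timer with `tcp_maxidle` is the chosen bound for that state rather than only "to prevent the connection hanging".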
From: Bruce Evans X-Sender: bde@besplex.bde.org To: cjclark@alum.mit.edu Cc: "J.A. Terranson" , security@FreeBSD.ORG Subject: Re: chflags/symlinks In-Reply-To: <20010321233431.C574@cjc-desktop.users.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 21 Mar 2001, Crist J. Clark wrote:
> On Tue, Mar 20, 2001 at 05:57:23AM -0600, J.A. Terranson wrote:
> > Problem: There is no way to secure (schg, etc) the link. I can
> > secure the files to which they point, but not the links
> > themselves. Theoretically, an attack can be launched by deleting the
> > symlinks and creating new ones, rather than altering the files directly
> > (as they are safe under securelevel 3).
> >
> > For us, the issue has been nightly cleanup routines killing the
> > symlinks, and thereby breaking *everything* :-(
> >
> > If there is something I have missed here, I would *love* to know...

I think lchflags(2) should exist someday. I first learned of this problem in a private followup to PR25018 (the followup was mostly about utilities not yet actually using the new 'l' calls).

> You can schg the directory the symlinks are in. That of
> course may or may not be practical for you.
Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 4:32:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from hall.mail.mindspring.net (hall.mail.mindspring.net [207.69.200.60]) by hub.freebsd.org (Postfix) with ESMTP id 8C91E37B71F for ; Thu, 22 Mar 2001 04:32:23 -0800 (PST) (envelope-from mvh@ix.netcom.com) Received: from netcom1.netcom.com (lai-ca3a-201.ix.netcom.com [209.110.240.201]) by hall.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id HAA25337; Thu, 22 Mar 2001 07:32:20 -0500 (EST) Received: by netcom1.netcom.com (Postfix, from userid 1000) id 742C2114132; Thu, 22 Mar 2001 04:32:18 -0800 (PST) 
From: Mike Harding To: itojun@iijlab.net Cc: freebsd-security@freebsd.org In-reply-to: <10518.985201829@coconut.itojun.org> Subject: Re: IPSEC/VPN/NAT and filtering References: <10518.985201829@coconut.itojun.org> Message-Id: <20010322123218.742C2114132@netcom1.netcom.com> Date: Thu, 22 Mar 2001 04:32:18 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The referenced function ipsec_gethist() does not appear to exist in the FreeBSD tree. Could the modified mbuf flags M_DECRYPTED, M_AUTHIPHDR, etc. be used to determine which packets were reinjected by ipsec? If so, then something like

#ifdef IPSEC
+	if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
+		goto pass;
+#endif

would do what I need if applied against the current code base. This would make packets processed by ipsec skip the packet filter on the second pass through ip_input.c. I am sorry if I am using the flags improperly, but I didn't find documentation on them after looking around a bit.

Would this in general work? Seems fairly clean...

- Mike H.

> not sure if it works, but anyway, here it is.
> http://orange.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
> (based on 4.2-RELEASE)

NOTE: it will need latest kame ipsec tree/backend.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 22 5: 5:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from joe.halenet.com.au (joe.halenet.com.au [203.37.141.114]) by hub.freebsd.org (Postfix) with ESMTP id 1BDC537B722 for ; Thu, 22 Mar 2001 05:05:31 -0800 (PST) (envelope-from timbo@halenet.com.au) Received: from temp19 (modem-71-st.halenet.com.au [203.55.33.71]) by joe.halenet.com.au (8.9.1/8.9.1) with SMTP id WAA22663 for ; Thu, 22 Mar 2001 22:59:46 +1000 (EST) (envelope-from timbo@halenet.com.au) Message-ID: <00dc01c0b2d0$f95346e0$6500a8c0@halenet.com.au>
From: "Tim McCullagh" To: Subject: Pam Authentication Date: Thu, 22 Mar 2001 23:06:54 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi

Can anyone point me in the right direction as to where I will / can find any information on configuring PAM on FreeBSD? I have a FreeBSD 4.2 Release system that I am trying to get PAM to work on. I have configured the pam.conf file as per the default and am trying to get PAM authentication going using a web browser. I have configured my http.conf and it seems to be working fine.

Each time I try to login I get a message in my /var/log/messages like this

Mar 22 09:15:39 mailsat httpsd: unable to dlopen(/usr/lib/pam_unix.so)
Mar 22 09:15:39 mailsat httpsd: [dlerror: /usr/lib/pam_unix.so: Undefined symbol "pam_get_item"]
Mar 22 09:15:39 mailsat httpsd: adding faulty module: /usr/lib/pam_unix.so

I did see a message in the archives which suggested

>>Maybe the runtime linker is confused
> > using a dlopened module from another dlopened module.
> > Try running httpd with the environment `LD_PRELOAD' set
> > to `/usr/lib/libpam.so.1' and let me know the results.

How would I do this?

Has anyone come across this and been able to solve it?
Thanks in advance Tim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 6:20:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 272ED37B719 for ; Thu, 22 Mar 2001 06:20:18 -0800 (PST) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2MEK1790455; Thu, 22 Mar 2001 09:20:01 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Thu, 22 Mar 2001 09:19:56 -0500 (EST) 
From: Rob Simmons To: Tim McCullagh Cc: Subject: Re: Pam Authentication In-Reply-To: <00dc01c0b2d0$f95346e0$6500a8c0@halenet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 man 8 pam Robert Simmons Systems Administrator http://www.wlcg.com/ On Thu, 22 Mar 2001, Tim McCullagh wrote: > Hi > > Can anyone point me in the right direction as to where I will / can find any > information on configuring PAM on FreeBSD. I have a freeBSD 4.2 Release > system that I am trying to get pam to work on. I have configured the > pam.conf file as per the default and are trying to get pam authentication > going using a web browser. I have configured my http.conf and it seems to > be working fine. > > Each time I try to login I get a message in my /var/log/messages like this > > Mar 22 09:15:39 mailsat httpsd: unable to dlopen(/usr/lib/pam_unix.so) > Mar 22 09:15:39 mailsat httpsd: [dlerror: /usr/lib/pam_unix.so: Undefined > symbol "pam_get_item"] > Mar 22 09:15:39 mailsat httpsd: adding faulty module: /usr/lib/pam_unix.so > > I did see a message in the archives which suggested > > > >>Maybe the runtime linker is confused > > > using a dlopened module from another dlopened module. > > > Try running httpd with the environment `LD_PRELOAD' set > > > to `/usr/lib/libpam.so.1' and let me know the results. > > How would I do this? > > > Has anyone come across this and been able to solve it? 
> > Thanks in advance > > Tim > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ugoQv8Bofna59hYRAvcAAJwOgKphSa6BhUzXyqIrDmQL/E055gCgv1EX CfpdF3z5sXap+sG9qA1xC2M= =/ZnA -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 6:20:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from news.lucky.net (news.lucky.net [193.193.193.102]) by hub.freebsd.org (Postfix) with ESMTP id 2956C37B71D for ; Thu, 22 Mar 2001 06:20:33 -0800 (PST) (envelope-from ostap@ukrpost.net) Received: (from mail@localhost) by news.lucky.net (8.Who.Cares/8.Who.Cares) id QHW31494 for freebsd-security@freebsd.org; Thu, 22 Mar 2001 16:20:29 +0200 (envelope-from ostap@ukrpost.net) 
From: ostap To: freebsd-security@freebsd.org Subject: DoS attack - advice needed Date: Thu, 22 Mar 2001 16:19:12 +0200 Organization: Unknown Message-ID: <3ABA09E0.141711C9@ukrpost.net> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit X-Trace: news.lucky.net 985270734 31360 193.193.192.142 (22 Mar 2001 14:18:54 GMT) X-Complaints-To: usenet@news.lucky.net X-Mailer: Mozilla 4.75 [en] (Win95; U) X-Accept-Language: en Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It looks as if I had an icmp DoS attack recently on my freebsd 3.3-release server. The box was totally frozen, and another machine plugged into the same switch (freebsd 4.1) showed a lot of 'icmp bandwidth limit' messages; the switch showed about 80% load (against 10% normal), and all computers connected to it were totally blocked out. This was done from the internal network (this server is a gateway), and I don't have any filter rules/blocks for outgoing traffic. I'm interested in the ways this can be done, and in what is needed to prevent such attacks on 3.x freebsd without blocking all icmp traffic.

thanks in advance

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 22 6:26:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 7C6A837B719 for ; Thu, 22 Mar 2001 06:26:32 -0800 (PST) (envelope-from silby@silby.com) Received: (qmail 21543 invoked by uid 1000); 22 Mar 2001 14:26:26 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Mar 2001 14:26:26 -0000 Date: Thu, 22 Mar 2001 08:26:26 -0600 (CST)
From: Mike Silbersack To: ostap Cc: Subject: Re: DoS attack - advice needed In-Reply-To: <3ABA09E0.141711C9@ukrpost.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 22 Mar 2001, ostap wrote:
> It looks as if I had an icmp DoS attack recently
> on my freebsd 3.3-release server.
> the box was totally frozen and another machine plugged into the same
> switch (freebsd 4.1) showed a lot of 'icmp bandwidth limit' messages,
> the switch showed about 80% load ( against 10% normal), and all
> computers
> connected to it were totally blocked out.
> this was done from internal network (this server is a gateway), and i
> don't have any filter rules/blocks for outgoing traffic.
> i'm interested in the ways how this can be done, and what is needed
> to prevent such attacks on 3.x freebsd, without blocking all icmp
> traffic.
>
> thanks in advance

The icmp-response messages can be caused by many different things, all of which are _not_ incoming icmp. Don't try to block icmp; it will not solve your problem one bit.

If you're interested in making your boxes more resilient to attack, you should upgrade to at least 3.5-stable, and preferably 4.3-stable. 3.3 is old, and many networking bugs have been fixed since.
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 6:36:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx.nsu.ru (mx.nsu.ru [193.124.215.71]) by hub.freebsd.org (Postfix) with ESMTP id 2CE0F37B724 for ; Thu, 22 Mar 2001 06:36:00 -0800 (PST) (envelope-from fjoe@iclub.nsu.ru) Received: from iclub.nsu.ru (root@iclub.nsu.ru [193.124.222.66]) by mx.nsu.ru (8.9.1/8.9.0) with ESMTP id UAA06945; Thu, 22 Mar 2001 20:33:51 +0600 (NOVT) Received: from localhost (fjoe@localhost) by iclub.nsu.ru (8.11.2/8.11.2) with ESMTP id f2MEXNi94056; Thu, 22 Mar 2001 20:33:46 +0600 (NS) (envelope-from fjoe@iclub.nsu.ru) Date: Thu, 22 Mar 2001 20:33:23 +0600 (NS) 
From: Max Khon To: Sergey Babkin Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: about common group & user ID space (PR kern/14584) In-Reply-To: <3AB97C22.BA09EC06@bellatlantic.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi, there! On Wed, 21 Mar 2001, Sergey Babkin wrote: > > >> > on (a) the number of groups of which a user can be a member and (b) the > > > > > >For this there is some macro (can't remember the name) which > > >can be defined in the kernel config file as an option with > > >a higher value. Setting it higher means higher system overhead > > >but since the memory size has increased significantly over > > >the last few years, I think that a higher default value makes > > >sense. > > > > I do too. Could you submit this as a patch? > > I've looked at it and found that it's already made into a sysctl > variable kern.ngroups. it is read-only however (at least on my 4.2-STABLE system) /fjoe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 6:43:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 43A6F37B71E for ; Thu, 22 Mar 2001 06:43:14 -0800 (PST) (envelope-from marcr@closed-networks.com) Received: (qmail 27536 invoked by uid 1000); 22 Mar 2001 14:46:34 -0000 Date: Thu, 22 Mar 2001 14:46:34 +0000 
From: Marc Rogers To: freebsd-security@freebsd.org Subject: Re: DoS attack - advice needed Message-ID: <20010322144634.V10016@shady.org> References: <3ABA09E0.141711C9@ukrpost.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <3ABA09E0.141711C9@ukrpost.net>; from ostap@ukrpost.net on Thu, Mar 22, 2001 at 04:19:12PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hiya

First thing you need to do is work out what they are throwing at you.

You need to find out if the icmp was inward bound or outward. Outward bound (which to be honest is much more likely) is often a symptom of something that involves a large number of source addresses. A DDOS attack will generate a huge amount of outward bound icmp, as will something that involves spoofed source addresses.

Blocking icmp in cases such as these will only cure the symptom, not the disease. In addition you score an own goal, as by blocking that kind of traffic within your own network, the attackers still get to saturate your line(s) and you are less likely to see some of the "clues" that can help you identify the perpetrator.

Take a snapshot of your network traffic (just tcpdump on some of the affected machines will do) and either mail it to me or send it to this list, and I and various others will look at it for you. Each different attack family will require a different countermeasure.

By the comment you have made that this attack has caused FreeBSD machines to hang, I would suggest you are looking at something along the lines of a fragmented packet attack (which, if they were using an often changing spoofed source address, would explain the large amounts of icmp).
Something I have noticed recently (and I will be making a separate post to this list on this matter) is that although our beloved OS has been hardened against attacks such as this, there are a number of well known software packages that are affected dramatically by these attacks, and more often than not it is their behaviour that causes up to date boxes to hang. Hope this helps, Marc Rogers Head of Network Operations & Security EDC Group To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 7: 0: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from starfruit.itojun.org (ipv6host1.laptops.meeting.ietf.org [135.222.63.249]) by hub.freebsd.org (Postfix) with ESMTP id 9D72837B71E for ; Thu, 22 Mar 2001 07:00:06 -0800 (PST) (envelope-from itojun@itojun.org) Received: from itojun.org (localhost [127.0.0.1]) by starfruit.itojun.org (Postfix) with ESMTP id 42FF27E75; Thu, 22 Mar 2001 23:59:47 +0900 (JST) To: Mike Harding Cc: freebsd-security@freebsd.org In-reply-to: mvh's message of Thu, 22 Mar 2001 04:32:18 PST. <20010322123218.742C2114132@netcom1.netcom.com> X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: IPSEC/VPN/NAT and filtering 
From: Jun-ichiro itojun Hagino Date: Thu, 22 Mar 2001 23:59:47 +0900 Message-Id: <20010322145947.42FF27E75@starfruit.itojun.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>The referenced function ipsec_gethist() does not appear to exist in
>the FreeBSD tree.

yeah, this was introduced into kame tree recently.

>Could the modified mbuf flags M_DECRYPTED,
>M_AUTHIPHDR, etc used to determine packets reinjected by ipsec? If
>so, then something like
>#ifdef IPSEC
>+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
>+ goto pass;
>+#endif
>would do what I need if applied against the current code base. This
>would make packets processed by ipsec skip the packet filter on the
>second pass through ip_input.c. I am sorry if I am using the flags
>improperly but I didn't find documentation on them after looking
>around a bit.
>Would this in general work? Seems fairly clean...

better than now, but not perfect. with the above, tunnelled AH packet will go through again into ip packet filter. more exactly, when ip_input looks at the following packet, the packet will go through ip packet filter twice (one for IP1, one for IP2).

IP1 AH IP2 payload

if you take the route (i'm okay with it) i guess you want to put some notes into documents.
itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 7:21:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from barry.mail.mindspring.net (barry.mail.mindspring.net [207.69.200.25]) by hub.freebsd.org (Postfix) with ESMTP id 3478337B719 for ; Thu, 22 Mar 2001 07:21:14 -0800 (PST) (envelope-from mvh@ix.netcom.com) Received: from netcom1.netcom.com (lai-ca3a-201.ix.netcom.com [209.110.240.201]) by barry.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id KAA15722; Thu, 22 Mar 2001 10:20:53 -0500 (EST) Received: by netcom1.netcom.com (Postfix, from userid 1000) id 1996C1142A7; Thu, 22 Mar 2001 07:20:26 -0800 (PST) 
From: Mike Harding To: itojun@iijlab.net Cc: freebsd-security@freebsd.org In-reply-to: <20010322145947.42FF27E75@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Thu, 22 Mar 2001 23:59:47 +0900) Subject: Re: IPSEC/VPN/NAT and filtering References: <20010322145947.42FF27E75@starfruit.itojun.org> Message-Id: <20010322152026.1996C1142A7@netcom1.netcom.com> Date: Thu, 22 Mar 2001 07:20:26 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Itojun -

I am not part of the FreeBSD team, but I would like to do a little work to incorporate this functionality and ideally I can present it to the right folks and get it folded in. Of course if you are merging your code back in then that would be fine as well...

One more question, could you tell me what the following flags mean?

#define M_LOOP M_PROTO4
#define M_AUTHIPDGM M_PROTO5

I assume that M_AUTHIPDGM is _always_ set for good packets, esp and ah, and thus is a good check for skipping the packet filter for packet input. I think that packet output doesn't need any special processing, but I will check into it.

- Mike Harding

Cc: freebsd-security@freebsd.org X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
From: Jun-ichiro itojun Hagino Date: Thu, 22 Mar 2001 23:59:47 +0900 Sender: itojun@itojun.org X-SpamBouncer: 1.3 (1/18/00) X-SBClass: OK >The referenced function ipsec_gethist() does not appear to exist in >the FreeBSD tree. yeah, this was introduced into kame tree recently. >Could the modified mbuf flags M_DECRYPTED, >M_AUTHIPHDR, etc used to determine packets reinjected by ipsec? If >so, then something like >#ifdef IPSEC >+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR)) >+ goto pass; >+#endif >would do what I need if applied against the current code base. This >would make packets processed by ipsec skip the packet filter on the >second pass through ip_input.c. I am sorry if I am using the flags >improperly but I didn't find documentation on them after looking >around a bit. >Would this in general work? Seems fairly clean... better than now, but not perfect. with the above, tunnelled AH packet will go through again into ip packet filter. more exactly, when ip_input looks at the following packet, the packet will go through ip packet filter twice (one for IP1, one for IP2). IP1 AH IP2 payload if you take the route (i'm okay with it) i guess you want to put some notes into documents. itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 7:34:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from starfruit.itojun.org (ipv6host1.laptops.meeting.ietf.org [135.222.63.249]) by hub.freebsd.org (Postfix) with ESMTP id DEE1137B71A for ; Thu, 22 Mar 2001 07:34:15 -0800 (PST) (envelope-from itojun@itojun.org) Received: from itojun.org (localhost [127.0.0.1]) by starfruit.itojun.org (Postfix) with ESMTP id 839F17E75; Fri, 23 Mar 2001 00:33:54 +0900 (JST) To: Mike Harding Cc: freebsd-security@freebsd.org In-reply-to: mvh's message of Thu, 22 Mar 2001 07:20:26 PST. 
<20010322152026.1996C1142A7@netcom1.netcom.com> X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: IPSEC/VPN/NAT and filtering 
From: Jun-ichiro itojun Hagino Date: Fri, 23 Mar 2001 00:33:54 +0900 Message-Id: <20010322153354.839F17E75@starfruit.itojun.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>I am not part of the FreeBSD team, but I would like to do a little
>work to incorporate this functionality and ideally I can present it to
>the right folks and get it folded in. Of course if you are merging
>your code back in then that would be fine as well...
>
>One more question, could you tell me what the following flags mean?
>
>#define M_LOOP M_PROTO4
>#define M_AUTHIPDGM M_PROTO5

these flags are basically for inbound processing, and have the following meanings:

M_AUTHIPDGM: IP payload portion went through AH validation, or ESP checksum
M_AUTHIPHDR: IP header portion went through AH validation
M_DECRYPTED: IP payload was encrypted by ESP and decrypted

note that M_AUTHxx will be ripped off when tunnel decapsulation happens, as with the following packet, AH authenticates the outer packet not the inner (IP2 could have been injected by a bad guy).

IP1 AH IP2 payload

also, these flags are used to avoid leaking secret information on icmp responses (we don't want to attach decrypted packet into icmp responses, so we don't attach it if flags are raised).

>I assume that M_AUTHIPDGM is _always_ set for good packets, esp and
>ah, and thus is a good check for skipping the packet filter for packet
>input. I think that packet output doesn't need any special
>processing, but I will check into it.

the issue here is not about "bypass the packet filters if the packet carries AH", doing so may not meet local policy. some cases we want to filter packets with AH out, like based on TCP header or whatever. it is about "do not let tunnelled packets go through ip packet filter twice". in this sense, checking like below is a bit confusing. need some comment lines here.
> >#ifdef IPSEC > >+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR)) > >+ goto pass; > >+#endif itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 22 7:35:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from news.lucky.net (news.lucky.net [193.193.193.102]) by hub.freebsd.org (Postfix) with ESMTP id E632137B71A for ; Thu, 22 Mar 2001 07:35:20 -0800 (PST) (envelope-from ostap@ukrpost.net) Received: (from mail@localhost) by news.lucky.net (8.Who.Cares/8.Who.Cares) id RNO01350 for freebsd-security@freebsd.org; Thu, 22 Mar 2001 17:35:15 +0200 (envelope-from ostap@ukrpost.net) 
From: ostap
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:33:30 +0200
Organization: Unknown
Message-ID: <3ABA1B4A.9301775D@ukrpost.net>
References: <3ABA09E0.141711C9@ukrpost.net> <20010322144634.V10016@shady.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
X-Trace: news.lucky.net 985275191 1276 193.193.192.142 (22 Mar 2001 15:33:11 GMT)
X-Complaints-To: usenet@news.lucky.net
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thank you for your help,
unfortunately i can't analyze it that deep, 'cos it was a one-time
attack. i came there late in the evening, saw the problem, rebooted and
everything was fine. so, no traffic snapshots unfortunately.
looks like the guy issued one command, and the box went mad.
i guess this wasn't that sophisticated, logs show traces of a usual
portscanning software, it was run twice or so, and then the whole thing
started. it seems like the guy wasn't very experienced and was just
playing around with some soft, exploiting some general hack, and then
went home.
i know that 3.3release is quite old, and should be upgraded of course,
but i never thought it could be broken in such an easy way, without
efforts, just using some standard tool.
any ideas?

Marc Rogers wrote:
>
> Hiya
>
> First thing you need to do is work out what they are throwing at you.
>
> You need to find out if the icmp was inward bound or outward. Outward bound
> (which to be honest is much more likely) is often a symptom of something
> that involves a large number of source addresses. A DDOS attack will generate
> a huge amount of outward bound icmp, as will something that involves spoofed
> source addresses.
>
> Blocking icmp in cases such as these will only cure the symptom, not the
> disease.
> In addition you score an own goal, as by blocking that kind of traffic
> within your own network, the attackers still get to saturate your line(s) and
> you are less likely to see some of the "clues" that can help you identify the
> perpetrator.
>
> Take a snapshot of your network traffic (just tcpdump on some of the affected
> machines will do) and either mail it to me or send it to this list, and I
> and various others will look at it for you. Each different attack family
> will require a different countermeasure.
>
> By the comment you have made that this attack has caused FreeBSD machines to
> hang, I would suggest you are looking at something along the lines of a
> fragmented packet attack, (which if they were using an often changing spoofed
> source address, would explain the large amounts of icmp).
>
> Something I have noticed recently (and I will be making a separate post to this
> list on this matter) is that although our beloved OS has been hardened against
> attacks such as this, there are a number of well known software packages that
> are affected dramatically by these attacks, and more often than not it is their
> behaviour that causes up to date boxes to hang.
>
> Hope this helps,
>
> Marc Rogers
> Head of Network Operations & Security
> EDC Group

From owner-freebsd-security Thu Mar 22 8:29:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id BABFC37B71B for ; Thu, 22 Mar 2001 08:29:45 -0800 (PST) (envelope-from scanner@jurai.net)
Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id LAA61246; Thu, 22 Mar 2001 11:29:36 -0500 (EST)
Date: Thu, 22 Mar 2001 11:29:36 -0500 (EST)
From:
To: Marc Rogers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
In-Reply-To: <20010322144634.V10016@shady.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Blocking icmp in cases such as these will only cure the symptom, not the
> disease. In addition you score an own goal, as by blocking that kind of traffic
> within your own network, the attackers still get to saturate your line(s) and
> you are less likely to see some of the "clues" that can help you identify the
> perpetrator.

Do *NOT* block ICMP point blank at ALL. If you need to filter certain
types and codes, fine. But NEVER slap an embargo on the entire ICMP
protocol. The mentality to do this blows me away every time I hear it
uttered from people.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186

From owner-freebsd-security Thu Mar 22 8:58:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aes.thinksec.com (aes.thinksec.com [193.212.248.16]) by hub.freebsd.org (Postfix) with ESMTP id 000E837B722 for ; Thu, 22 Mar 2001 08:58:09 -0800 (PST) (envelope-from des@thinksec.com)
Received: (from des@localhost) by aes.thinksec.com (8.11.3/8.11.3) id f2MGvAE20721; Thu, 22 Mar 2001 17:57:10 +0100 (CET) (envelope-from des@thinksec.com)
X-Authentication-Warning: aes.thinksec.com: des set sender to des@thinksec.com using -f
X-URL: http://www.ofug.org/~des/
To:
Cc: Marc Rogers , freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
References:
From: Dag-Erling Smorgrav
Date: 22 Mar 2001 17:57:09 +0100
In-Reply-To: 's message of "Thu, 22 Mar 2001 11:29:36 -0500 (EST)"
Message-ID:
Lines: 12
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

writes:
> Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> types and codes, fine. But NEVER slap an embargo on the entire ICMP
> protocol. The mentality to do this blows me away every time I hear it
> uttered from people.

You can get away with blocking all ICMP traffic except types 0, 3, 8 and
11 (and optionally placing restrictions on 0 and 8).

DES
-- 
Dag-Erling Smørgrav - des@thinksec.com

From owner-freebsd-security Thu Mar 22 9:19:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 1963937B71C for ; Thu, 22 Mar 2001 09:19:15 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHJA509563; Thu, 22 Mar 2001 11:19:10 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:19:09 -0600 (CST)
From: Chris Byrnes
To: ostap
Cc:
Subject: Re: DoS attack - advice needed
In-Reply-To: <3ABA1B4A.9301775D@ukrpost.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Thank you for your help,
> unfortunately i can't analyze it that deep,
> 'cos it was a one-time attack. i came there late in the
> evening, saw the problem, rebooted and everything was fine.
> so, no traffic snapshots unfortunately.
> looks like the guy issued one command, and the box went mad.
> i guess this wasn't that sophisticated,
> logs show traces of a usual portscanning software,
> it was run twice or so, and then the whole thing started.
> it seems like the guy wasn't very experienced and was just
> playing around with some soft, exploiting some general hack,
> and then went home.
> i know that 3.3release is quite old, and should be upgraded of course,
> but i never thought it could be broken in such an easy way, without
> efforts,
> just using some standard tool.
> any ideas?

I run a few servers that are very high profile, and very susceptible to
DOS attacks, both on the local lan and on the internet. I'd definitely
upgrade to 4.2-STABLE (well, it's 4.3-BETA atm).

And, while we're on the subject, who needs ICMP? I haven't found a valid
use for it.
+ Chris Byrnes, chris@JEAH.net
  + JEAH Communications
  + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 9:22:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 3C9E337B71C for ; Thu, 22 Mar 2001 09:22:50 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHMQl09987; Thu, 22 Mar 2001 11:22:27 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:22:26 -0600 (CST)
From: Chris Byrnes
To:
Cc: Marc Rogers ,
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> types and codes, fine. But NEVER slap an embargo on the entire ICMP
> protocol. The mentality to do this blows me away every time I hear it
> uttered from people.

Why? If you have idiots running ping -f yourserver.com from 150 ISPs
around the world, you're going to want to filter ICMP. That's what I did
a while back.

And I haven't found a valid reason to re-enable it.

+ Chris Byrnes, chris@JEAH.net
  + JEAH Communications
  + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 9:24:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 50C5637B71C for ; Thu, 22 Mar 2001 09:24:30 -0800 (PST) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb-105.netbriefings.com [204.72.185.105]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id LAA16124; Thu, 22 Mar 2001 11:24:26 -0600 (CST) (envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010322112050.02d2ed78@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 22 Mar 2001 11:24:08 -0600
To: Chris Byrnes , ostap
From: Christopher Schulte
Subject: Re: DoS attack - advice needed
Cc:
In-Reply-To:
References: <3ABA1B4A.9301775D@ukrpost.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:19 AM 3/22/2001 -0600, Chris Byrnes wrote:
>And, while we're on the subject, who needs ICMP? I haven't found a valid
>use for it.

Last time I checked, IP still needed access to parts of ICMP to do its
job correctly.... there's more to ICMP than ping.

>+ Chris Byrnes, chris@JEAH.net
>  + JEAH Communications
>  + 1-866-AWW-JEAH (Toll-Free)

--
Christopher Schulte
http://noc.schulte.org/

From owner-freebsd-security Thu Mar 22 9:24:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id 8453237B71C for ; Thu, 22 Mar 2001 09:24:42 -0800 (PST) (envelope-from borjamar@sarenet.es)
Received: from sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.11.1/8.11.1) with ESMTP id f2MHOYq81573 for ; Thu, 22 Mar 2001 18:24:35 +0100 (CET) (envelope-from borjamar@sarenet.es)
Message-ID: <3ABA3552.A2860E41@sarenet.es>
Date: Thu, 22 Mar 2001 18:24:34 +0100
From: Borja Marcos
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Chris Byrnes wrote:
> And, while we're on the subject, who needs ICMP? I haven't found a valid
> use for it.

You are right. Why bother to know that a packet hasn't got through a
network because the size was too big? (to mention one of the typical
problems caused by indiscriminate ICMP filtering).

Borja.

From owner-freebsd-security Thu Mar 22 9:31: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from unity.agava.ru (unity.agava.ru [213.59.3.227]) by hub.freebsd.org (Postfix) with ESMTP id 9C16237B71F for ; Thu, 22 Mar 2001 09:30:57 -0800 (PST) (envelope-from m_ilya@agava.com)
Received: from relay2.agava.net.ru (unknown [193.125.142.2]) by unity.agava.ru (Postfix) with ESMTP id 9A1DC27E999; Thu, 22 Mar 2001 20:30:55 +0300 (MSK)
Received: from gw.office.agava.ru (2.oivt.mipt.ru [193.125.142.2]) by relay2.agava.net.ru (Postfix) with ESMTP id BB54943822; Thu, 22 Mar 2001 20:30:19 +0300 (MSK)
Received: from juil.domain (juil.domain [192.168.1.50]) by gw.office.agava.ru (Postfix) with ESMTP id 6D8CA5EC9; Thu, 22 Mar 2001 20:30:19 +0300 (MSK)
Received: by juil.domain (Postfix, from userid 1001) id 2C0BD314; Thu, 22 Mar 2001 20:29:44 +0300 (MSK)
To: Chris Byrnes
Cc: ostap ,
Subject: Re: DoS attack - advice needed
References:
From: Ilya Martynov
Date: 22 Mar 2001 20:29:43 +0300
In-Reply-To:
Message-ID: <86wv9hpv94.fsf@juil.domain>
Lines: 29
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "CB" == Chris Byrnes writes:

CB> And, while we're on the subject, who needs ICMP? I haven't
CB> found a valid use for it.

ping uses type 0 and 8

traceroute uses 11

type 3 is required for TCP/UDP traffic

Here is a quote from the Linux IPCHAINS-HOWTO that describes why you
should not block type 3 (destination-unreachable):

    A worse problem is the role of ICMP packets in MTU discovery. All
    good TCP implementations (Linux included) use MTU discovery to try to
    figure out what the largest packet that can get to a destination
    without being fragmented (fragmentation slows performance, especially
    when occasional fragments are lost). MTU discovery works by sending
    packets with the "Don't Fragment" bit set, and then sending smaller
    packets if it gets an ICMP packet indicating "Fragmentation needed
    but DF set" (`fragmentation-needed'). This is a type of
    `destination-unreachable' packet, and if it is never received, the
    local host will not reduce MTU, and performance will be abysmal or
    non-existent.

--
Ilya Martynov
AGAVA Software Company, http://www.agava.com

From owner-freebsd-security Thu Mar 22 9:38:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 8BA5A37B718 for ; Thu, 22 Mar 2001 09:38:04 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHc5h11109 for ; Thu, 22 Mar 2001 11:38:05 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:38:04 -0600 (CST)
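The policy Dag-Erling and Ilya spell out in the messages above (types 0, 3, 8 and 11 pass, with an optional restriction on echo, and type 3 code 4 carrying the next-hop MTU that path MTU discovery depends on) as an added example in C, not code from any post in this thread or from FreeBSD; the packets are constructed test input, and the per-second echo budget is this example's own stand-in, not the 4.3 rate limiting Mike refers to:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP_MINLEN 8   /* type, code, checksum and four type-specific bytes */

enum verdict { ICMP_DROP_BAD, ICMP_DROP_POLICY, ICMP_DROP_RATELIMIT, ICMP_PASS };

/* The ICMP types DES's message says you can get away with leaving open. */
static const uint8_t allowed_types[] = { 0, 3, 8, 11 };

/* RFC 1071 ones'-complement checksum; over a valid message it returns 0. */
uint16_t icmp_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len == 1)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a minimal 8-byte ICMP message with a correct checksum (test input). */
size_t build_icmp(uint8_t *buf, uint8_t type, uint8_t code, uint32_t rest)
{
    uint16_t c;
    buf[0] = type;
    buf[1] = code;
    buf[2] = buf[3] = 0;             /* checksum is computed over zeroes */
    buf[4] = (uint8_t)(rest >> 24);
    buf[5] = (uint8_t)(rest >> 16);
    buf[6] = (uint8_t)(rest >> 8);
    buf[7] = (uint8_t)rest;
    c = icmp_cksum(buf, ICMP_MINLEN);
    buf[2] = (uint8_t)(c >> 8);
    buf[3] = (uint8_t)c;
    return ICMP_MINLEN;
}

/* Per-second budget for echo requests: the optional restriction on type 8. */
struct echo_limit { unsigned per_sec; unsigned left; unsigned sec; };

bool echo_allowed(struct echo_limit *l, unsigned now_sec)
{
    if (now_sec != l->sec) {         /* new second: refill the budget */
        l->sec = now_sec;
        l->left = l->per_sec;
    }
    if (l->left == 0)
        return false;
    l->left--;
    return true;
}

/* Next-hop MTU from "fragmentation needed but DF set" (type 3, code 4), laid
 * out as in RFC 1191; -1 for any other message.  Drop these and PMTU
 * discovery on the sending host silently stops working. */
int icmp_next_hop_mtu(const uint8_t *pkt, size_t len)
{
    if (len < ICMP_MINLEN || pkt[0] != 3 || pkt[1] != 4)
        return -1;
    return (pkt[6] << 8) | pkt[7];
}

enum verdict icmp_filter(const uint8_t *pkt, size_t len,
                         struct echo_limit *lim, unsigned now_sec)
{
    bool type_ok = false;
    size_t i;
    if (len < ICMP_MINLEN || icmp_cksum(pkt, len) != 0)
        return ICMP_DROP_BAD;        /* truncated or corrupt: never trust it */
    for (i = 0; i < sizeof allowed_types; i++)
        if (allowed_types[i] == pkt[0])
            type_ok = true;
    if (!type_ok)
        return ICMP_DROP_POLICY;     /* e.g. redirect (type 5) is not listed */
    if (pkt[0] == 8 && !echo_allowed(lim, now_sec))
        return ICMP_DROP_RATELIMIT;
    return ICMP_PASS;
}

struct echo_limit demo_limit = { 2, 0, 0 };   /* two echo requests per second */

int main(void)
{
    static const char *names[] = { "drop (bad)", "drop (policy)", "drop (rate)", "pass" };
    uint8_t buf[ICMP_MINLEN];
    size_t n = build_icmp(buf, 3, 4, 1500);   /* frag needed, next-hop MTU 1500 */
    int k;

    printf("3/4: %s, next-hop MTU %d\n",
           names[icmp_filter(buf, n, &demo_limit, 1)], icmp_next_hop_mtu(buf, n));
    n = build_icmp(buf, 5, 1, 0);             /* redirect: not on the list */
    printf("5/1: %s\n", names[icmp_filter(buf, n, &demo_limit, 1)]);
    n = build_icmp(buf, 8, 0, 0);             /* three echo requests in one second */
    for (k = 0; k < 3; k++)
        printf("8/0: %s\n", names[icmp_filter(buf, n, &demo_limit, 2)]);
    return 0;
}
```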
From: Chris Byrnes
To:
Subject: Re: DoS attack - advice needed
In-Reply-To: <86wv9hpv94.fsf@juil.domain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> ping uses type 0 and 8
>
> traceroute uses 11

Who needs it.

> type 3 is required for TCP/UDP traffic

Hrm.

+ Chris Byrnes, chris@JEAH.net
  + JEAH Communications
  + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 9:43:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from thompson.lcmi.ufsc.br (thompson.lcmi.ufsc.br [150.162.14.19]) by hub.freebsd.org (Postfix) with ESMTP id 53B6B37B71A for ; Thu, 22 Mar 2001 09:43:47 -0800 (PST) (envelope-from esms@lcmi.ufsc.br)
Received: from localhost (esms@localhost) by thompson.lcmi.ufsc.br (8.9.3/8.9.3) with SMTP id OAA90617; Thu, 22 Mar 2001 14:41:44 -0300 (EST) (envelope-from esms@lcmi.ufsc.br)
X-Authentication-Warning: thompson.lcmi.ufsc.br: esms owned process doing -bs
Date: Thu, 22 Mar 2001 14:41:44 -0300 (EST)
From: Eduardo Souza Machado da Silva
Reply-To: Eduardo Souza Machado da Silva
To: Chris Byrnes
Cc: scanner@jurai.net, Marc Rogers , freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
X-PGP: Public Key available at web site
X-URL: http://www.lcmi.ufsc.br/~esms
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Mar 2001, Chris Byrnes wrote:

> > Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> > types and codes, fine. But NEVER slap an embargo on the entire ICMP
> > protocol. The mentality to do this blows me away every time I hear it
> > uttered from people.
>
> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> a while back.
>
> And I haven't found a valid reason to re-enable it.

you should read RFC1122 "Requirements for Internet hosts - communication
layers". R.T. Braden. Oct-01-1989 (Also STD0003) (Status: STANDARD):

    ICMP is a control protocol that is considered to be an integral part
    of IP, although it is architecturally layered upon IP, i.e., it uses
    IP to carry its data end-to-end just as a transport protocol like TCP
    or UDP does. ICMP provides error reporting, congestion reporting, and
    first-hop gateway redirection.

and also RFC1191, "Path MTU discovery". J.C. Mogul, S.E. Deering. Nov-01-1990.
(Status: DRAFT STANDARD)

esms

> + Chris Byrnes, chris@JEAH.net
>   + JEAH Communications
>   + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 9:44:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 43D6437B71B for ; Thu, 22 Mar 2001 09:44:53 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 21873 invoked by uid 1000); 22 Mar 2001 17:44:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Mar 2001 17:44:52 -0000
Date: Thu, 22 Mar 2001 11:44:52 -0600 (CST)
From: Mike Silbersack
To: Chris Byrnes
Cc: , Marc Rogers ,
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Mar 2001, Chris Byrnes wrote:

> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> a while back.
>
> And I haven't found a valid reason to re-enable it.

The ratelimiting in 4.3 handles that now, so it's not necessary to block
it anymore. (Though if you're being pung constantly, I can understand the
desire to block it.)

Mike "Silby" Silbersack

From owner-freebsd-security Thu Mar 22 9:49:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id C37B237B718 for ; Thu, 22 Mar 2001 09:49:43 -0800 (PST) (envelope-from scanner@jurai.net)
Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id MAA63155; Thu, 22 Mar 2001 12:49:39 -0500 (EST)
Date: Thu, 22 Mar 2001 12:49:38 -0500 (EST)
From:
To: Chris Byrnes
Cc: Marc Rogers , freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Mar 2001, Chris Byrnes wrote:

> > Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> > types and codes, fine. But NEVER slap an embargo on the entire ICMP
> > protocol. The mentality to do this blows me away every time I hear it
> > uttered from people.
>
> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> a while back.

Idiots is a subjective term. Anyway. I'll tell you why you can't just
*flip off* ICMP. It's an integral part of IP.

http://users.worldgate.com/~marcs/mtu/

A lot of people need to take some "Protocol 101" classes. If you don't
like how ICMP works, I don't care. It's your broken network not mine. But
the fact is you can't filter the entire protocol without consequences. If
you choose to ignore said consequences, well again it's your broken
network not mine. I don't care.

> And I haven't found a valid reason to re-enable it.

See Above URL.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186

From owner-freebsd-security Thu Mar 22 9:50:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from unity.agava.ru (unity.agava.ru [213.59.3.227]) by hub.freebsd.org (Postfix) with ESMTP id 3B3C837B71A for ; Thu, 22 Mar 2001 09:50:18 -0800 (PST) (envelope-from m_ilya@agava.com)
Received: from relay2.agava.net.ru (unknown [193.125.142.2]) by unity.agava.ru (Postfix) with ESMTP id 7914327E997; Thu, 22 Mar 2001 20:50:16 +0300 (MSK)
Received: from gw.office.agava.ru (2.oivt.mipt.ru [193.125.142.2]) by relay2.agava.net.ru (Postfix) with ESMTP id E80DA43821; Thu, 22 Mar 2001 20:49:00 +0300 (MSK)
Received: from juil.domain (juil.domain [192.168.1.50]) by gw.office.agava.ru (Postfix) with ESMTP id A627D5EBC; Thu, 22 Mar 2001 20:49:00 +0300 (MSK)
Received: by juil.domain (Postfix, from userid 1001) id 35684314; Thu, 22 Mar 2001 20:48:39 +0300 (MSK)
To: Chris Byrnes
Cc:
Subject: Re: DoS attack - advice needed
References:
From: Ilya Martynov
Date: 22 Mar 2001 20:48:39 +0300
In-Reply-To:
Message-ID: <86snk5pudk.fsf@juil.domain>
Lines: 25
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "CB" == Chris Byrnes writes:

>> ping uses type 0 and 8
>>
>> traceroute uses 11

CB> Who needs it.

Who knows? Probably nobody :) I remember one case when my client asked
me why he couldn't ping his server. I was administering that server and
I had configured the firewall there not to pass its ICMP packets. My
client asked me to configure it to allow ping.

>> type 3 is required for TCP/UDP traffic

CB> Hrm.

I'm sorry. But what does 'Hrm' mean? It seems I don't know English well
enough :(

--
Ilya Martynov
AGAVA Software Company, http://www.agava.com

From owner-freebsd-security Thu Mar 22 9:52: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 1FBF537B71B for ; Thu, 22 Mar 2001 09:52:05 -0800 (PST) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.0/8.11.0) id f2MHq2Y60579; Thu, 22 Mar 2001 09:52:02 -0800 (PST)
Date: Thu, 22 Mar 2001 09:52:02 -0800
From: Erick Mechler
To: Chris Byrnes
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
Message-ID: <20010322095202.D59996@techometer.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from Chris Byrnes on Thu, Mar 22, 2001 at 11:22:26AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:: Why? If you have idiots running ping -f yourserver.com from 150 ISPs
:: around the world, you're going to want to filter ICMP. That's what I did
:: a while back.
::
:: And I haven't found a valid reason to re-enable it.

Maybe this document will give you the reason you're looking for...

http://users.worldgate.com/~marcs/mtu/

--Erick

From owner-freebsd-security Thu Mar 22 9:53:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id DE7FB37B719 for ; Thu, 22 Mar 2001 09:53:20 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHrGt12395; Thu, 22 Mar 2001 11:53:16 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:53:15 -0600 (CST)
From: Chris Byrnes
To: Mike Silbersack
Cc: , Marc Rogers ,
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> > around the world, you're going to want to filter ICMP. That's what I did
> > a while back.
> >
> > And I haven't found a valid reason to re-enable it.
>
> The ratelimiting in 4.3 handles that now, so it's not necessary to block
> it anymore. (Though if you're being pung constantly, I can understand the
> desire to block it.)

Erm. 450mbps in 45 minutes? ;)

We filtered it upstream on the edge routers, because it was killing
the T1s, obviously.

-Chris

From owner-freebsd-security Thu Mar 22 9:54:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id C679F37B71B for ; Thu, 22 Mar 2001 09:54:32 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHsVH12446; Thu, 22 Mar 2001 11:54:31 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:54:25 -0600 (CST)
From: Chris Byrnes
To:
Cc: Marc Rogers ,
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Idiots is a subjective term. Anyway. I'll tell you why you can't just *flip
> off* ICMP. It's an integral part of IP. http://users.worldgate.com/~marcs/mtu/
> A lot of people need to take some "Protocol 101" classes. If you don't like
> how ICMP works, I don't care. It's your broken network not mine. But the
> fact is you can't filter the entire protocol without consequences. If you
> choose to ignore said consequences, well again it's your broken network not
> mine. I don't care.

Wow, buddy. Seriously, come on. You don't have to get personal about
it. I asked a valid question, and people gave me some valid answers.
You, however, seem personally insulted by the fact that I don't want
ICMP turned on.

From owner-freebsd-security Thu Mar 22 9:58:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 1850537B722 for ; Thu, 22 Mar 2001 09:58:19 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2MHvoO12658; Thu, 22 Mar 2001 11:57:51 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Mar 2001 11:57:50 -0600 (CST)
From: Chris Byrnes
To: Ilya Martynov
Cc:
Subject: Re: DoS attack - advice needed
In-Reply-To: <86snk5pudk.fsf@juil.domain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >> type 3 is required for TCP/UDP traffic
>
> CB> Hrm.
>
> I'm sorry. But what does 'Hrm' mean? It seems I don't know English well
> enough :(

I think we can move this thread to personal e-mail, because some people
are getting offended that I don't want ICMP traffic.

"Hrm" means that I was just pondering what you had stated. I didn't know
exactly how ICMP was required for UDP and TCP traffic. We actually have
UDP except for port 53 filtered, as well, because of attacks.

Thanks for your help everyone.

-Chris

From owner-freebsd-security Thu Mar 22 9:58:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id B4A0E37B725 for ; Thu, 22 Mar 2001 09:58:22 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 21921 invoked by uid 1000); 22 Mar 2001 17:58:22 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Mar 2001 17:58:22 -0000
Date: Thu, 22 Mar 2001 11:58:22 -0600 (CST)
From: Mike Silbersack
To: Chris Byrnes
Cc: , Marc Rogers ,
Subject: Re: DoS attack - advice needed
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Mar 2001, Chris Byrnes wrote:

> > The ratelimiting in 4.3 handles that now, so it's not necessary to block
> > it anymore. (Though if you're being pung constantly, I can understand the
> > desire to block it.)
>
> Erm. 450mbps in 45 minutes? ;)
>
> We filtered it upstream on the edge routers, because it was killing
> the T1s, obviously.
>
> -Chris

Heh, yeah, that might affect the box, even with ratelimiting of
responses. :)

Mike "Silby" Silbersack

From owner-freebsd-security Thu Mar 22 10: 1:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from joe.pythonvideo.com (joe.pythonvideo.com [209.226.29.94]) by hub.freebsd.org (Postfix) with ESMTP id A04D437B718 for ; Thu, 22 Mar 2001 10:01:23 -0800 (PST) (envelope-from joe@advancewebhosting.com)
Received: from joe.pythonvideo.com (joe@localhost.pythonvideo.com [127.0.0.1]) by joe.pythonvideo.com (8.11.3/8.11.0) with ESMTP id f2MI1fY58829; Thu, 22 Mar 2001 13:01:41 -0500 (EST) (envelope-from joe@advancewebhosting.com)
Date: Thu, 22 Mar 2001 13:01:41 -0500 (EST)
Message-Id: <200103221801.f2MI1fY58829@joe.pythonvideo.com>
To: chris@jeah.net, freebsd-security@FreeBSD.ORG
From: Joe Oliveiro
Reply-To: joe@advancewebhosting.com
Subject: Re: DoS attack - advice needed

I drop all ICMP traffic regardless of what it is, well, to the outside world anyway, so I can still ping it locally.

On Thu, 22 Mar 2001 11:38:04 -0600 (CST), Chris Byrnes wrote:

> > ping uses type 0 and 8
> >
> > traceroute uses 11
>
> Who needs it.
>
> > type 3 is required for TCP/UDP traffic
>
> Hrm.
>
> + Chris Byrnes, chris@JEAH.net
> + JEAH Communications
> + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 10:02:34 2001
Message-ID: <3ABA3E33.A58E4811@sarenet.es>
Date: Thu, 22 Mar 2001 19:02:27 +0100
From: Borja Marcos
To: freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed

Chris Byrnes wrote:
>
> > >> type 3 is required for TCP/UDP traffic
> >
> > CB> Hrm.
> >
> > I'm sorry. But what means 'Hrm'? It seems I don't know English good
> > enough :(
>
> I think we can move this thread to personal e-mail, because some people
> are getting offended that I don't want ICMP traffic.

;-) ICMP filtering is bad for everyone who accesses your website, as it can cause malfunction. One of the typical problems is the "freezing" of the http connections when you are viewing a webpage. The problem? The "ICMP need fragment" messages are not reaching your web server.

Borja.

From owner-freebsd-security Thu Mar 22 11:11:28 2001
Message-Id: <4.3.2.7.2.20010322121002.046634e0@localhost>
Date: Thu, 22 Mar 2001 12:10:36 -0700
To: Mike Silbersack, Chris Byrnes
From: Brett Glass
Subject: Re: DoS attack - advice needed
Cc: Marc Rogers

At 10:44 AM 3/22/2001, Mike Silbersack wrote:

>The ratelimiting in 4.3 handles that now, so it's not necessary to block
>it anymore. (Though if you're being pung constantly, I can understand the
>desire to block it.)

"Pung?"

This gets my vote for neologism of the week.

--Brett

From owner-freebsd-security Thu Mar 22 11:46:57 2001
From: "oldfart@gtonet"
Subject: RE: DoS attack - advice needed
Date: Thu, 22 Mar 2001 11:46:49 -0800
In-reply-to: <4.3.2.7.2.20010322121002.046634e0@localhost>

I filter ICMP, at my router, too. I only allow incoming ICMP from source ports 0, 3 & 11 and I allow all outgoing ICMP. I just do it to help security, not as a stop-gap measure.

To get back on the original poster's questions, it might not have been a DoS attack if it only happened once and rebooting helped it. It was more likely some network problem.

Just my 2 cents on an already long thread,

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brett Glass
> Sent: Thursday, March 22, 2001 11:11 AM
> To: Mike Silbersack; Chris Byrnes
> Cc: scanner@jurai.net; Marc Rogers; freebsd-security@FreeBSD.ORG
> Subject: Re: DoS attack - advice needed
>
> At 10:44 AM 3/22/2001, Mike Silbersack wrote:
>
> >The ratelimiting in 4.3 handles that now, so it's not necessary to block
> >it anymore. (Though if you're being pung constantly, I can
> understand the
> >desire to block it.)
>
> "Pung?"
>
> This gets my vote for neologism of the week.
>
> --Brett

From owner-freebsd-security Thu Mar 22 12:18:29 2001
Message-ID: <004601c0b30d$3e718e30$0b6cffc8@infolink.com.br>
Reply-To: "Antonio Carlos Pina"
From: "Antonio Carlos Pina"
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:18:22 -0300

Hello Chris,

I will give you just one reason: Path-MTU discovery. Unless you have that type of ICMP enabled, some networks won't access your site.

Best Regards,
Cordially,

Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Chris Byrnes"
Cc: "Marc Rogers"
Sent: Thursday, March 22, 2001 2:22 PM
Subject: Re: DoS attack - advice needed

> > Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> > type's and code's, fine. But NEVER slap an embargo on the entire ICMP
> > protocol. The mentality to do this blows me away every time I hear it
> > uttered from people.
>
> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> awhile back.
>
> And I haven't found a valid reason to re-enable it.
>
> + Chris Byrnes, chris@JEAH.net
> + JEAH Communications
> + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Thu Mar 22 12:32:26 2001
Message-ID: <003d01c0b30f$35aebfa0$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:32:26 -0300

> Chris Byrnes wrote:
> >
> > > >> type 3 is required for TCP/UDP traffic
> > >
> > > CB> Hrm.
> > >
> > > I'm sorry. But what means 'Hrm'? It seems I don't know English good
> > > enough :(
> >
> > I think we can move this thread to personal e-mail, because some people
> > are getting offended that I don't want ICMP traffic.
>
> ;-) ICMP filtering is bad for everyone who accesses your
> website, as it can cause malfunction. One of the typical problems
> is the "freezing" of the http connections when you are viewing a
> webpage. The problem? The "ICMP need fragment" messages are
> not reaching your web server.

If I add the rules:

ipfw add pass icmp from any to my.ip.address icmptypes 3
ipfw add deny icmp from any to my.ip.address

Will it resolve the problem of fragmented packets?
Ronan Lucio

From owner-freebsd-security Thu Mar 22 12:32:27 2001
Date: Thu, 22 Mar 2001 17:31:57 -0300
From: Rodrigo Campos
To: Ilya Martynov
Cc: Chris Byrnes, freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
Message-ID: <20010322173157.C5678@x-ray.matrix.com.br>
In-Reply-To: <86snk5pudk.fsf@juil.domain>

On Thu, Mar 22, 2001 at 08:48:39PM +0300, Ilya Martynov wrote:
> >>>>> "CB" == Chris Byrnes writes:
>
> >> ping uses type 0 and 8
> >>
> >> traceroute uses 11
>
> CB> Who needs it.
>
> Who knows? Probably nobody :)

That's not true at all. Filtering all ICMP traffic can result in very odd connectivity problems due to Path MTU discovery issues. There's a very good white paper about it that can be found at http://www.worldgate.com/~marcs/mtu/

Regards,

--
Rodrigo Campos
Matrix Internet S.A. - NOC

From owner-freebsd-security Thu Mar 22 12:45:31 2001
Message-ID: <007101c0b311$0d67db60$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:45:37 -0300

Sorry,

I'd like to say to allow the following icmptypes:

3 (destination unreachable)
4 (source quench)
11 (ttl exceeded)
12 (ip header bad)

I think it's enough to cause no problem to the system and block ping packets.

Ronan Lucio

> If I add the rules:
>
> ipfw add pass icmp from any to my.ip.address icmptypes 3
> ipfw add deny icmp from any to my.ip.address
>
> Will it resolve the problem of fragmented packets?
>
> Ronan Lucio

From owner-freebsd-security Thu Mar 22 12:49:57 2001
Message-ID: <019101c0b311$a2844fd0$0b6cffc8@infolink.com.br>
Reply-To: "Antonio Carlos Pina"
From: "Antonio Carlos Pina"
References: <007101c0b311$0d67db60$2aa8a8c0@melim.com.br>
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:49:48 -0300

Source quench is supposed to be needed but is bad (big security risks). You should avoid it.

Regards,
Cordially,

Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Ronan Lucio"
Sent: Thursday, March 22, 2001 5:45 PM
Subject: Re: DoS attack - advice needed

> Sorry,
>
> I'd like to say to allow the following icmptypes:
>
> 3 (destination unreachable)
> 4 (source quench)
> 11 (ttl exceeded)
> 12 (ip header bad)
>
> I think it's enough to cause no problem to the system and
> block ping packets.
>
> Ronan Lucio
>
> > If I add the rules:
> >
> > ipfw add pass icmp from any to my.ip.address icmptypes 3
> > ipfw add deny icmp from any to my.ip.address
> >
> > Will it resolve the problem of fragmented packets?
> >
> > Ronan Lucio

From owner-freebsd-security Thu Mar 22 13:12:36 2001
From: "Peter Avalos"
Subject: RE: Multiple vendors FTP denial of service
Date: Thu, 22 Mar 2001 15:14:53 -0600
In-Reply-To: <20010317174640.F20830@speedy.gsinet>

> > The reality that only a select few daemons use /etc/login.conf
> > is admittedly counter-intuitive. Perhaps this is more of a job

Does cron use login.conf?

> Until there's an agreed upon and clean solution, would a comment
> at the top of /etc/login.conf raise attention? Maybe with

If cron does use login.conf, how about a short statement in the man page about it?

--Pete

From owner-freebsd-security Thu Mar 22 13:12:47 2001
Date: Thu, 22 Mar 2001 13:12:32 -0800 (PST)
Message-Id: <200103222112.f2MLCW214896@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:30.ufs-ext2fs
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:30                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          UFS/EXT2FS allows disclosure of deleted data

Category:       kernel
Module:         ufs/ext2fs
Announced:      2001-03-22
Credits:        Sven Berkvens, Marc Olzheim
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-22 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

UFS is the Unix File System, used by default on FreeBSD systems and many other UNIX variants. EXT2FS is a filesystem used by default on many Linux systems, which is also available on FreeBSD.

II.  Problem Description

There exists a data consistency race condition which allows users to obtain access to areas of the filesystem containing data from deleted files. The filesystem code is supposed to ensure that all filesystem blocks are zeroed before becoming available to user processes, but in a certain specific case this zeroing does not occur, and unzeroed blocks are passed to the user with their previous contents intact. Thus, if the block contains data which used to be part of a file or directory to which the user did not have access, the operation results in unauthorized access of data.

All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem. This problem is not specific to FreeBSD systems and is believed to exist on many filesystems.

This problem was corrected prior to the forthcoming release of FreeBSD 4.3.

III. Impact

Unprivileged users may obtain access to data which was part of deleted files.

IV.  Workaround

None appropriate.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates.

To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply against FreeBSD 3.5.1-RELEASE, FreeBSD 4.1.1-RELEASE and FreeBSD 4.2-RELEASE. It may or may not apply to older, unsupported releases.

# cd /usr/src
# patch -p < /path/to/patch

Rebuild and reinstall your kernel as described in the FreeBSD handbook at the following URL:

http://www.freebsd.org/handbook/kernelconfig.html

and reboot for the changes to take effect.

From owner-freebsd-security Thu Mar 22 14:27:00 2001
Date: Thu, 22 Mar 2001 23:26:42 +0100 (CET)
From: Paul Herman
To: Peter Avalos
Subject: RE: Multiple vendors FTP denial of service

On Thu, 22 Mar 2001, Peter Avalos wrote:

> > > The reality that only a select few daemons use /etc/login.conf
> > > is admittedly counter-intuitive. Perhaps this is more of a job
>
> Does cron use login.conf?

Yep. It's one good reason to stick with the good ol' BSD standbys in the base system (ftpd, cron, inetd, etc...) rather than port replacements which are not natively LOGIN_CAP aware.

There are exceptions. The "user [username]" option in hosts.allow *doesn't* switch login classes. In fact, most (all?) programs in /usr/src/contrib are not LOGIN_CAP aware. sendmail is an exception.

-Paul.

From owner-freebsd-security Thu Mar 22 17:01:17 2001
Message-ID: <3ABA9F7F.53F8980A@bellatlantic.net>
Date: Thu, 22 Mar 2001 19:57:35 -0500
From: Sergey Babkin
To: Max Khon
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)

Max Khon wrote:
>
> hi, there!
>
> On Wed, 21 Mar 2001, Sergey Babkin wrote:
>
> > > >> > on (a) the number of groups of which a user can be a member and (b) the
> > > >
> > > >For this there is some macro (can't remember the name) which
> > > >can be defined in the kernel config file as an option with
> > > >a higher value. Setting it higher means higher system overhead
> > > >but since the memory size has increased significantly over
> > > >the last few years, I think that a higher default value makes
> > > >sense.
> > >
> > > I do too. Could you submit this as a patch?
> >
> > I've looked at it and found that it's already made into a sysctl
> > variable kern.ngroups.
>
> it is read-only however (at least on my 4.2-STABLE system)

It's NGROUPS_MAX defined in sys/limits.h. I've thought that it's surrounded by #ifdef NGROUPS_MAX but it looks like in reality it is not.
-SB

From owner-freebsd-security Thu Mar 22 17:11:53 2001
Date: Fri, 23 Mar 2001 08:11:44 +0700 (ICT)
Message-Id: <200103230111.IAA07068@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: ostap@ukrpost.net
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: <3ABA09E0.141711C9@ukrpost.net> (message from ostap on Thu, 22 Mar 2001 16:19:12 +0200)
Subject: Re: DoS attack - advice needed

>i'm interested in the ways how this can be done, and what is needed
>to prevent such attacks on 3.x freebsd, without blocking all icmp
>traffic.

One solution I heard about is to limit the bandwidth available for ICMP (say 5% of your total bandwidth). Of course during a DoS attack no valid ICMP will get through, but at least your network will still be working.

Regards,

Olivier

From owner-freebsd-security Thu Mar 22 17:32:58 2001
Date: Fri, 23 Mar 2001 08:32:50 +0700 (ICT)
Message-Id: <200103230132.IAA07082@banyan.cs.ait.ac.th>
From: Olivier Nicole
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed

>I filter ICMP, at my router, too. I only allow incoming ICMP from source
>ports 0, 3 & 11 and I allow all outgoing ICMP. I just do it to help security
>not as a stop-gap measure. To get back on the original poster's questions,

Why not filter the same outgoing ports as the incoming ones? That would help the global Internet security/performance, by making sure no attack can be launched from your network.

As for why ICMP is needed, basic tools used by network people are based on ICMP. As long as you are connected to only one provider, that is OK, but if not, then you DO need traceroute... If only to know where your packets are going and if they are going in the right direction.

Olivier

From owner-freebsd-security Fri Mar 23 04:28:10 2001
Message-ID: <3ABB4154.CAE7535D@sarenet.es>
Date: Fri, 23 Mar 2001 13:28:04 +0100
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
References: <200103230132.IAA07082@banyan.cs.ait.ac.th>

Olivier Nicole wrote:
>
> >I filter ICMP, at my router, too. I only allow incoming ICMP from source
> >ports 0, 3 & 11 and I allow all outgoing ICMP. I just do it to help security
> >not as a stop-gap measure. To get back on the original poster's questions,
>
> Why not filter the same outgoing ports as the incoming ones? That
> would help the global Internet security/performance, by making sure no
> attack can be launched from your network.

In this case, the most important filters are those which prevent address spoofing, making sure that every packet leaving your networks has a source address belonging to your network.

Borja.

From owner-freebsd-security Fri Mar 23 08:20:03 2001
Date: Fri, 23 Mar 2001 08:19:42 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed

"Antonio Carlos Pina" wrote:
>Source quench is supposed to be needed but is bad (big security risks). You
>should avoid it.

Source quench is bad? Could you elaborate? Also, what is the difference between an ICMP flood and a TCP or UDP flood?

This topic comes up in comp.protocols.tcp-ip from time to time and the common wisdom recommends allowing icmptypes 0,3,4,8, and 11. I have not yet seen a good reason not to allow these icmptypes posted to this forum.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

>> I'd like to say to allow the following icmptypes:
>>
>> 3 (destination unreachable)
>> 4 (source quench)
>> 11 (ttl exceeded)
>> 12 (ip header bad)
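The allow-list debate above (Ronan's proposed types, Antonio's warning about source quench, Roger's question), worked through as an added Python example that is not code from any poster: a host-side check that first applies the proposed type list without source quench, as Antonio advised, and then requires the IP header and 8 transport bytes quoted inside an accepted ICMP error to describe a connection the host actually has, which is what a forged error message would have to guess. Addresses, ports and packet bytes are constructed, and ALLOWED_TYPES is this example's policy choice, not a recommendation from the thread.

```python
"""ICMP inbound policy plus quoted-datagram validation (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

# The allow-list proposed in the thread (3, 4, 11, 12) minus source quench (4).
# Echo (0/8) is not in it, so ping is refused by policy.  Example choice only.
ALLOWED_TYPES = {3, 11, 12}
TCP, UDP = 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def build_ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """20-byte IPv4 header, DF set, no options; header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def build_icmp(type_: int, code: int, rest: int, quoted: bytes = b"") -> bytes:
    """ICMP message with a correct checksum; 'rest' is the second header word."""
    body = struct.pack("!BBHI", type_, code, 0, rest) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass
class Verdict:
    action: str               # "pass", "deny" (policy) or "drop" (failed validation)
    reason: str
    flow: Optional[Flow] = None
    mtu: Optional[int] = None


def parse_quoted(quoted: bytes) -> Optional[Flow]:
    """Recover the flow from the quoted IP header + first 8 transport bytes."""
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    if len(quoted) < ihl + 8 or proto not in (TCP, UDP):
        return None
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return Flow(ip_str(quoted[12:16]), ip_str(quoted[16:20]), sport, dport, proto)


def evaluate(icmp: bytes, active_flows: Set[Flow]) -> Verdict:
    """Type policy first, then check the quoted datagram is one this host sent."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return Verdict("drop", "short message or bad checksum")
    type_, code = icmp[0], icmp[1]
    if type_ not in ALLOWED_TYPES:
        return Verdict("deny", f"ICMP type {type_} not in allow-list")
    flow = parse_quoted(icmp[8:])
    if flow is None:
        return Verdict("drop", "quoted datagram missing or malformed")
    # The quote is the datagram *we* sent; a forged error has to guess it.
    # A fuller check would also require a TCP quote's sequence number to fall
    # in the send window, the point made about source quench in this thread.
    if flow not in active_flows:
        return Verdict("drop", "quote matches no active flow", flow)
    if type_ == 3 and code == 4:
        mtu = struct.unpack("!H", icmp[6:8])[0]   # next-hop MTU, RFC 1191
        return Verdict("pass", "fragmentation needed", flow, mtu)
    return Verdict("pass", f"type {type_} code {code}", flow)


# Constructed sample: our web server (203.0.113.10) talking to one client.
WEB_FLOW = Flow("203.0.113.10", "198.51.100.7", 80, 45678, TCP)
ACTIVE_FLOWS = {WEB_FLOW}
GOOD_QUOTE = (build_ipv4_header(WEB_FLOW.src, WEB_FLOW.dst, TCP)
              + struct.pack("!HHI", WEB_FLOW.sport, WEB_FLOW.dport, 1000))
BOGUS_QUOTE = (build_ipv4_header(WEB_FLOW.src, "192.0.2.99", TCP)
               + struct.pack("!HHI", 80, 1234, 1))

FRAG_NEEDED = build_icmp(3, 4, 1400, GOOD_QUOTE)    # PMTUD message: must pass
SOURCE_QUENCH = build_icmp(4, 0, 0, GOOD_QUOTE)     # refused by policy
ECHO_REQUEST = build_icmp(8, 0, 0x12340001)          # ping: refused by policy
FORGED_UNREACH = build_icmp(3, 3, 0, BOGUS_QUOTE)   # quote matches nothing: drop
```

Running evaluate() over the four sample messages passes only FRAG_NEEDED (with next-hop MTU 1400 recovered), so the PMTUD case the thread worries about gets through while ping, source quench and a forged unreachable do not.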
From: Scott Johnson
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
Message-ID: <20010323124333.A65189@ns2.airlinksys.com>
Reply-To: Scott Johnson
Mail-Followup-To: freebsd-security@freebsd.org
References: <007101c0b311$0d67db60$2aa8a8c0@melim.com.br> <019101c0b311$a2844fd0$0b6cffc8@infolink.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <019101c0b311$a2844fd0$0b6cffc8@infolink.com.br>; from apina@infolink.com.br on Thu, Mar 22, 2001 at 05:49:48PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoth Antonio Carlos Pina on Thu, Mar 22, 2001 at 05:49:48PM -0300:
> Source quench is supposed to be needed but is bad (big security risks). You
> should avoid it.

RFC 792 defines ICMP type 4:

    The source quench message is a request to the host to cut back the rate
    at which it is sending traffic to the internet destination. The gateway
    may send a source quench message for every message that it discards. On
    receipt of a source quench message, the source host should cut back the
    rate at which it is sending traffic to the specified destination until
    it no longer receives source quench messages from the gateway. The
    source host can then gradually increase the rate at which it sends
    traffic to the destination until it again receives source quench
    messages.

    The gateway or host may send the source quench message when it
    approaches its capacity limit rather than waiting until the capacity is
    exceeded. This means that the data datagram which triggered the source
    quench message may be delivered.

All of which seems to be a good thing, except that source quench messages
can be used for DoS attacks. However, to pull it off you need to send a
message for every TCP stream you wish to disrupt, and each message must
contain the IP header + 64 bits of a real packet in the transmission.
(Well, it doesn't have to be an exact copy, but some values, like src and
dst ports and addresses, and the sequence numbers, must be correct.) Joe
script kiddie probably doesn't have access to enough traffic to use this
effectively or on a large scale. Correct me if I'm wrong, but this seems
low risk. You can just compare the risk to the benefits of congestion
control. At any rate, it wouldn't hurt to let source quench out.

The current Internet Standards for gateways and hosts say:

RFC 1009 (gateway requirements):

    All gateways must contain code for sending ICMP Source Quench messages
    when they are forced to drop IP datagrams due to congestion. Although
    the Source Quench mechanism is known to be an imperfect means for
    Internet congestion control, and research towards more effective means
    is in progress, Source Quench is considered to be too valuable to omit
    from production gateways.

RFC 1122 (host requirements):

    A host MAY send a Source Quench message if it is approaching, or has
    reached, the point at which it is forced to discard incoming datagrams
    due to a shortage of reassembly buffers or other resources. See Section
    2.2.3 of [INTRO:2] for suggestions on when to send Source Quench.

    If a Source Quench message is received, the IP layer MUST report it to
    the transport layer (or ICMP processing). In general, the transport or
    application layer SHOULD implement a mechanism to respond to Source
    Quench for any protocol that can send a sequence of datagrams to the
    same destination and which can reasonably be expected to maintain
    enough state information to make this feasible.

    DISCUSSION:
        A Source Quench may be generated by the target host or by some
        gateway in the path of a datagram. The host receiving a Source
        Quench should throttle itself back for a period of time, then
        gradually increase the transmission rate again.
        The mechanism to respond to Source Quench may be in the transport
        layer (for connection-oriented protocols like TCP) or in the
        application layer (for protocols that are built on top of UDP).

While "in general" the transport layer SHOULD respond to source quench, in
particular TCP and UDP MUST. RFC 1122 again, regarding TCP:

    TCP MUST react to a Source Quench by slowing transmission on the
    connection. The RECOMMENDED procedure is for a Source Quench to trigger
    a "slow start," as if a retransmission timeout had occurred.

and UDP:

    UDP MUST pass to the application layer all ICMP error messages that it
    receives from the IP layer. Conceptually at least, this may be
    accomplished with an upcall to the ERROR_REPORT routine (see Section
    4.2.4.1).

-- 
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Fri Mar 23 20:53:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from demai05.mw.mediaone.net (demai05.mw.mediaone.net [24.131.1.56]) by hub.freebsd.org (Postfix) with ESMTP id EA5EE37B719 for ; Fri, 23 Mar 2001 20:51:40 -0800 (PST) (envelope-from jerkart@mw.mediaone.net)
Received: from jose (nic-131-c88-24.mw.mediaone.net [24.131.88.24]) by demai05.mw.mediaone.net (8.11.1/8.11.1) with SMTP id f2O4pba19924 for ; Fri, 23 Mar 2001 23:51:38 -0500 (EST)
Message-ID: <05ae01c0b41e$1f82ac90$0200a8c0@jose>
From: "Jeremy Karteczka"
To:
Subject: Trying to set up an IKE vpn between FreeBSD and Checkpoint FW-1
Date: Fri, 23 Mar 2001 23:51:38 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_05AB_01C0B3F4.339FD9C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

I am trying to get an IKE vpn going between a 4.2-RELEASE machine (using
racoon for key exchange) and a Checkpoint firewall (v4.1 SP3). I have tried
both sha1 and md5. Every time I try to establish a connection, phase 1
negotiation succeeds and phase 2 says it succeeds in the racoon log file,
but then I get this message at the bottom of /var/log/messages:

When using md5:
    key_mature: invalid AH key length 128 (160-160 allowed)

with sha1:
    key_mature: invalid AH key length 160 (128-128 allowed)

I was able to speak with Checkpoint Tech support on this and they did
confirm that Firewall-1 uses a 128-bit key for md5 and a 160-bit key for
sha1. I have looked for RFCs to find out which is the accepted standard but
could not find one that specifically states how long the key should be for
each hash method. Can anyone point me to the proper RFCs and/or tell me if
there is a way I can reverse the expected key length on the FreeBSD side?
The Checkpoint tech I spoke with stated that Firewall-1 is compliant with
RFCs 2408 and 2409 but I see no mention of AH key length for hash methods.

I have attached a copy of the racoon log (the external IPs have been
cleansed) and the conf used for an attempt to connect while using sha1.
Thanks in advance,

Jeremy

Content-Type: application/octet-stream; name="racoon.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="racoon.conf"

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug2;
#log notify;

remote anonymous
{
	exchange_mode aggressive,main,base;
	lifetime time 10080 min ;	# sec,min,hour

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
#  - kernel IPsec policy configuration (like "esp/transport//use)
#  - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 1 hour ;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1 ;
	compression_algorithm deflate ;
}

Content-Type: application/octet-stream; name="racoon.log"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="racoon.log"

2001-03-22 23:25:08: INFO: main.c:146:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-03-22 23:25:08: INFO: main.c:147:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
2001-03-22 23:25:31: INFO: isakmp.c:2310:log_ph1established(): ISAKMP-SA = established [500]-[500] = spi:22995282a09bc7c6:16db15fd70dfe9a6 2001-03-22 23:25:31: DEBUG: isakmp.c:650:ph1_main(): =3D=3D=3D 2001-03-22 23:25:31: DEBUG: oakley.c:2423:oakley_newiv2(): compute IV = for phase2 2001-03-22 23:25:31: DEBUG: oakley.c:2424:oakley_newiv2(): phase1 last = IV:=20 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 8745548b 6f31648e fedc407e 2001-03-22 23:25:31: DEBUG: oakley.c:353:oakley_hash(): use sha1 to = calculate phase 1. 2001-03-22 23:25:31: DEBUG: oakley.c:2450:oakley_newiv2(): phase2 IV = computed:=20 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 88674500 12e13a95 2001-03-22 23:25:31: DEBUG: pfkey.c:827:pk_sendgetspi(): call = pfkey_send_getspi 2001-03-22 23:25:31: DEBUG: pfkey.c:840:pk_sendgetspi(): pfkey GETSPI = sent: ESP/Tunnel ->=20 2001-03-22 23:25:31: DEBUG: isakmp_quick.c:128:quick_i1prep(): pfkey = getspi sent. 2001-03-22 23:25:31: DEBUG: pfkey.c:191:pfkey_handler(): get pfkey = GETSPI message 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 02010003 0a000000 79000000 0e430000 02000100 01db2bb7 900081ab 02731b56 03000500 ff200000 10020000 cfe7963e 00000000 00000000 03000600 ff200000 10020000 18835818 00000000 00000000 2001-03-22 23:25:31: DEBUG: pfkey.c:901:pk_recvgetspi(): pfkey GETSPI = succeeded: ESP/Tunnel -> = spi=3D31140791(0x1db2bb7) 2001-03-22 23:25:31: DEBUG: oakley.c:228:oakley_dh_generate(): compute = DH's private. 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 504fcfee cbf60ec7 09d50e9c f2baa268 d5de357b 07a6a461 3ecfc49e 85ae42b2 fc9e94a1 fee24bd6 bedd03b9 a73997ed 0ee23ce5 82f27a3f e4dd5da1 b70008b5 e23031c8 fb1a84be 765016cb 2e45046f 8703081e c2f8ee08 2ccc18d0 36bbb39b 6c3a6897 36e82141 ec17b148 fff83c31 32cd5cbc 9079cdfc 70e1aff5 4daefd0e 2001-03-22 23:25:31: DEBUG: oakley.c:230:oakley_dh_generate(): compute = DH's public. 
2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 16bf44b3 aae8dc27 b062499f 1052bb77 d2054d7f 9a527119 34a41236 94dc4360 293cafd4 99e9ea2c 37a31d61 72a85dbb a58240fb 79f6bfa0 39d0186e fc7b6f04 0671a96b 5f57714b afc5d99d 9f5d5d45 7d714b35 13401d6d c9233199 7c76fc40 721b4387 ab7af135 447f6168 ff36968c 58a0b654 f27f9ece a3f4106b e2aecbdf 2001-03-22 23:25:31: DEBUG: ipsec_doi.c:3280:ipsecdoi_setid2(): use = local ID type IPv4_subnet 2001-03-22 23:25:31: DEBUG: ipsec_doi.c:3320:ipsecdoi_setid2(): use = remote ID type IPv4_subnet 2001-03-22 23:25:31: DEBUG: isakmp_quick.c:199:quick_i1send(): IDci: 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 04000000 c0a80000 ffffff00 2001-03-22 23:25:31: DEBUG: isakmp_quick.c:201:quick_i1send(): IDcr: 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 04000000 c0a86400 ffffff00 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 48, next type 10 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 16, next type 4 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 128, next type 5 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 12, next type 5 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 12, next type 0 2001-03-22 23:25:31: DEBUG: oakley.c:715:oakley_compute_hash1(): HASH = with: 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 fedc407e 0a000034 00000001 00000001 00000028 01030401 01db2bb7 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 04000014 e378c4ee 60866d1e b6b2a637 df2a76c1 05000084 16bf44b3 aae8dc27 b062499f 1052bb77 d2054d7f 9a527119 34a41236 94dc4360 293cafd4 99e9ea2c 37a31d61 72a85dbb a58240fb 79f6bfa0 39d0186e fc7b6f04 0671a96b 5f57714b afc5d99d 9f5d5d45 7d714b35 13401d6d c9233199 7c76fc40 721b4387 ab7af135 447f6168 ff36968c 58a0b654 f27f9ece a3f4106b e2aecbdf 05000010 04000000 c0a80000 ffffff00 00000010 04000000 
c0a86400 ffffff00 2001-03-22 23:25:31: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:31: DEBUG: oakley.c:725:oakley_compute_hash1(): HASH = computed:=20 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 10e3078a d3d3f443 791fbe65 a5869b2a 74dbcc6e 2001-03-22 23:25:31: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 20, next type 1 2001-03-22 23:25:31: DEBUG: isakmp.c:2147:isakmp_printpacket(): begin. 25:31.946708 :500 -> :500: isakmp 1.0 = msgid fedc407e: phase 2/others ? oakley-quick: (hash: len=3D20) (sa: doi=3Dipsec situation=3Didentity (p: #1 protoid=3Dipsec-esp transform=3D1 spi=3D01db2bb7 (t: #1 id=3D3des (type=3Dlifetype value=3Dsec)(type=3Dlife = value=3D0e10)(type=3Denc mode value=3Dtunnel)(type=3Dauth = value=3Dhmac-sha1)(type=3Dgroup desc value=3Dmodp1024)))) (nonce: n len=3D16) (ke: key len=3D128) (id: idtype=3DIPv4net protoid=3D0 port=3D0 len=3D8 = 192.168.0.0/255.255.255.0) (id: idtype=3DIPv4net protoid=3D0 port=3D0 len=3D8 = 192.168.100.0/255.255.255.0) 2001-03-22 23:25:31: DEBUG: oakley.c:2610:oakley_do_encrypt(): begin = encryption. 2001-03-22 23:25:31: DEBUG: oakley.c:2617:oakley_do_encrypt(): pad = length =3D 4 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 01000018 10e3078a d3d3f443 791fbe65 a5869b2a 74dbcc6e 0a000034 00000001 00000001 00000028 01030401 01db2bb7 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 04000014 e378c4ee 60866d1e b6b2a637 df2a76c1 05000084 16bf44b3 aae8dc27 b062499f 1052bb77 d2054d7f 9a527119 34a41236 94dc4360 293cafd4 99e9ea2c 37a31d61 72a85dbb a58240fb 79f6bfa0 39d0186e fc7b6f04 0671a96b 5f57714b afc5d99d 9f5d5d45 7d714b35 13401d6d c9233199 7c76fc40 721b4387 ab7af135 447f6168 ff36968c 58a0b654 f27f9ece a3f4106b e2aecbdf 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a86400 ffffff00 62938003 2001-03-22 23:25:31: DEBUG: oakley.c:2652:oakley_do_encrypt(): = encrypt(3des). 
2001-03-22 23:25:31: DEBUG: oakley.c:2655:oakley_do_encrypt(): with key: = 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 1b149c9f 84d998f6 a7804081 8edd7279 8a581069 80f0c89d 2001-03-22 23:25:31: DEBUG: oakley.c:2664:oakley_do_encrypt(): encrypted = payload by IV:=20 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 18c09f52 7ef0ab45 2001-03-22 23:25:31: DEBUG: oakley.c:2671:oakley_do_encrypt(): save IV = for next:=20 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 18c09f52 7ef0ab45 2001-03-22 23:25:31: DEBUG: oakley.c:2688:oakley_do_encrypt(): = encrypted. 2001-03-22 23:25:31: DEBUG: sockmisc.c:357:sendfromto(): sockname = [500] 2001-03-22 23:25:31: DEBUG: sockmisc.c:359:sendfromto(): send packet = from [500] 2001-03-22 23:25:31: DEBUG: sockmisc.c:361:sendfromto(): send packet to = [500] 2001-03-22 23:25:31: DEBUG: isakmp.c:1349:isakmp_send(): 1 times of 292 = bytes message will be sent. 2001-03-22 23:25:31: DEBUG: plog.c:204:plogdump():=20 22995282 a09bc7c6 16db15fd 70dfe9a6 08102001 fedc407e 00000124 e153dae5 17d72111 7f83c519 dd8dc039 7dc3dd4f 6387456f 301d5f81 fb3c6a98 2cd470cb a128f947 c949b45d aa239f91 91ecc2b6 811b84db 907d926d bdc03341 a3b06710 3a6cdef4 67291e88 9bc5f8e4 b88785b9 b3b7c599 c1758a06 9fc43839 d1a42a3f f50d24ab 5d8e343a d77f2fe5 080e4892 59461cab 3d832fb1 617c1dcc 680dd502 fa5377b4 a53f66e7 fc886f77 81ed931f 4102f9dc 5c670d94 b6231cfb 630373ea 0db84013 383987b7 454836cf 8b17c68d c4961631 0179a378 0318a084 9c03510f b8697a3f fde03c7e ee10355c 6a2864bf 21de233a 3836b94c 012a253e e6c2356b 31831e73 7730fb43 d84cf64e 1b4b5bf5 72c233ed 16d1fbf3 2aab5134 18c09f52 7ef0ab45 2001-03-22 23:25:32: DEBUG: isakmp.c:232:isakmp_handler(): =3D=3D=3D 2001-03-22 23:25:32: DEBUG: isakmp.c:233:isakmp_handler(): 300 bytes = message received from [500] 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 22995282 a09bc7c6 16db15fd 70dfe9a6 08102001 fedc407e 0000012c 6a63ccf0 ee8fbf2a 90f95160 27feb56c 0fa41090 3d10c638 4c7433ff d9782e85 a6efcab5 
3468be11 122980c4 a3bc077d 977db81c 8347d6ff 1bc1f32d f6c02a05 78b58152 b65fbdb3 ea659151 f83c348e 0d116a6d 8425a261 b27722fe 064e0593 1b367fe4 5d2bc330 53bd2869 e6124233 f8fe89f0 172d5e36 67eaa05a c803e619 17546e25 7b9cdc98 f7cda610 bccae8ef fb906ed6 551c989c 4339cdee d8d77ea6 b8cf979e 4aab2d18 60151ce4 867e43d8 f2e01f09 777ec7b9 79cd129e e480a849 487ccb9a a80efd09 860deb9a 6769057f 20e1b24f 7384e5c0 3b16b5a2 eafc0833 e447ccab 940a6703 8e189c26 69cfb093 91eaf531 66dd0992 2950098f a5056185 1e0be3e0 b9aa96ed 32bb3fa1 c745c399 2001-03-22 23:25:32: DEBUG: isakmp.c:2147:isakmp_printpacket(): begin. 25:32.198778 :500 -> :500: isakmp 1.0 = msgid fedc407e: phase 2/others ? oakley-quick[E]: [|hash] 2001-03-22 23:25:32: DEBUG: oakley.c:2492:oakley_do_decrypt(): begin = decryption. 2001-03-22 23:25:32: DEBUG: oakley.c:2498:oakley_do_decrypt(): IV was = saved for next processing:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 32bb3fa1 c745c399 2001-03-22 23:25:32: DEBUG: oakley.c:2523:oakley_do_decrypt(): = decrypt(3des) 2001-03-22 23:25:32: DEBUG: oakley.c:2526:oakley_do_decrypt(): with key: = 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 1b149c9f 84d998f6 a7804081 8edd7279 8a581069 80f0c89d 2001-03-22 23:25:32: DEBUG: oakley.c:2535:oakley_do_decrypt(): decrypted = payload by IV:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 32bb3fa1 c745c399 2001-03-22 23:25:32: DEBUG: oakley.c:2538:oakley_do_decrypt(): decrypted = payload, but not trimed. 
2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 01000018 b1cee678 6746eb92 b0336373 ab764011 c79eb892 0a000034 00000001 00000001 00000028 01030401 59135eab 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 04000018 f74c1189 a7ebf39f 8bd6a8a0 5e553ec4 ef686e05 05000084 89a4d7a3 bb18aa20 453f8924 4e704558 aa4253f2 8f063030 985850c1 cce74341 d3b26267 6dcdb66b a5ce4a2c 36e6586c 361b97cc 3be4c9a2 9db494ee 350438d6 f5d5d44c e846f26b 7018b5a7 d51f6a7c 4eb9aee2 0dbd9620 ed42c65f c02a1f7e 1069c0aa be92cbff d780312e f540f265 0d1346a0 b461c6d2 ca8d2086 6411fbb6 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a86400 ffffff00 00000000 00000007 2001-03-22 23:25:32: DEBUG: oakley.c:2547:oakley_do_decrypt(): padding = len=3D8 2001-03-22 23:25:32: DEBUG: oakley.c:2561:oakley_do_decrypt(): skip to = trim padding. 2001-03-22 23:25:32: DEBUG: oakley.c:2576:oakley_do_decrypt(): = decrypted. 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 22995282 a09bc7c6 16db15fd 70dfe9a6 08102001 fedc407e 0000012c 01000018 b1cee678 6746eb92 b0336373 ab764011 c79eb892 0a000034 00000001 00000001 00000028 01030401 59135eab 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 04000018 f74c1189 a7ebf39f 8bd6a8a0 5e553ec4 ef686e05 05000084 89a4d7a3 bb18aa20 453f8924 4e704558 aa4253f2 8f063030 985850c1 cce74341 d3b26267 6dcdb66b a5ce4a2c 36e6586c 361b97cc 3be4c9a2 9db494ee 350438d6 f5d5d44c e846f26b 7018b5a7 d51f6a7c 4eb9aee2 0dbd9620 ed42c65f c02a1f7e 1069c0aa be92cbff d780312e f540f265 0d1346a0 b461c6d2 ca8d2086 6411fbb6 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a86400 ffffff00 00000000 00000007 2001-03-22 23:25:32: DEBUG: isakmp.c:2147:isakmp_printpacket(): begin. 25:32.213763 :500 -> :500: isakmp 1.0 = msgid fedc407e: phase 2/others ? 
oakley-quick: (hash: len=3D20) (sa: doi=3Dipsec situation=3Didentity (p: #1 protoid=3Dipsec-esp transform=3D1 spi=3D59135eab (t: #1 id=3D3des (type=3Dlifetype value=3Dsec)(type=3Dlife = value=3D0e10)(type=3Denc mode value=3Dtunnel)(type=3Dauth = value=3Dhmac-sha1)(type=3Dgroup desc value=3Dmodp1024)))) (nonce: n len=3D20) (ke: key len=3D128) (id: idtype=3DIPv4net protoid=3D0 port=3D0 len=3D8 = 192.168.0.0/255.255.255.0) (id: idtype=3DIPv4net protoid=3D0 port=3D0 len=3D8 = 192.168.100.0/255.255.255.0) 2001-03-22 23:25:32: DEBUG: isakmp.c:1023:isakmp_parsewoh(): begin. 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D8(hash) 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D1(sa) 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D10(nonce) 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D4(ke) 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D5(id) 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D5(id) 2001-03-22 23:25:32: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed. 
2001-03-22 23:25:32: DEBUG: isakmp_quick.c:464:quick_i2recv(): HASH = allocated:hbuf->l=3D288 actual:tlen=3D256 2001-03-22 23:25:32: DEBUG: isakmp_quick.c:478:quick_i2recv(): HASH(2) = received: 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 b1cee678 6746eb92 b0336373 ab764011 c79eb892 2001-03-22 23:25:32: DEBUG: oakley.c:715:oakley_compute_hash1(): HASH = with: 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 fedc407e e378c4ee 60866d1e b6b2a637 df2a76c1 0a000034 00000001 00000001 00000028 01030401 59135eab 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 04000018 f74c1189 a7ebf39f 8bd6a8a0 5e553ec4 ef686e05 05000084 89a4d7a3 bb18aa20 453f8924 4e704558 aa4253f2 8f063030 985850c1 cce74341 d3b26267 6dcdb66b a5ce4a2c 36e6586c 361b97cc 3be4c9a2 9db494ee 350438d6 f5d5d44c e846f26b 7018b5a7 d51f6a7c 4eb9aee2 0dbd9620 ed42c65f c02a1f7e 1069c0aa be92cbff d780312e f540f265 0d1346a0 b461c6d2 ca8d2086 6411fbb6 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a86400 ffffff00 2001-03-22 23:25:32: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:32: DEBUG: oakley.c:725:oakley_compute_hash1(): HASH = computed:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 b1cee678 6746eb92 b0336373 ab764011 c79eb892 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1055:get_proppair(): total SA = len=3D48 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 00000001 00000001 00000028 01030401 01db2bb7 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 2001-03-22 23:25:32: DEBUG: isakmp.c:1023:isakmp_parsewoh(): begin. 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D2(prop) 2001-03-22 23:25:32: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed. 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1108:get_proppair(): proposal #1 = len=3D40 2001-03-22 23:25:32: DEBUG: isakmp.c:1023:isakmp_parsewoh(): begin. 
2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D3(trns) 2001-03-22 23:25:32: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed. 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1249:get_transform(): transform = #1 len=3D28 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DSA Life Type, flag=3D0x8000, lorv=3Dseconds 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DSA Life Duration, flag=3D0x8000, lorv=3D3600 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2128:check_attr_ipsec(): life = duration was in TLV. 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DEncription Mode, flag=3D0x8000, lorv=3DTunnel 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DAuthentication Algorithm, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DGroup Description, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1151:get_proppair(): pair 1: 2001-03-22 23:25:32: DEBUG: proposal.c:880:print_proppair0(): = 0x80ae3e0: next=3D0x0 tnext=3D0x0 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1186:get_proppair(): proposal = #1: 1 transform 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1055:get_proppair(): total SA = len=3D48 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 00000001 00000001 00000028 01030401 59135eab 0000001c 01030000 80010001 80020e10 80040001 80050002 80030002 2001-03-22 23:25:32: DEBUG: isakmp.c:1023:isakmp_parsewoh(): begin. 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D2(prop) 2001-03-22 23:25:32: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed. 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1108:get_proppair(): proposal #1 = len=3D40 2001-03-22 23:25:32: DEBUG: isakmp.c:1023:isakmp_parsewoh(): begin. 2001-03-22 23:25:32: DEBUG: isakmp.c:1050:isakmp_parsewoh(): seen = nptype=3D3(trns) 2001-03-22 23:25:32: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed. 
2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1249:get_transform(): transform = #1 len=3D28 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DSA Life Type, flag=3D0x8000, lorv=3Dseconds 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DSA Life Duration, flag=3D0x8000, lorv=3D3600 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2128:check_attr_ipsec(): life = duration was in TLV. 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DEncription Mode, flag=3D0x8000, lorv=3DTunnel 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DAuthentication Algorithm, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:2040:check_attr_ipsec(): = type=3DGroup Description, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1151:get_proppair(): pair 1: 2001-03-22 23:25:32: DEBUG: proposal.c:880:print_proppair0(): = 0x80ae3f0: next=3D0x0 tnext=3D0x0 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:1186:get_proppair(): proposal = #1: 1 transform 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:890:get_ph2approval(): begin = compare proposals. 
2001-03-22 23:25:32: DEBUG: ipsec_doi.c:896:get_ph2approval(): pair[1]: = 0x80ae3f0 2001-03-22 23:25:32: DEBUG: proposal.c:880:print_proppair0(): = 0x80ae3f0: next=3D0x0 tnext=3D0x0 2001-03-22 23:25:32: DEBUG: proposal.c:681:aproppair2saprop(): prop#=3D1 = prot-id=3DESP spi-size=3D4 #trns=3D1 trns#=3D1 trns-id=3D3DES 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:3597:ipsecdoi_t2satrns(): = type=3DSA Life Type, flag=3D0x8000, lorv=3Dseconds 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:3597:ipsecdoi_t2satrns(): = type=3DSA Life Duration, flag=3D0x8000, lorv=3D3600 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:3597:ipsecdoi_t2satrns(): = type=3DEncription Mode, flag=3D0x8000, lorv=3DTunnel 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:3597:ipsecdoi_t2satrns(): = type=3DAuthentication Algorithm, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:3597:ipsecdoi_t2satrns(): = type=3DGroup Description, flag=3D0x8000, lorv=3D2 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:932:get_ph2approvalx(): peer's = single bundle: 2001-03-22 23:25:32: DEBUG: proposal.c:813:printsaproto(): = (proto_id=3DESP spisize=3D4 spi=3D59135eab spi_p=3D00000000 = encmode=3DTunnel reqid=3D0:0) 2001-03-22 23:25:32: DEBUG: proposal.c:847:printsatrns(): = (trns_id=3D3DES encklen=3D0 authtype=3D2) 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:935:get_ph2approvalx(): my = single bundle: 2001-03-22 23:25:32: DEBUG: proposal.c:813:printsaproto(): = (proto_id=3DESP spisize=3D4 spi=3D01db2bb7 spi_p=3D00000000 = encmode=3DTunnel reqid=3D0:0) 2001-03-22 23:25:32: DEBUG: proposal.c:847:printsatrns(): = (trns_id=3D3DES encklen=3D0 authtype=3D2) 2001-03-22 23:25:32: DEBUG: ipsec_doi.c:953:get_ph2approvalx(): matched 2001-03-22 23:25:32: DEBUG: isakmp.c:714:quick_main(): =3D=3D=3D 2001-03-22 23:25:32: DEBUG: isakmp_quick.c:552:quick_i2send(): HASH(3) = generate 2001-03-22 23:25:32: DEBUG: oakley.c:659:oakley_compute_hash3(): HASH = with:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 00fedc40 7ee378c4 ee60866d 1eb6b2a6 
37df2a76 c1f74c11 89a7ebf3 9f8bd6a8 a05e553e c4ef686e 05 2001-03-22 23:25:32: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:32: DEBUG: oakley.c:669:oakley_compute_hash3(): HASH = computed:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 a85f03ba 9e9bc01f a08e71bb 016e8682 703985cb 2001-03-22 23:25:32: DEBUG: isakmp.c:2012:set_isakmp_payload(): add = payload of len 20, next type 0 2001-03-22 23:25:32: DEBUG: isakmp.c:2147:isakmp_printpacket(): begin. 25:32.940767 :500 -> :500: isakmp 1.0 = msgid fedc407e: phase 2/others ? oakley-quick: (hash: len=3D20) 2001-03-22 23:25:32: DEBUG: oakley.c:2610:oakley_do_encrypt(): begin = encryption. 2001-03-22 23:25:32: DEBUG: oakley.c:2617:oakley_do_encrypt(): pad = length =3D 8 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 00000018 a85f03ba 9e9bc01f a08e71bb 016e8682 703985cb 8ab45b6c 21b95207 2001-03-22 23:25:32: DEBUG: oakley.c:2652:oakley_do_encrypt(): = encrypt(3des). 2001-03-22 23:25:32: DEBUG: oakley.c:2655:oakley_do_encrypt(): with key: = 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 1b149c9f 84d998f6 a7804081 8edd7279 8a581069 80f0c89d 2001-03-22 23:25:32: DEBUG: oakley.c:2664:oakley_do_encrypt(): encrypted = payload by IV:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 e0d1b6a9 1989a7fc 2001-03-22 23:25:32: DEBUG: oakley.c:2671:oakley_do_encrypt(): save IV = for next:=20 2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 e0d1b6a9 1989a7fc 2001-03-22 23:25:32: DEBUG: oakley.c:2688:oakley_do_encrypt(): = encrypted. 2001-03-22 23:25:32: DEBUG: sockmisc.c:357:sendfromto(): sockname = [500] 2001-03-22 23:25:32: DEBUG: sockmisc.c:359:sendfromto(): send packet = from [500] 2001-03-22 23:25:32: DEBUG: sockmisc.c:361:sendfromto(): send packet to = [500] 2001-03-22 23:25:32: DEBUG: isakmp.c:1349:isakmp_send(): 1 times of 60 = bytes message will be sent. 
2001-03-22 23:25:32: DEBUG: plog.c:204:plogdump():=20 22995282 a09bc7c6 16db15fd 70dfe9a6 08102001 fedc407e 0000003c 29daac41 47d1c791 d2eabf71 2af93469 c54ce561 cf852e78 e0d1b6a9 1989a7fc 2001-03-22 23:25:33: DEBUG: oakley.c:192:oakley_dh_compute(): compute = DH's shared. 2001-03-22 23:25:33: DEBUG: plog.c:204:plogdump():=20 1cbbadae ac593cb5 86648589 9b444988 7ad70df1 b667ef98 7173e6ec f93d7204 3bcb4598 5d8a6a9f ded51437 5803801f 85b6ca63 590d3625 4239f2ac c9685215 6adebf24 39685dc2 9dc98f4d fa897f10 7d394e6d 9cfc9ced ba9c3d91 ff818be1 66612eb5 6ef3f008 bd5009b0 8e80bc1a 5918b8a6 63155c9a 656bfc12 e7eab712 2001-03-22 23:25:33: DEBUG: oakley.c:462:oakley_compute_keymat_x(): = KEYMAT compute with 2001-03-22 23:25:33: DEBUG: plog.c:204:plogdump():=20 1cbbadae ac593cb5 86648589 9b444988 7ad70df1 b667ef98 7173e6ec f93d7204 3bcb4598 5d8a6a9f ded51437 5803801f 85b6ca63 590d3625 4239f2ac c9685215 6adebf24 39685dc2 9dc98f4d fa897f10 7d394e6d 9cfc9ced ba9c3d91 ff818be1 66612eb5 6ef3f008 bd5009b0 8e80bc1a 5918b8a6 63155c9a 656bfc12 e7eab712 0301db2b b7e378c4 ee60866d 1eb6b2a6 37df2a76 c1f74c11 89a7ebf3 9f8bd6a8 a05e553e c4ef686e 05 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:33: DEBUG: oakley.c:475:oakley_compute_keymat_x(): = dupkeymat=3D3 2001-03-22 23:25:33: DEBUG: oakley.c:491:oakley_compute_keymat_x(): = generating K1...K3 for KEYMAT. 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 
2001-03-22 23:25:33: DEBUG: plog.c:204:plogdump():=20 8b715bc0 e0fb5459 d0a64fb1 96913db4 e05741ef f406193f 91ae0f13 d8fab440 359b661a e2cf4a33 80228851 62922c67 5c3318cc 5e91ef88 54fab45d 2001-03-22 23:25:33: DEBUG: oakley.c:462:oakley_compute_keymat_x(): = KEYMAT compute with 2001-03-22 23:25:33: DEBUG: plog.c:204:plogdump():=20 1cbbadae ac593cb5 86648589 9b444988 7ad70df1 b667ef98 7173e6ec f93d7204 3bcb4598 5d8a6a9f ded51437 5803801f 85b6ca63 590d3625 4239f2ac c9685215 6adebf24 39685dc2 9dc98f4d fa897f10 7d394e6d 9cfc9ced ba9c3d91 ff818be1 66612eb5 6ef3f008 bd5009b0 8e80bc1a 5918b8a6 63155c9a 656bfc12 e7eab712 0359135e abe378c4 ee60866d 1eb6b2a6 37df2a76 c1f74c11 89a7ebf3 9f8bd6a8 a05e553e c4ef686e 05 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:33: DEBUG: oakley.c:475:oakley_compute_keymat_x(): = dupkeymat=3D3 2001-03-22 23:25:33: DEBUG: oakley.c:491:oakley_compute_keymat_x(): = generating K1...K3 for KEYMAT. 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:33: DEBUG: oakley.c:310:oakley_prf(): hmac-sha1 used. 2001-03-22 23:25:33: DEBUG: plog.c:204:plogdump():=20 b5d31f90 38a5c659 02fc7ada c18e3a2e dc37dc29 5c7d32e7 0cef6657 47dee168 cec75ffc c69b4d24 35011e73 e91d6506 683e35e0 198070c2 5debff94 2001-03-22 23:25:33: DEBUG: oakley.c:392:oakley_compute_keymat(): KEYMAT = computed. 2001-03-22 23:25:33: DEBUG: isakmp_quick.c:623:quick_i2send(): call = pk_sendupdate 2001-03-22 23:25:33: DEBUG: pfkey.c:988:pk_sendupdate(): call = pfkey_send_update 2001-03-22 23:25:33: DEBUG: isakmp_quick.c:628:quick_i2send(): pfkey = update sent. 2001-03-22 23:25:33: DEBUG: pfkey.c:1203:pk_sendadd(): call = pfkey_send_add 2001-03-22 23:25:33: DEBUG: isakmp_quick.c:635:quick_i2send(): pfkey add = sent. 
2001-03-22 23:25:33: INFO: pfkey.c:1115:pk_recvupdate(): IPsec-SA established: ESP/Tunnel -> spi=31140791(0x1db2bb7)
2001-03-22 23:25:33: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed Invalid argument

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 23 20:55:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from demai05.mw.mediaone.net
(demai05.mw.mediaone.net [24.131.1.56]) by hub.freebsd.org (Postfix) with ESMTP id 725F937B719 for ; Fri, 23 Mar 2001 20:54:59 -0800 (PST) (envelope-from jerkart@mw.mediaone.net) Received: from jose (nic-131-c88-24.mw.mediaone.net [24.131.88.24]) by demai05.mw.mediaone.net (8.11.1/8.11.1) with SMTP id f2O4swa22630 for ; Fri, 23 Mar 2001 23:54:58 -0500 (EST) Message-ID: <05c501c0b41e$97277d20$0200a8c0@jose> 
From: "Jeremy Karteczka" To: Subject: Trying to set up an IKE vpn between FreeBSD and Checkpoint FW-1 Date: Fri, 23 Mar 2001 23:54:59 -0500 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_05C2_01C0B3F4.AB4609E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Greetings,

I am trying to get an IKE VPN going between a 4.2-RELEASE machine (using racoon for key exchange) and a Checkpoint firewall (v4.1 SP3). I have tried both sha1 and md5. Every time I try to establish a connection, phase 1 negotiation succeeds and phase 2 says it succeeds in the racoon log file, but then I get this message at the bottom of /var/log/messages:

When using md5:
key_mature: invalid AH key length 128 (160-160 allowed)

with sha1:
key_mature: invalid AH key length 160 (128-128 allowed)

I was able to speak with Checkpoint Tech support on this and they did confirm that Firewall-1 uses a 128-bit key for md5 and a 160-bit key for sha1. I have looked for RFCs to find out which is the accepted standard but could not find one that specifically states how long the key should be for each hash method. Can anyone point me to the proper RFCs and/or tell me if there is a way I can reverse the expected key length on the FreeBSD side? The Checkpoint tech I spoke with stated that Firewall-1 is compliant with RFCs 2408 and 2409 but I see no mention of AH key length for hash methods.

I have attached a copy of the racoon log (the external IPs have been cleansed) and the conf used for an attempt to connect while using sha1.
Thanks in advance,
Jeremy

Content-Type: application/x-gzip; name="racoon.tar.gz"
Content-Disposition: attachment; filename="racoon.tar.gz"
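As an added illustration (not part of Jeremy's post, racoon, or the FreeBSD kernel), the checker below encodes the key sizes that the AH authentication transform RFCs fix (RFC 2403: HMAC-MD5-96 takes exactly a 128-bit key; RFC 2404: HMAC-SHA-1-96 takes exactly a 160-bit key), parses the kernel's key_mature message quoted above, and reports whether the length the kernel insists on belongs to the other transform, which is what both quoted lines show. The setkey(8)-style hex key check and the sample log lines are constructed for the example.

```python
import re

# Key sizes fixed by the AH/ESP authentication transform RFCs:
# RFC 2403 (HMAC-MD5-96) requires exactly 128 bits,
# RFC 2404 (HMAC-SHA-1-96) requires exactly 160 bits.
REQUIRED_KEY_BITS = {
    "hmac-md5": 128,
    "hmac-sha1": 160,
}

# Shape of the KAME/FreeBSD kernel message quoted in the post, e.g.
#   key_mature: invalid AH key length 128 (160-160 allowed)
KEY_MATURE_RE = re.compile(
    r"key_mature: invalid AH key length (?P<got>\d+) "
    r"\((?P<lo>\d+)-(?P<hi>\d+) allowed\)"
)


def parse_key_mature(line):
    """Return the supplied key size and the kernel's allowed range from a
    key_mature line, or None when the line is not such a message."""
    m = KEY_MATURE_RE.search(line)
    if m is None:
        return None
    return {"got": int(m["got"]), "min": int(m["lo"]), "max": int(m["hi"])}


def transforms_with_key_bits(bits):
    """Names of the HMAC transforms whose fixed key size equals `bits`."""
    return sorted(name for name, n in REQUIRED_KEY_BITS.items() if n == bits)


def diagnose(configured_alg, line):
    """Explain a key_mature failure for the transform racoon was configured with."""
    info = parse_key_mature(line)
    if info is None:
        return "no key_mature error in line"
    if configured_alg not in REQUIRED_KEY_BITS:
        return f"unknown transform {configured_alg!r}"
    expected = REQUIRED_KEY_BITS[configured_alg]
    if info["got"] != expected:
        # The peer handed over a key of the wrong size for the agreed transform.
        return (f"peer supplied a {info['got']}-bit key, but {configured_alg} "
                f"requires {expected} bits")
    # The key matches the configured transform, yet the kernel SA wants another
    # size: the SA being installed carries a different authentication algorithm
    # than the one negotiated, i.e. the algorithm identifiers got crossed.
    wanted = transforms_with_key_bits(info["min"])
    wanted_s = ", ".join(wanted) if wanted else "an unknown transform"
    return (f"{info['got']}-bit key is correct for {configured_alg}; kernel SA "
            f"expects {info['min']} bits ({wanted_s}): authentication algorithm "
            "mismatch between the negotiated and the installed SA")


def setkey_key_ok(alg, hexkey):
    """Check a setkey(8)-style hex key ("0x...") against the transform's fixed
    size. setkey is the KAME stack's manual SA tool; using it here is an
    assumption of this example, not something the thread shows."""
    if not hexkey.lower().startswith("0x") or len(hexkey) <= 2:
        return False
    try:
        int(hexkey, 16)
    except ValueError:
        return False
    return (len(hexkey) - 2) * 4 == REQUIRED_KEY_BITS.get(alg)


# Constructed sample lines, shaped after the two messages quoted in the post.
SAMPLE_MD5_LINE = ("Mar 23 23:40:01 vpn /kernel: key_mature: invalid AH key "
                   "length 128 (160-160 allowed)")
SAMPLE_SHA1_LINE = ("Mar 23 23:45:12 vpn /kernel: key_mature: invalid AH key "
                    "length 160 (128-128 allowed)")

if __name__ == "__main__":
    print(diagnose("hmac-md5", SAMPLE_MD5_LINE))
    print(diagnose("hmac-sha1", SAMPLE_SHA1_LINE))
    print(setkey_key_ok("hmac-sha1", "0x" + "0b" * 20))  # 160-bit key
```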
From owner-freebsd-security Sat Mar 24 0:25:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from empty1.ekahuna.com (empty1.ekahuna.com [205.178.102.196]) by hub.freebsd.org (Postfix) with ESMTP id CCA7837B71B for ; Sat, 24 Mar 2001 00:25:06 -0800 (PST) (envelope-from pjklist@ekahuna.com)
Received: from pc-02 (pc02.ekahuna.com [205.178.102.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com for ; Sat, 24 Mar 2001 00:25:06 -0800
From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: security@FreeBSD.ORG
Date: Sat, 24 Mar 2001 00:25:06 -0800
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Delayed security advisories
Reply-To: pjklist@ekahuna.com
Message-ID: <3ABBE962.21950.29D4882@localhost>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

See message snippet included below.

Can someone tell me why there are security advisories coming out now for security vulnerabilities known to have been corrected 3 months ago?

Phil

> Date: Thu, 22 Mar 2001 13:12:32 -0800 (PST)
> From: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-01:30.ufs-ext2fs
>
> =============================================================================
> FreeBSD-SA-01:30 Security Advisory
> FreeBSD, Inc.
>
> Topic: UFS/EXT2FS allows disclosure of deleted data
>
> Category: kernel
> Module: ufs/ext2fs
> Announced: 2001-03-22
> Credits: Sven Berkvens, Marc Olzheim
> Affects: All released versions of FreeBSD 3.x, 4.x.
> FreeBSD 3.5-STABLE prior to the correction date.
> FreeBSD 4.2-STABLE prior to the correction date.
> Corrected: 2000-12-22 (FreeBSD 3.5-STABLE)
> 2000-12-22 (FreeBSD 4.2-STABLE)
> FreeBSD only: NO

--
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

From owner-freebsd-security Sat Mar 24 1:39: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-43.dsl.lsan03.pacbell.net [63.207.60.43]) by hub.freebsd.org (Postfix) with ESMTP id 2798E37B718 for ; Sat, 24 Mar 2001 01:39:01 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3015F66C3B; Sat, 24 Mar 2001 01:39:00 -0800 (PST)
Date: Sat, 24 Mar 2001 01:39:00 -0800
From: Kris Kennaway
To: "Philip J. Koenig"
Cc: security@FreeBSD.ORG
Subject: Re: Delayed security advisories
Message-ID: <20010324013900.A32192@xor.obsecurity.org>
References: <3ABBE962.21950.29D4882@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ABBE962.21950.29D4882@localhost>; from pjklist@ekahuna.com on Sat, Mar 24, 2001 at 12:25:06AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 24, 2001 at 12:25:06AM -0800, Philip J. Koenig wrote:
> See message snippet included below.
>
> Can someone tell me why there are security advisories coming out now
> for security vulnerabilities known to have been corrected 3 months
> ago?

In this instance, we were trying to coordinate with CERT who wanted vendors to hold off immediately releasing since it affects most UNIX systems. After 2 1/2 months we hadn't heard anything more about it (and I had kind of lost track of it in the meantime due to other more pressing issues). I pinged CERT again, they asked us to delay another week while they got back to it, 1 1/2 weeks later we still had heard nothing so we just released it.

Hope this clarifies the issue.
Kris

From owner-freebsd-security Sat Mar 24 1:50:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from empty1.ekahuna.com (empty1.ekahuna.com [205.178.102.196]) by hub.freebsd.org (Postfix) with ESMTP id B85F237B719 for ; Sat, 24 Mar 2001 01:50:48 -0800 (PST) (envelope-from pjklist@ekahuna.com)
Received: from pc-02 (pc02.ekahuna.com [205.178.102.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com; Sat, 24 Mar 2001 01:50:47 -0800
From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: Kris Kennaway
Date: Sat, 24 Mar 2001 01:50:48 -0800
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Delayed security advisories
Reply-To: pjklist@ekahuna.com
Cc: security@FreeBSD.ORG
Message-ID: <3ABBFD78.30833.2EBC336@localhost>
In-reply-to: <20010324013900.A32192@xor.obsecurity.org>
References: <3ABBE962.21950.29D4882@localhost>; from pjklist@ekahuna.com on Sat, Mar 24, 2001 at 12:25:06AM -0800
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 24 Mar 2001, at 1:39, Kris Kennaway boldly uttered:
> On Sat, Mar 24, 2001 at 12:25:06AM -0800, Philip J. Koenig wrote:
> > See message snippet included below.
> >
> > Can someone tell me why there are security advisories coming out now
> > for security vulnerabilities known to have been corrected 3 months
> > ago?
>
> In this instance, we were trying to coordinate with CERT who wanted
> vendors to hold off immediately releasing since it affects most UNIX
> systems. After 2 1/2 months we hadn't heard anything more about it
> (and I had kind of lost track of it in the meantime due to other more
> pressing issues). I pinged CERT again, they asked us to delay another
> week while they got back to it, 1 1/2 weeks later we still had heard
> nothing so we just released it.
>
> Hope this clarifies the issue.
>
> Kris

It does indeed - thanks for the info.

I have to admit sometimes I wonder whether CERT is more of a hindrance than a help. Well at least they aren't unwittingly distributing viruses and causing DoS attacks from code distributed on their mailing list like Bugtraq. :-)

Phil

--
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

From owner-freebsd-security Sat Mar 24 11:24: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp6.mindspring.com (smtp6.mindspring.com [207.69.200.110]) by hub.freebsd.org (Postfix) with ESMTP id A5D0537B71E for ; Sat, 24 Mar 2001 11:24:04 -0800 (PST) (envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca3b-185.ix.netcom.com [209.110.241.185]) by smtp6.mindspring.com (8.9.3/8.8.5) with ESMTP id OAA00638; Sat, 24 Mar 2001 14:24:00 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000) id 9D2D5114069; Sat, 24 Mar 2001 11:23:33 -0800 (PST)
From: Mike Harding
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
In-reply-to: <10518.985201829@coconut.itojun.org>
Subject: Re: IPSEC/VPN/NAT and filtering
References: <10518.985201829@coconut.itojun.org>
Message-Id: <20010324192333.9D2D5114069@netcom1.netcom.com>
Date: Sat, 24 Mar 2001 11:23:33 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Okay, I think I know enough now to proceed in making a doc on interacting with a Cisco VPN, with a very minor kernel change. Can anybody suggest who I should contact to determine if this makes sense, and how I can coordinate with the FreeBSD team?

Also, Itojun, can you provide reference to 'scoped addresses' and 'strong host model node'?

Thanks,
Mike Harding

Cc: freebsd-security@freebsd.org
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 04:10:29 +0900
Sender: itojun@itojun.org
X-SpamBouncer: 1.3 (1/18/00)
X-SBClass: OK

>My modest proposal would be to have a sysctl variable to indicate an
>alternate interface to reinject the decrypted packets (like a local
>loopback, the default or maybe a new one, lo1). Then you know that
>anything coming in that interface was inserted by the KAME stack and
>you can apply filtering to it. This would allow firewall and IPSEC
>gateway functionality to be put into the same box.

strong no to changing m->m_pkthdr.rcvif on IPsec tunnel operations. that behavior will kill scoped addresses, as well as recently-discussed-to-death strong host model node.

see latest NetBSD source code tree, and the following URL, on how we handled it (now ipfilter looks at wire format packet only). i have no environment/time to do the same on freebsd, but i can say that the foundations are there in kame and netbsd tree. (you can check if the packet went through IPsec on inbound, by using ipsec_gethist())

http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun

From owner-freebsd-security Sat Mar 24 11:43:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 86B5E37B718; Sat, 24 Mar 2001 11:43:13 -0800 (PST) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id UAA09140; Sat, 24 Mar 2001 20:43:01 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14gtwD-0007hF-00; Sat, 24 Mar 2001 20:43:01 +0100
Date: Sat, 24 Mar 2001 20:43:01 +0100
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Cc: freebsd-doc@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <20010324204301.A28945@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam, freebsd-security@freebsd.org, freebsd-doc@freebsd.org
References: <10518.985201829@coconut.itojun.org> <20010324192333.9D2D5114069@netcom1.netcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010324192333.9D2D5114069@netcom1.netcom.com>; from mvh@ix.netcom.com on Sat, Mar 24, 2001 at 11:23:33AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Mike,

On Sat, Mar 24, 2001 at 11:23:33AM -0800, Mike Harding wrote:
>
> Okay, I think I know enough now to proceed in making a doc on
> interacting with a Cisco VPN, with a very minor kernel change. Can
> anybody suggest who I should contact to determine if this makes sense,
> and how I can coordinate with the FreeBSD team?

For documentation issues - including the ones you mentioned - there is always the freebsd-doc list, since members of the FreeBSD Doc Team tend to hang out there but not always on other lists. It is also a good place to post your drafts etc. to for review and eventual inclusion. I think the idea is very good BTW, you can make a nice tutorial out of it.

(This message has already been Cc:-d there to get the discussion going, the -security list should eventually be removed from recipients.)
--
Regards:
Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Sat Mar 24 12:53:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 26CC437B71B for ; Sat, 24 Mar 2001 12:53:18 -0800 (PST) (envelope-from jorge@aker.com.br)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340354 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 14:53:30 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 14:52:23 -0600
Content-Type: multipart/mixed; boundary="----=_NextPart_000_15B3_01C0B472.09013780"
Received: from tyr.kinsman.lan ([127.0.0.1] RDNS failed) by tyr.kinsman.lan with Microsoft SMTPSVC(5.0.2195.1600); Thu, 15 Mar 2001 11:28:35 -0600
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 14:51:44 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020161E8@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
To:
X-OriginalArrivalTime: 24 Mar 2001 20:52:23.0992 (UTC) FILETIME=[53CC7B80:01C0B4A4]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only succeeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.

All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too.

Thank you very much for your attention,

Sincerely,
jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.

--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_15B3_01C0B472.09013780-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 12:57:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id EE57037B71A for ; Sat, 24 Mar 2001 12:57:41 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340407 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 14:57:54 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 14:57:40 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1A09_01C0B472.C59BB000" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 14:57:37 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 14:57:36 -0600
MIME-Version: 1.0
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <29@243200114573629> directly for ; Sat, 24 Mar 2001 2:57:36 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 14:57:38 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016286@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
To:
X-OriginalArrivalTime: 24 Mar 2001 20:57:40.0186 (UTC) FILETIME=[1043DBA0:01C0B4A5]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've read the mini-howto on how to set up IPSEC on FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, IKE's phase 2 only succeeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.

All the docs I found on the kame site (www.kame.net), the handbook, and the man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.

--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 20 sec;
}

remote anonymous {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2;
        }
}

sainfo anonymous {
        # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
        pfs_group 2;
        lifetime time 36000 sec;
        lifetime byte 50000 KB;
        encryption_algorithm 3des,des ;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}
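The sainfo block from the attached racoon.conf in two forms, as an added example that is not from the original post or from the racoon project: the poster's form with pfs_group 2, and a form for the Windows 2000 peer that omits pfs_group altogether, which racoon.conf(5) documents as the way to run phase 2 without PFS and which keeps racoon from proposing any Diffie-Hellman group in quick mode. The two address selectors replace the post's single `sainfo anonymous` so that only the Win2K peer gives up PFS; the addresses are constructed (RFC 5737 documentation ranges), and the Windows 2000 policy setting named in the comments comes from the filter action's Security Methods tab, not from the post.

```conf
# Added example (not from the original post or the racoon project).
# Phase 2 (quick mode) PFS is chosen per sainfo block. The attached config
# sets "pfs_group 2" under "sainfo anonymous", so for every peer racoon as
# initiator adds a KE payload with DH group 2 to its quick mode proposal.
# A Windows 2000 filter action with "Session key Perfect Forward Secrecy"
# unchecked expects no group at all and rejects that proposal, which is the
# "received 1 or 2 and not 0" complaint in the post.  racoon's grammar has
# no "pfs_group 0"; PFS is switched off by leaving the directive out.

# Poster's form, kept for peers that do negotiate PFS.
# Addresses are constructed (RFC 5737 ranges), not from the post.
sainfo address 192.0.2.0/24 any address 198.51.100.0/24 any {
        pfs_group 2;                    # DH group 2 KE payload in quick mode
        lifetime time 36000 sec;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;      # the post also lists des; single DES
                                        # is not worth offering to a new peer
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}

# Windows 2000 peer: no pfs_group line, so racoon proposes no DH group and
# accepts whatever PFS choice the peer makes.  Trade-off: the phase 2 keys
# are then derived only from the phase 1 SKEYID_d, so whoever recovers the
# phase 1 keying material can derive every phase 2 SA negotiated under it.
# The alternative that keeps PFS is to enable "Session key Perfect Forward
# Secrecy" in the Win2K filter action with a DH group matching pfs_group,
# and keep the first form for this peer too.
sainfo address 192.0.2.0/24 any address 203.0.113.0/24 any {
        lifetime time 36000 sec;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
```

With `proposal_check obey` left as in the attachment, racoon as responder still takes the lifetimes and PFS choice the initiator sends, so the second block changes behaviour only when racoon initiates, which is exactly the failing direction in the post.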
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:02:37 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:02:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <34@24320011523634> directly for ; Sat, 24 Mar 2001 3:02:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:02:38 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016287@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:02:41.0297 (UTC) FILETIME=[C3BDC010:01C0B4A5] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1A27_01C0B473.79159470 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1A27_01C0B473.79159470 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1A27_01C0B473.79159470-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13: 7:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id F13C437B719 for ; Sat, 24 Mar 2001 13:07:42 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340412 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:07:55 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:07:41 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1A45_01C0B474.2BD37BE0" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:07:38 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:07:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <41@24320011573641> directly for ; Sat, 24 Mar 2001 3:07:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:07:38 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016289@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:07:41.0176 (UTC) FILETIME=[767BA780:01C0B4A6] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1A45_01C0B474.2BD37BE0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1A45_01C0B474.2BD37BE0 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1A45_01C0B474.2BD37BE0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:12:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 8260C37B71A for ; Sat, 24 Mar 2001 13:12:43 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340415 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:12:56 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:12:41 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1A8D_01C0B474.DEE88400" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:12:38 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:12:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <45@243200115123645> directly for ; Sat, 24 Mar 2001 3:12:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:12:39 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201628A@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:12:41.0606 (UTC) FILETIME=[298DA260:01C0B4A7] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1A8D_01C0B474.DEE88400 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1A8D_01C0B474.DEE88400 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1A8D_01C0B474.DEE88400-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:17:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 3E41E37B71B for ; Sat, 24 Mar 2001 13:17:44 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340418 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:17:56 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:17:41 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1AAB_01C0B475.91F46460" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:17:39 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:17:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <49@243200115173649> directly for ; Sat, 24 Mar 2001 3:17:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:17:40 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201628B@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:17:41.0996 (UTC) FILETIME=[DC9982C0:01C0B4A7] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1AAB_01C0B475.91F46460 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1AAB_01C0B475.91F46460 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1AAB_01C0B475.91F46460-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:22:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 638EB37B71B for ; Sat, 24 Mar 2001 13:22:44 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340420 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:22:56 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:22:42 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1AC3_01C0B476.45035200" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:22:39 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:22:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <57@243200115223657> directly for ; Sat, 24 Mar 2001 3:22:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:22:40 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201628C@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:22:42.0426 (UTC) FILETIME=[8FAB7DA0:01C0B4A8] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1AC3_01C0B476.45035200 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1AC3_01C0B476.45035200 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1AC3_01C0B476.45035200-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:27:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id B9BAD37B71D for ; Sat, 24 Mar 2001 13:27:44 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340422 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:27:57 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:27:42 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1ADB_01C0B476.F8185A20" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:27:39 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:27:36 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <61@243200115273661> directly for ; Sat, 24 Mar 2001 3:27:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:27:40 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201628D@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:27:42.0876 (UTC) FILETIME=[42C085C0:01C0B4A9] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1ADB_01C0B476.F8185A20 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1ADB_01C0B476.F8185A20 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1ADB_01C0B476.F8185A20-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:32:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id DFFDA37B71D for ; Sat, 24 Mar 2001 13:32:45 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340425 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:32:58 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:32:43 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1AFF_01C0B477.AB879030" Received: from mail pickup service by 
tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:32:40 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:32:37 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <66@243200115323666> directly for ; Sat, 24 Mar 2001 3:32:36 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:32:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201628F@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:32:43.0907 (UTC) FILETIME=[F62E3530:01C0B4A9] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1AFF_01C0B477.AB879030 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1AFF_01C0B477.AB879030 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# Specification of default various timer.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 20 sec;
}

remote anonymous {
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2;
	}
}

sainfo anonymous {
	# does not matter if 1 or 2, zero (expected by Win2K) won't parse.
	pfs_group 2;
	lifetime time 36000 sec;
	lifetime byte 50000 KB;
	encryption_algorithm 3des,des ;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
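Added example (editor's note; this is not part of the poster's message or of the KAME racoon distribution): the same sainfo block with the pfs_group directive left out. In racoon, phase 2 PFS is turned off by omitting pfs_group, not by giving it a value of 0, which, as the parse error reported above shows, its grammar does not accept. With no group configured, racoon's quick mode proposal carries no DH group, which is what a Windows 2000 IPsec policy with session-key PFS disabled (its default) expects from an initiator. proposal_check obey only governs what racoon accepts when it is the responder, which is consistent with the Windows-initiated direction working while the racoon-initiated one fails. The trade-off is that phase 2 keys are then derived only from the phase 1 Diffie-Hellman secret; if PFS is wanted, the alternative is to keep pfs_group 2 and enable session-key PFS in the Windows 2000 filter action's security methods instead. Everything else is left as in the attached file.

```conf
# sainfo block for racoon 20001111a with phase 2 PFS disabled.
# Added example, not the poster's file: "pfs_group" is simply omitted,
# which is how racoon is told not to request PFS (0 is not a valid value).
sainfo anonymous {
	# no pfs_group line: the quick mode proposal carries no DH group,
	# matching a Windows 2000 policy that has session-key PFS switched off.
	lifetime time 36000 sec;
	lifetime byte 50000 KB;
	encryption_algorithm 3des,des ;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}
```

Restart racoon after the change and retry the racoon-initiated case with log debug still on to see whether Windows now accepts the phase 2 proposal. Note also that listing des in encryption_algorithm allows the peer to select single DES; drop it unless the Windows side genuinely requires it.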
From owner-freebsd-security Sat Mar 24 13:40:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 334A037B719 for ; Sat, 24 Mar 2001 13:40:11 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2OLdHR20434; Sat, 24 Mar 2001 13:39:18 -0800 (PST) (envelope-from oldfart@gtonet.net) Reply-To:
From: "oldfart@gtonet" To: "Jorge Peixoto Vasquez" , Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 13:39:12 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <39F078A4FCEC5D408C23FC3D92DEE40201628F@tyr.kinsman.lan> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You've posted the same message 9 times, please stop. Somebody will help IF/when they can. OF > -----Original Message----- 
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> Vasquez
> Sent: Saturday, March 24, 2001 1:33 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPSEC: racoon and Win2K
>
>
> I've read the mini-howto on how to set up IPSEC on FreeBSD
> (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> successful so far.
>
> I would be very glad if anyone could help me on the following matter:
>
> The only problem I've encountered is that, when making Win2K and FreeBSD
> interoperate, the IKE's phase 2 only succeeds if
> Win2K initiates the process. If racoon is to start it, Win2k will not
> accept any proposal for phase 2, complaining that the dh group number
> (which should correctly be either 1 or 2) received is 1 or 2 (depending
> on the pfs_group setting in racoon.conf) and not null(0). If I try
> setting pfs_group to null, I get a parse error.
>
> All the docs I found on the kame site (www.kame.net), the handbook, and
> the man pages haven't been of any help either.
>
> Thank you very much for your attention,
>
> Sincerely,
>
> jOrge
>
> p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> high-encryption pack and SP1 installed on the Win2K box.
> --
> Jorge Peixoto Vasquez, Elet. Eng.
> Aker Security Solutions
> tel. +55 - 61 - 340 9083

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Sat Mar 24 13:44:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 2C2CE37B719 for ; Sat, 24 Mar 2001 13:44:24 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2OLiOR20478 for ; Sat, 24 Mar 2001 13:44:24 -0800 (PST) (envelope-from oldfart@gtonet.net) Reply-To:
From: "oldfart@gtonet" To: Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 13:44:19 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <39F078A4FCEC5D408C23FC3D92DEE402016292@tyr.kinsman.lan> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, now I see it's majordomo, can someone fix it? OF > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet > Sent: Saturday, March 24, 2001 1:43 PM > To: freebsd-security@FreeBSD.ORG > Subject: RE: IPSEC: racoon and Win2K > > > You've posted the same message 9 times, please stop. Somebody will help > IF/when they can. > > OF > > > -----Original Message----- 
> > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto > > Vasquez > > Sent: Saturday, March 24, 2001 1:33 PM > > To: freebsd-security@FreeBSD.ORG > > Subject: IPSEC: racoon and Win2K > > > > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > > succesful so far. > > > > I would be very glad if anyone could help me on the following matter: > > > > The only problem I've encountered is that, when making Win2K and FreeBSD > > interoperate, the IKE's phase 2 only suceeds if > > Win2K initiates the process. If racoon is to start it, Win2k will not > > accept any proposal for phase 2, complaining that the dh group number > > (which should correctly be either 1 or 2) received is 1 or 2 (depending > > on the pfs_group setting in racoon.conf) and not null(0). If I try > > setting pfs_group to null, I get a parse error. > > > > All the docs I found in the kame site (www.kame.net), the handbook, and > > the man pages haven't been of any help too. > > > > Thank you very much for your attention, > > > > Sincerely, > > > > jOrge > > > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the > > high-encryption pack and SP1 installed on the Win2K box. > > -- > > Jorge Peixoto Vasquez, Elet. Eng. > > Aker Security Solutions > > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:47:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 0984937B71E for ; Sat, 24 Mar 2001 13:47:44 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340432 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:47:56 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:41 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:38 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <91@243200115473791> directly for ; Sat, 24 Mar 2001 3:47:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:47:40 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016294@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0q1uu4tAaEfdmTK2d18vVpZSK8w== 
From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 21:47:41.0882 (UTC) FILETIME=[0D6A51A0:01C0B4AC] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You've posted the same message 9 times, please stop. Somebody will help IF/when they can. OF > -----Original Message----- 
> From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto > Vasquez > Sent: Saturday, March 24, 2001 1:33 PM > To: freebsd-security@FreeBSD.ORG > Subject: IPSEC: racoon and Win2K > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > succesful so far. > > I would be very glad if anyone could help me on the following matter: > > The only problem I've encountered is that, when making Win2K and = FreeBSD > interoperate, the IKE's phase 2 only suceeds if > Win2K initiates the process. If racoon is to start it, Win2k will not > accept any proposal for phase 2, complaining that the dh group number > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > on the pfs_group setting in racoon.conf) and not null(0). If I try > setting pfs_group to null, I get a parse error. > > All the docs I found in the kame site (www.kame.net), the handbook, = and > the man pages haven't been of any help too. > > Thank you very much for your attention, > > Sincerely, > > jOrge > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > high-encryption pack and SP1 installed on the Win2K box. > -- > Jorge Peixoto Vasquez, Elet. Eng. > Aker Security Solutions > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:48: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 0CBE037B71F for ; Sat, 24 Mar 2001 13:47:47 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340433 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:47:59 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:44 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1B7B_01C0B479.C46F87E0" Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:39 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:37 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <94@243200115473794> directly for ; Sat, 24 Mar 2001 3:47:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:47:41 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016295@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 21:47:44.0696 (UTC) FILETIME=[0F17B380:01C0B4AC] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1B7B_01C0B479.C46F87E0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1B7B_01C0B479.C46F87E0 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1B7B_01C0B479.C46F87E0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:48:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 9FFE337B71B for ; Sat, 24 Mar 2001 13:47:47 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340441 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:48:00 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:45 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:39 -0600 Received: from 
mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:47:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <97@243200115473797> directly for ; Sat, 24 Mar 2001 3:47:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:47:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016296@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0rA1efAZjoewUQHKXdczG+L8++w== From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 21:47:45.0227 (UTC) FILETIME=[0F68B9B0:01C0B4AC] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, now I see it's majordomo, can someone fix it? OF > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet > Sent: Saturday, March 24, 2001 1:43 PM > To: freebsd-security@FreeBSD.ORG > Subject: RE: IPSEC: racoon and Win2K > > > You've posted the same message 9 times, please stop. Somebody will = help > IF/when they can. > > OF > > > -----Original Message----- 
> > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge = Peixoto > > Vasquez > > Sent: Saturday, March 24, 2001 1:33 PM > > To: freebsd-security@FreeBSD.ORG > > Subject: IPSEC: racoon and Win2K > > > > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > > succesful so far. > > > > I would be very glad if anyone could help me on the following = matter: > > > > The only problem I've encountered is that, when making Win2K and = FreeBSD > > interoperate, the IKE's phase 2 only suceeds if > > Win2K initiates the process. If racoon is to start it, Win2k will = not > > accept any proposal for phase 2, complaining that the dh group = number > > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > > on the pfs_group setting in racoon.conf) and not null(0). If I try > > setting pfs_group to null, I get a parse error. > > > > All the docs I found in the kame site (www.kame.net), the handbook, = and > > the man pages haven't been of any help too. > > > > Thank you very much for your attention, > > > > Sincerely, > > > > jOrge > > > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > > high-encryption pack and SP1 installed on the Win2K box. > > -- > > Jorge Peixoto Vasquez, Elet. Eng. > > Aker Security Solutions > > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 13:53: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 5B41A37B736 for ; Sat, 24 Mar 2001 13:52:45 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340443 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:52:57 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:52:42 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:52:39 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 15:52:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <107@2432001155237107> directly for ; Sat, 24 Mar 2001 3:52:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 15:52:40 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016297@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0q1uu4tAaEfdmTK2d18vVpZSK8w== 
From: "oldfart@gtonet"
To:
Reply-To:
X-OriginalArrivalTime: 24 Mar 2001 21:52:42.0081 (UTC) FILETIME=[C0590D10:01C0B4AC]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You've posted the same message 9 times, please stop. Somebody will help
IF/when they can.

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> Vasquez
> Sent: Saturday, March 24, 2001 1:33 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPSEC: racoon and Win2K
>
>
> I've read the mini-howto on how to setup IPSEC on the FreeBSD
> (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> successful so far.
>
> I would be very glad if anyone could help me on the following matter:
>
> The only problem I've encountered is that, when making Win2K and FreeBSD
> interoperate, the IKE's phase 2 only succeeds if
> Win2K initiates the process. If racoon is to start it, Win2k will not
> accept any proposal for phase 2, complaining that the dh group number
> (which should correctly be either 1 or 2) received is 1 or 2 (depending
> on the pfs_group setting in racoon.conf) and not null(0). If I try
> setting pfs_group to null, I get a parse error.
>
> All the docs I found in the kame site (www.kame.net), the handbook, and
> the man pages haven't been of any help either.
>
> Thank you very much for your attention,
>
> Sincerely,
>
> jOrge
>
> p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> high-encryption pack and SP1 installed on the Win2K box.
> --
> Jorge Peixoto Vasquez, Elet. Eng.
> Aker Security Solutions
> tel. +55 - 61 - 340 9083

From owner-freebsd-security Sat Mar 24 13:53: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226])
	by hub.freebsd.org (Postfix) with ESMTP id EA32F37B75B
	for ; Sat, 24 Mar 2001 13:52:45 -0800 (PST)
	(envelope-from jorge@aker.com.br)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan)
	by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340444
	for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:52:58 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:42 -0600
Content-Type: multipart/mixed; boundary="----=_NextPart_000_1BAB_01C0B47A.75FBCD20"
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:39 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:37 -0600
MIME-Version: 1.0
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <110@2432001155237110> directly for ; Sat, 24 Mar 2001 3:52:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 15:52:41 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016298@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
To:
X-OriginalArrivalTime: 24 Mar 2001 21:52:42.0542 (UTC) FILETIME=[C09F64E0:01C0B4AC]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've read the mini-howto on how to setup IPSEC on the FreeBSD
(http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD
interoperate, the IKE's phase 2 only succeeds if
Win2K initiates the process. If racoon is to start it, Win2k will not
accept any proposal for phase 2, complaining that the dh group number
(which should correctly be either 1 or 2) received is 1 or 2 (depending
on the pfs_group setting in racoon.conf) and not null(0). If I try
setting pfs_group to null, I get a parse error.

All the docs I found in the kame site (www.kame.net), the handbook, and
the man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
high-encryption pack and SP1 installed on the Win2K box.
--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 20 sec;
}

remote anonymous
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal
	{
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2;
	}
}

sainfo anonymous
{
	# does not matter if 1 or 2, zero (expected by Win2K) won't parse.
	pfs_group 2;
	lifetime time 36000 sec;
	lifetime byte 50000 KB;
	encryption_algorithm 3des,des ;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}

From owner-freebsd-security Sat Mar 24 13:53:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226])
	by hub.freebsd.org (Postfix) with ESMTP id B353337B776
	for ; Sat, 24 Mar 2001 13:52:47 -0800 (PST)
	(envelope-from oldfart@gtonet.net)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan)
	by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340445
	for freebsd-security@freebsd.org; Sat, 24 Mar 2001 15:52:58 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:43 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:40 -0600
Received: from
	mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 15:52:37 -0600
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <113@2432001155237113> directly for ; Sat, 24 Mar 2001 3:52:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: RE: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 15:52:41 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE402016299@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcC0rA1efAZjoewUQHKXdczG+L8++w==
From: "oldfart@gtonet"
To:
Reply-To:
X-OriginalArrivalTime: 24 Mar 2001 21:52:43.0003 (UTC) FILETIME=[C0E5BCB0:01C0B4AC]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, now I see it's majordomo, can someone fix it?

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet
> Sent: Saturday, March 24, 2001 1:43 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: RE: IPSEC: racoon and Win2K
>
>
> You've posted the same message 9 times, please stop. Somebody will help
> IF/when they can.
>
> OF
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> > Vasquez
> > Sent: Saturday, March 24, 2001 1:33 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: IPSEC: racoon and Win2K
> >
> >
> > I've read the mini-howto on how to setup IPSEC on the FreeBSD
> > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> > successful so far.
> >
> > I would be very glad if anyone could help me on the following matter:
> >
> > The only problem I've encountered is that, when making Win2K and FreeBSD
> > interoperate, the IKE's phase 2 only succeeds if
> > Win2K initiates the process. If racoon is to start it, Win2k will not
> > accept any proposal for phase 2, complaining that the dh group number
> > (which should correctly be either 1 or 2) received is 1 or 2 (depending
> > on the pfs_group setting in racoon.conf) and not null(0). If I try
> > setting pfs_group to null, I get a parse error.
> >
> > All the docs I found in the kame site (www.kame.net), the handbook, and
> > the man pages haven't been of any help either.
> >
> > Thank you very much for your attention,
> >
> > Sincerely,
> >
> > jOrge
> >
> > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> > high-encryption pack and SP1 installed on the Win2K box.
> > --
> > Jorge Peixoto Vasquez, Elet. Eng.
> > Aker Security Solutions
> > tel. +55 - 61 - 340 9083
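The pfs_group problem in the quoted post, as an added example that is not code from the post or from racoon: a Python checker that parses a racoon.conf sainfo block, reports the phase 2 DH group racoon would propose, and compares it with the 0 the post says Win2K expects. It assumes, per racoon.conf(5), that pfs_group is optional in sainfo and that leaving it out disables PFS for phase 2; the sample blocks are constructed from the attached racoon.conf.

```python
"""Parse the sainfo block of a racoon.conf and report its phase 2 (quick mode)
PFS setting, then compare it with the DH group the peer insists on.

Added example, not code from the post or from racoon.  Assumption taken from
racoon.conf(5): pfs_group is optional in a sainfo block, and leaving it out
means racoon proposes phase 2 without PFS, i.e. without any DH group.
"""
import re

# Constructed sample: the sainfo block from the racoon.conf attached to the post.
POSTED_SAINFO = """
sainfo anonymous
{
    # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
    pfs_group 2;
    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

# Constructed variant: the same block with the pfs_group line left out, which is
# the assumed way to get "no PFS" since "pfs_group 0" is rejected by the parser.
NO_PFS_SAINFO = """
sainfo anonymous
{
    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

# racoon accepts either the IKE group number or a modp name for a DH group.
DH_GROUP_NUMBERS = {"modp768": 1, "modp1024": 2, "modp1536": 5}


def strip_comments(text):
    """Drop '#' comments to end of line (racoon.conf strings never contain '#')."""
    return re.sub(r"#[^\n]*", "", text)


def parse_sainfo(text):
    """Return (selector, directives) for the first sainfo block in text.

    directives maps a directive name to its argument tokens; the two
    'lifetime' forms are keyed as 'lifetime time' and 'lifetime byte'.
    """
    m = re.search(r"sainfo\s+(.+?)\s*\{(.*?)\}", strip_comments(text), re.S)
    if m is None:
        raise ValueError("no sainfo block found")
    selector = m.group(1).strip()
    directives = {}
    for stmt in m.group(2).split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] == "lifetime" and len(tokens) > 1:
            directives[" ".join(tokens[:2])] = tokens[2:]
        else:
            directives[tokens[0]] = tokens[1:]
    return selector, directives


def phase2_pfs_group(directives):
    """DH group racoon would propose for phase 2; 0 when PFS is not configured."""
    args = directives.get("pfs_group")
    if not args:
        return 0
    value = args[0]
    if value in DH_GROUP_NUMBERS:
        return DH_GROUP_NUMBERS[value]
    if value.isdigit() and int(value) > 0:
        return int(value)
    # Mirrors the post: "pfs_group 0" (null) is not a valid setting.
    raise ValueError(f"unsupported pfs_group value: {value!r}")


def check_against_peer(directives, peer_group):
    """Compare the proposed phase 2 group with the one the peer expects."""
    ours = phase2_pfs_group(directives)
    return {"proposed": ours, "peer_expects": peer_group, "match": ours == peer_group}


if __name__ == "__main__":
    # In the post, Win2K rejects a proposal carrying group 1 or 2 and wants 0.
    for label, conf in (("posted", POSTED_SAINFO), ("no pfs_group", NO_PFS_SAINFO)):
        _, directives = parse_sainfo(conf)
        print(label, check_against_peer(directives, peer_group=0))
```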
From owner-freebsd-security Sat Mar 24 14: 3: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226])
	by hub.freebsd.org (Postfix) with ESMTP id 7CDED37B71B
	for ; Sat, 24 Mar 2001 14:02:48 -0800 (PST)
	(envelope-from jorge@aker.com.br)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan)
	by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340459
	for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:03:01 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 16:02:46 -0600
Content-Type: multipart/mixed; boundary="----=_NextPart_000_1C1D_01C0B47B.DDB33420"
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 16:02:40 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC;
	Sat, 24 Mar 2001 16:02:37 -0600
MIME-Version: 1.0
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <138@243200116237138> directly for ; Sat, 24 Mar 2001 4:02:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:02:42 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE40201629F@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
To:
X-OriginalArrivalTime: 24 Mar 2001 22:02:46.0056 (UTC) FILETIME=[28585280:01C0B4AE]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've read the mini-howto on how to setup IPSEC on the FreeBSD
(http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD
interoperate, the IKE's phase 2 only succeeds if
Win2K initiates the process. If racoon is to start it, Win2k will not
accept any proposal for phase 2, complaining that the dh group number
(which should correctly be either 1 or 2) received is 1 or 2 (depending
on the pfs_group setting in racoon.conf) and not null(0). If I try
setting pfs_group to null, I get a parse error.

All the docs I found in the kame site (www.kame.net), the handbook, and
the man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
high-encryption pack and SP1 installed on the Win2K box.
--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1C1D_01C0B47B.DDB33420-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14: 7:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 6B19737B71D for ; Sat, 24 Mar 2001 14:07:46 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340465 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:07:59 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:07:43 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:07:40 -0600 Received: from 
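The attached racoon.conf, worked through as an added example (this is not code from the thread or from racoon): a small parser for racoon.conf's brace-and-semicolon syntax plus a lint that reports what the sainfo block will make racoon propose in IKE phase 2. SAMPLE_CONF is a constructed, trimmed copy of the attached file. The point it demonstrates is the one racoon.conf(5) documents: pfs_group is optional, and leaving the directive out (rather than writing 0, which does not parse, as the poster found) is how racoon is told not to require PFS in quick mode. Whether that alone makes the Win2K peer accept a racoon-initiated phase 2 is not something the thread confirms; the lint only makes the mismatch visible in the config.

```python
"""racoon.conf parser and a lint for the IKE phase 2 (quick mode) proposal.
Added example; this is not code from the thread or from racoon itself."""
import re

# Constructed sample: a trimmed copy of the racoon.conf posted in the thread.
SAMPLE_CONF = """\
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
remote anonymous {
    exchange_mode main;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;            # makes racoon propose a DH group (PFS) in quick mode
    lifetime time 36000 sec;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

WEAK_CIPHERS = {"des", "null_enc"}  # phase 2 ciphers worth flagging

def tokenize(text):
    """Split the config into braces, semicolons, quoted strings and bare words."""
    text = re.sub(r"#[^\n]*", "", text)  # drop '#' comments first
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)

def parse(text):
    """Return [(keyword, args, children)]: children is None for 'key args;'
    statements and a nested list for 'key args { ... }' blocks."""
    tokens, pos = tokenize(text), 0

    def block():
        nonlocal pos
        entries = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in (";", "{"):
                words.append(tokens[pos])
                pos += 1
            if pos == len(tokens) or not words:
                raise ValueError("unterminated or empty statement")
            pos += 1  # consume ';' or '{'
            if tokens[pos - 1] == ";":
                entries.append((words[0], words[1:], None))
                continue
            children = block()
            if pos == len(tokens):
                raise ValueError("missing closing brace")
            pos += 1  # consume '}'
            entries.append((words[0], words[1:], children))
        return entries

    return block()

def _find(entries, keyword):
    return [e for e in entries if e[0] == keyword]

def phase2_pfs(text):
    """Map each sainfo block to the DH group it proposes for PFS, or None when
    pfs_group is absent (racoon.conf(5): omit it if PFS is not required)."""
    result = {}
    for _, args, children in _find(parse(text), "sainfo"):
        pfs = _find(children, "pfs_group")
        result[" ".join(args)] = pfs[0][1][0] if pfs else None
    return result

def lint(text):
    """Return (severity, message) findings about the phase 2 settings."""
    findings = []
    for _, args, children in _find(parse(text), "sainfo"):
        name = " ".join(args)
        pfs = _find(children, "pfs_group")
        if pfs:
            findings.append(("info", f"sainfo {name}: pfs_group {pfs[0][1][0]} makes "
                             "racoon propose PFS; a peer with PFS off (the Win2K policy "
                             "in the thread) rejects any DH group here. Omit the "
                             "directive instead of writing 0, which does not parse."))
        for _, algs, _ in _find(children, "encryption_algorithm"):
            weak = sorted(WEAK_CIPHERS & set(",".join(algs).split(",")))
            if weak:
                findings.append(("warn", f"sainfo {name}: weak phase 2 cipher(s) "
                                 f"offered: {', '.join(weak)}"))
    return findings

def without_pfs(text):
    """Return the config with every pfs_group directive removed (no PFS proposed)."""
    return re.sub(r"^[ \t]*pfs_group[^\n]*\n", "", text, flags=re.M)
```

Running lint(SAMPLE_CONF) yields one info finding for pfs_group 2 and one warning for the single-DES cipher offered in sainfo; phase2_pfs(without_pfs(SAMPLE_CONF)) returns {"anonymous": None}, i.e. the form of the config in which racoon proposes no PFS group at all.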
From owner-freebsd-security Sat Mar 24 14:07:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 6B19737B71D; Sat, 24 Mar 2001 14:07:46 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:07:43 -0600
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <151@243200116737151>; Sat, 24 Mar 2001 4:07:37 PM -0600
Date: Sat, 24 Mar 2001 16:07:42 -0600
From: "oldfart@gtonet"
Subject: RE: IPSEC: racoon and Win2K
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A1@tyr.kinsman.lan>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You've posted the same message 9 times, please stop. Somebody will help
IF/when they can.

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> Vasquez
> Sent: Saturday, March 24, 2001 1:33 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPSEC: racoon and Win2K
> [...]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:07:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id E27A637B718; Sat, 24 Mar 2001 14:07:46 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:07:43 -0600
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <157@243200116737157>; Sat, 24 Mar 2001 4:07:37 PM -0600
Date: Sat, 24 Mar 2001 16:07:42 -0600
From: "oldfart@gtonet"
Subject: RE: IPSEC: racoon and Win2K
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A2@tyr.kinsman.lan>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, now I see it's majordomo, can someone fix it?

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet
> Sent: Saturday, March 24, 2001 1:43 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: RE: IPSEC: racoon and Win2K
>
> You've posted the same message 9 times, please stop. Somebody will help
> IF/when they can.
>
> OF
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> > Vasquez
> > Sent: Saturday, March 24, 2001 1:33 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: IPSEC: racoon and Win2K
> > [...]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
lists@valkery.mentisworks.com by Pop2Smtpcom id <154@243200116737154> directly for ; Sat, 24 Mar 2001 4:07:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:07:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A3@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 22:07:44.0463 (UTC) FILETIME=[DA359DF0:01C0B4AE] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1C53_01C0B47C.8F8A6510 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1C53_01C0B47C.8F8A6510 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1C53_01C0B47C.8F8A6510-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:12:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id E2B9637B72D for ; Sat, 24 Mar 2001 14:12:46 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340470 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:12:59 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:43 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:40 -0600 Received: from 
mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <163@2432001161237163> directly for ; Sat, 24 Mar 2001 4:12:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:12:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A4@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0q1uu4tAaEfdmTK2d18vVpZSK8w== From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 22:12:43.0942 (UTC) FILETIME=[8CB67C60:01C0B4AF] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You've posted the same message 9 times, please stop. Somebody will help IF/when they can. OF > -----Original Message----- 
> From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto > Vasquez > Sent: Saturday, March 24, 2001 1:33 PM > To: freebsd-security@FreeBSD.ORG > Subject: IPSEC: racoon and Win2K > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > succesful so far. > > I would be very glad if anyone could help me on the following matter: > > The only problem I've encountered is that, when making Win2K and = FreeBSD > interoperate, the IKE's phase 2 only suceeds if > Win2K initiates the process. If racoon is to start it, Win2k will not > accept any proposal for phase 2, complaining that the dh group number > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > on the pfs_group setting in racoon.conf) and not null(0). If I try > setting pfs_group to null, I get a parse error. > > All the docs I found in the kame site (www.kame.net), the handbook, = and > the man pages haven't been of any help too. > > Thank you very much for your attention, > > Sincerely, > > jOrge > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > high-encryption pack and SP1 installed on the Win2K box. > -- > Jorge Peixoto Vasquez, Elet. Eng. > Aker Security Solutions > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:12:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 7AB1D37B71B for ; Sat, 24 Mar 2001 14:12:47 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340471 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:13:00 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:44 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:41 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <166@2432001161237166> directly for ; Sat, 24 Mar 
2001 4:12:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:12:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A5@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0rA1efAZjoewUQHKXdczG+L8++w== From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 22:12:44.0412 (UTC) FILETIME=[8CFE33C0:01C0B4AF] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, now I see it's majordomo, can someone fix it? OF > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet > Sent: Saturday, March 24, 2001 1:43 PM > To: freebsd-security@FreeBSD.ORG > Subject: RE: IPSEC: racoon and Win2K > > > You've posted the same message 9 times, please stop. Somebody will = help > IF/when they can. > > OF > > > -----Original Message----- 
> > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge = Peixoto > > Vasquez > > Sent: Saturday, March 24, 2001 1:33 PM > > To: freebsd-security@FreeBSD.ORG > > Subject: IPSEC: racoon and Win2K > > > > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > > succesful so far. > > > > I would be very glad if anyone could help me on the following = matter: > > > > The only problem I've encountered is that, when making Win2K and = FreeBSD > > interoperate, the IKE's phase 2 only suceeds if > > Win2K initiates the process. If racoon is to start it, Win2k will = not > > accept any proposal for phase 2, complaining that the dh group = number > > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > > on the pfs_group setting in racoon.conf) and not null(0). If I try > > setting pfs_group to null, I get a parse error. > > > > All the docs I found in the kame site (www.kame.net), the handbook, = and > > the man pages haven't been of any help too. > > > > Thank you very much for your attention, > > > > Sincerely, > > > > jOrge > > > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > > high-encryption pack and SP1 installed on the Win2K box. > > -- > > Jorge Peixoto Vasquez, Elet. Eng. > > Aker Security Solutions > > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:13:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 09E3E37B718 for ; Sat, 24 Mar 2001 14:12:48 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340472 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:13:00 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:44 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1C83_01C0B47D.429F6D30" Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:41 -0600 Received: from mail pickup service by tyr.kinsman.lan with 
Microsoft SMTPSVC; Sat, 24 Mar 2001 16:12:37 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <169@2432001161237169> directly for ; Sat, 24 Mar 2001 4:12:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:12:43 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A6@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 22:12:44.0863 (UTC) FILETIME=[8D4304F0:01C0B4AF] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1C83_01C0B47D.429F6D30 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1C83_01C0B47D.429F6D30 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1C83_01C0B47D.429F6D30-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:17:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id A497C37B720 for ; Sat, 24 Mar 2001 14:17:46 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340478 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:17:59 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:44 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:41 -0600 Received: from 
mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <179@2432001161737179> directly for ; Sat, 24 Mar 2001 4:17:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:17:43 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A8@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0rA1efAZjoewUQHKXdczG+L8++w== From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 22:17:44.0412 (UTC) FILETIME=[3FCE91C0:01C0B4B0] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, now I see it's majordomo, can someone fix it? OF > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet > Sent: Saturday, March 24, 2001 1:43 PM > To: freebsd-security@FreeBSD.ORG > Subject: RE: IPSEC: racoon and Win2K > > > You've posted the same message 9 times, please stop. Somebody will = help > IF/when they can. > > OF > > > -----Original Message----- 
> > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge = Peixoto > > Vasquez > > Sent: Saturday, March 24, 2001 1:33 PM > > To: freebsd-security@FreeBSD.ORG > > Subject: IPSEC: racoon and Win2K > > > > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > > succesful so far. > > > > I would be very glad if anyone could help me on the following = matter: > > > > The only problem I've encountered is that, when making Win2K and = FreeBSD > > interoperate, the IKE's phase 2 only suceeds if > > Win2K initiates the process. If racoon is to start it, Win2k will = not > > accept any proposal for phase 2, complaining that the dh group = number > > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > > on the pfs_group setting in racoon.conf) and not null(0). If I try > > setting pfs_group to null, I get a parse error. > > > > All the docs I found in the kame site (www.kame.net), the handbook, = and > > the man pages haven't been of any help too. > > > > Thank you very much for your attention, > > > > Sincerely, > > > > jOrge > > > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > > high-encryption pack and SP1 installed on the Win2K box. > > -- > > Jorge Peixoto Vasquez, Elet. Eng. > > Aker Security Solutions > > tel. 
> > +55 - 61 - 340 9083
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:17:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 29D7C37B71F for ; Sat, 24 Mar 2001 14:17:45 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340477 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:17:58 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:42 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:38 -0600
Received: from mail pickup
service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:37 -0600
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <176@2432001161737176> directly for ; Sat, 24 Mar 2001 4:17:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: RE: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:17:39 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A7@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcC0q1uu4tAaEfdmTK2d18vVpZSK8w==
From: "oldfart@gtonet"
X-OriginalArrivalTime: 24 Mar 2001 22:17:42.0729 (UTC) FILETIME=[3ECDC390:01C0B4B0]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You've posted the same message 9 times, please stop. Somebody will help
IF/when they can.

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> Vasquez
> Sent: Saturday, March 24, 2001 1:33 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPSEC: racoon and Win2K
>
>
> I've read the mini-howto on how to set up IPSEC on the FreeBSD
> (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> successful so far.
>
> I would be very glad if anyone could help me on the following matter:
>
> The only problem I've encountered is that, when making Win2K and FreeBSD
> interoperate, the IKE's phase 2 only succeeds if
> Win2K initiates the process. If racoon is to start it, Win2k will not
> accept any proposal for phase 2, complaining that the dh group number
> (which should correctly be either 1 or 2) received is 1 or 2 (depending
> on the pfs_group setting in racoon.conf) and not null(0). If I try
> setting pfs_group to null, I get a parse error.
>
> All the docs I found in the kame site (www.kame.net), the handbook, and
> the man pages haven't been of any help either.
>
> Thank you very much for your attention,
>
> Sincerely,
>
> jOrge
>
> p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> high-encryption pack and SP1 installed on the Win2K box.
> --
> Jorge Peixoto Vasquez, Elet. Eng.
> Aker Security Solutions
> tel.
> +55 - 61 - 340 9083
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:18:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 39E0F37B71A for ; Sat, 24 Mar 2001 14:17:47 -0800 (PST) (envelope-from jorge@aker.com.br)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340479 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:18:00 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:44 -0600
Content-Type: multipart/mixed; boundary="----=_NextPart_000_1CB5_01C0B47D.F5712AC0"
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:41 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:17:37 -0600
MIME-Version: 1.0
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <182@2432001161737182> directly for ; Sat, 24 Mar 2001 4:17:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:17:43 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162A9@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
X-OriginalArrivalTime: 24 Mar 2001 22:17:44.0892 (UTC) FILETIME=[4017CFC0:01C0B4B0]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_1CB5_01C0B47D.F5712AC0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

I've read the mini-howto on how to set up IPSEC on the FreeBSD
(http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD
interoperate, the IKE's phase 2 only succeeds if Win2K initiates the
process. If racoon is to start it, Win2k will not accept any proposal for
phase 2, complaining that the dh group number (which should correctly be
either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in
racoon.conf) and not null(0). If I try setting pfs_group to null, I get a
parse error.

All the docs I found in the kame site (www.kame.net), the handbook, and
the man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
high-encryption pack and SP1 installed on the Win2K box.
--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

------=_NextPart_000_1CB5_01C0B47D.F5712AC0
X-TNEF_Part_ID: 256
Content-Transfer-Encoding: quoted-printable
Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 20 sec;
}

remote anonymous
{
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;

    nonce_size 16;
    lifetime time 1 min;  # sec,min,hour
    lifetime byte 5 MB;   # B,KB,GB
    initial_contact on;
    support_mip6 on;
    proposal_check obey;  # obey, strict or claim

    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2;
    }
}

sainfo anonymous
{
    # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
    pfs_group 2;
    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

------=_NextPart_000_1CB5_01C0B47D.F5712AC0--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
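An added illustration of the phase 2 mismatch Jorge describes, not part of his post or of the racoon distribution: the posted sainfo always offers a DH group (pfs_group 2), while a Win2K policy with session key PFS switched off expects no group at all in quick mode, so as responder it rejects the offer. The rewrite below assumes racoon.conf(5)'s documented behaviour that leaving pfs_group out means racoon proposes no PFS group; it also drops single DES from the offer, which the original kept.

```conf
# Added example, not Jorge's racoon.conf. Two ways to make the peers agree.

# Option A: match the Win2K policy as posted (PFS off on the Windows side).
# Assumption: with no pfs_group directive, racoon neither requires PFS nor
# sends a group in the phase 2 proposal, which is the "null (0)" Win2K wants.
# Trade-off: quick-mode keys then derive from the phase 1 secret alone, so
# a compromised phase 1 key exposes every phase 2 SA negotiated under it.
sainfo anonymous
{
    # no pfs_group line on purpose (pfs_group 0 / null is a parse error)
    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des;          # single DES removed from the offer
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

# Option B (preferred): keep "pfs_group 2;" exactly as posted and instead
# enable session key perfect forward secrecy in the Win2K IPsec policy.
# Both peers then exchange a fresh group 2 value in phase 2, so racoon can
# initiate as well as respond, and old traffic stays protected if the
# phase 1 key ever leaks.
```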
> +55 - 61 - 340 9083
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:32:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 81D5D37B71D for ; Sat, 24 Mar 2001 14:32:45 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340495 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:32:58 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:42 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:39 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:37 -0600
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <215@2432001163237215> directly for ; Sat, 24 Mar 2001 4:32:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: RE: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:32:41 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162B0@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcC0rA1efAZjoewUQHKXdczG+L8++w==
From: "oldfart@gtonet"
To:
Reply-To:
X-OriginalArrivalTime: 24 Mar 2001 22:32:42.0727 (UTC) FILETIME=[573E8F70:01C0B4B2]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, now I see it's majordomo, can someone fix it?

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet
> Sent: Saturday, March 24, 2001 1:43 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: RE: IPSEC: racoon and Win2K
>
>
> You've posted the same message 9 times, please stop. Somebody will help
> IF/when they can.
>
> OF
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> > Vasquez
> > Sent: Saturday, March 24, 2001 1:33 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: IPSEC: racoon and Win2K
> >
> >
> > I've read the mini-howto on how to set up IPSEC on FreeBSD
> > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> > successful so far.
> >
> > I would be very glad if anyone could help me on the following matter:
> >
> > The only problem I've encountered is that, when making Win2K and FreeBSD
> > interoperate, the IKE's phase 2 only succeeds if
> > Win2K initiates the process. If racoon is to start it, Win2k will not
> > accept any proposal for phase 2, complaining that the dh group number
> > (which should correctly be either 1 or 2) received is 1 or 2 (depending
> > on the pfs_group setting in racoon.conf) and not null(0). If I try
> > setting pfs_group to null, I get a parse error.
> >
> > All the docs I found on the kame site (www.kame.net), the handbook, and
> > the man pages haven't been of any help either.
> >
> > Thank you very much for your attention,
> >
> > Sincerely,
> >
> > jOrge
> >
> > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> > high-encryption pack and SP1 installed on the Win2K box.
> > --
> > Jorge Peixoto Vasquez, Elet. Eng.
> > Aker Security Solutions
> > tel.
> > +55 - 61 - 340 9083
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:33:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 94D7A37B720 for ; Sat, 24 Mar 2001 14:32:46 -0800 (PST) (envelope-from jorge@aker.com.br)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340497 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:32:59 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:43 -0600
Content-Type: multipart/mixed; boundary="----=_NextPart_000_1D45_01C0B480.0D39F6D0"
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:40 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:32:37 -0600
MIME-Version: 1.0
Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <218@2432001163237218> directly for ; Sat, 24 Mar 2001 4:32:37 PM -0600 smtpmailfrom
Content-Class: urn:content-classes:message
Subject: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:32:42 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162B2@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA==
From: "Jorge Peixoto Vasquez"
To:
X-OriginalArrivalTime: 24 Mar 2001 22:32:43.0769 (UTC) FILETIME=[57DD8E90:01C0B4B2]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_1D45_01C0B480.0D39F6D0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

I've read the mini-howto on how to set up IPSEC on FreeBSD
(http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
successful so far.

I would be very glad if anyone could help me on the following matter:

The only problem I've encountered is that, when making Win2K and FreeBSD
interoperate, the IKE's phase 2 only succeeds if Win2K initiates the
process. If racoon is to start it, Win2k will not accept any proposal for
phase 2, complaining that the dh group number (which should correctly be
either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in
racoon.conf) and not null(0). If I try setting pfs_group to null, I get a
parse error.

All the docs I found on the kame site (www.kame.net), the handbook, and the
man pages haven't been of any help either.

Thank you very much for your attention,

Sincerely,

jOrge

p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
high-encryption pack and SP1 installed on the Win2K box.
--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
tel. +55 - 61 - 340 9083

------=_NextPart_000_1D45_01C0B480.0D39F6D0
X-TNEF_Part_ID: 256
Content-Transfer-Encoding: quoted-printable
Content-Type: application/octet-stream; name="racoon.conf"
Content-Disposition: attachment; filename="racoon.conf"

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer {
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 20 sec;
}

remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 1 min;    # sec,min,hour
    lifetime byte 5 MB;     # B,KB,GB
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2;
    }
}

sainfo anonymous {
    # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
    pfs_group 2;
    lifetime time 36000 sec;
    lifetime byte 50000 KB;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

------=_NextPart_000_1D45_01C0B480.0D39F6D0--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
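The racoon.conf attached above offers phase 1 dh_group 2, phase 2 pfs_group 2, and algorithm lists that include single DES and HMAC-MD5; the interoperability problem in the post is a mismatch between what racoon proposes for phase 2 PFS and what the peer expects. As an added example (not part of the thread, and not racoon's own configuration parser), the script below parses racoon's block syntax, pulls out the phase 1 DH groups and the phase 2 PFS group, flags weak algorithms in the offered proposals, and compares the PFS group with a value the peer is assumed to expect. SAMPLE_CONF is a constructed excerpt modelled on the posted file; WEAK_ALGORITHMS and the pfs_matches_peer check are this example's own choices.

```python
"""Parse racoon.conf block syntax and audit the IKE phase 1 / phase 2 proposals.

Added example for this thread; it is not racoon's own parser. SAMPLE_CONF is a
constructed excerpt modelled on the racoon.conf attached to the post above.
"""
import re

# Constructed sample: the remote/sainfo sections of the posted racoon.conf.
SAMPLE_CONF = """
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

remote anonymous {
    exchange_mode main;
    lifetime time 1 min;        # sec,min,hour
    proposal_check obey;        # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 36000 sec;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

# Algorithms a reviewer would flag when they appear in an offered proposal
# (this example's own list, not a racoon setting).
WEAK_ALGORITHMS = {"des", "hmac_md5"}


def tokenize(text):
    """Split racoon.conf text into tokens; '#' comments run to end of line."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse_block(tokens, pos=0):
    """Recursive-descent parse of 'stmt ;' and 'name { ... }' into a dict.

    Returns ({"statements": [[tok, ...]], "blocks": {name: [block, ...]}}, pos).
    Blocks sharing a name (several 'proposal' blocks) are kept in a list.
    """
    block = {"statements": [], "blocks": {}}
    current = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":
            if current:
                block["statements"].append(current)
            current = []
        elif tok == "{":
            name = " ".join(current)
            current = []
            child, pos = parse_block(tokens, pos + 1)
            block["blocks"].setdefault(name, []).append(child)
        elif tok == "}":
            return block, pos
        else:
            current.append(tok)
        pos += 1
    return block, pos


def parse_conf(text):
    """Parse a whole racoon.conf into the nested block structure."""
    block, _ = parse_block(tokenize(text))
    return block


def setting(block, key):
    """Value tokens of the first statement in block starting with key, else None."""
    for stmt in block["statements"]:
        if stmt[0] == key:
            return stmt[1:]
    return None


def audit(conf):
    """Collect phase 1 DH groups, the phase 2 PFS group and weak algorithms."""
    findings = {"phase1_dh_groups": [], "phase2_pfs_group": None, "weak_algorithms": []}
    for name, blocks in conf["blocks"].items():
        section = name.split()[0]
        for block in blocks:
            if section == "remote":
                for proposal in block["blocks"].get("proposal", []):
                    dh = setting(proposal, "dh_group")
                    findings["phase1_dh_groups"].append(dh[0] if dh else None)
            elif section == "sainfo":
                pfs = setting(block, "pfs_group")
                findings["phase2_pfs_group"] = pfs[0] if pfs else None
                offered = set()
                for key in ("encryption_algorithm", "authentication_algorithm"):
                    for value in setting(block, key) or []:
                        offered.update(value.split(","))
                findings["weak_algorithms"] = sorted(offered & WEAK_ALGORITHMS)
    return findings


def pfs_matches_peer(findings, peer_pfs_group):
    """True when our phase 2 PFS group equals what the peer expects (None = no PFS)."""
    return findings["phase2_pfs_group"] == peer_pfs_group


if __name__ == "__main__":
    result = audit(parse_conf(SAMPLE_CONF))
    print(result)
    # A peer that expects no PFS in phase 2 will not match a pfs_group 2 offer.
    print("matches peer without PFS:", pfs_matches_peer(result, None))
```

To run it against a real file, replace SAMPLE_CONF with the contents of racoon.conf; comments and quoted strings (such as the pre_shared_key path) are handled by the tokenizer, and repeated proposal blocks under one remote section are all reported.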
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:43: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by 
hub.freebsd.org (Postfix) with ESMTP id 0455B37B722 for ; Sat, 24 Mar 2001 14:42:47 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340511 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:42:59 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:44 -0600 Content-Type: multipart/mixed; boundary="----=_NextPart_000_1D9F_01C0B481.73148780" Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:41 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:37 -0600 MIME-Version: 1.0 Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <242@2432001164237242> directly for ; Sat, 24 Mar 2001 4:42:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:42:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162B7@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcCtdV9v68hUrNQJROyQfKBgDBcVfA== 
From: "Jorge Peixoto Vasquez" To: X-OriginalArrivalTime: 24 Mar 2001 22:42:44.0168 (UTC) FILETIME=[BDBB2C80:01C0B4B3] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_1D9F_01C0B481.73148780 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable I've read the mini-howto on how to setup IPSEC on the FreeBSD (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most succesful so far.=20 I would be very glad if anyone could help me on the following matter:=20 The only problem I've encountered is that, when making Win2K and FreeBSD interoperate, the IKE's phase 2 only suceeds if Win2K initiates the process. If racoon is to start it, Win2k will not accept any proposal for phase 2, complaining that the dh group number (which should correctly be either 1 or 2) received is 1 or 2 (depending on the pfs_group setting in racoon.conf) and not null(0). If I try setting pfs_group to null, I get a parse error.=20 All the docs I found in the kame site (www.kame.net), the handbook, and the man pages haven't been of any help too. Thank you very much for your attention,=20 Sincerely,=20 jOrge=20 p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the high-encryption pack and SP1 installed on the Win2K box.=20 --=20 Jorge Peixoto Vasquez, Elet. Eng. Aker Security Solutions tel. +55 - 61 - 340 9083 ------=_NextPart_000_1D9F_01C0B481.73148780 X-TNEF_Part_ID: 256 Content-Transfer-Encoding: quoted-printable Content-Type: application/octet-stream; name="racoon.conf" Content-Disposition: attachment; filename="racoon.conf" # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "info", = "notify", # "debug" or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch = these. 
padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 20 sec; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour lifetime byte 5 MB; # B,KB,GB initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal=20 { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2; } } sainfo anonymous { # does not matter if 1 or 2, zero (expected by Win2K) won't parse. pfs_group 2; lifetime time 36000 sec; lifetime byte 50000 KB; encryption_algorithm 3des,des ; authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate ; } ------=_NextPart_000_1D9F_01C0B481.73148780-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:43:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 9184C37B726 for ; Sat, 24 Mar 2001 14:42:47 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340512 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:43:00 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:44 -0600 Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:41 -0600 Received: from 
mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:42:37 -0600 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Received: from mailbox lists@valkery.mentisworks.com by Pop2Smtpcom id <245@2432001164237245> directly for ; Sat, 24 Mar 2001 4:42:37 PM -0600 smtpmailfrom Content-Class: urn:content-classes:message Subject: RE: IPSEC: racoon and Win2K Date: Sat, 24 Mar 2001 16:42:42 -0600 Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162B8@tyr.kinsman.lan> Thread-Topic: IPSEC: racoon and Win2K thread-index: AcC0q1uu4tAaEfdmTK2d18vVpZSK8w== From: "oldfart@gtonet" To: Reply-To: X-OriginalArrivalTime: 24 Mar 2001 22:42:44.0568 (UTC) FILETIME=[BDF83580:01C0B4B3] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You've posted the same message 9 times, please stop. Somebody will help IF/when they can. OF > -----Original Message----- 
> From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto > Vasquez > Sent: Saturday, March 24, 2001 1:33 PM > To: freebsd-security@FreeBSD.ORG > Subject: IPSEC: racoon and Win2K > > > I've read the mini-howto on how to setup IPSEC on the FreeBSD > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most > succesful so far. > > I would be very glad if anyone could help me on the following matter: > > The only problem I've encountered is that, when making Win2K and = FreeBSD > interoperate, the IKE's phase 2 only suceeds if > Win2K initiates the process. If racoon is to start it, Win2k will not > accept any proposal for phase 2, complaining that the dh group number > (which should correctly be either 1 or 2) received is 1 or 2 = (depending > on the pfs_group setting in racoon.conf) and not null(0). If I try > setting pfs_group to null, I get a parse error. > > All the docs I found in the kame site (www.kame.net), the handbook, = and > the man pages haven't been of any help too. > > Thank you very much for your attention, > > Sincerely, > > jOrge > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got = the > high-encryption pack and SP1 installed on the Win2K box. > -- > Jorge Peixoto Vasquez, Elet. Eng. > Aker Security Solutions > tel. 
+55 - 61 - 340 9083 > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 24 14:48: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id C184837B719 for ; Sat, 24 Mar 2001 14:47:46 -0800 (PST) (envelope-from jorge@aker.com.br) Received: from [24.29.197.39] (HELO 
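The phase 2 problem in Jorge's message, as an added example that is neither part of the thread nor racoon's own code: a small Python linter for the brace-structured racoon.conf posted above, which reports the phase 1 dh_group and the phase 2 pfs_group and flags a mismatch with a peer that expects no PFS. It assumes the racoon.conf(5) semantics (not stated in the thread) that pfs_group is optional in sainfo and that omitting it proposes phase 2 without PFS, whereas pfs_group 0 is the parse error the post describes; the names POSTED_CONF, NO_PFS_CONF, parse_blocks, dh_groups and check_phase2_pfs, and the trimmed config text, are the example's own.

```python
"""Added example (not from the thread, not racoon's own code): lint a
racoon.conf for the phase 2 PFS setting the Win2K peer rejects above.

Assumed racoon.conf(5) semantics: phase 1 negotiates `dh_group` inside
`remote { proposal { ... } }`; phase 2 PFS comes from the optional `pfs_group`
in `sainfo { ... }`, and omitting it proposes phase 2 without PFS
(`pfs_group 0` does not parse, as the thread notes).
"""
import re

# Constructed input, trimmed from the racoon.conf attached to the thread.
POSTED_CONF = """
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
remote anonymous {
    exchange_mode main;
    lifetime time 1 min;    # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2;
    }
}
sainfo anonymous {
    # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
    pfs_group 2;
    lifetime time 36000 sec;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
}
"""

# Constructed variant: the same file with the pfs_group directive removed.
NO_PFS_CONF = "\n".join(line for line in POSTED_CONF.splitlines()
                        if not line.strip().startswith("pfs_group"))


def strip_comments(text):
    """Drop '#' comments (the quoted values used here contain no '#')."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_blocks(text):
    """Map block paths ("remote anonymous/proposal"; "" for top level)
    to their ';'-terminated statements, tracking brace nesting."""
    blocks = {"": []}
    stack, buf = [], []        # enclosing block headers; current token text
    for ch in strip_comments(text):
        if ch == "{":
            stack.append(" ".join("".join(buf).split()))
            blocks.setdefault("/".join(stack), [])
            buf = []
        elif ch == "}":
            if not stack:
                raise ValueError("unbalanced '}' in racoon.conf")
            stack.pop()
            buf = []
        elif ch == ";":
            blocks["/".join(stack)].append(" ".join("".join(buf).split()))
            buf = []
        else:
            buf.append(ch)
    if stack:
        raise ValueError("unterminated block: %s" % stack[-1])
    return blocks


def _int_directive(stmts, name):
    """Integer argument of directive `name` among `stmts`, or None if absent."""
    for stmt in stmts:
        m = re.match(r"%s\s+(\d+)$" % re.escape(name), stmt)
        if m:
            return int(m.group(1))
    return None


def dh_groups(conf_text, remote="remote anonymous", sainfo="sainfo anonymous"):
    """Phase 1 dh_group and phase 2 pfs_group (None: no PFS is proposed)."""
    blocks = parse_blocks(conf_text)
    return {"phase1": _int_directive(blocks.get(remote + "/proposal", []), "dh_group"),
            "phase2_pfs": _int_directive(blocks.get(sainfo, []), "pfs_group")}


def check_phase2_pfs(conf_text, peer_supports_pfs):
    """Return (ok, message) for phase 2 against a peer that does or does not do PFS."""
    pfs = dh_groups(conf_text)["phase2_pfs"]
    if pfs is None:
        return True, "phase 2 proposed without PFS (a peer that requires PFS would reject it)"
    if peer_supports_pfs:
        return True, "phase 2 proposes PFS with DH group %d" % pfs
    return False, ("racoon proposes PFS group %d but the peer expects none: "
                   "remove pfs_group instead of setting it to 0" % pfs)
```

Running check_phase2_pfs(POSTED_CONF, peer_supports_pfs=False) reproduces the posted situation as a failed check, while NO_PFS_CONF passes it.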
From owner-freebsd-security Sat Mar 24 14:53:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peter3.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id 7184A37B71A
for ; Sat, 24 Mar 2001 14:53:15 -0800 (PST) (envelope-from peter@netplex.com.au) Received: from mobile.wemm.org (mobile.wemm.org [10.0.0.5]) by peter3.wemm.org (8.11.0/8.11.0) with ESMTP id f2OMrFp10935 for ; Sat, 24 Mar 2001 14:53:15 -0800 (PST) (envelope-from peter@netplex.com.au) Received: from netplex.com.au (localhost [127.0.0.1]) by mobile.wemm.org (8.11.1/8.11.1) with ESMTP id f2OMrDh03001; Sat, 24 Mar 2001 14:53:14 -0800 (PST) (envelope-from peter@netplex.com.au) Message-Id: <200103242253.f2OMrDh03001@mobile.wemm.org> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: oldfart@gtonet.net, lists@mentisworks.com, abuse@mentisworks.com, postmaster@mentisworks.com, root@mentisworks.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPSEC: racoon and Win2K In-Reply-To: <39F078A4FCEC5D408C23FC3D92DEE4020162B6@tyr.kinsman.lan> Date: Sat, 24 Mar 2001 14:53:13 -0800 From: Peter Wemm Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "oldfart@gtonet" wrote: > OK, now I see it's majordomo, can someone fix it? No, I think it was lists@mentisworks.com.. Have a look at the headers. They have an exploder there, and one of their clients was looping. (lists@kinsman.org). I have unsubscribed them and we'll see if it stops.. > OF > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet > > Sent: Saturday, March 24, 2001 1:43 PM > > To: freebsd-security@FreeBSD.ORG > > Subject: RE: IPSEC: racoon and Win2K > > > > > > You've posted the same message 9 times, please stop. Somebody will help > > IF/when they can. > > > > OF > > > > > -----Original Message----- 
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jorge Peixoto
> > > Vasquez
> > > Sent: Saturday, March 24, 2001 1:33 PM
> > > To: freebsd-security@FreeBSD.ORG
> > > Subject: IPSEC: racoon and Win2K
> > >
> > > I've read the mini-howto on how to setup IPSEC on the FreeBSD
> > > (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
> > > successful so far.
> > >
> > > I would be very glad if anyone could help me on the following matter:
> > >
> > > The only problem I've encountered is that, when making Win2K and FreeBSD
> > > interoperate, the IKE's phase 2 only succeeds if
> > > Win2K initiates the process. If racoon is to start it, Win2k will not
> > > accept any proposal for phase 2, complaining that the dh group number
> > > (which should correctly be either 1 or 2) received is 1 or 2 (depending
> > > on the pfs_group setting in racoon.conf) and not null(0). If I try
> > > setting pfs_group to null, I get a parse error.
> > >
> > > All the docs I found in the kame site (www.kame.net), the handbook, and
> > > the man pages haven't been of any help too.
> > >
> > > Thank you very much for your attention,
> > >
> > > Sincerely,
> > >
> > > jOrge
> > >
> > > p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
> > > high-encryption pack and SP1 installed on the Win2K box.
> > > --
> > > Jorge Peixoto Vasquez, Elet. Eng.
> > > Aker Security Solutions
> > > tel. +55 - 61 - 340 9083
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:57:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 2672A37B71A for ; Sat, 24 Mar 2001 14:57:44 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from [24.29.197.39] (HELO tyr.kinsman.lan) by mentisworks.com (CommuniGate Pro SMTP 3.4.2) with ESMTP id 340526 for freebsd-security@freebsd.org; Sat, 24 Mar 2001 16:57:56 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:57:42 -0600
Received: from mail pickup service by tyr.kinsman.lan with Microsoft SMTPSVC; Sat, 24 Mar 2001 16:57:39 -0600
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Subject: Re: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:57:40 -0600
Message-ID: <39F078A4FCEC5D408C23FC3D92DEE4020162BC@tyr.kinsman.lan>
Thread-Topic: IPSEC: racoon and Win2K
thread-index: AcC0tdPCInPOjX8XTsKUj8qRkVBqDg==
From: "Peter Wemm"
To:
X-OriginalArrivalTime: 24 Mar 2001 22:57:42.0143 (UTC) FILETIME=[D4F748F0:01C0B4B5]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"oldfart@gtonet" wrote:
> OK, now I see it's majordomo, can someone fix it?

No, I think it was lists@mentisworks.com.. Have a look at the headers. They have an exploder there, and one of their clients was looping. (lists@kinsman.org).

I have unsubscribed them and we'll see if it stops..

> OF
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of oldfart@gtonet
> > Sent: Saturday, March 24, 2001 1:43 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: RE: IPSEC: racoon and Win2K
> >
> > You've posted the same message 9 times, please stop. Somebody will help
> > IF/when they can.
> >
> > OF

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 14:58:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from starfruit.itojun.org (p205.usslc10.stsn.com [63.161.205.205]) by hub.freebsd.org (Postfix) with ESMTP id 2E7D237B719 for ; Sat, 24 Mar 2001 14:58:47 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from itojun.org (localhost [127.0.0.1]) by starfruit.itojun.org (Postfix) with ESMTP id 92CA07E73; Sun, 25 Mar 2001 07:58:35 +0900 (JST)
To: Mike Harding
Cc: freebsd-security@freebsd.org
In-reply-to: mvh's message of Sat, 24 Mar 2001 11:23:33 PST. <20010324192333.9D2D5114069@netcom1.netcom.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: Jun-ichiro itojun Hagino
Date: Sun, 25 Mar 2001 07:58:35 +0900
Message-Id: <20010324225835.92CA07E73@starfruit.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Okay, I think I know enough now to proceed in making a doc on
>interacting with a Cisco VPN, with a very minor kernel change. Can
>anybody suggest who I should contact to determine if this makes sense,
>and how I can coordinate with the FreeBSD team?

why is a kernel change needed to interoperate with a specific implementation? anyway, contact kame guys, core@kame.net or snap-users@kame.net.

>Also, Itojun, can you provide reference to 'scoped addresses' and
>'strong host model node'?

scoped addresses: IPv6 docs, like RFC2460, RFC2373, whatever.
strong host model: RFC1122.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 15:11:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 0769637B71A for ; Sat, 24 Mar 2001 15:11:03 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2ONB2R21126; Sat, 24 Mar 2001 15:11:02 -0800 (PST) (envelope-from oldfart@gtonet.net)
Reply-To:
From: "oldfart@gtonet"
To: "Peter Wemm"
Cc:
Subject: RE: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 15:10:56 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <200103242253.f2OMrDh03001@mobile.wemm.org>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks, Peter, for clearing it up. I, originally, thought it was Jorge Peixoto Vasquez posting over and over until I started getting dupes of my reply too. I, then, assumed it was majordomo. Just as I thought Jorge was repeat posting, a few other people thought I was too. Most were civil but one was PMS'ing so bad I had to filter her due to threats. I guess "Cranial-Rectal Inversion(TM)" exists here too. :(

Let this be a lesson in patience for all of us.

As I said, thanks for fixing it,

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Wemm
> Sent: Saturday, March 24, 2001 2:53 PM
> To: oldfart@gtonet.net; lists@mentisworks.com; abuse@mentisworks.com;
> postmaster@mentisworks.com; root@mentisworks.com
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: IPSEC: racoon and Win2K
>
> "oldfart@gtonet" wrote:
> > OK, now I see it's majordomo, can someone fix it?
>
> No, I think it was lists@mentisworks.com.. Have a look at the headers.
> They have an exploder there, and one of their clients was looping.
> (lists@kinsman.org).
>
> I have unsubscribed them and we'll see if it stops..
>
> > OF
>
> Cheers,
> -Peter
> --
> Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
> "All of this is for nothing if we don't go to the stars" - JMS/B5

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 15:19:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peter3.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id 7783F37B718 for ; Sat, 24 Mar 2001 15:19:30 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from mobile.wemm.org (mobile.wemm.org [10.0.0.5]) by peter3.wemm.org (8.11.0/8.11.0) with ESMTP id f2ONJRp11065 for ; Sat, 24 Mar 2001 15:19:27 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from netplex.com.au (localhost [127.0.0.1]) by mobile.wemm.org (8.11.1/8.11.1) with ESMTP id f2ONJRh03313 for ; Sat, 24 Mar 2001 15:19:27 -0800 (PST) (envelope-from peter@netplex.com.au)
Message-Id: <200103242319.f2ONJRh03313@mobile.wemm.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
In-Reply-To: <39F078A4FCEC5D408C23FC3D92DEE4020162BC@tyr.kinsman.lan>
Date: Sat, 24 Mar 2001 15:19:27 -0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Peter Wemm" wrote:
> "oldfart@gtonet" wrote:
> > OK, now I see it's majordomo, can someone fix it?
>
> No, I think it was lists@mentisworks.com.. Have a look at the headers.
> They have an exploder there, and one of their clients was looping.
> (lists@kinsman.org).
>
> I have unsubscribed them and we'll see if it stops..

I was expecting this loop because I cc:'ed the suspect address with the mail. Hopefully there will not be a duplicate of this one.

> > OF
>
> Cheers,
> -Peter
> --
> Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
> "All of this is for nothing if we don't go to the stars" - JMS/B5
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 15:36:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bootp-20-219.bootp.virginia.edu (bootp-20-219.bootp.Virginia.EDU [128.143.20.219]) by hub.freebsd.org (Postfix) with ESMTP id D376637B71D for ; Sat, 24 Mar 2001 15:36:43 -0800 (PST) (envelope-from mipam@virginia.edu)
Received: by bootp-20-219.bootp.virginia.edu (Postfix) id 394231D001; Sat, 24 Mar 2001 18:38:49 -0500 (EST)
Date: Sat, 24 Mar 2001 18:38:48 -0500
From: Mipam
To: Jeremy Karteczka
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Trying to set up an IKE vpn between FreeBSD and Checkpoint FW-1
Message-ID: <20010324183848.A4464@bootp-20-219.bootp.virginia.edu>
Reply-To: mipam@ibb.net
References: <05ae01c0b41e$1f82ac90$0200a8c0@jose>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <05ae01c0b41e$1f82ac90$0200a8c0@jose>; from jerkart@mw.mediaone.net on Fri, Mar 23, 2001 at 11:51:38PM -0500
X-Operating-System: BSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 23, 2001 at 11:51:38PM -0500, Jeremy Karteczka wrote:
> Greetings,
> I am trying to get an IKE vpn going between a 4.2-RELEASE machine (using racoon
> for key exchange) and a Checkpoint firewall (v4.1 SP3). I have tried both sha1
[SNIP]
> I have looked for RFCs to find out which is the accepted standard but could not
> find one that specifically states how long the key should be for each hash
> method.
> Can anyone point me to the proper RFCs and/or tell me if there is a way I can
> reverse the expected key length on the FreeBSD side?

md5 is 128 bits and sha1 is 160 bits.

For some rfc's to read:
RFC 2085 - HMAC-MD5 IP Authentication with Replay Prevention
RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
RFC 2202 - Test Cases for HMAC-MD5 and HMAC-SHA-1
RFC 2403 - The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 - The Use of HMAC-SHA-1-96 within ESP and AH
And of course rfc 2402 - AH

Bye,
Mipam.
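Mipam's key-length answer, worked through as an added example (this is editor-supplied code, not something from the list post or from racoon): RFC 2403 and RFC 2404 fix the HMAC key at exactly the hash output size, 128 bits for MD5 and 160 bits for SHA-1, and truncate the authenticator to its first 96 bits for the ESP/AH ICV. The block enforces those key lengths, which is the check that surfaces a key-size mismatch like the one between racoon and the Checkpoint box in Jeremy's question, and verifies itself against test case 1 of RFC 2202, the test-vector RFC in Mipam's list. Function names such as `ipsec_icv` and `verify_icv` are my own.

```python
import hashlib
import hmac

# Key length and truncated ICV length mandated by RFC 2403 (HMAC-MD5-96)
# and RFC 2404 (HMAC-SHA-1-96): the key is exactly the hash output size
# and the authenticator is the first 96 bits (12 bytes) of the HMAC output.
ALGS = {
    "hmac-md5": (hashlib.md5, 16),    # 128-bit key
    "hmac-sha1": (hashlib.sha1, 20),  # 160-bit key
}
ICV_LEN = 12  # 96 bits


def check_key(alg, key):
    """Return the hash constructor for alg, rejecting keys of the wrong length.
    Two IPsec peers that disagree here cannot authenticate each other's
    packets, which is what a 'wrong key length' complaint boils down to."""
    try:
        digestmod, key_len = ALGS[alg]
    except KeyError:
        raise ValueError(f"unknown algorithm {alg!r}")
    if len(key) != key_len:
        raise ValueError(
            f"{alg} needs a {key_len * 8}-bit key, got {len(key) * 8} bits")
    return digestmod


def key_length_ok(alg, key):
    """Boolean form of check_key for callers that just want yes/no."""
    try:
        check_key(alg, key)
        return True
    except ValueError:
        return False


def ipsec_icv(alg, key, data):
    """Full HMAC over the authenticated data, truncated to 96 bits."""
    digestmod = check_key(alg, key)
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def verify_icv(alg, key, data, icv):
    """Constant-time comparison of a received ICV against the expected one."""
    return hmac.compare_digest(ipsec_icv(alg, key, data), icv)


# RFC 2202 test case 1 for both algorithms: key = 0x0b repeated to the key
# length, data = "Hi There". The expected digests are the RFC's published values.
RFC2202_CASE1 = {
    "hmac-md5": (b"\x0b" * 16, "9294727a3638bb1c13f48ef8158bfc9d"),
    "hmac-sha1": (b"\x0b" * 20, "b617318655057264e28bc0b6fb378c8ef146be00"),
}


def self_test():
    """True when both algorithms reproduce RFC 2202 test case 1 and the
    96-bit ICV is the prefix of the full digest."""
    for alg, (key, full_hex) in RFC2202_CASE1.items():
        full = hmac.new(key, b"Hi There", ALGS[alg][0]).digest()
        if full.hex() != full_hex:
            return False
        if ipsec_icv(alg, key, b"Hi There") != full[:ICV_LEN]:
            return False
    return True


if __name__ == "__main__":
    print("RFC 2202 self-test passed:", self_test())
    # Offering a 128-bit key to HMAC-SHA-1 is the mismatch case.
    try:
        ipsec_icv("hmac-sha1", b"\x0b" * 16, b"Hi There")
    except ValueError as e:
        print("rejected:", e)
```

The truncation is why the on-the-wire ICV is 12 bytes for both algorithms even though the keys differ in length; only the key length distinguishes HMAC-MD5-96 from HMAC-SHA-1-96 from a configuration standpoint, so a peer that expects the other size will fail authentication rather than negotiate.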
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 15:47: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from test.kens.com (kens.com [129.250.30.40]) by hub.freebsd.org (Postfix) with ESMTP id EC46537B718 for ; Sat, 24 Mar 2001 15:46:57 -0800 (PST) (envelope-from robin@socha.net)
Received: (qmail 66875 invoked by uid 1002); 24 Mar 2001 23:47:00 -0000
Date: Sat, 24 Mar 2001 18:47:00 -0500
From: "Robin S. Socha"
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
Message-ID: <20010324184700.D64290@kens.com>
Reply-To: abuse@socha.net
References: <200103242253.f2OMrDh03001@mobile.wemm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.3.15i
In-Reply-To: ; from oldfart@gtonet.net on Sat, Mar 24, 2001 at 03:10:56PM -0800
X-Mailer: Mutt http://www.mutt.org/
X-URL: https://socha.net/
X-Editor: Vim-600 http://www.vim.org/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* oldfart@gtonet [010324 18:12]:
> I, originally, thought it was Jorge Peixoto Vasquez posting over and
> over until I started getting dupes of my reply too. I, then, assumed
> it was majordomo. Just as I thought Jorge was repeat posting, a few
> other people thought I was too. Most were civil but one was PMS'ing so
> bad I had to filter her due to threats.

Well, sweetheart, if you consider "stop posting to the list and crop your quotes because some people pay for their downloads" a threat, that's ok. I find "Suck my fucking cock you cunt, I'm NOT sending over and over it's majodome you dumb bitch." an amazing reaction to it though. Way off-topic, reply-to set.

OpMLM: majordomo sucks. Bad. Amazing enough that a security list is running it. This incident would not have occurred with ezmlm.
--
Robin S. Socha

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 15:55:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-43.dsl.lsan03.pacbell.net [63.207.60.43]) by hub.freebsd.org (Postfix) with ESMTP id 16AA937B71A for ; Sat, 24 Mar 2001 15:55:13 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 313B166C95; Sat, 24 Mar 2001 15:55:04 -0800 (PST)
Date: Sat, 24 Mar 2001 15:55:03 -0800
From: Kris Kennaway
To: abuse@socha.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
Message-ID: <20010324155503.A42447@xor.obsecurity.org>
References: <200103242253.f2OMrDh03001@mobile.wemm.org> <20010324184700.D64290@kens.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010324184700.D64290@kens.com>; from robin@socha.net on Sat, Mar 24, 2001 at 06:47:00PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 24, 2001 at 06:47:00PM -0500, Robin S. Socha wrote:
> OpMLM: majordomo sucks. Bad. Amazing enough that a security list is
> running it. This incident would not have occurred with ezmlm.

It wasn't majordomo or anything to do with the FreeBSD.org mailing lists which was repeating the email. A mailing list subscriber was feeding list mail back into the list.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6vTPXWry0BWjoQKURAjFQAKDZ/cwGdIWM6QG0BrxO/wmUSm4OUQCcCDze
F27XS57p7aRV3MFdc/9c7DA=
=B2Bt
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 16:17:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 9375A37B718 for ; Sat, 24 Mar 2001 16:17:52 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2P0HqR21449 for ; Sat, 24 Mar 2001 16:17:53 -0800 (PST) (envelope-from oldfart@gtonet.net)
Reply-To:
From: "oldfart@gtonet"
To: "freebsd-security@FreeBSD. ORG"
Subject: RE: IPSEC: racoon and Win2K
Date: Sat, 24 Mar 2001 16:17:45 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20010324184700.D64290@kens.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well PMS-Queen, if you'd quote yourself correctly and then include your threats, maybe it'd be more clear to those you mean to deceive.

> > Stop writing to the list. Some people fucking pay for their
> bandwidth.

to which I responded, "Look you fucking retard, I wrote *once* to warn the FreeBSD people that majordomo was broken so they can fix it. If you want to bitch and moan write to them not me. It's not my fault majodomo is broken. I'd suggest unsubscribing until THEY fix it."

That was just as civil as *you* were when you accused me of posting over and over. At least when I wrote Jorge, I didn't swear at him AND I said please. You, however, are typically demanding.

Then *YOUR* threats start...

> > Last warning, honey. One more and I will get *very* angry. Just stop it.

THAT is when you got the reply you quoted. I don't respond well to threats, kid. Then to follow your big mouth, you threaten again. I suggest you take your nazi-anger and funnel it elsewhere because I don't care how "angry" you are/get.

> > You have just made a mistake.
> --

Indeed I did make a mistake...I misspelled Majordomo. Your mistake was opening your big mouth in the first place. :)

So, in short, Kiss my...well, this *IS* a public list. You can TRY to do whatever you want but I'm neither concerned nor worried. As Peter made clear, MajorDomo wasn't to blame so the incident didn't occur with majordomo either and that was my only other mistake.

I certainly feel sorry for German Web Force if you are what they have to deal with.

Now, *PLEASE*, go away,

OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Robin S. Socha
> Sent: Saturday, March 24, 2001 3:47 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: IPSEC: racoon and Win2K
>
> * oldfart@gtonet [010324 18:12]:
> > I, originally, thought it was Jorge Peixoto Vasquez posting over and
> > over until I started getting dupes of my reply too. I, then, assumed
> > it was majordomo. Just as I thought Jorge was repeat posting, a few
> > other people thought I was too. Most were civil but one was PMS'ing so
> > bad I had to filter her due to threats.
>
> Well, sweetheart, if you consider "stop posting to the list and crop
> your quotes because some people pay for their downloads" a threat,
> that's ok. I find "Suck my fucking cock you cunt, I'm NOT sending over
> and over it's majodome you dumb bitch." an amazing reaction to it
> though. Way off-topic, reply-to set.
>
> OpMLM: majordomo sucks. Bad. Amazing enough that a security list is
> running it. This incident would not have occurred with ezmlm.
> --
> Robin S. Socha
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 24 16:37:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 337D937B718 for ; Sat, 24 Mar 2001 16:37:24 -0800 (PST) (envelope-from marcr@closed-networks.com)
Received: (qmail 41965 invoked by uid 1000); 25 Mar 2001 00:40:51 -0000
Date: Sun, 25 Mar 2001 00:40:51 +0000
From: Marc Rogers
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
Message-ID: <20010325004051.Z10016@shady.org>
References: <20010324184700.D64290@kens.com>
In-Reply-To: ; from oldfart@gtonet.net on Sat, Mar 24, 2001 at 04:17:45PM -0800

jeeez.

Can't we all just get along?

Or at the very least, please take it to email, and off this list? I mean if I wanted this I'd be watching Jerry Springer, not checking my mail.

Marc Rogers
Head of Network Operations & Security
EDC Group

From owner-freebsd-security Sat Mar 24 16:38:24 2001
From: Mike Harding
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
In-Reply-To: <20010324225835.92CA07E73@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Sun, 25 Mar 2001 07:58:35 +0900)
Subject: Re: IPSEC/VPN/NAT and filtering
References: <20010324225835.92CA07E73@starfruit.itojun.org>
Message-Id: <20010325003806.090C1113CDC@netcom1.netcom.com>
Date: Sat, 24 Mar 2001 16:38:06 -0800 (PST)

I meant a kernel change to the current FreeBSD code to allow decrypted packets to bypass the packet filter, similar to what you committed to the KAME tree already. I think the change you made is sufficient; I was looking for somebody on the FreeBSD side to coordinate doc and possible kernel changes. This would be the check for the use of the M_DECRYPTED flag on the packet to bypass the packet filter. This is clearly inferior to your change; if you are planning to incorporate that into the FreeBSD releases I will just write a configuration document.

Thanks for the RFC references!

- Mike Harding

Cc: freebsd-security@freebsd.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
From: Jun-ichiro itojun Hagino
Date: Sun, 25 Mar 2001 07:58:35 +0900

>Okay, I think I know enough now to proceed in making a doc on
>interacting with a Cisco VPN, with a very minor kernel change. Can
>anybody suggest who I should contact to determine if this makes sense,
>and how I can coordinate with the FreeBSD team?

Why is a kernel change needed to interoperate with a specific implementation? Anyway, contact the KAME guys, core@kame.net or snap-users@kame.net.

>Also, Itojun, can you provide reference to 'scoped addresses' and
>'strong host model node'?

scoped addresses: IPv6 docs, like RFC2460, RFC2373, whatever.
strong host model: RFC1122.

itojun

From owner-freebsd-security Sat Mar 24 16:48:19 2001
From: "oldfart@gtonet"
To: "Marc Rogers"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: the end of it...I hope...
Date: Sat, 24 Mar 2001 16:48:06 -0800
In-Reply-To: <20010325004051.Z10016@shady.org>

Sheesh...I guess we can't. That might also explain murder and war. :)

I have nothing more to say to her (and she's been filtered) now that I've corrected her PUBLIC lies/misquote. I cannot control what other people post, but I will respond to public lies/misquotes in public, just as I'm sure you'd be eager to correct anyone who misquoted you. As far as I'm concerned, it *was* dropped until she lied/misquoted. If you were REALLY concerned with this being off the list, maybe you should have replied OFF the list yourself. :P

And it gets dropped once again,
OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marc Rogers
> Sent: Saturday, March 24, 2001 4:41 PM
> To:
> Subject: Re: IPSEC: racoon and Win2K
>
> jeeez.
>
> Can't we all just get along?
>
> Or at the very least, please take it to email, and
> off this list? I mean if I wanted this I'd be watching
> Jerry Springer, not checking my mail.
>
> Marc Rogers
> Head of Network Operations & Security
> EDC Group

From owner-freebsd-security Sat Mar 24 17:46:26 2001
Message-Id: <200103250146.RAA36357@dnull.com>
Date: Sat, 24 Mar 2001 17:46:18 -0800 (PST)
From: jessem@livecam.com
Reply-To: jessemonroy@email.com
Subject: Fwd: A Simple TCP Port Alarm
To: security@freebsd.org

------ Forwarded message ------
From: "Jesus Monroy, Jr."
Subject: A Simple TCP Port Alarm
Date: Sat, 24 Mar 2001 17:43:45 -0800
To: lsec@linux-consulting.com
Cc: security@freebsd.org
Reply-To: jessemonroy@email.com

I've written a simple TCP port alarm in Perl. The default configuration spoofs the daytime service on port 13. It logs all connections, then emails to the configured recipient.

You can check it out at: http://www.livecam.com/~jessem/software/perl/spa/spa.html

Best Regards
Jessem.

From owner-freebsd-security Sat Mar 24 18:47:34 2001
Date: Sat, 24 Mar 2001 18:47:09 -0800
From: "Crist J. Clark"
To: Chris Byrnes
Cc: scanner@jurai.net, Marc Rogers, freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
Message-ID: <20010324184709.A797@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from chris@jeah.net on Thu, Mar 22, 2001 at 11:54:25AM -0600

On Thu, Mar 22, 2001 at 11:54:25AM -0600, Chris Byrnes wrote:
> > Idiots is a subjective term. Anyway. I'll tell you why you can't just *flip
> > off* ICMP. It's an integral part of IP. http://users.worldgate.com/~marcs/mtu/
> > A lot of people need to take some "Protocol 101" classes. If you don't like
> > how ICMP works, I don't care. It's your broken network not mine. But the
> > fact is you can't filter the entire protocol without consequences. If you
> > choose to ignore said consequences, well, again it's your broken network not
> > mine. I don't care.
>
> Wow, buddy. Seriously, come on.
>
> You don't have to get personal about it. I asked a valid question, and
> people gave me some valid answers. You, however, seem personally insulted
> by the fact that I don't want ICMP turned on.

People get really peeved about ICMP breakage when someone upstream from them breaks it for them. It also is really annoying when your users start complaining to _you_ when someone else has broken their own services. I've had PMTU discovery broken by someone upstream and it is _very_ frustrating. Feel free to break your own network provided that no one else has to live with it too.

--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Sat Mar 24 19:51:57 2001
Date: Sat, 24 Mar 2001 19:52:47 -0800 (PST)
From: Brian Behlendorf
To: Kris Kennaway
Subject: Re: IPSEC: racoon and Win2K
In-Reply-To: <20010324155503.A42447@xor.obsecurity.org>

On Sat, 24 Mar 2001, Kris Kennaway wrote:
> It wasn't majordomo or anything to do with the FreeBSD.org mailing
> lists which was repeating the email. A mailing list subscriber was
> feeding list mail back into the list.

Actually, ezmlm would have prevented the loop, unless that subscriber's MTA removes the "Mailing-List:" header from the message.

Brian

From owner-freebsd-security Sat Mar 24 20:31:41 2001
Date: Sun, 25 Mar 2001 12:34:17 +0800 (WST)
Message-Id: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>
From: "Benjamin Hutton"
To: freebsd-security@freebsd.org
Subject:

I'm attempting to set up a firewall for our network. The machine is running 4.2 STABLE. I have the problem that when I enable the firewall I can no longer ping the outside world. How do I fix this?

----------------------------------
Benjamin Hutton
IT Officer Bunbury Catholic College

From owner-freebsd-security Sat Mar 24 21: 7:47 2001
Message-ID: <017c01c0b4e9$91d4dcc0$baeb3ccc@sirmoobert>
From: "Peter C. Lai"
To: "Benjamin Hutton",
References: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>
Subject: Re:
Date: Sun, 25 Mar 2001 00:06:11 -0500

By default the firewall rule is set to "deny all". Have you set up any firewall rulesets to allow the traffic that you need?

----- Original Message -----
From: "Benjamin Hutton"
To:
Sent: Saturday, March 24, 2001 11:34 PM

> I'm attempting to set up a firewall for our network. The machine is
> running 4.2 STABLE. I have the problem that when I enable the firewall
> I can no longer ping the outside world. How do I fix this?
>
> ----------------------------------
> Benjamin Hutton
> IT Officer Bunbury Catholic College
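An added example, not code from this thread, from FreeBSD or from ipfw: a toy first-match packet filter with an implicit final deny rule, used to show two things raised above in one model. First, Peter Lai's point that a firewall whose default is "deny all" blocks Benjamin's ping until rules allow the ICMP echo request out and the reply back in. Second, Crist Clark's point (and the quoted one from scanner@jurai.net) that filtering the entire ICMP protocol has consequences: a DF-flagged transfer across a narrower link silently black-holes when the "fragmentation needed" message (type 3, code 4) is dropped, while a ruleset that admits only the needed ICMP types still refuses inbound pings. The rule syntax, the `Packet`/`Rule` classes, the 1500/1400 byte MTUs and the three-retry limit are all constructed assumptions for illustration; real ipfw syntax and kernel behaviour differ.

```python
"""Toy first-match packet filter with default deny, plus a Path MTU
Discovery simulation.  Constructed model for illustration only; it is not
FreeBSD's ipfw and does not claim to reproduce its exact semantics."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed packet model: proto is "icmp", "tcp" or "udp"; direction is
# relative to the firewall host; df marks Don't Fragment.
@dataclass
class Packet:
    proto: str
    direction: str                 # "in" or "out"
    size: int = 64
    df: bool = False
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "icmp", "tcp", "udp" or "all"
    direction: str                 # "in", "out" or "any"
    icmp_types: Optional[set] = None   # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto == "icmp" and self.icmp_types is not None:
            return p.icmp_type in self.icmp_types
        return True

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; the implicit last rule denies everything,
    which is why an empty ruleset blocks ping."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# ICMP types a host needs even when it will not answer pings from outside:
# 8/0 for its own ping, 3 (unreachable, incl. code 4 "fragmentation
# needed"), 11 (time exceeded), 12 (parameter problem).
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM = 3, 11, 12

EMPTY_RULESET: List[Rule] = []                 # firewall on, no rules yet

BLOCK_ALL_ICMP: List[Rule] = [                 # "flip off ICMP" approach
    Rule("deny", "icmp", "any"),
    Rule("allow", "all", "any"),
]

SANE_RULESET: List[Rule] = [                   # admit only what is needed
    Rule("allow", "icmp", "out", {ICMP_ECHO_REQUEST}),
    Rule("allow", "icmp", "in", {ICMP_ECHO_REPLY, ICMP_UNREACH,
                                 ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}),
    Rule("allow", "tcp", "any"),
    Rule("allow", "udp", "any"),
]

def ping_works(rules: List[Rule]) -> bool:
    """Outgoing echo request and returning echo reply must both pass."""
    req = Packet("icmp", "out", icmp_type=ICMP_ECHO_REQUEST, icmp_code=0)
    rep = Packet("icmp", "in", icmp_type=ICMP_ECHO_REPLY, icmp_code=0)
    return (filter_packet(rules, req) == "allow"
            and filter_packet(rules, rep) == "allow")

def pmtud_transfer(rules: List[Rule], local_mtu: int = 1500,
                   path_mtu: int = 1400, max_tries: int = 3) -> Optional[int]:
    """Send a DF-flagged segment across a narrower link.  Returns the size
    that finally gets through, or None when the transfer black-holes because
    the router's "fragmentation needed" message never reaches the sender."""
    size = local_mtu
    for _ in range(max_tries):
        data = Packet("tcp", "out", size=size, df=True)
        if filter_packet(rules, data) != "allow":
            return None
        if size <= path_mtu:
            return size                        # fits, delivered
        # Router discards the DF packet and reports ICMP type 3 code 4.
        frag_needed = Packet("icmp", "in", icmp_type=ICMP_UNREACH, icmp_code=4)
        if filter_packet(rules, frag_needed) != "allow":
            continue                           # sender learns nothing, retries
        size = path_mtu                        # sender lowers its path MTU
    return None

if __name__ == "__main__":
    for name, rs in [("empty", EMPTY_RULESET), ("block-all-icmp", BLOCK_ALL_ICMP),
                     ("sane", SANE_RULESET)]:
        print(f"{name:15} ping={ping_works(rs)!s:5} pmtud={pmtud_transfer(rs)}")
```

Running it shows the empty ruleset failing both checks (Benjamin's symptom), the block-all-ICMP ruleset passing the bulk TCP traffic yet black-holing the 1500-byte transfer, and the selective ruleset completing the transfer at 1400 bytes while still denying an inbound echo request.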