From owner-freebsd-security Fri Oct 26 16: 9:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from boromir.vpop.net (dns1.vpop.net [206.117.147.2]) by hub.freebsd.org (Postfix) with ESMTP id 0523437B403 for ; Fri, 26 Oct 2001 16:09:44 -0700 (PDT)
Received: from vpop.net (bilbo.vpop.net [63.231.252.113]) by boromir.vpop.net (8.11.4/8.11.4) with ESMTP id f9QN9cR96969; Fri, 26 Oct 2001 16:09:39 -0700 (PDT) (envelope-from mreimer@vpop.net)
Message-ID: <3BD9EDE2.9944FB32@vpop.net>
Date: Fri, 26 Oct 2001 18:12:34 -0500
From: Matthew Reimer
Organization: VPOP Technologies, Inc.
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
To: freebsd-security@freebsd.org
Subject: Re: Racoon IPSEC issues

Attached is a simple patch that fixes it for me.

Matt

Colin Legendre wrote:
>
> I started having this problem with a win2k-freebsd4.4 setup. It was working
> fine until I upgraded racoon from 20010831a to 20011016a, then this problem
> started.
>
> BTW, any idea how to roll back to racoon 20010831a?
>
> Colin Legendre CCNA, MCP
> sudz@ns3g.com
> http://www.ns3g.com
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Eric Anderson
> Sent: Thursday, September 06, 2001 10:03 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: Racoon IPSEC issues
>
> Ok, I have been setting up VPNs using IPSEC tunnel mode (ESP) with
> Racoon on FreeBSD 4.2 for some time now. I have 4 currently running
> just fine, and the 3 newest VPNs don't work. It appears as though the
> Racoons aren't talking to each other correctly. I have 1 VPN "server"
> that all the clients connect to, and the clients are small machines
> running from compact flash cards (a stripped down 30Mb freebsd 4.2
> setup). I use the GIF interfaces to connect the VPNs together.
> gif0, 1, 3 and 4 are connected to VPNs that are up and running. Not that the
> gifs have anything to do with it, just extra info. Is there something
> I'm missing? I have tried configuring the non-working boxes just like
> the working ones, etc. I'm out of ideas!
>
> Here are some blurps from my logs on the vpn "server" box:
>
> 2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
> 2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
> 2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
> 2001-09-06 08:51:55: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
> 2001-09-06 08:51:55: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
> 2001-09-06 08:51:55: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
> 2001-09-06 08:52:00: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> 2001-09-06 08:52:19: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde new phase 1 negotiation: xx.yy.zz.60[500]<=>xx.yy.zz.128[500]
> 2001-09-06 08:52:19: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin Aggressive mode.
> 2001-09-06 08:52:20: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA established xx.yy.zz.60[500]-xx.yy.zz.128[500] spi:9c0e0730a89724fc:34e869a34c12cf49
> 2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
> 2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
> 2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
> 2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
> 2001-09-06 08:52:21: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
> 2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
> 2001-09-06 08:52:32: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> 2001-09-06 08:52:32: ERROR: isakmp.c:1676:isakmp_chkph1there(): phase1 negotiation failed due to time up.
> 2001-09-06 08:52:32: INFO: isakmp.c:1678:isakmp_chkph1there(): delete phase 2 handler.
>
> Help please!
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
> Truth is more marvelous than mystery.
> -------------------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

[Attachment: isakmp_quick.c.patch]

--- isakmp_quick.c.orig	Fri Oct 26 15:51:14 2001
+++ isakmp_quick.c	Fri Oct 26 15:51:30 2001
@@ -2017,7 +2017,7 @@
 	}
 
 	/* set new proposal derived from a policy into the iph2->proposal. */
-	if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
+	if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to create saprop.\n");
 		return ISAKMP_INTERNAL_ERROR;
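Review bot: swapping sp_in and sp_out at this single call site leaves no record of why the old order was wrong, and nothing in the hunk shows the parameter list of set_proposal_from_policy(). Since that is the function emitting "not supported nested SA. Ignore." and "There is a difference between the in/out bound policies." in the quoted logs, the patch description (or a one-line comment above the call) should say which argument it treats as the primary policy and which as its mirror, and whether any other caller still passes them in the old order; without that, the next reader will see the swap as a typo and put it back. Naming the racoon snapshot the patch is against would also help, given Colin reports the breakage appearing between 20010831a and 20011016a.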
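The two ERROR lines from set_proposal_from_policy() in the quoted logs describe the administrator's SPD as racoon sees it: a selector whose policy carries more than one ipsec request, and an in/out pair of policies that do not mirror each other. As an added example (not code from racoon, from the patch, or from any poster), here is a Python lint that reads a setkey(8) spdadd script and reports those two conditions before the script is loaded, plus the obvious neighbours (a selector with only one direction, or a duplicate). The spdadd lines, prefixes and gateway addresses in it are constructed, and the mirror rule it applies (same protocol, mode and level, tunnel endpoints reversed) is my reading of what "in/out bound policies" must agree on, not racoon's own check.

```python
"""Lint a setkey(8) SPD script for the two conditions behind the racoon
errors quoted in the thread.  Added example, not code from racoon or from
any poster; the spdadd lines and addresses below are constructed."""
import re
from collections import defaultdict

# spdadd SRC DST UPPERSPEC -P DIR ipsec REQUEST [REQUEST ...] ;
SPDADD = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+"
    r"(?P<dir>in|out)\s+ipsec\s+(?P<reqs>.*?)\s*;$")
# REQUEST is proto/mode/[SRC-DST]/level, e.g. esp/tunnel/192.0.2.1-198.51.100.1/require
# or ah/transport//require (no endpoints in transport mode).
REQUEST = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)"
    r"(?:/(?:(?P<a>[^-/]+)-(?P<b>[^-/]+))?)?"
    r"/(?P<level>default|use|require|unique(?::\d+)?)$")


def parse_spd(text):
    """Return one dict per spdadd line; comments and other setkey commands
    are skipped, a malformed spdadd line raises ValueError."""
    policies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD.match(line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, line))
        reqs = []
        for tok in m["reqs"].split():
            rm = REQUEST.match(tok)
            if not rm:
                raise ValueError("line %d: bad ipsec request %r" % (lineno, tok))
            reqs.append(rm.groupdict())
        policies.append({"line": lineno, "src": m["src"], "dst": m["dst"],
                         "upper": m["upper"], "dir": m["dir"], "reqs": reqs})
    return policies


def lint_spd(text):
    """Return a list of problem strings; empty means every selector has an
    in and an out policy, each with exactly one ipsec request, and the two
    requests mirror each other (same proto/mode/level, endpoints reversed)."""
    problems = []
    # Key each pair by its outbound selector: the inbound policy for the same
    # traffic has src and dst swapped.
    pairs = defaultdict(dict)
    for p in parse_spd(text):
        key = ((p["src"], p["dst"], p["upper"]) if p["dir"] == "out"
               else (p["dst"], p["src"], p["upper"]))
        if p["dir"] in pairs[key]:
            problems.append("line %d: duplicate %s policy for %s -> %s"
                            % (p["line"], p["dir"], key[0], key[1]))
        pairs[key][p["dir"]] = p
    for (src, dst, upper), pair in sorted(pairs.items()):
        for d in ("in", "out"):
            if d not in pair:
                problems.append("%s -> %s %s: no %s policy" % (src, dst, upper, d))
        for p in pair.values():
            if len(p["reqs"]) > 1:
                # the case racoon logs as "not supported nested SA. Ignore."
                problems.append("line %d: %d ipsec requests (nested SA)"
                                % (p["line"], len(p["reqs"])))
        if "in" in pair and "out" in pair:
            o, i = pair["out"]["reqs"][0], pair["in"]["reqs"][0]
            if (o["proto"], o["mode"], o["level"]) != (i["proto"], i["mode"], i["level"]):
                problems.append("%s -> %s: in/out differ in proto, mode or level"
                                % (src, dst))
            if (o["a"], o["b"]) != (i["b"], i["a"]):
                problems.append("%s -> %s: endpoints not mirrored (out %s-%s, in %s-%s)"
                                % (src, dst, o["a"], o["b"], i["a"], i["b"]))
    return problems


# Constructed sample: tunnel-mode ESP between gateways 192.0.2.1 and 198.51.100.1.
GOOD_SPD = """
spdflush;
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
"""

# Constructed sample with both faults: a second (nested) request on the out
# policy, and an in policy still naming an old peer address.
BAD_SPD = """
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require ah/transport//require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.9-192.0.2.1/require;
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SPD), ("bad", BAD_SPD)):
        print(name + ":", lint_spd(cfg) or "ok")
```

Run it over the script you feed to `setkey -f` on each gateway; a clean result on both ends rules out the SPD before you start comparing racoon.conf proposals or, as in Colin's case, rolling racoon back to an earlier snapshot.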