Date: Sat, 26 Jun 2004 17:36:13 +0200 (CEST) From: Lupe Christoph <lupe@lupe-christoph.de> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/68396: Racoon racoon-20040617a Interoperability with Free/OpenSWAN Message-ID: <20040626153613.0F9A5154@firewally.lupe-christoph.de> Resent-Message-ID: <200406261550.i5QFoLuv060614@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 68396 >Category: ports >Synopsis: Racoon racoon-20040617a Interoperability with Free/OpenSWAN >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jun 26 15:50:21 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Lupe Christoph >Release: FreeBSD 4.10-RELEASE i386 >Organization: >Environment: System: FreeBSD firewally.lupe-christoph.de 4.10-RELEASE FreeBSD 4.10-RELEASE #1: Mon Jun 7 12:30:40 CEST 2004 root@firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386 >Description: I just upgraded from racoon-20040408a to racoon-20040617a. Two of my tunnels with FreeS/WAN or OpenSWAN machines ceased to operate. Error is: DEBUG: isakmp.c:1143:isakmp_parsewoh(): invalid length of payload ERROR: isakmp.c:1061:isakmp_ph2begin_r(): failed to pre-process packet. The only FreeS/WAN tunnel that works with racoon-20040617a is the one that uses CA-signed certificates. The ones that do not operate use self-signed certificates and PSKs. I have also a zoo of versions (pluto versions below): CA-signed certificates FreeS/WAN 1.96 self-signed certificates Linux FreeS/WAN 2.1.3 PSKs FreeS/WAN 1.95 So it is unlikely that this is a bug in Free/OpenSWAN - the non-working versions bracket the working one. From what I understand from the packet dumps, the decryption fails. Here is a decrypted packet from racoon-20040617a: 34b8e3aa 257dd793 e0150c9b b835f3b1 05100201 00000000 00000134 40621e14 c67ac9b0 62756578 652e622d 352e6465 00000104 1d3029b9 8349f993 e8a29377 6241c9be 74023533 cd262968 47673407 b64ef047 82757682 86592393 4d01f5af 76b949e0 5ca485df 332865fd 213af245 cc57671b 1adb295e c4aef1a4 2e5388fc e939e763 a22660b8 a6524dff e91d5a04 78f7c054 aa21fe0a a3597463 dc537be1 edc7d1d9 d196c048 c75493c5 9478d3fb b780aa58 ffdfd20f 57b3cf77 ec0c66ca 357cf5f7 a44745a6 29d6c43a 8bcea1c2 50efa970 0e364fec 1aca2d62 662eaa7a 45d86331 921b3440 ade57f6b 0b14fd32 406bf7f8 e7f51cf9 5008f1e0 d9b30379 67d45bda d6174e91 57856637 462163d7 4eb93ab5 b74818e6 bfea0817 73702f04 c15add31 11054e58 19a92161 f174b05b 09367861 and here is probably the same thing decoded by racoon-20040408a: e637e4fe 805a1ec2 22eac8ab ba9d8f8b 05100201 00000000 00000134 09000014 02000000 62756578 652e622d 352e6465 00000104 02024668 9a977225 0f016ba6 6e304bdd c3779703 8342e7d1 6395ea79 621d4f16 fa8788db 7f8ff93b 2e7639c5 8e2879be c11dfbf5 0130bbe3 10a52893 65348112 13a82ca4 90fee998 fe2b9e06 1d8313d3 380c60d3 2c0d13fd 6dac45c6 75ad210f 91b2e998 6851521f d182878a 5851b979 5b4a9a4d 9a39f696 a7829acb f49d9a90 80bc0f29 98edfe36 246026c4 1f0c808e bc4bbd30 9ba07af6 5b68d985 6f69bf87 32794d36 9af05dc1 a3e00041 5c4b8301 50f6a87f acf2e114 0700f66d 1c07b2b5 00afec4e 3305181a d89b4565 d0de58cb 7c24cd31 ddab7b79 ab0674fa 71d9b8c2 256bbffa 07a09a12 716a138c a753d48f 2445d869 842fa0ee 6f2d4fd6 674617cd The first packet looks like IPSec gibberish to me. 40621e14 is not a valid Payload Header. What is a payload of 0x40? And the RESERVED is not zero. While the second packet decodes fine. 28 bytes of header 20 bytes of Identification "buexe.b-5.de" 260 bytes of signature --- 308 bytes packet >How-To-Repeat: I have no easy way of repeating this. Set up a Linux box with <any>SWAN, use Certificates. >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040626153613.0F9A5154>