Date: Mon, 25 Nov 2002 14:00:38 -0800
From: Cameron S.Watters <cameron@toolhouse.com>
To: freebsd-questions@freebsd.org
Subject: Re: isakmpd issues
Message-ID: <5532F0DA-00C1-11D7-8AC3-00306599D91A@toolhouse.com>
In-Reply-To: <562F1486-00B3-11D7-8AC3-00306599D91A@toolhouse.com>
Ok. I've solved my own two problems, but am replying so that this sits
in the archives. One problem required a one-line change to the isakmpd
source.

> a) incorrect SPD entries being added by isakmpd

solution below

> b) connection doesn't work if the FreeBSD/isakmpd box initiates

my fault. didn't realize Host A's lifetime was time & size sensitive.

> Host A is an AS/400 running OS/400 V4R5. I don't control this host,
> and have had frustrating experiences with the brain-damaged IPSec
> implementation it has. Nonetheless I get to work with it.
>
> Host B is a FreeBSD box (4.6-RELEASE) using ports/security/isakmpd as
> the IKE daemon because ports/security/racoon caused the AS/400 IPSec
> services to crash and burn.

The problem described in detail below is simply a result of the fact
that the IPSec mode (tunnel vs. transport) is hardcoded in isakmpd (how
nice). This was a simple change (once I figured it out...thankfully the
code is well organized and the debugging output in the logs is VERY
helpful...kudos to the author) to pf_key_v2.c on a line near 1973. The
line looks something like this:

    ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */

I get the feeling the "/* XXX */" is a way of indicating that something
needs to be fixed/changed or is incomplete, so that seems appropriate in
this case. Simply replace "IPSEC_MODE_TUNNEL" with "IPSEC_MODE_TRANSPORT",
recompile, and you're on your way. The quick steps as to how I did that
are as follows:

    # make configure
    < edit work/isakmpd/pf_key_v2.c, and save changes >
    # make
    # make install

> A connection can successfully be established when/if the AS/400 is the
> initiator. However, if the FreeBSD/isakmpd box initiates, negotiation
> fails during phase 2 and the AS/400 sends a notify with
> "NO_PROPOSAL_CHOSEN" as the contents. I'm awaiting details of the
> AS/400's log when this occurs.
>
> When a connection IS negotiated, the SPD entries added are as such:
>
> a.a.a.a[any] b.b.b.b[any] any
>         in ipsec
>         ah/tunnel/a.a.a.a-b.b.b.b/use
>         spid=96 seq=1 pid=41900
>         refcnt=1
> b.b.b.b[any] a.a.a.a[any] any
>         out ipsec
>         ah/tunnel/b.b.b.b-a.a.a.a/require
>         spid=95 seq=0 pid=41900
>         refcnt=1
>
> whereas they should be like this:
>
> a.a.a.a[any] 216.57.198.37[any] any
>         in ipsec
>         ah/transport/a.a.a.a-216.57.198.37/require
>         spid=96 seq=1 pid=41900
>         refcnt=1
> b.b.b.b[any] a.a.a.a[any] any
>         out ipsec
>         ah/transport/b.b.b.b-a.a.a.a/require
>         spid=95 seq=0 pid=41900
>         refcnt=1

Cameron S. Watters | Programmer | 360.676.9275.105
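The post's diagnosis rests on reading the SPD dump by eye: the installed policies say "tunnel" where "transport" was expected, and the inbound policy is at level "use" rather than "require". The following is an added example, not code from the post or from isakmpd, that parses a setkey -DP style SPD dump in the format quoted above and reports exactly those two conditions. The sample dump is constructed from the entries in the post (placeholder addresses, not real hosts); the entry format (selector line followed by indented direction, ipsec-request and spid lines) is assumed to match the quoted output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the SPD dump quoted in the post
# (setkey -DP style output). The addresses are placeholders.
SAMPLE_SPD = """\
a.a.a.a[any] b.b.b.b[any] any
\tin ipsec
\tah/tunnel/a.a.a.a-b.b.b.b/use
\tspid=96 seq=1 pid=41900
\trefcnt=1
b.b.b.b[any] a.a.a.a[any] any
\tout ipsec
\tah/tunnel/b.b.b.b-a.a.a.a/require
\tspid=95 seq=0 pid=41900
\trefcnt=1
"""


@dataclass
class SpdEntry:
    src: str
    dst: str
    upper: str                      # upper-layer selector: "any", "tcp", ...
    direction: str = ""             # "in", "out" or "fwd"
    action: str = ""                # "ipsec", "discard" or "none"
    proto: Optional[str] = None     # "ah", "esp" or "ipcomp"
    mode: Optional[str] = None      # "tunnel" or "transport"
    level: Optional[str] = None     # "use", "require", "unique" or "default"
    spid: Optional[int] = None


# Selector line: "<src>[port] <dst>[port] <upper>"
SELECTOR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# IPsec request line: "<proto>/<mode>/<src-dst or empty>/<level>"
REQUEST_RE = re.compile(r"^(ah|esp|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)$")


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse a setkey -DP style dump. A non-indented line starts a new
    policy; indented lines describe the policy above them."""
    entries: List[SpdEntry] = []
    current: Optional[SpdEntry] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = SELECTOR_RE.match(raw.strip())
            if m is None:
                raise ValueError(f"unrecognised selector line: {raw!r}")
            current = SpdEntry(src=m.group(1), dst=m.group(2), upper=m.group(3))
            entries.append(current)
            continue
        if current is None:
            raise ValueError("indented line before any selector line")
        line = raw.strip()
        req = REQUEST_RE.match(line)
        if line.startswith(("in ", "out ", "fwd ")):
            current.direction, current.action = line.split(None, 1)
        elif req is not None:
            current.proto, current.mode, _, current.level = req.groups()
        elif line.startswith("spid="):
            current.spid = int(line.split()[0].split("=", 1)[1])
        # refcnt and any other lines carry nothing we need to check
    return entries


def audit_spd(entries: List[SpdEntry], expected_mode: str = "transport") -> List[str]:
    """Report ipsec policies whose mode differs from the one the peer was
    configured for, and policies at level 'use', which still pass traffic
    in the clear when no SA exists instead of requiring protection."""
    findings: List[str] = []
    for e in entries:
        if e.action != "ipsec":
            continue
        who = f"spid={e.spid} {e.direction} {e.src}->{e.dst}"
        if e.mode != expected_mode:
            findings.append(f"{who}: mode {e.mode}, expected {expected_mode}")
        if e.level == "use":
            findings.append(f"{who}: level 'use' also accepts unprotected traffic")
    return findings


if __name__ == "__main__":
    for finding in audit_spd(parse_spd(SAMPLE_SPD)):
        print(finding)
```

Run against the sample it reports three findings: both policies are tunnel mode where transport was expected, and the inbound one is only at level "use". Feeding it the output of `setkey -DP` on the FreeBSD host gives the same check on live policy without reading the dump by hand.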