From: Cameron S. Watters <cameron@toolhouse.com>
To: freebsd-questions@freebsd.org
Date: Mon, 25 Nov 2002 14:00:38 -0800
Subject: Re: isakmpd issues
In-Reply-To: <562F1486-00B3-11D7-8AC3-00306599D91A@toolhouse.com>
Message-Id: <5532F0DA-00C1-11D7-8AC3-00306599D91A@toolhouse.com>

Ok. I've solved my own two problems, but am replying so that this sits in the archives. One problem required a one-line change to the isakmpd source.

> a) incorrect SPD entries being added by isakmpd

solution below

> b) connection doesn't work if the FreeBSD/isakmpd box initiates

my fault. didn't realize Host A's lifetime was time & size sensitive.

> Host A is an AS/400 running OS/400 V4R5. I don't control this host,
> and have had frustrating experiences with the brain-damaged IPSec
> implementation it has. Nonetheless I get to work with it.
>
> Host B is a FreeBSD box (4.6-RELEASE) using ports/security/isakmpd as
> the IKE daemon because ports/security/racoon caused the AS/400 IPSec
> services to crash and burn.
The problem described in detail below is simply a result of the fact that the IPSec mode (tunnel vs. transport) is hardcoded in isakmpd (how nice). This was a simple change (once I figured it out...thankfully the code is well organized and the debugging output in the logs is VERY helpful...kudos to the author) to pf_key_v2.c on a line near 1973. The line looks something like this:

    ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */

I get the feeling the "/* XXX */" is a way of indicating that something needs to be fixed/changed or is incomplete, so that seems appropriate in this case. Simply replace "IPSEC_MODE_TUNNEL" with "IPSEC_MODE_TRANSPORT", recompile, and you're on your way. The quick steps as to how I did that are as follows:

    # make configure
    < edit work/isakmpd/pf_key_v2.c, and save changes >
    # make
    # make install

> A connection can successfully be established when/if the AS/400 is the
> initiator. However, if the FreeBSD/isakmpd box initiates, negotiation
> fails during phase 2 and the AS/400 sends a notify with
> "NO_PROPOSAL_CHOSEN" as the contents. I'm awaiting details of the
> AS/400's log when this occurs.
>
> When a connection IS negotiated, the SPD entries added are as such:
>
>     a.a.a.a[any] b.b.b.b[any] any
>         in ipsec
>         ah/tunnel/a.a.a.a-b.b.b.b/use
>         spid=96 seq=1 pid=41900
>         refcnt=1
>     b.b.b.b[any] a.a.a.a[any] any
>         out ipsec
>         ah/tunnel/b.b.b.b-a.a.a.a/require
>         spid=95 seq=0 pid=41900
>         refcnt=1
>
> whereas they should be like this:
>
>     a.a.a.a[any] 216.57.198.37[any] any
>         in ipsec
>         ah/transport/a.a.a.a-216.57.198.37/require
>         spid=96 seq=1 pid=41900
>         refcnt=1
>     b.b.b.b[any] a.a.a.a[any] any
>         out ipsec
>         ah/transport/b.b.b.b-a.a.a.a/require
>         spid=95 seq=0 pid=41900
>         refcnt=1

Cameron S. Watters | Programmer | 360.676.9275.105
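The following is an added example, not code from the post or from the isakmpd project. It scripts the one-line source edit described above with a guard (it refuses to touch the file unless exactly one `sadb_x_ipsecrequest_mode = IPSEC_MODE_...;` assignment is present, and keeps a `.orig` copy), and it reduces a `setkey -DP` dump of the kind quoted in the post to one `direction proto mode level src dst` row per policy so the negotiated mode can be checked after `make install`. The path `work/isakmpd/pf_key_v2.c` is the one the post names; the SPD sample is constructed from the post's dump and is not real traffic. Note that because the mode is hardcoded either way, the edit makes every SA the daemon installs transport mode, which is only what you want when all peers of this box are transport-mode peers.

```shell
#!/bin/sh
# Added example (not from the original post or from isakmpd).

# set_ipsecrequest_mode FILE MODE
#   Rewrite the single "sadb_x_ipsecrequest_mode = IPSEC_MODE_...;" assignment
#   in FILE to IPSEC_MODE_<MODE>, where MODE is TUNNEL or TRANSPORT.  Refuses
#   to edit unless exactly one such assignment exists, so a different isakmpd
#   revision is not silently mangled.  Leaves the original as FILE.orig.
set_ipsecrequest_mode() {
    file=$1; mode=$2
    case $mode in
        TUNNEL|TRANSPORT) ;;
        *) echo "bad mode: $mode (want TUNNEL or TRANSPORT)" >&2; return 2 ;;
    esac
    hits=$(grep -c 'sadb_x_ipsecrequest_mode *= *IPSEC_MODE_[A-Z]*;' "$file" || true)
    if [ "$hits" -ne 1 ]; then
        echo "expected exactly 1 mode assignment in $file, found $hits" >&2
        return 1
    fi
    cp "$file" "$file.orig"
    sed "s/\(sadb_x_ipsecrequest_mode *= *\)IPSEC_MODE_[A-Z]*;/\1IPSEC_MODE_$mode;/" \
        "$file.orig" > "$file"
    # Confirm the rewrite actually landed.
    grep -q "sadb_x_ipsecrequest_mode *= *IPSEC_MODE_$mode;" "$file"
}

# spd_modes
#   Read a 'setkey -DP' dump on stdin and print one line per policy:
#   <dir> <proto> <mode> <level> <src> <dst>
spd_modes() {
    awk '
        # Selector line is not indented: "src[port] dst[port] upperspec"
        /^[^ \t]/ { src = $1; dst = $2; next }
        # Direction line: "in ipsec", "out ipsec", "in none", ...
        $1 == "in" || $1 == "out" { dir = $1; next }
        # Rule line: proto/mode/endpoints/level, e.g. "ah/tunnel/A-B/use";
        # transport-mode rules have empty endpoints ("esp/transport//require").
        /^[ \t]*(ah|esp|ipcomp)\// {
            n = split($1, f, "/")
            printf "%s %s %s %s %s %s\n", dir, f[1], f[2], f[n], src, dst
        }
    '
}

# count_mode MODE
#   Number of policies on stdin whose mode is MODE (tunnel or transport).
count_mode() {
    spd_modes | awk -v m="$1" '$3 == m' | wc -l | tr -d ' '
}

# Constructed sample modelled on the first SPD dump quoted in the post
# (placeholder addresses, not real hosts).
SPD_SAMPLE='a.a.a.a[any] b.b.b.b[any] any
    in ipsec
    ah/tunnel/a.a.a.a-b.b.b.b/use
    spid=96 seq=1 pid=41900
    refcnt=1
b.b.b.b[any] a.a.a.a[any] any
    out ipsec
    ah/tunnel/b.b.b.b-a.a.a.a/require
    spid=95 seq=0 pid=41900
    refcnt=1
'

# Typical use from ports/security/isakmpd (not executed here):
#   make configure
#   set_ipsecrequest_mode work/isakmpd/pf_key_v2.c TRANSPORT
#   make && make install
#   setkey -DP | spd_modes          # every row should now say "transport"
```

Run against the live system, `setkey -DP | count_mode tunnel` should print `0` once the rebuilt daemon has negotiated with the AS/400; on the sample dump it prints `2`, which is the state the post describes before the edit.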