From: Andrew Thomson
To: Kris Kennaway
cc: freebsd-questions@freebsd.org
Subject: Re: ipsec changes in 5.2
Date: Wed, 21 Jan 2004 16:04:47 +1100
Message-Id: <1074661486.2786.10.camel@itouch-1011.prv.au.itouchnet.net>
In-Reply-To: <20040121033854.GA29338@xor.obsecurity.org>

Can't quite access my laptop from work so I've replicated the scenario here at work on my 5.2 desktop.

My host: 192.168.13.202
Firewall: 192.168.13.1

Just recompiled kernel with IPSEC options and installed racoon.
Install the following as per previous setup:

spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.13.202-192.168.13.1/require;
spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec esp/tunnel/192.168.13.1-192.168.13.202/require;

Have an all.log tail and a tcpdump on xl0 listening for my ip or the firewall ip.

I then try a single ping to the firewall.

ping -c 1 192.168.13.1
PING 192.168.13.1 (192.168.13.1): 56 data bytes
64 bytes from 192.168.13.1: icmp_seq=0 ttl=64 time=0.373 ms

--- 192.168.13.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms

ajt@itouch-1011:~ > ping -c 1 192.168.13.1
PING 192.168.13.1 (192.168.13.1): 56 data bytes

--- 192.168.13.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

all.log

Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:1682:isakmp_post_acquire(): IPsec-SA request for 192.168.13.1 queued due to no phase1 found.
Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:796:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.13.202[500]<=>192.168.13.1[500]
Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:801:isakmp_ph1begin_i(): begin Aggressive mode.
Jan 21 15:56:51 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.13.1->192.168.13.202
Jan 21 15:56:51 1011 racoon: INFO: isakmp.c:1779:isakmp_chkph1there(): delete phase 2 handler.
Jan 21 15:57:00 1011 racoon: INFO: isakmp.c:1701:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Jan 21 15:57:32 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.13.1->192.168.13.202

However as soon as I setkey -FP and try the ping again... It works.. and it's only once SPD entries are cleared that I see anything on xl0 - previously with the SPD in place there was nothing.
Especially the udp 500 communication that is obviously essential to setting up the VPN appears..!

Any tips appreciated...

Again this worked between a 5.0 <-> 4.9p1 host setup.

thanks,

ajt.

On Wed, 2004-01-21 at 14:38, Kris Kennaway wrote:
> On Tue, Jan 20, 2004 at 10:29:51AM +1100, Andrew Thomson wrote:
> > I'm really more interested in changes wrt ipsec since 5.0! ;)
> >
> > I just upgraded my laptop from 5.0 to 5.2 the other day and now my IPSEC
> > VPN doesn't work.
> >
> > I run a VPN over my wireless adhoc network at home.
> >
> > There are just two hosts on the network, the firewall and the laptop.
> >
> > The firewall is running Freebsd 4.8.
> >
> > When my laptop was on 5.0 the following setup worked a treat. However
> > since the upgrade, the VPN has stopped working.
>
> Is anything logged by the kernel? What does tcpdump show happening on
> the wire?
>
> Kris
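Added example, not part of the thread and not code from racoon or setkey: a small model of the SPD lookup that gives one explanation consistent with the symptom above (nothing, not even UDP 500, on xl0 while the two catch-all "require" policies are loaded), and shows what an explicit bypass policy for IKE between the two peers changes. It parses the post's own spdadd lines; the bypass lines are constructed, and first-match-in-insertion-order with pass-in-clear when nothing matches is the model's assumption, to be checked against setkey(8) on the real host.

```python
"""Model of the SPD lookup behind the symptom in the post: a catch-all "require"
policy also covers racoon's own IKE packets (UDP 500), so with no SA yet the kernel
drops them and raises an ACQUIRE rather than sending them.  Simplified model:
policies are tried in insertion order, first match wins, no match = pass in clear."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    sport: "int | None"
    dst: ipaddress.IPv4Network
    dport: "int | None"
    proto: str      # "any", "udp", "icmp", ...
    direction: str  # "in" or "out"
    action: str     # "ipsec" (needs an SA) or "none" (bypass)

def _endpoint(tok):
    # setkey address syntax: "A.B.C.D/len" or "A.B.C.D[port]" (prefix optional).
    port = None
    if "[" in tok:
        tok, p = tok.split("[")
        port = int(p.rstrip("]"))
    return ipaddress.ip_network(tok, strict=False), port

def parse_spdadd(line):
    """Parse 'spdadd SRC DST PROTO -P DIR ACTION [esp/...];' into a Policy."""
    tok = line.strip().rstrip(";").split()
    if tok[0] != "spdadd" or tok[4] != "-P":
        raise ValueError(f"unsupported spdadd line: {line!r}")
    (src, sport), (dst, dport) = _endpoint(tok[1]), _endpoint(tok[2])
    return Policy(src, sport, dst, dport, tok[3], tok[5], tok[6])

def lookup(spd, src, dst, proto, direction, sport=None, dport=None):
    """Action of the first matching policy, or 'none' when nothing matches."""
    for p in spd:
        if (p.direction == direction and p.proto in ("any", proto)
                and ipaddress.ip_address(src) in p.src
                and ipaddress.ip_address(dst) in p.dst
                and p.sport in (None, sport) and p.dport in (None, dport)):
            return p.action
    return "none"

HOST, FW = "192.168.13.202", "192.168.13.1"
ORIGINAL = [parse_spdadd(l) for l in (  # the two policies from the post
    f"spdadd {HOST}/32 0.0.0.0/0 any -P out ipsec esp/tunnel/{HOST}-{FW}/require;",
    f"spdadd 0.0.0.0/0 {HOST}/32 any -P in ipsec esp/tunnel/{FW}-{HOST}/require;")]
WITH_BYPASS = [parse_spdadd(l) for l in (  # constructed IKE bypass, installed first
    f"spdadd {HOST}[500] {FW}[500] udp -P out none;",
    f"spdadd {FW}[500] {HOST}[500] udp -P in none;")] + ORIGINAL
```

Outside the model, the equivalent check on the host is whether `tcpdump -ni xl0 udp port 500` shows anything while racoon is starting phase 1.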