Date: Sun, 8 Jun 2003 20:59:10 +0200
From: Tobias Roth <roth@iam.unibe.ch>
To: freebsd-questions@freebsd.org
Subject: racoon problem with transport mode
Message-ID: <20030608185910.GB7044@speedy.unibe.ch>
Hi

I want to set up an ipsec transport connection between two freebsd hosts,
192.168.0.1 (host A) and 192.168.0.66 (host B). It seems like the connection
is set up correctly in only one direction:

B# ping -c 1 192.168.0.1

A# setkey -lD
No SAD entries.
[a couple of those]
0300 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0301 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0302 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0303 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0304 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
No SAD entries.
[from now on, only those]

B# setkey -lD
No SAD entries.
[again a couple of those]
0255 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0256 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0257 esp M 09d18b19 0/big #255 192.168.0.66 -> #255 192.168.0.1
0257 esp M 051798e8 0/big #255 192.168.0.1 -> #255 192.168.0.66
[from now on, the last two lines get repeated]

A# cat racoon.log
[only interesting parts]
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.1[500] used as isakmp port (fd=5)
INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.66[500]
INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.1[500]-192.168.0.66[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.0.1[0]<=>192.168.0.66[0]
ERROR: pfkey.c:210:pfkey_handler(): pfkey UPDATE failed: Invalid argument
ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed: Invalid argument
ERROR: pfkey.c:741:pfkey_timeover(): 192.168.0.66 give up to get IPsec-SA due to time up to wait.

B# cat racoon.log
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.66[500] used as isakmp port (fd=5)
INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1 queued due to no phase1 found.
INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.0.66[500]<=>192.168.0.1[500]
INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
INFO: vendorid.c:128:check_vendorid(): received Vendor ID:KAME/racoon
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.66[500]-192.168.0.1[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.0.66[0]<=>192.168.0.1[0]
INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.168.0.1->192.168.0.66 spi=85432552(0x51798e8)
INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Transport 192.168.0.66->192.168.0.1 spi=164727577(0x9d18b19)

When I flush the SPD, pinging from both sides works. Though when I ping from
A to B instead of from B to A as above (with the SPs set), I get a
"ping: sendto: No such file or directory".

My racoon.conf files look correct to me:

A# cat racoon.conf
[heavily snipped]
path pre_shared_key "/usr/local/etc/psk.txt";
listen {
	isakmp 192.168.0.1 [500];
}
remote anonymous {
	[snip]
}
sainfo anonymous {
	[snip]
}

and on B the same except the listen part. The stuff I snipped is also
identical on both hosts, it has been taken from Dru Lavigne's onlamp tutorial
(great work, btw!).

psk.txt has correct privileges and looks like this on both hosts:

192.168.0.66 secretkey
192.168.0.1 secretkey

A# setkey -DP
[snipped a bit]
192.168.0.66[any] 192.168.0.1[any] any
	in ipsec
	esp/transport/192.168.0.66-192.168.0.1/require
192.168.0.1[any] 192.168.0.66[any] any
	out ipsec
	esp/transport/192.168.0.1-192.168.0.66/require

Ok, I think that's all information that is important.
I don't really know where to look for the problem: is it a problem at phase 2,
or is phase 1 briefly established and then somehow collapses, and therefore
the problem is at phase 1? Can I rule out a routing problem, due to the fact
that with a flushed SPD, pinging works? The firewall is set to let everything
pass, btw. Is it a problem that both hosts are on the same subnet?

Any help is appreciated, and please tell me if you need more information.

thx in advance, t.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030608185910.GB7044>
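An added diagnostic, not part of the message above and not code from racoon or setkey: it cross-checks a `setkey -DP` policy dump against a `setkey -D` SA dump and reports every direction that a `require` policy demands but for which no mature SA exists. The sample dumps are the ones quoted in the message (host A's SPD is assumed to be mirrored on host B, so both hosts require both directions). It also assumes that the single-letter column of the SA dump is the PF_KEY SA state, L for larval and M for mature; that reading is an assumption, not something the message states.

```python
"""Cross-check a setkey SPD dump against a SAD dump.

For every policy with level 'require', look for a mature SA in the
direction (src -> dst) named by the policy's ipsec request. A host whose
SAD only ever shows larval entries for a required direction cannot pass
traffic under that policy, which is the symptom in the message above.
"""
import re
from collections import defaultdict

# Sample dumps copied from the message above (host A and host B).
SAD_HOST_A = """\
No SAD entries.
0300 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0301 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0302 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
"""
SAD_HOST_B = """\
0255 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0256 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0257 esp M 09d18b19 0/big #255 192.168.0.66 -> #255 192.168.0.1
0257 esp M 051798e8 0/big #255 192.168.0.1 -> #255 192.168.0.66
"""
# Host A's SPD from the message; assumed to be mirrored on host B, so the
# set of required directions is the same on both sides.
SPD_HOST_A = """\
192.168.0.66[any] 192.168.0.1[any] any
    in ipsec
    esp/transport/192.168.0.66-192.168.0.1/require
192.168.0.1[any] 192.168.0.66[any] any
    out ipsec
    esp/transport/192.168.0.1-192.168.0.66/require
"""

# One SAD line: seq, protocol, state letter, SPI (hex), lifetime column,
# "#<n> src -> #<n> dst". Assumption: the single letter is the PF_KEY SA
# state, L = larval (keys not yet installed), M = mature (usable).
SAD_LINE = re.compile(
    r"(\d+)\s+(esp|ah|ipcomp)\s+([A-Z])\s+([0-9a-fA-F]+)\s+\S+\s+"
    r"#\d+\s+(\S+)\s+->\s+#\d+\s+(\S+)"
)
# The ipsec request inside an SPD entry: protocol/mode/src-dst/level.
SPD_RULE = re.compile(
    r"(esp|ah|ipcomp)/(transport|tunnel)/([^\s/-]+)-([^\s/]+)/"
    r"(require|use|default|unique)"
)


def parse_sad(text):
    """Return {(src, dst): {"mature": {spi, ...}, "larval": {spi, ...}}}."""
    sas = defaultdict(lambda: {"mature": set(), "larval": set()})
    for m in SAD_LINE.finditer(text):
        _seq, _proto, state, spi, src, dst = m.groups()
        bucket = "mature" if state == "M" else "larval"
        sas[(src, dst)][bucket].add(int(spi, 16))
    return dict(sas)


def parse_spd(text):
    """Return [(proto, mode, src, dst, level), ...] for every ipsec request."""
    return [m.groups() for m in SPD_RULE.finditer(text)]


def missing_sas(spd_text, sad_text):
    """Directions the SPD requires that have no mature SA in the SAD."""
    sas = parse_sad(sad_text)
    missing = []
    for proto, mode, src, dst, level in parse_spd(spd_text):
        if level != "require":
            continue
        entry = sas.get((src, dst), {"mature": set(), "larval": set()})
        if not entry["mature"]:
            missing.append({"src": src, "dst": dst, "proto": proto,
                            "mode": mode,
                            "larval_spis": sorted(entry["larval"])})
    return missing


if __name__ == "__main__":
    for host, sad in (("A", SAD_HOST_A), ("B", SAD_HOST_B)):
        gaps = missing_sas(SPD_HOST_A, sad)
        if not gaps:
            print(f"host {host}: every required direction has a mature SA")
        for g in gaps:
            spis = ", ".join(hex(s) for s in g["larval_spis"]) or "none"
            print(f"host {host}: no mature {g['proto']}/{g['mode']} SA "
                  f"{g['src']} -> {g['dst']} (larval SPIs: {spis})")
```

Run as a script it reports host A as missing a mature SA in both required directions (only a larval 192.168.0.66 -> 192.168.0.1 entry exists) and host B as complete, which matches the one-sided behaviour described in the message. On a live system, feed it the output of `setkey -DP` and `setkey -D` from the host whose traffic is failing.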