From: Tobias Roth
To: freebsd-questions@freebsd.org
Date: Sun, 8 Jun 2003 20:59:10 +0200
Subject: racoon problem with transport mode
Message-ID: <20030608185910.GB7044@speedy.unibe.ch>
List-Id: User questions

Hi

I want to set up an ipsec
transport connection between two freebsd hosts, 192.168.0.1 (host A) and
192.168.0.66 (host B). It seems like the connection is set up correctly in
only one direction:

B# ping -c 1 192.168.0.1

A# setkey -lD
No SAD entries.
[a couple of those]
0300 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0301 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0302 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0303 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0304 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
No SAD entries.
[from now on, only those]

B# setkey -lD
No SAD entries.
[again a couple of those]
0255 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0256 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0257 esp M 09d18b19 0/big #255 192.168.0.66 -> #255 192.168.0.1
0257 esp M 051798e8 0/big #255 192.168.0.1 -> #255 192.168.0.66
[from now on, the last two lines get repeated]

A# cat racoon.log
[only interesting parts]
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.1[500] used as isakmp port (fd=5)
INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.66[500]
INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.1[500]-192.168.0.66[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.0.1[0]<=>192.168.0.66[0]
ERROR: pfkey.c:210:pfkey_handler(): pfkey UPDATE failed: Invalid argument
ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed: Invalid argument
ERROR: pfkey.c:741:pfkey_timeover(): 192.168.0.66 give up to get IPsec-SA due to time up to wait.
B# cat racoon.log
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.66[500] used as isakmp port (fd=5)
INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1 queued due to no phase1 found.
INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.0.66[500]<=>192.168.0.1[500]
INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
INFO: vendorid.c:128:check_vendorid(): received Vendor ID:KAME/racoon
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.66[500]-192.168.0.1[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.0.66[0]<=>192.168.0.1[0]
INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.168.0.1->192.168.0.66 spi=85432552(0x51798e8)
INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Transport 192.168.0.66->192.168.0.1 spi=164727577(0x9d18b19)

When I flush the SPD, pinging from both sides works. Though when I ping from
A to B instead of from B to A as above (with the SPs set), I get a
"ping: sendto: No such file or directory".

My racoon.conf files look correct to me:

A# cat racoon.conf
[heavily snipped]
path pre_shared_key "/usr/local/etc/psk.txt";
listen {
	isakmp 192.168.0.1 [500];
}
remote anonymous {
	[snip]
}
sainfo anonymous {
	[snip]
}

and on B the same except the listen part. The stuff I snipped is also
identical on both hosts; it has been taken from Dru Lavigne's onlamp tutorial
(great work, btw!). psk.txt has correct privileges and looks like this on both
hosts:

192.168.0.66 secretkey
192.168.0.1 secretkey

A# setkey -DP
[snipped a bit]
192.168.0.66[any] 192.168.0.1[any] any
	in ipsec
	esp/transport/192.168.0.66-192.168.0.1/require
192.168.0.1[any] 192.168.0.66[any] any
	out ipsec
	esp/transport/192.168.0.1-192.168.0.66/require

Ok, I think that's all the information that is important.
I don't really know where to look for the problem: is it a problem at phase 2,
or is phase 1 briefly established and then somehow collapses, and therefore
the problem is at phase 1? Can I rule out a routing problem, due to the fact
that with a flushed SPD, pinging works? The firewall is set to let everything
pass, btw. Is it a problem that both hosts are on the same subnet?

Any help is appreciated, and please tell me if you need more information.

thx in advance, t.
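Since the open question is whether the failure is at phase 1 or phase 2, the following log triage script is added here as an example (it is not part of the original post, of racoon, or of FreeBSD). It parses the two racoon.log excerpts quoted above, embedded verbatim as sample input, and reports the last stage each host reached: ISAKMP-SA (phase 1) established, phase 2 started, IPsec-SAs installed, or a pfkey error from the kernel. Mapping racoon's source function names (log_ph1established, isakmp_ph2begin_*, pk_recvupdate, pk_recvadd, pfkey_handler, pfkey_timeover) to stages is my assumption based on these excerpts; the names and messages differ between racoon versions.

```python
import re
from dataclasses import dataclass, field

# Sample input: the racoon.log excerpts quoted in the post.
# Host A is the responder, host B the initiator.
HOST_A_LOG = """\
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.1[500] used as isakmp port (fd=5)
INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.66[500]
INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.1[500]-192.168.0.66[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.0.1[0]<=>192.168.0.66[0]
ERROR: pfkey.c:210:pfkey_handler(): pfkey UPDATE failed: Invalid argument
ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed: Invalid argument
ERROR: pfkey.c:741:pfkey_timeover(): 192.168.0.66 give up to get IPsec-SA due to time up to wait.
"""

HOST_B_LOG = """\
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.66[500] used as isakmp port (fd=5)
INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1 queued due to no phase1 found.
INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.0.66[500]<=>192.168.0.1[500]
INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
INFO: vendorid.c:128:check_vendorid(): received Vendor ID:KAME/racoon
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.0.66[500]-192.168.0.1[500] spi:591b8a7c82d7c22f:2146f0ef2fc89438
INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.0.66[0]<=>192.168.0.1[0]
INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.168.0.1->192.168.0.66 spi=85432552(0x51798e8)
INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Transport 192.168.0.66->192.168.0.1 spi=164727577(0x9d18b19)
"""

# One racoon log line has the shape: LEVEL: file.c:line:function(): message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+): (?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)


@dataclass
class Summary:
    phase1_established: bool = False
    phase2_started: bool = False
    ipsec_sas: list = field(default_factory=list)     # "ESP/Transport a->b spi=..."
    pfkey_errors: list = field(default_factory=list)  # kernel refused an SADB operation
    gave_up: bool = False                             # racoon timed out waiting for the SA


def parse_line(line):
    """Return the fields of one racoon log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Walk a racoon.log excerpt and record how far the IKE exchange got.
    Assumption: the function names below mark the stages as in the post's excerpts."""
    s = Summary()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "log_ph1established":
            s.phase1_established = True
        elif func in ("isakmp_ph2begin_i", "isakmp_ph2begin_r"):
            s.phase2_started = True
        elif func in ("pk_recvupdate", "pk_recvadd") and "IPsec-SA established: " in msg:
            s.ipsec_sas.append(msg.split("IPsec-SA established: ", 1)[1])
        elif rec["level"] == "ERROR" and func == "pfkey_handler":
            s.pfkey_errors.append(msg)
        elif func == "pfkey_timeover":
            s.gave_up = True
    return s


def diagnose(s):
    """Name the stage at which the IPsec setup stopped."""
    if not s.phase1_established:
        return "phase 1 (ISAKMP-SA) never completed"
    if not s.phase2_started:
        return "phase 1 up, phase 2 never started"
    if s.pfkey_errors:
        # IKE negotiated phase 2, but the kernel refused the SADB update/add,
        # so the failure is at SA installation, after the IKE exchange itself.
        return ("phase 2 negotiated, but the kernel rejected the SA (pfkey): "
                + "; ".join(s.pfkey_errors))
    if s.gave_up or len(s.ipsec_sas) < 2:
        return "phase 2 incomplete: %d of 2 IPsec-SAs installed" % len(s.ipsec_sas)
    return "both IPsec-SAs installed"


if __name__ == "__main__":
    for name, log in (("A", HOST_A_LOG), ("B", HOST_B_LOG)):
        print(name + ":", diagnose(summarize(log)))
```

Run on the two excerpts, the script reports that host B installed both IPsec-SAs while host A negotiated phase 2 but had its pfkey UPDATE and ADD rejected by the kernel, which places the fault after phase 1 and at SA installation rather than in the IKE exchange. On a live system, feed it `cat /var/log/racoon.log` or whichever file racoon logs to.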