Date: Wed, 31 Jul 2002 08:56:26 +0200
From: "Cezary Nolewajka" <c.nolewajka@m2mob.com>
To: <freebsd-questions@freebsd.org>
Subject: FreeBSD and CISCO Pix IPSec VPN - problem (long)
Message-ID: <KCENJJGIFEAMJNMADNOPKEAICBAA.c.nolewajka@m2mob.com>
Hello everybody,

I have a general problem setting up an IPSec VPN connection between FreeBSD and a Cisco router/Pix. I got to the stage where both machines can see each other and start the phase 1 negotiation, which succeeds, but they fail at stage 2. The racoon -F output says get_ph2approvalx(): not matched, and therefore no policy is found. It seems that I have a problem with my or the Pix's configuration. I browsed all the net archives and pages I could find on VPN/IPSec installation and configuration on FreeBSD and failed to find a solution. If there is anything you could suggest, or if you have even solved such a problem, I would be grateful for any kind of help or support. Below I have attached some of the configuration and debugging information concerning the IPSec setup.

Regards,
Cezary Nolewajka
mailto:czarek@homemail.com

PS. The full debug output (not shortened) can be found at:
http://klub.chip.pl/nolewajk/temp/fbsdvpn.txt (100kb)

IFCONFIG:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::2c0:dfff:fe13:c4b2%rl0 prefixlen 64 scopeid 0x1
        ether 00:c0:df:13:c4:b2
        media: Ethernet autoselect (100baseTX)
        status: active
rl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet xxx.xxx.xxx.70 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
        inet6 fe80::220:edff:fe32:2c79%rl1 prefixlen 64 scopeid 0x2
        ether 00:20:ed:32:2c:79
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet xxx.xxx.xxx.70 --> yyy.yyy.yyy.62
        inet6 fe80::2c0:dfff:fe13:c4b2%gif0 prefixlen 64 scopeid 0x8
        inet 10.0.0.1 --> 192.168.5.55 netmask 0xffffff00

-------------------------------------------------------------------
SETKEY -PD:

192.168.5.55[any] 10.0.0.1[any] any
        in ipsec
        esp/tunnel/yyy.yyy.yyy.62-xxx.xxx.xxx.70/require
        spid=4 seq=1 pid=244
        refcnt=1
10.0.0.1[any] 192.168.5.55[any] any
        out ipsec
        esp/tunnel/xxx.xxx.xxx.70-yyy.yyy.yyy.62/require
        spid=3 seq=0 pid=244
        refcnt=1

--------------------------------------------------------------------
GIFCONFIG:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet6 fe80::2c0:dfff:fe13:c4b2%gif0 prefixlen 64
        inet 10.0.0.1 --> 192.168.5.55 netmask 0xffffff00
        physical address inet xxx.xxx.xxx.70 --> yyy.yyy.yyy.62

--------------------------------------------------------------------
RACOON.CONF:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        isakmp xxx.xxx.xxx.70 [500];
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote yyy.yyy.yyy.62 [500]
{
        #exchange_mode aggressive,main;
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address 10.0.0.1;
        peers_identifier address 192.168.5.55;

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        #lifetime byte 5000 kb; # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                lifetime time 3600 sec;
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1;
        }
}

sainfo address xxx.xxx.xxx.70 any address yyy.yyy.yyy.62 any
{
        pfs_group 1;
        lifetime time 3600 sec;
        #lifetime byte 50 MB;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        #authentication_algorithm non_auth;
        compression_algorithm deflate;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1;
        }
}

remote ::1 [8000]
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
        pfs_group 1;
        lifetime time 60 sec;
        encryption_algorithm 3des, cast128, blowfish 448, des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

--------------------------------------------------------------------------
NETSTAT -nr:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            xxx.xxx.xxx.254    UGSc        3   179667    rl1
10/24              link#1             UC          2        0    rl0
10.0.0.100         00:c0:df:13:25:3b  UHLW        0     8042    rl0   1187
10.0.0.101         00:c0:df:13:25:39  UHLW        4    39888    rl0    898
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.5.55       10.0.0.1           UH          0      392   gif0
212.244.99         link#2             UC          1        0    rl1
xxx.xxx.xxx.254    00:50:73:09:f0:81  UHLW        2        0    rl1   1194

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%rl0/64                     link#1                        UC          rl0
fe80::2c0:dfff:fe13:c4b2%rl0      00:c0:df:13:c4:b2             UHL         lo0
fe80::%rl1/64                     link#2                        UC          rl1
fe80::220:edff:fe32:2c79%rl1      00:20:ed:32:2c:79             UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   Uc          lo0
fe80::1%lo0                       link#4                        UHL         lo0
fe80::%gif0/64                    link#8                        UC         gif0
fe80::2c0:dfff:fe13:c4b2%gif0     link#8                        UHL         lo0
ff01::/32                         ::1                           U           lo0
ff02::%rl0/32                     link#1                        UC          rl0
ff02::%rl1/32                     link#2                        UC          rl1
ff02::%lo0/32                     ::1                           UC          lo0
ff02::%gif0/32                    link#8                        UC         gif0

--------------------------------------------------------------------------
RACOON -F:

Foreground mode.
2002-07-30 09:04:08: INFO: main.c:168:main(): @(#)package version freebsd-20020507a
2002-07-30 09:04:08: INFO: main.c:170:main(): @(#)internal version 20001216 sakane@kame.net
2002-07-30 09:04:08: INFO: main.c:171:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-07-30 09:04:08: INFO: isakmp.c:1357:isakmp_open(): xxx.xxx.xxx.70[500] used as isakmp port (fd=6)
2002-07-30 09:04:15: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: xxx.xxx.xxx.70[500]<=>yyy.yyy.yyy.62[500]
2002-07-30 09:04:15: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-07-30 09:04:15: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
2002-07-30 09:04:15: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established xxx.xxx.xxx.70[500]-yyy.yyy.yyy.62[500] spi:ac807c45add71aa6:fbc011c457a61849
2002-07-30 09:04:15: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: xxx.xxx.xxx.70[0]<=>yyy.yyy.yyy.62[0]
2002-07-30 09:04:15: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2002-07-30 09:04:15: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2002-07-30 09:04:15: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2002-07-30 09:04:18: INFO: session.c:281:check_sigreq(): caught signal 2
2002-07-30 09:04:19: INFO: session.c:180:close_session(): racoon shutdown

-------------------------------------------------------------------
RACOON -Fdd:

Foreground mode.
2002-07-30 09:07:43: INFO: main.c:168:main(): @(#)package version freebsd-20020507a
2002-07-30 09:07:43: INFO: main.c:170:main(): @(#)internal version 20001216 sakane@kame.net
2002-07-30 09:07:43: INFO: main.c:171:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-07-30 09:07:43: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for AH
2002-07-30 09:07:43: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for ESP
2002-07-30 09:07:43: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for IPCOMP
[...]
2002-07-30 09:07:46: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
2002-07-30 09:07:46: DEBUG: oakley.c:874:oakley_ph1hash_common(): HASH computed:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 97cbfa45 9d6136c9 c059094f 3046ca17
2002-07-30 09:07:46: DEBUG: isakmp.c:2110:set_isakmp_payload(): add payload of len 8, next type 8
2002-07-30 09:07:46: DEBUG: isakmp.c:2110:set_isakmp_payload(): add payload of len 16, next type 0
2002-07-30 09:07:46: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
07:46.556746 xxx.xxx.xxx.70:500 -> yyy.yyy.yyy.62:500: isakmp 1.0 msgid 00000000: phase 1 ? ident: (id: idtype=IPv4 protoid=udp port=500 len=4 10.0.0.1) (hash: len=16)
2002-07-30 09:07:46: DEBUG: oakley.c:2742:oakley_do_encrypt(): begin encryption.
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2758:oakley_do_encrypt(): pad length = 8
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 0800000c 011101f4 0a000001 00000014 97cbfa45 9d6136c9 c059094f 3046ca17 00000000 00000008
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2793:oakley_do_encrypt(): with key:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): b5a9e14b 687a9d70
2002-07-30 09:07:46: DEBUG: oakley.c:2801:oakley_do_encrypt(): encrypted payload by IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): a7eeef5c 6570a19e
2002-07-30 09:07:46: DEBUG: oakley.c:2808:oakley_do_encrypt(): save IV for next:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 5dd5e325 f1e6fcf2
2002-07-30 09:07:46: DEBUG: oakley.c:2825:oakley_do_encrypt(): encrypted.
2002-07-30 09:07:46: DEBUG: sockmisc.c:421:sendfromto(): sockname xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:423:sendfromto(): send packet from xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:425:sendfromto(): send packet to yyy.yyy.yyy.62[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 68 bytes message will be sent to xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): ac807c45 f47b274e 1cbebccd d7441a4e 05100201 00000000 00000044 5c23fae9 69caff06 e00b5a07 459c99d4 d41a4ef7 f4e9a8d2 cc28bebf 6fd25ff8 5dd5e325 f1e6fcf2
2002-07-30 09:07:46: DEBUG: oakley.c:2543:oakley_newiv2(): compute IV for phase2
2002-07-30 09:07:46: DEBUG: oakley.c:2544:oakley_newiv2(): phase1 last IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 5dd5e325 f1e6fcf2 f589c125
2002-07-30 09:07:46: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2576:oakley_newiv2(): phase2 IV computed:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 28555ac9 47919cd4
2002-07-30 09:07:46: DEBUG: oakley.c:745:oakley_compute_hash1(): HASH with:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): f589c125 0000001c 00000001 01106002 ac807c45 f47b274e 1cbebccd d7441a4e
2002-07-30 09:07:46: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
2002-07-30 09:07:46: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 4ebb3dd5 a02f5972 274fb122 3ea58c9e
2002-07-30 09:07:46: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
07:46.559544 xxx.xxx.xxx.70:500 -> yyy.yyy.yyy.62:500: isakmp 1.0 msgid f589c125: phase 2/others ? inf: (hash: len=16) (n: doi=ipsec proto=isakmp type=INITIAL-CONTACT spi=ac807c45f47b274e1cbebccdd7441a4e)
2002-07-30 09:07:46: DEBUG: oakley.c:2742:oakley_do_encrypt(): begin encryption.
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2758:oakley_do_encrypt(): pad length = 8
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 0b000014 4ebb3dd5 a02f5972 274fb122 3ea58c9e 0000001c 00000001 01106002 ac807c45 f47b274e 1cbebccd d7441a4e 00000000 00000008
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2793:oakley_do_encrypt(): with key:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): b5a9e14b 687a9d70
2002-07-30 09:07:46: DEBUG: oakley.c:2801:oakley_do_encrypt(): encrypted payload by IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 28555ac9 47919cd4
2002-07-30 09:07:46: DEBUG: oakley.c:2808:oakley_do_encrypt(): save IV for next:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 756eb00a 0162c137
2002-07-30 09:07:46: DEBUG: oakley.c:2825:oakley_do_encrypt(): encrypted.
2002-07-30 09:07:46: DEBUG: sockmisc.c:421:sendfromto(): sockname xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:423:sendfromto(): send packet from xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:425:sendfromto(): send packet to yyy.yyy.yyy.62[500]
2002-07-30 09:07:46: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 84 bytes message will be sent to xxx.xxx.xxx.70[500]
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): ac807c45 f47b274e 1cbebccd d7441a4e 08100501 f589c125 00000054 9efb20ea b4964749 9fed8b66 b3d52a48 27f8be3f 9340c545 19c2bd9f 3a727d40 1e39992e 7797e0fd 7ec27388 fab9f2e3 756eb00a 0162c137
2002-07-30 09:07:46: DEBUG: isakmp_inf.c:634:isakmp_info_send_common(): sendto Information notify.
2002-07-30 09:07:46: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established xxx.xxx.xxx.70[500]-yyy.yyy.yyy.62[500] spi:ac807c45f47b274e:1cbebccdd7441a4e
2002-07-30 09:07:46: DEBUG: isakmp.c:666:ph1_main(): ===
2002-07-30 09:07:46: DEBUG: isakmp.c:218:isakmp_handler(): ===
2002-07-30 09:07:46: DEBUG: isakmp.c:219:isakmp_handler(): 316 bytes message received from yyy.yyy.yyy.62[500]
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): ac807c45 f47b274e 1cbebccd d7441a4e 08102001 fe990af1 0000013c 76f9b209 919ce0a2 de383664 35b616c1 726a7c94 32d7a814 500abea9 50824e57 457dbee0 1f5de584 dfbca6c1 ab8eab18 94426b19 c6a5b814 f71c7093 7f3e9d6f 797ec813 0fb3f604 b507f03a d0b992c8 d655654c a0badc5d 56c90f82 21f019bb 1c1861a5 44ea240f 5d465476 409fde28 2f0d9e9e 507c1588 f43a6bdc 48d64e90 af79c269 c45d3273 e4929e86 a6ae982d 2e99d9f8 20723048 6ee0022e e21886ee 55f2f730 0b07ed0f 4f34a001 11bf3119 dbc883df 95dd7b83 be475fa0 cba7e6c5 cc8ab740 a80149e1 8ac96d1d 9d4a6f54 24f510e9 500d51f4 c66b71a9 d68757f9 65cdced2 7c7e5f45 78af9dc6 834882f8 6081a76a fb50acbc a245800e 1b6051f6 9620e8cd 1bb2a20b ce850e0b 7b71cddc 4bc8e714 d3f8e787 ab2b314c cb749e52
2002-07-30 09:07:46: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
07:46.727837 yyy.yyy.yyy.62:500 -> xxx.xxx.xxx.70:500: isakmp 1.0 msgid fe990af1: phase 2/others ? oakley-quick[E]: [|hash]
2002-07-30 09:07:46: DEBUG: oakley.c:2543:oakley_newiv2(): compute IV for phase2
2002-07-30 09:07:46: DEBUG: oakley.c:2544:oakley_newiv2(): phase1 last IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 5dd5e325 f1e6fcf2 fe990af1
2002-07-30 09:07:46: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2576:oakley_newiv2(): phase2 IV computed:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 54bd5a4e 41e2d3b7
2002-07-30 09:07:46: DEBUG: isakmp.c:1041:isakmp_ph2begin_r(): ===
2002-07-30 09:07:46: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: xxx.xxx.xxx.70[0]<=>yyy.yyy.yyy.62[0]
2002-07-30 09:07:46: DEBUG: oakley.c:2619:oakley_do_decrypt(): begin decryption.
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2633:oakley_do_decrypt(): IV was saved for next processing:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): ab2b314c cb749e52
2002-07-30 09:07:46: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
2002-07-30 09:07:46: DEBUG: oakley.c:2658:oakley_do_decrypt(): with key:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): b5a9e14b 687a9d70
2002-07-30 09:07:46: DEBUG: oakley.c:2666:oakley_do_decrypt(): decrypted payload by IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 54bd5a4e 41e2d3b7
2002-07-30 09:07:46: DEBUG: oakley.c:2669:oakley_do_decrypt(): decrypted payload, but not trimed.
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 01000014 f97e334c 259db005 0b2ca0b0 8eb56996 0a000074 00000001 00000001 02000034 01020401 f17d1bfa 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80030001 80050001 00000034 01030401 028a2fa8 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80050001 80030001 04000018 68cd589f b6f640a9 ab51388e 739d559a d3debeed 05000064 5667f1b3 a1acea95 9fc21866 16b09c60 b6fb5011 69293d7e 5529ca69 3343df02 1857d238 eb743bc6 22525df7 56704e9b 212ff9b7 67ccfa06 f5fd33bf 3f0e51cf e3792910 bd2f905d 931c3ad4 10f8b30e a7e40354 1a2694a2 7dee64f1 a3766e7d 0500000c 01000000 c0a80537 0000000c 01000000 0a000001 00000000
2002-07-30 09:07:46: DEBUG: oakley.c:2678:oakley_do_decrypt(): padding len=0
2002-07-30 09:07:46: DEBUG: oakley.c:2692:oakley_do_decrypt(): skip to trim padding.
2002-07-30 09:07:46: DEBUG: oakley.c:2707:oakley_do_decrypt(): decrypted.
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): ac807c45 f47b274e 1cbebccd d7441a4e 08102001 fe990af1 0000013c 01000014 f97e334c 259db005 0b2ca0b0 8eb56996 0a000074 00000001 00000001 02000034 01020401 f17d1bfa 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80030001 80050001 00000034 01030401 028a2fa8 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80050001 80030001 04000018 68cd589f b6f640a9 ab51388e 739d559a d3debeed 05000064 5667f1b3 a1acea95 9fc21866 16b09c60 b6fb5011 69293d7e 5529ca69 3343df02 1857d238 eb743bc6 22525df7 56704e9b 212ff9b7 67ccfa06 f5fd33bf 3f0e51cf e3792910 bd2f905d 931c3ad4 10f8b30e a7e40354 1a2694a2 7dee64f1 a3766e7d 0500000c 01000000 c0a80537 0000000c 01000000 0a000001 00000000
2002-07-30 09:07:46: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
07:46.730198 yyy.yyy.yyy.62:500 -> xxx.xxx.xxx.70:500: isakmp 1.0 msgid fe990af1: phase 2/others ? oakley-quick: (hash: len=16) (sa: doi=ipsec situation=identity (p: #1 protoid=ipsec-ah transform=1 spi=f17d1bfa (t: #1 id=md5 (type=enc mode value=tunnel)(type=lifetype value=sec)(type=life value=7080)(type=lifetype value=kb)(type=life len=4 value=00465000)(type=group desc value=modp768)(type=auth value=hmac-md5))) (p: #1 protoid=ipsec-esp transform=1 spi=028a2fa8 (t: #1 id=1des (type=enc mode value=tunnel)(type=lifetype value=sec)(type=life value=7080)(type=lifetype value=kb)(type=life len=4 value=00465000)(type=auth value=hmac-md5)(type=group desc value=modp768)))) (nonce: n len=20) (ke: key len=96) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.5.55) (id: idtype=IPv4 protoid=0 port=0 len=4 10.0.0.1)
2002-07-30 09:07:46: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=1(sa)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=10(nonce)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=4(ke)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=5(id)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=5(id)
2002-07-30 09:07:46: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1004:quick_r1recv(): received IDci2:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 01000000 c0a80537
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1008:quick_r1recv(): received IDcr2:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 01000000 0a000001
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1023:quick_r1recv(): HASH(1) validate:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): f97e334c 259db005 0b2ca0b0 8eb56996
2002-07-30 09:07:46: DEBUG: oakley.c:745:oakley_compute_hash1(): HASH with:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): fe990af1 0a000074 00000001 00000001 02000034 01020401 f17d1bfa 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80030001 80050001 00000034 01030401 028a2fa8 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80050001 80030001 04000018 68cd589f b6f640a9 ab51388e 739d559a d3debeed 05000064 5667f1b3 a1acea95 9fc21866 16b09c60 b6fb5011 69293d7e 5529ca69 3343df02 1857d238 eb743bc6 22525df7 56704e9b 212ff9b7 67ccfa06 f5fd33bf 3f0e51cf e3792910 bd2f905d 931c3ad4 10f8b30e a7e40354 1a2694a2 7dee64f1 a3766e7d 0500000c 01000000 c0a80537 0000000c 01000000 0a000001
2002-07-30 09:07:46: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
2002-07-30 09:07:46: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): f97e334c 259db005 0b2ca0b0 8eb56996
2002-07-30 09:07:46: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload 192.168.5.55[0] prefixlen=32 ul_proto=255
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload 10.0.0.1[0] prefixlen=32 ul_proto=255
2002-07-30 09:07:46: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff7b0: 192.168.5.55/32[0] 10.0.0.1/32[0] proto=any dir=in
2002-07-30 09:07:46: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3c08: 192.168.5.55/32[0] 10.0.0.1/32[0] proto=any dir=in
2002-07-30 09:07:46: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff7b0 masked with /32: 192.168.5.55[0]
2002-07-30 09:07:46: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3c08 masked with /32: 192.168.5.55[0]
2002-07-30 09:07:46: DEBUG: policy.c:260:cmpspidxwild(): 0xbfbff7b0 masked with /32: 10.0.0.1[0]
2002-07-30 09:07:46: DEBUG: policy.c:262:cmpspidxwild(): 0x80a3c08 masked with /32: 10.0.0.1[0]
2002-07-30 09:07:46: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff7b0: 10.0.0.1/32[0] 192.168.5.55/32[0] proto=any dir=out
2002-07-30 09:07:46: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3c08: 192.168.5.55/32[0] 10.0.0.1/32[0] proto=any dir=in
2002-07-30 09:07:46: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff7b0: 10.0.0.1/32[0] 192.168.5.55/32[0] proto=any dir=out
2002-07-30 09:07:46: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80b6008: 10.0.0.1/32[0] 192.168.5.55/32[0] proto=any dir=out
2002-07-30 09:07:46: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff7b0 masked with /32: 10.0.0.1[0]
2002-07-30 09:07:46: DEBUG: policy.c:246:cmpspidxwild(): 0x80b6008 masked with /32: 10.0.0.1[0]
2002-07-30 09:07:46: DEBUG: policy.c:260:cmpspidxwild(): 0xbfbff7b0 masked with /32: 192.168.5.55[0]
2002-07-30 09:07:46: DEBUG: policy.c:262:cmpspidxwild(): 0x80b6008 masked with /32: 192.168.5.55[0]
2002-07-30 09:07:46: DEBUG: isakmp_quick.c:2054:get_proposal_r(): suitable SP found:10.0.0.1/32[0] 192.168.5.55/32[0] proto=any dir=out
2002-07-30 09:07:46: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2002-07-30 09:07:46: DEBUG: proposal.c:859:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1117:get_proppair(): total SA len=112
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 00000001 00000001 02000034 01020401 f17d1bfa 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80030001 80050001 00000034 01030401 028a2fa8 00000028 01020000 80040001 80010001 80027080 80010002 00020004 00465000 80050001 80030001
2002-07-30 09:07:46: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=2(prop)
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=2(prop)
2002-07-30 09:07:46: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=52
2002-07-30 09:07:46: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=3(trns)
2002-07-30 09:07:46: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=40
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Duration, flag=0x8000, lorv=28800
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2155:check_attr_ipsec(): life duration was in TLV.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=kilobytes
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Duration, flag=0x0000, lorv=4
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Group Description, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp768)
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=52
2002-07-30 09:07:46: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-07-30 09:07:46: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=3(trns)
2002-07-30 09:07:46: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=40
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Duration, flag=0x8000, lorv=28800
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2155:check_attr_ipsec(): life duration was in TLV.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=kilobytes
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Duration, flag=0x0000, lorv=4
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Group Description, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp768)
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1213:get_proppair(): pair 1:
2002-07-30 09:07:46: DEBUG: proposal.c:892:print_proppair0(): 0x80a9b30: next=0x80a9b40 tnext=0x0
2002-07-30 09:07:46: DEBUG: proposal.c:892:print_proppair0(): 0x80a9b40: next=0x0 tnext=0x0
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:1248:get_proppair(): proposal #1: 2 transform
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:948:get_ph2approval(): begin compare proposals.
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:954:get_ph2approval(): pair[1]: 0x80a9b30
2002-07-30 09:07:46: DEBUG: proposal.c:892:print_proppair0(): 0x80a9b30: next=0x80a9b40 tnext=0x0
2002-07-30 09:07:46: DEBUG: proposal.c:892:print_proppair0(): 0x80a9b40: next=0x0 tnext=0x0
2002-07-30 09:07:46: DEBUG: proposal.c:681:aproppair2saprop(): prop#=1 prot-id=AH spi-size=4 #trns=1 trns#=1 trns-id=MD5
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=seconds
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x8000, lorv=28800
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=kilobytes
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x0000, lorv=4
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Group Description, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Authentication Algorithm, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: proposal.c:681:aproppair2saprop(): prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=DES
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=seconds
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x8000, lorv=28800
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=kilobytes
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x0000, lorv=4
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Authentication Algorithm, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Group Description, flag=0x8000, lorv=1
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:990:get_ph2approvalx(): peer's single bundle:
2002-07-30 09:07:46: DEBUG: proposal.c:825:printsaproto(): (proto_id=AH spisize=4 spi=f17d1bfa spi_p=00000000 encmode=Tunnel reqid=0:0)
2002-07-30 09:07:46: DEBUG: proposal.c:853:printsatrns(): (trns_id=MD5 authtype=1)
2002-07-30 09:07:46: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=028a2fa8 spi_p=00000000 encmode=Tunnel reqid=0:0)
2002-07-30 09:07:46: DEBUG: proposal.c:859:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2002-07-30 09:07:46: DEBUG: ipsec_doi.c:993:get_ph2approvalx(): my single bundle:
2002-07-30 09:07:46: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2002-07-30 09:07:46: DEBUG: proposal.c:859:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2002-07-30 09:07:46: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2002-07-30 09:07:46: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2002-07-30 09:07:46: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2002-07-30 09:07:46: DEBUG: oakley.c:2543:oakley_newiv2(): compute IV for phase2
2002-07-30 09:07:46: DEBUG: oakley.c:2544:oakley_newiv2(): phase1 last IV:
2002-07-30 09:07:46: DEBUG: plog.c:193:plogdump(): 5dd5e325 f1e6fcf2 edfe6e03
2002-07-30 09:07:46: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)
[...]
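Added example, not code from the original post: a small decoder for the Quick Mode SA payload that racoon dumped above (the 112-byte "total SA len=112" plogdump), which groups the Pix's proposals into bundles and checks them against the ESP-only policy from the setkey output. It reproduces the "not matched" verdict: proposal #1 carries both an AH (MD5) and an ESP (DES, HMAC-MD5) protocol, so the peer asks for AH+ESP together, while the local SPD only requires ESP. The identifier tables are the IPsec DOI numbers from RFC 2407 that this payload uses; function names and the LOCAL_POLICY constant are mine.

```python
"""Decode an IPsec DOI SA payload (RFC 2407/2408) as seen in a racoon debug log
and compare the peer's protocol bundles with the local SPD requirement."""
import struct

# Constructed input: the 112-byte SA payload body copied from the plogdump above.
SA_HEX = (
    "00000001 00000001 02000034 01020401 f17d1bfa 00000028 01020000 "
    "80040001 80010001 80027080 80010002 00020004 00465000 80030001 "
    "80050001 00000034 01030401 028a2fa8 00000028 01020000 80040001 "
    "80010001 80027080 80010002 00020004 00465000 80050001 80030001"
)
# What the FreeBSD side's SPD asks for (setkey: esp/tunnel/.../require): ESP only.
LOCAL_POLICY = ["ESP"]

PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
TRANSFORM = {"AH": {2: "MD5", 3: "SHA"}, "ESP": {2: "DES", 3: "3DES", 11: "NULL"}}
ATTR_TYPE = {1: "life_type", 2: "life_duration", 3: "group", 4: "encap_mode", 5: "auth_alg"}
ATTR_VALUE = {
    "life_type": {1: "seconds", 2: "kilobytes"},
    "group": {1: "modp768", 2: "modp1024"},
    "encap_mode": {1: "tunnel", 2: "transport"},
    "auth_alg": {1: "hmac-md5", 2: "hmac-sha"},
}


def parse_attributes(data):
    """ISAKMP data attributes (RFC 2408 3.3): TV form when the high bit of the
    type is set (value in the header), TLV form otherwise (length in the header,
    value follows).  A life duration is bound to the life type sent just before
    it, which is how the Pix sends its seconds and kilobytes limits."""
    attrs, life_type, off = {}, None, 0
    while off < len(data):
        af_type, lorv = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            value = lorv
        else:
            value = int.from_bytes(data[off:off + lorv], "big")
            off += lorv
        name = ATTR_TYPE.get(af_type & 0x7FFF, "attr%d" % (af_type & 0x7FFF))
        if name == "life_type":
            life_type = ATTR_VALUE["life_type"].get(value, value)
        elif name == "life_duration":
            attrs["life_%s" % life_type] = value
        else:
            attrs[name] = ATTR_VALUE.get(name, {}).get(value, value)
    return attrs


def parse_sa_payload(hexdump):
    """Parse an SA payload body (DOI, situation, proposals, transforms).
    Proposals that share a proposal number form one AND-bundle: the peer wants
    every protocol in that bundle applied to the same traffic."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    doi, situation = struct.unpack_from("!II", data, 0)
    if doi != 1 or situation != 1:
        raise ValueError("not an IPsec DOI / SIT_IDENTITY_ONLY payload")
    bundles, off = {}, 8
    while off < len(data):
        # Proposal payload: next, reserved, length, prop#, protocol, SPI size, #transforms
        _nxt, _rsv, plen, pnum, proto_id, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        proto = PROTO.get(proto_id, proto_id)
        spi = data[off + 8:off + 8 + spi_size].hex()
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            # Transform payload: next, reserved, length, trans#, transform id, reserved
            _nxt, _rsv, tlen, _tnum, tid, _rsv2 = struct.unpack_from("!BBHBBH", data, toff)
            tr = {"id": TRANSFORM.get(proto, {}).get(tid, tid)}
            tr.update(parse_attributes(data[toff + 8:toff + tlen]))
            transforms.append(tr)
            toff += tlen
        bundles.setdefault(pnum, []).append({"proto": proto, "spi": spi, "transforms": transforms})
        off += plen
    return bundles


def compare_with_policy(bundles, local_protocols):
    """For each peer bundle return (proposal#, peer protocols, matches local SPD).
    racoon's get_ph2approvalx() needs the protocol set of a bundle to equal
    what the matching SPD entry requires, so AH+ESP never matches ESP alone."""
    return [(pnum, [p["proto"] for p in props],
             set(p["proto"] for p in props) == set(local_protocols))
            for pnum, props in sorted(bundles.items())]


if __name__ == "__main__":
    bundles = parse_sa_payload(SA_HEX)
    for pnum, props in bundles.items():
        for p in props:
            print("proposal #%d %-3s spi=%s %s" % (pnum, p["proto"], p["spi"], p["transforms"]))
    for pnum, peer, ok in compare_with_policy(bundles, LOCAL_POLICY):
        print("bundle #%d %s vs local %s -> %s"
              % (pnum, "+".join(peer), "+".join(LOCAL_POLICY), "match" if ok else "NOT MATCHED"))
```

The same decoder applied to the payload in the author's own log shows the lifetimes the Pix proposes (28800 seconds, 4608000 kilobytes) and the group (modp768), which do line up with racoon's pfs_group 1 and so are not the cause of the failure.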