Date: Thu, 23 Jan 2003 15:31:50 +1100
From: "Scott Penno" <scott.penno@gennex.com.au>
To: <freebsd-questions@FreeBSD.ORG>, "Dru" <dlavigne6@cogeco.ca>
Subject: Re: Problems with IPSec
Message-ID: <009901c2c298$5a02b6a0$0128a8c0@jupiter>
References: <001f01c2b2bb$0bf04780$0128a8c0@jupiter> <003c01c2b2bb$26770d00$0128a8c0@jupiter> <20030122193532.P201@dhcp-17-14.kico2.on.cogeco.ca>
Hi there,

The output of setkey -PD is as follows:

On the 5.0-RC1 host:

atlas# setkey -PD
192.168.40.0/24[any] 192.168.2.0/24[any] any
        in ipsec
        esp/tunnel/a.b.c.d-w.x.y.z/unique#16386
        spid=14 seq=1 pid=7720
        refcnt=1
192.168.2.0/24[any] 192.168.40.0/24[any] any
        out ipsec
        esp/tunnel/w.x.y.z-a.b.c.d/unique#16385
        spid=13 seq=0 pid=7720
        refcnt=1

And on the -STABLE host:

mercury# setkey -PD
192.168.2.0/24[any] 192.168.40.0/24[any] any
        in ipsec
        esp/tunnel/w.x.y.z-a.b.c.d/unique#16390
        spid=14 seq=2 pid=20242
        refcnt=1
192.168.40.0/24[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/a.b.c.d-w.x.y.z/unique#16389
        spid=13 seq=0 pid=20242
        refcnt=1

Below is the debug output on both hosts. Interestingly, both hosts indicate that the IPSec SA is established but everything falls apart when pfkey sends the add message.

On the 5.0-RC1 host:

2003-01-23 14:57:18: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
57:18.390133 a.b.c.d:500 -> w.x.y.z:500: isakmp 1.0 msgid 098b554f cookie f35babe69ec702d4->69c1401fbb220e73: phase 2/others ? oakley-quick[E]: [|hash]
2003-01-23 14:57:18: DEBUG: oakley.c:2619:oakley_do_decrypt(): begin decryption.
2003-01-23 14:57:18: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: oakley.c:2633:oakley_do_decrypt(): IV was saved for next processing:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 520a8fcc feb7ce57
2003-01-23 14:57:18: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: oakley.c:2658:oakley_do_decrypt(): with key:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): a7447cba 77fa15bd bacfdc4b 984e19ff 54a63f68 b054e7ed
2003-01-23 14:57:18: DEBUG: oakley.c:2666:oakley_do_decrypt(): decrypted payload by IV:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 520a8fcc feb7ce57
2003-01-23 14:57:18: DEBUG: oakley.c:2669:oakley_do_decrypt(): decrypted payload, but not trimed.
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 00000018 d00d9ce1 f536f9b8 d5238936 753da903 36981eed 00000000 00000008
2003-01-23 14:57:18: DEBUG: oakley.c:2678:oakley_do_decrypt(): padding len=8
2003-01-23 14:57:18: DEBUG: oakley.c:2692:oakley_do_decrypt(): skip to trim padding.
2003-01-23 14:57:18: DEBUG: oakley.c:2707:oakley_do_decrypt(): decrypted.
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): f35babe6 9ec702d4 69c1401f bb220e73 08102001 098b554f 0000003c 00000018 d00d9ce1 f536f9b8 d5238936 753da903 36981eed 00000000 00000008
2003-01-23 14:57:18: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
57:18.391998 a.b.c.d:500 -> w.x.y.z:500: isakmp 1.0 msgid 098b554f cookie f35babe69ec702d4->69c1401fbb220e73: phase 2/others ? oakley-quick: (hash: len=20)
2003-01-23 14:57:18: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2003-01-23 14:57:18: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2003-01-23 14:57:18: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:1428:quick_r3recv(): HASH(3) validate:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): d00d9ce1 f536f9b8 d5238936 753da903 36981eed
2003-01-23 14:57:18: DEBUG: oakley.c:689:oakley_compute_hash3(): HASH with:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 00098b55 4f983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:699:oakley_compute_hash3(): HASH computed:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): d00d9ce1 f536f9b8 d5238936 753da903 36981eed
2003-01-23 14:57:18: DEBUG: isakmp.c:733:quick_main(): ===
2003-01-23 14:57:18: DEBUG: oakley.c:207:oakley_dh_compute(): compute DH's shared.
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13
2003-01-23 14:57:18: DEBUG: oakley.c:461:oakley_compute_keymat_x(): KEYMAT compute with
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13 0305db09 a5983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: oakley.c:501:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4)
2003-01-23 14:57:18: DEBUG: oakley.c:519:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT.
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 528d67dd 9d9e19de 4b120caf 00dbb0c1 6725317a 7de31724 e1322e2f bef48fe8 2d45549c 5285a8dc 0ebec52e 2820ba5f a3b954af 42e67ef9 6a39629e 67f8945c fb2a6a11 cb6247b1 90d18519 194f51a8
2003-01-23 14:57:18: DEBUG: oakley.c:461:oakley_compute_keymat_x(): KEYMAT compute with
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13 030e714a 25983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: oakley.c:501:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4)
2003-01-23 14:57:18: DEBUG: oakley.c:519:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT.
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 681258fa d8aa6d62 7c529b32 36820f0d d174614d 3a709c98 da785ed5 b2a1677e a569b4dc da9b24a4 e2e29deb e337ba6c 2b01691d ad06068f 5301495a 9efb43f9 66f97df8 65ec39cb d88fefaf 4db1f878
2003-01-23 14:57:18: DEBUG: oakley.c:389:oakley_compute_keymat(): KEYMAT computed.
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:1611:quick_r3prep(): call pk_sendupdate
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: pfkey.c:971:pk_sendupdate(): call pfkey_send_update
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:1616:quick_r3prep(): pfkey update sent.
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: pfkey.c:1212:pk_sendadd(): call pfkey_send_add
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:1623:quick_r3prep(): pfkey add sent.
2003-01-23 14:57:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
2003-01-23 14:57:18: DEBUG2: plog.c:193:plogdump(): 02020003 1c000000 dc57f412 101e0000 02000100 05db09a5 04000202 00000000 02001300 02000000 00000000 02400000 03000500 ff200000 10020000 90841fa0 00000000 00000000 03000600 ff200000 10020000 d232027c 00000000 00000000 04000900 c0000000 528d67dd 9d9e19de 4b120caf 00dbb0c1 6725317a 7de31724 04000800 a0000000 e1322e2f bef48fe8 2d45549c 5285a8dc 0ebec52e 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000
2003-01-23 14:57:18: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel a.b.c.d->w.x.y.z spi=98240933(0x5db09a5)
2003-01-23 14:57:18: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel a.b.c.d->w.x.y.z spi=98240933(0x5db09a5)
2003-01-23 14:57:18: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2003-01-23 14:57:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2003-01-23 14:57:18: DEBUG2: plog.c:193:plogdump(): 02031603 1c000000 dc57f412 101e0000 02000100 0e714a25 04000202 00000000 02001300 02000000 00000000 01400000 03000500 ff200000 10020000 d232027c 00000000 00000000 03000600 ff200000 10020000 90841fa0 00000000 00000000 04000900 c0000000 681258fa d8aa6d62 7c529b32 36820f0d d174614d 3a709c98 04000800 a0000000 da785ed5 b2a1677e a569b4dc da9b24a4 e2e29deb 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000
2003-01-23 14:57:18: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument

And on the host running -STABLE:

2003-01-23 14:57:18: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2003-01-23 14:57:18: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=2(prop)
2003-01-23 14:57:18: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=44
2003-01-23 14:57:18: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2003-01-23 14:57:18: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=3(trns)
2003-01-23 14:57:18: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=32
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=SA Life Duration, flag=0x0000, lorv=4
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=2
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:2067:check_attr_ipsec(): type=Group Description, flag=0x8000, lorv=1
2003-01-23 14:57:18: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp768)
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:1213:get_proppair(): pair 1:
2003-01-23 14:57:18: DEBUG: proposal.c:892:print_proppair0(): 0x80a9840: next=0x0 tnext=0x0
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:1248:get_proppair(): proposal #1: 1 transform
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:948:get_ph2approval(): begin compare proposals.
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:954:get_ph2approval(): pair[1]: 0x80a9840
2003-01-23 14:57:18: DEBUG: proposal.c:892:print_proppair0(): 0x80a9840: next=0x0 tnext=0x0
2003-01-23 14:57:18: DEBUG: proposal.c:681:aproppair2saprop(): prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=3DES
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=seconds
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x0000, lorv=4
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Encription Mode, flag=0x8000, lorv=Tunnel
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Authentication Algorithm, flag=0x8000, lorv=2
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:3638:ipsecdoi_t2satrns(): type=Group Description, flag=0x8000, lorv=1
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:990:get_ph2approvalx(): peer's single bundle:
2003-01-23 14:57:18: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=05db09a5 spi_p=00000000 encmode=Tunnel reqid=0:0)
2003-01-23 14:57:18: DEBUG: proposal.c:859:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:993:get_ph2approvalx(): my single bundle:
2003-01-23 14:57:18: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=0e714a25 spi_p=00000000 encmode=Tunnel reqid=16390:16389)
2003-01-23 14:57:18: DEBUG: proposal.c:859:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2003-01-23 14:57:18: DEBUG: proposal.c:859:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
2003-01-23 14:57:18: DEBUG: proposal.c:859:printsatrns(): (trns_id=DES encklen=0 authtype=2)
2003-01-23 14:57:18: DEBUG: proposal.c:859:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2003-01-23 14:57:18: DEBUG: ipsec_doi.c:1012:get_ph2approvalx(): matched
2003-01-23 14:57:18: DEBUG: isakmp.c:733:quick_main(): ===
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:562:quick_i2send(): HASH(3) generate
2003-01-23 14:57:18: DEBUG: oakley.c:689:oakley_compute_hash3(): HASH with:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 00098b55 4f983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:699:oakley_compute_hash3(): HASH computed:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): d00d9ce1 f536f9b8 d5238936 753da903 36981eed
2003-01-23 14:57:18: DEBUG: isakmp.c:2110:set_isakmp_payload(): add payload of len 20, next type 0
2003-01-23 14:57:18: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
57:18.332864 a.b.c.d:500 -> w.x.y.z:500: isakmp 1.0 msgid 098b554f cookie f35babe69ec702d4->69c1401fbb220e73: phase 2/others ? oakley-quick: (hash: len=20)
2003-01-23 14:57:18: DEBUG: oakley.c:2742:oakley_do_encrypt(): begin encryption.
2003-01-23 14:57:18: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: oakley.c:2758:oakley_do_encrypt(): pad length = 8
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 00000018 d00d9ce1 f536f9b8 d5238936 753da903 36981eed 00000000 00000008
2003-01-23 14:57:18: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: oakley.c:2793:oakley_do_encrypt(): with key:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): a7447cba 77fa15bd bacfdc4b 984e19ff 54a63f68 b054e7ed
2003-01-23 14:57:18: DEBUG: oakley.c:2801:oakley_do_encrypt(): encrypted payload by IV:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 520a8fcc feb7ce57
2003-01-23 14:57:18: DEBUG: oakley.c:2808:oakley_do_encrypt(): save IV for next:
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 520a8fcc feb7ce57
2003-01-23 14:57:18: DEBUG: oakley.c:2825:oakley_do_encrypt(): encrypted.
2003-01-23 14:57:18: DEBUG: sockmisc.c:421:sendfromto(): sockname a.b.c.d[500]
2003-01-23 14:57:18: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2003-01-23 14:57:18: DEBUG: sockmisc.c:425:sendfromto(): send packet to w.x.y.z[500]
2003-01-23 14:57:18: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 60 bytes message will be sent to a.b.c.d[500]
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): f35babe6 9ec702d4 69c1401f bb220e73 08102001 098b554f 0000003c b96f5208 d71703e4 37671071 2d655e22 dab2842f ab91733a 520a8fcc feb7ce57
2003-01-23 14:57:18: DEBUG: oakley.c:207:oakley_dh_compute(): compute DH's shared.
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13
2003-01-23 14:57:18: DEBUG: oakley.c:461:oakley_compute_keymat_x(): KEYMAT compute with
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13 030e714a 25983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: oakley.c:501:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4)
2003-01-23 14:57:18: DEBUG: oakley.c:519:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT.
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 681258fa d8aa6d62 7c529b32 36820f0d d174614d 3a709c98 da785ed5 b2a1677e a569b4dc da9b24a4 e2e29deb e337ba6c 2b01691d ad06068f 5301495a 9efb43f9 66f97df8 65ec39cb d88fefaf 4db1f878
2003-01-23 14:57:18: DEBUG: oakley.c:461:oakley_compute_keymat_x(): KEYMAT compute with
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 10bcd096 5ee29182 519424ae ce6b5972 b4eb62c0 bf994198 c44ceb59 5e3c938e c340c8f8 a90306cd f2e1700f 3f24c96e 0f547d5e e2da39e3 f0a5d812 fe4b3a52 5227db6e 243899e1 0d8e6940 f2bedc21 034bbd39 2107f23d 79a453b9 d14cfd13 0305db09 a5983c7d c8c3231f 03b4fe3d 30d773fa b1dcb571 d43faad5 505707b5 78e247c4 c2
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: oakley.c:501:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4)
2003-01-23 14:57:18: DEBUG: oakley.c:519:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT.
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: plog.c:193:plogdump(): 528d67dd 9d9e19de 4b120caf 00dbb0c1 6725317a 7de31724 e1322e2f bef48fe8 2d45549c 5285a8dc 0ebec52e 2820ba5f a3b954af 42e67ef9 6a39629e 67f8945c fb2a6a11 cb6247b1 90d18519 194f51a8
2003-01-23 14:57:18: DEBUG: oakley.c:389:oakley_compute_keymat(): KEYMAT computed.
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:647:quick_i2send(): call pk_sendupdate
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: pfkey.c:971:pk_sendupdate(): call pfkey_send_update
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:652:quick_i2send(): pfkey update sent.
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: pfkey.c:1212:pk_sendadd(): call pfkey_send_add
2003-01-23 14:57:18: DEBUG: isakmp_quick.c:659:quick_i2send(): pfkey add sent.
2003-01-23 14:57:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
2003-01-23 14:57:18: DEBUG2: plog.c:193:plogdump(): 02020003 14000000 16000000 fc4e0000 02000100 0e714a25 04000202 00000000 02001300 02000000 00000000 06400000 03000500 ff200000 10020000 d232027c 00000000 00000000 03000600 ff200000 10020000 90841fa0 00000000 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000
2003-01-23 14:57:18: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel w.x.y.z->a.b.c.d spi=242305573(0xe714a25)
2003-01-23 14:57:18: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel w.x.y.z->a.b.c.d spi=242305573(0xe714a25)
2003-01-23 14:57:18: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2003-01-23 14:57:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2003-01-23 14:57:18: DEBUG2: plog.c:193:plogdump(): 02030003 14000000 16000000 fc4e0000 02000100 05db09a5 04000202 00000000 02001300 02000000 00000000 05400000 03000500 ff200000 10020000 90841fa0 00000000 00000000 03000600 ff200000 10020000 d232027c 00000000 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000
2003-01-23 14:57:18: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel a.b.c.d->w.x.y.z spi=98240933(0x5db09a5)
2003-01-23 14:57:18: DEBUG: pfkey.c:1324:pk_recvadd(): ===

----- Original Message -----
From: "Dru" <dlavigne6@cogeco.ca>
To: "Scott Penno" <scott.penno@gennex.com.au>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Thursday, January 23, 2003 11:37 AM
Subject: Re: Problems with IPSec

On Fri, 3 Jan 2003, Scott Penno wrote:

> Hi all,
>
> Wasn't sure where I should ask for help with this problem, so I'm starting here. If there's a more appropriate place, please let me know.
>
> I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just set up another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears:
>
> 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument
>
> and the following message is logged via syslog:
>
> Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed)
>
> The relevant section of racoon.conf which is identical on both boxes is:
>
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 86400 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1 ;
>         compression_algorithm deflate ;
> }
>
> The box running -STABLE has been working fine with this configuration so I'm assuming the problem is with the box running 5.0-RC1. Interestingly, I've also tried using des as the encryption algorithm and hmac_md5 as the authentication algorithm and I receive the following error message:
>
> racoon: failed to parse configuration file.
>
> If anyone has any suggestions for a fix, or how I go about further diagnosing this problem, I'd love to hear from you.

What's the result of setkey -PD on both boxes? Sanitize the addresses of the public IPs, but leave the private IPs as is.

Dru
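As an added illustration (not code from this thread, from racoon or from FreeBSD), a small Python checker for the failure pattern shown in the two logs above: it parses racoon's algorithm, key-length and pfkey outcome lines plus the kernel's key_mature message, and reports whether the key size the kernel rejected is the one the negotiated authentication algorithm actually requires, and whether the exchange was left with only the inbound SA installed. The sample lines are lifted from the logs in this thread (hex dumps omitted); the expected key sizes are the standard DES/3DES and RFC 2403/2404 HMAC values, and the UPDATE-for-inbound / ADD-for-outbound split is racoon's behaviour as visible in the quick_i2send and quick_r3prep lines above.

```python
import re

# Key sizes in bits under the names racoon prints: DES-CBC 64, 3DES-CBC 192,
# HMAC-MD5-96 (RFC 2403) 128, HMAC-SHA-1-96 (RFC 2404) 160.
EXPECTED_KEY_BITS = {"des": 64, "3des": 192, "hmac_md5": 128, "hmac_sha1": 160}

RACOON_RE = {
    "enc": re.compile(r"alg_ipsec_encdef\(\): encription\((\w+)\)"),  # racoon's spelling
    "auth": re.compile(r"alg_ipsec_hmacdef\(\): hmac\((\w+)\)"),
    "keylen": re.compile(r"encklen=(\d+) authklen=(\d+)"),
    "pfkey": re.compile(r"pfkey (UPDATE|ADD) (succeeded|failed)(?::\s*(.*))?$"),
}
KERNEL_RE = re.compile(r"key_mature: invalid (\w+) key length (\d+) \((\d+)-(\d+) allowed\)")


def parse_racoon(text):
    """Negotiated algorithms, derived key lengths and pfkey outcomes from a racoon debug log."""
    info = {"enc": None, "auth": None, "encklen": None, "authklen": None, "pfkey": []}
    for line in text.splitlines():
        if m := RACOON_RE["enc"].search(line):
            info["enc"] = m.group(1)
        elif m := RACOON_RE["auth"].search(line):
            info["auth"] = m.group(1)
        elif m := RACOON_RE["keylen"].search(line):
            info["encklen"], info["authklen"] = int(m.group(1)), int(m.group(2))
        elif m := RACOON_RE["pfkey"].search(line):
            info["pfkey"].append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return info


def diagnose(racoon, kernel_lines=()):
    """Return findings as strings; an empty list means the exchange looks consistent."""
    findings = []
    # racoon's KEYMAT split must match the algorithms it negotiated.
    for alg, got in ((racoon["enc"], racoon["encklen"]), (racoon["auth"], racoon["authklen"])):
        want = EXPECTED_KEY_BITS.get(alg)
        if want is not None and got is not None and got != want:
            findings.append(f"racoon derived a {got}-bit key for {alg}, expected {want}")
    # A key_mature rejection reveals which key size the kernel's algorithm entry expects.
    for line in kernel_lines:
        if not (m := KERNEL_RE.search(line)):
            continue
        proto, got, lo, hi = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        fits = [a for a, b in EXPECTED_KEY_BITS.items() if a.startswith("hmac") and lo <= b <= hi]
        findings.append(f"kernel rejected {got}-bit {proto} key, allows {lo}-{hi}: that range fits "
                        f"{', '.join(fits) or 'no known HMAC'}, not the negotiated {racoon['auth']}")
    # racoon fills the inbound SA with pfkey UPDATE and installs the outbound SA with pfkey ADD.
    outcome = {op: result for op, result, _ in racoon["pfkey"]}
    if outcome.get("UPDATE") == "succeeded" and outcome.get("ADD") == "failed":
        findings.append("inbound SA installed (UPDATE) but outbound SA rejected (ADD): tunnel half-installed")
    return findings


# Constructed samples: the relevant lines lifted from the two logs in this thread (dumps left out).
RC1_LOG = """\
2003-01-23 14:57:18: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel a.b.c.d->w.x.y.z spi=98240933(0x5db09a5)
2003-01-23 14:57:18: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument
"""
RC1_KERNEL = ["Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed)"]
STABLE_LOG = """\
2003-01-23 14:57:18: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2003-01-23 14:57:18: DEBUG: oakley.c:494:oakley_compute_keymat_x(): encklen=192 authklen=160
2003-01-23 14:57:18: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel w.x.y.z->a.b.c.d spi=242305573(0xe714a25)
2003-01-23 14:57:18: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel a.b.c.d->w.x.y.z spi=98240933(0x5db09a5)
"""
```

Calling diagnose(parse_racoon(RC1_LOG), RC1_KERNEL) yields two findings (the kernel's 128-bit-only range fits hmac_md5 rather than the negotiated hmac_sha1, and the tunnel is half-installed), while diagnose(parse_racoon(STABLE_LOG)) yields none.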