From: "Robert Usle"
Sender: robertusn@gmail.com
To: freebsd-net@freebsd.org
Date: Thu, 28 Dec 2006 17:51:42 +0100
Message-ID: <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>
Subject: ipsec-tools 0.6.6 problem
List-Id: Networking and TCP/IP with FreeBSD

Hello list & Yvan.
This is my second post regarding the one from:
http://osdir.com/ml/freebsd-net@freebsd.org/msg20572.html

Sorry for not replying, but my email provider simply sucks. Here's more info.

--------------------------------- racoon.conf

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/cert";

log debug;

padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

listen {
	#isakmp ::1 [7000];
	isakmp 89.217.11.250 [500];
	isakmp 10.0.5.1 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address;	# requires that all addresses must be bound.
}

timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 2 sec;		# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 60 sec;
	phase2 15 sec;
}

remote anonymous {
	exchange_mode aggressive,main,base;
	lifetime time 24 hour;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous {
	lifetime time 12 hour;
	encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}

----- kernel config:

machine		i386
cpu		I686_CPU
ident		TUNED
maxusers	512

makeoptions	COPTFLAGS="-O2 -pipe"

# FIREWALL and TrafficShaper
options		IPFIREWALL
options		IPFIREWALL_FORWARD
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_VERBOSE_LIMIT=100
options		IPFIREWALL_DEFAULT_TO_ACCEPT
options		IPFW2
options		IPDIVERT
options		DUMMYNET
options		DEVICE_POLLING
options		HZ=2000

options		MATH_EMULATE		#Support for x87 emulation
options		INET			#InterNETworking
#options	INET6			#IPv6 communications protocols
options		FFS			#Berkeley Fast Filesystem
options		FFS_ROOT		#FFS usable as root device [keep this!]
options		SOFTUPDATES		#Enable FFS soft updates support
options		UFS_DIRHASH		#Improve performance on big directories
options		MFS			#Memory Filesystem
#options	MD_ROOT			#MD is a potential root device
#options	NFS			#Network Filesystem
#options	NFS_ROOT		#NFS usable as root device, NFS required
#options	MSDOSFS			#MSDOS Filesystem
options		CD9660			#ISO 9660 Filesystem
options		CD9660_ROOT		#CD-ROM usable as root, CD9660 required
options		PROCFS			#Process filesystem
...skipping...
pseudo-device	ether			# Ethernet support
#pseudo-device	sl	1		# Kernel SLIP
#pseudo-device	ppp	1		# Kernel PPP
#pseudo-device	tun			# Packet tunnel.
pseudo-device	pty			# Pseudo-ttys (telnet etc)
pseudo-device	md			# Memory "disks"
pseudo-device	gif			# IPv6 and IPv4 tunneling
#pseudo-device	faith	1		# IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device	bpf			#Berkeley packet filter

# USB support
#device		uhci			# UHCI PCI->USB interface
#device		ohci			# OHCI PCI->USB interface
#device		usb			# USB Bus (required)
#device		ugen			# Generic
#device		uhid			# "Human Interface Devices"
#device		ukbd			# Keyboard
#device		ulpt			# Printer
#device		umass			# Disks/Mass storage - Requires scbus and da
#device		ums			# Mouse
#device		uscanner		# Scanners
#device		urio			# Diamond Rio MP3 Player
## USB Ethernet, requires mii
#device		aue			# ADMtek USB ethernet
#device		cue			# CATC USB ethernet
#device		kue			# Kawasaki LSI USB ethernet
#
# FireWire support
#device		firewire		# FireWire bus code
#device		sbp			# SCSI over FireWire (Requires scbus and da)
#device		fwe			# Ethernet over FireWire (non-standard!)

#options	DISABLE_PSE

# Quota
options		QUOTA			#enable disk quotas

options		IPSEC			#IP security
options		IPSEC_ESP		#IP security (crypto; define w/ IPSEC)

----------------------------------------------------------------------------------------
---- uname -a

FreeBSD wall.s93l.pl 4.11-STABLE FreeBSD 4.11-STABLE #5: Sat Nov 18 09:14:30 CET 2006     root@wall.s93l.pl:/usr/obj/usr/src/sys/TUNED  i386

--- /var/log/racoon.log

2006-12-28 17:30:49: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-12-28 17:30:49: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
2006-12-28 17:30:49: DEBUG: hmac(modp1024)
2006-12-28 17:30:49: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0] 192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
and so on.....

Infinite loop with 'caught rtm:2, need update interface address list'.

---------------------------------------

I was trying to establish a VPN connection with a Win XP host, now trying with an asmax br-604G.

There are 2 setkey commands now (/usr/sbin/ and /usr/local/sbin). Can I use both?

Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER' after running setkey.

Let me know if you need more info,

-- Robert
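As an added example, not part of the original post nor of ipsec-tools, the following Python script parses the `remote` and `sainfo` blocks from the racoon.conf above and reports the settings a security reviewer would flag before looking at the rtm:2 loop: a `remote anonymous` block matching any peer, aggressive mode combined with `pre_shared_key` (the PSK-keyed hash travels unencrypted and can be brute-forced offline from a capture), `dh_group 2` (1024-bit MODP), and the `des`, `des_iv64`, `des_iv32`, `null_enc` and `hmac_md5` entries in `sainfo`. The parser, the weak-algorithm lists and the sample block are assumptions of this example; the parser handles only the brace/semicolon subset of the racoon.conf grammar used here.

```python
"""Lint a racoon.conf (ipsec-tools) for weak IKEv1/IPsec proposals."""
import re

# Constructed sample: the two policy blocks quoted from the posted racoon.conf.
SAMPLE_CONF = """\
remote anonymous {
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 12 hour ;
    encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate ;
}
"""

# Assumed review policy: algorithms and groups to reject in a new configuration.
WEAK_ENC = {"des", "des_iv64", "des_iv32", "null_enc"}
WEAK_AUTH = {"hmac_md5"}
WEAK_DH = {"1", "modp768", "2", "modp1024"}


def tokenize(text):
    """Split racoon.conf text into '{', '}', ';' and bare words.

    '#' comments run to end of line; commas only separate list items and are dropped.
    """
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};,]+", text)


def parse(text):
    """Parse into nested dicts: directive -> list of value lists,
    block name -> list of dicts (block arguments stored under '_args')."""
    tokens = tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or tokens[pos] == "}":
                raise ValueError("directive without terminating ';': %r" % words)
            if tokens[pos] == ";":
                pos += 1
                if words:
                    out.setdefault(words[0], []).append(words[1:])
            else:  # '{' opens a sub-block such as remote/proposal/sainfo
                if not words:
                    raise ValueError("block without a name")
                pos += 1
                sub = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unterminated block %r" % words)
                pos += 1
                sub["_args"] = words[1:]
                out.setdefault(words[0], []).append(sub)
        return out

    top = block()
    if pos != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return top


def lint(text):
    """Return a list of (block, finding) pairs for weak settings in text."""
    conf = parse(text)
    findings = []
    for remote in conf.get("remote", []):
        name = "remote " + " ".join(remote["_args"])
        modes = {m for vals in remote.get("exchange_mode", []) for m in vals}
        proposals = remote.get("proposal", [])
        auth = {a for p in proposals for vals in p.get("authentication_method", []) for a in vals}
        if remote["_args"] == ["anonymous"]:
            findings.append((name, "matches any peer address; prefer one remote block per known peer"))
        if "aggressive" in modes and "pre_shared_key" in auth:
            findings.append((name, "aggressive mode with a pre-shared key exposes a PSK-keyed hash "
                                   "to passive capture (offline dictionary attack); use exchange_mode main"))
        for g in (g for p in proposals for vals in p.get("dh_group", []) for g in vals):
            if g in WEAK_DH:
                findings.append((name, f"dh_group {g} is a <=1024-bit MODP group; use 14 or larger"))
    for sainfo in conf.get("sainfo", []):
        name = "sainfo " + " ".join(sainfo["_args"])
        for a in (a for vals in sainfo.get("encryption_algorithm", []) for a in vals):
            if a in WEAK_ENC:
                findings.append((name, f"encryption_algorithm {a} gives weak or no confidentiality; remove it"))
        for a in (a for vals in sainfo.get("authentication_algorithm", []) for a in vals):
            if a in WEAK_AUTH:
                findings.append((name, f"authentication_algorithm {a} should be dropped; keep hmac_sha1 or stronger"))
    return findings


if __name__ == "__main__":
    for block_name, msg in lint(SAMPLE_CONF):
        print(f"{block_name}: {msg}")
```

Run against the posted blocks it reports eight findings: the anonymous remote, the aggressive-mode/PSK pairing, `dh_group 2`, four weak `encryption_algorithm` entries and `hmac_md5`. Point the script at a real file with `lint(open(path).read())`; anything outside the `remote`/`sainfo` grammar exercised here will need the parser extended first.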