Date:      Sat, 18 Aug 2007 23:38:03 +0400
From:      "Alexey Vlasov" <renton@1gb.ru>
To:        <freebsd-questions@freebsd.org>
Subject:   The problem of connection between Windows and FreeBSD when using IPSec transport.
Message-ID:  <3268376E6641@mail-s20-aux2.in-solve.hidden>

Hi,

On one side there's FreeBSD 6.2, ipsec-tools-0.6.7; on the other Windows
2003 Server.

If I start pinging from Windows, everything works OK:

C:\Documents and Settings>ping 111.111.111.2

Pinging 111.111.111.2 with 32 bytes of data:

Negotiating IP Security.
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63

/var/log/racoon.log

2007-08-17 12:10:18: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:10:18: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:10:18: INFO: 111.111.111.2[500] used as isakmp port (fd=5)

2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:29:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)

From FreeBSD:

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
64 bytes from 111.111.111.1: icmp_seq=6 ttl=127 time=0.526 ms
64 bytes from 111.111.111.1: icmp_seq=7 ttl=127 time=6.382 ms

and ping works from both sides.


But if I initiate the ping from FreeBSD (after restarting the racoon daemon),

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
^C
--- 111.111.111.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

I see in the log the following:
2007-08-17 12:44:16: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:44:16: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: begin Identity Protection mode.
2007-08-17 12:44:21: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:44:21: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6

My configs:

# cat /etc/ipsec.conf
spdadd 111.111.111.2 111.111.111.1 any -P out ipsec esp/transport//require;

spdadd 111.111.111.1 111.111.111.2 any -P in ipsec esp/transport//require;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log notify;

padding
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer
{
    counter 5; # maximum trying count to send.
    interval 20 sec; # maximum interval to resend.
    persend 1; # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    # exchange_mode aggressive,main;
    exchange_mode main, base;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 1 min; # sec, min, hour
    initial_contact on;
    support_proxy on;
    proposal_check obey; # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm 3des,des,cast128,blowfish ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

What do I have to change in the conf files to make IPsec work properly
no matter which server initiates the connection?
Thank you for any answers.

--
BRGDS. Alesha
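As an added example (not part of the original post), a small Python script that parses racoon log lines like those quoted above, groups them per phase 1 (ISAKMP) SA, and reports which negotiations reached IPsec SAs and which failed with errors. The embedded sample lines are the post's own log entries with the archive's line wrapping re-joined; the grouping heuristic (a session starts at each "new phase 1 negotiation" line) is this script's assumption.

```python
import re

# Sample input: racoon log lines quoted in the post above, re-joined onto single lines.
RACOON_LOG = """\
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
"""

# "<date> <time>: <LEVEL>: <message>" as written by racoon (ipsec-tools 0.6.x).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>\w+): (?P<msg>.*)$")

def analyze_racoon_log(text):
    """Group log lines per phase 1 negotiation and record, for each one,
    the role (initiate/respond), the ISAKMP SPI pair, the IPsec SAs that
    were installed and any ERROR lines. A transport-mode session is 'ok'
    when both directions' IPsec SAs exist and no error was logged."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if "new phase 1 negotiation" in msg:
            cur = {"start": ts, "role": msg.split()[0], "isakmp_spi": None,
                   "ipsec_sas": [], "errors": []}
            sessions.append(cur)
        elif cur is None:
            continue  # lines before any negotiation (daemon startup banner)
        elif msg.startswith("ISAKMP-SA established"):
            cur["isakmp_spi"] = msg.rsplit("spi:", 1)[1]
        elif msg.startswith("IPsec-SA established"):
            cur["ipsec_sas"].append(msg.rsplit("spi=", 1)[1])
        elif level == "ERROR":
            cur["errors"].append(msg)
    for s in sessions:
        s["ok"] = len(s["ipsec_sas"]) >= 2 and not s["errors"]
    return sessions

if __name__ == "__main__":
    for s in analyze_racoon_log(RACOON_LOG):
        print(f"{s['start']} {s['role']:8} phase1={s['isakmp_spi']} "
              f"ipsec_sas={len(s['ipsec_sas'])} {'OK' if s['ok'] else 'FAILED'}")
        for e in s["errors"]:
            print("    ", e)
```

Run against the post's log, it reports the Windows-initiated (respond) session as OK with two IPsec SAs and the FreeBSD-initiated (initiate) session as FAILED with the "no phase2 handle found" and "give up to get IPsec-SA" errors.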



