Date: Sat, 18 Aug 2007 23:38:03 +0400
From: "Alexey Vlasov" <renton@1gb.ru>
To: <freebsd-questions@freebsd.org>
Subject: The problem of connection between Windows and FreeBSD when using IPSec transport.
Message-ID: <3268376E6641@mail-s20-aux2.in-solve.hidden>
Hi,

On one side there's FreeBSD 6.2, ipsec-tools-0.6.7; on the other Windows 2003 Server.

If I start pinging under Windows everything works ok,

C:\Documents and Settings>ping 111.111.111.2

Pinging 111.111.111.2 with 32 bytes of data:

Negotiating IP Security.
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63

/var/log/racoon.log

2007-08-17 12:10:18: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:10:18: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:10:18: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:29:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)

From FreeBSD:

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
64 bytes from 111.111.111.1: icmp_seq=6 ttl=127 time=0.526 ms
64 bytes from 111.111.111.1: icmp_seq=7 ttl=127 time=6.382 ms

and ping works from both sides.

But if I initiate the ping under FreeBSD (after restarting the racoon daemon),

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
^C
--- 111.111.111.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

I see in the log the following:

2007-08-17 12:44:16: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:44:16: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: begin Identity Protection mode.
2007-08-17 12:44:21: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:44:21: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6

My configs:

# cat /etc/ipsec.conf
spdadd 111.111.111.2 111.111.111.1 any -P out ipsec esp/transport//require;
spdadd 111.111.111.1 111.111.111.2 any -P in ipsec esp/transport//require;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log notify;

padding {
	maximum_length 20;
	randomize off;
	strict_check off;
	exclusive_tail off;
}

timer {
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous {
	# exchange_mode aggressive,main;
	exchange_mode main, base;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	lifetime time 1 min;	# sec, min, hour
	initial_contact on;
	support_proxy on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

sainfo anonymous {
	pfs_group 1;
	lifetime time 36000 sec;
	encryption_algorithm 3des,des,cast128,blowfish ;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}

What do I have to change in the conf files to make IPsec work properly no matter from which server I initiate the connection?

Thank you for any answers.

-- 
BRGDS. Alesha
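The two racoon.log excerpts above differ only in who initiates; the script below is an added example (not part of the original message) that groups racoon log lines per phase 1 exchange and flags those where the ISAKMP SA came up but no ESP SA pair was installed, which is exactly the shape of the failing FreeBSD-initiated case. The sample lines are the ones quoted in the post, trimmed to the outcome-bearing entries.

```python
import re

# Constructed sample: the racoon.log lines quoted in the post, trimmed to the
# ones that decide the phase 1 / phase 2 outcome of each exchange.
SAMPLE_LOG = """\
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
"""

LINE_RE = re.compile(r"^(\S+ \S+): (INFO|ERROR): (.*)$")   # "<date> <time>: <level>: <msg>"
PH1_RE = re.compile(r"(respond|initiate) new phase 1 negotiation")

def summarize(log_text):
    """One record per phase 1 exchange: role, ISAKMP-SA result, ESP SAs seen, errors."""
    exchanges, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        p1 = PH1_RE.search(msg)
        if p1:  # a new phase 1 starts a new record; later lines attach to it
            cur = {"start": ts, "role": "responder" if p1.group(1) == "respond" else "initiator",
                   "isakmp_sa": False, "ipsec_sa": 0, "errors": []}
            exchanges.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("ISAKMP-SA established"):
            cur["isakmp_sa"] = True
        elif msg.startswith("IPsec-SA established"):
            cur["ipsec_sa"] += 1          # transport mode needs one SA per direction
        elif level == "ERROR":
            cur["errors"].append(msg)
    return exchanges

def phase2_failures(exchanges):
    """Exchanges where phase 1 succeeded but fewer than two ESP SAs were installed."""
    return [e for e in exchanges if e["isakmp_sa"] and e["ipsec_sa"] < 2]

if __name__ == "__main__":
    for e in phase2_failures(summarize(SAMPLE_LOG)):
        print(f"{e['start']} {e['role']}: phase 2 failed, errors={e['errors']}")
```

Run against a full /var/log/racoon.log it reports the same responder/initiator split the post describes, which makes it easy to confirm whether a config change fixed the initiator case without reading every line by hand.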