From owner-freebsd-questions@FreeBSD.ORG Sat Aug 18 20:10:02 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7395416A417 for ; Sat, 18 Aug 2007 20:10:02 +0000 (UTC) (envelope-from renton@1gb.ru)
Received: from rx.in-solve.ru (rx.in-solve.ru [81.176.69.156]) by mx1.freebsd.org (Postfix) with ESMTP id B06FB13C46E for ; Sat, 18 Aug 2007 20:10:01 +0000 (UTC) (envelope-from renton@1gb.ru)
Received: from Spooler by rx.in-solve.ru (Mercury/32 v4.1 beta 6) ID MO000108; 19 Aug 2007 00:10:02 +0400
Received: from spooler by mail-aux2.in-solve.hidden (Mercury/32 v4.1 beta 6); 18 Aug 2007 23:39:41 +0400
Received: from mail-s20 (10.0.1.20) by mail.1gb.ru (Mercury/32 v4.1 beta 6) with ESMTP ID MG000107; 18 Aug 2007 23:39:41 +0400
Received: from Spooler by mail-s20 (Mercury/32 v4.1 beta 6) ID MO005481; 18 Aug 2007 23:39:41 +0400
Received: from spooler by mail-s20-aux2.in-solve.hidden (Mercury/32 v4.1 beta 6); 18 Aug 2007 23:39:35 +0400
Received: from froggy (195.42.178.1) by mail-s20.1gb.ru (Mercury/32 v4.1 beta 6) with ESMTP ID MG00547D; 18 Aug 2007 23:39:30 +0400
From: "Alexey Vlasov"
To:
Date: Sat, 18 Aug 2007 23:38:03 +0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: Acfhzsb7qM5F6iNpRdGT2QMc028huw==
x-mailer-addon: Potolook v.4.1.0.290
Message-ID: <3268376E6641@mail-s20-aux2.in-solve.hidden>
Subject: The problem of connection between Windows and FreeBSD when using IPSec transport.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alexey Vlasov
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 18 Aug 2007 20:10:02 -0000

Hi,

On one side there's FreeBSD 6.2, ipsec-tools-0.6.7; on the other Windows 2003 Server.

If I start pinging under Windows everything works ok:

C:\Documents and Settings>ping 111.111.111.2

Pinging 111.111.111.2 with 32 bytes of data:

Negotiating IP Security.
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63

/var/log/racoon.log

2007-08-17 12:10:18: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:10:18: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:10:18: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:29:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)

From FreeBSD:

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
64 bytes from 111.111.111.1: icmp_seq=6 ttl=127 time=0.526 ms
64 bytes from 111.111.111.1: icmp_seq=7 ttl=127 time=6.382 ms

and ping works from both sides.
But if I initiate the ping under FreeBSD (after restarting the racoon daemon),

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
^C
--- 111.111.111.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

I see the following in the log:

2007-08-17 12:44:16: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:44:16: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: begin Identity Protection mode.
2007-08-17 12:44:21: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:44:21: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6

My configs:

# cat /etc/ipsec.conf
spdadd 111.111.111.2 111.111.111.1 any -P out ipsec esp/transport//require;
spdadd 111.111.111.1 111.111.111.2 any -P in ipsec esp/transport//require;

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

timer {
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        # exchange_mode aggressive,main;
        exchange_mode main, base;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 1 min;    # sec, min, hour
        initial_contact on;
        support_proxy on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 36000 sec;
        encryption_algorithm 3des,des,cast128,blowfish;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}

What do I have to change in the conf files to make IPsec work properly no matter which server initiates the connection?

Thank you for any answers.

--
BRGDS. Alesha
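The two racoon log excerpts quoted above differ in exactly one respect: which side opened the negotiation, and whether phase 2 produced a pair of IPsec-SAs afterwards. The script below is an added example, not part of the original message and not ipsec-tools code; it parses racoon's log format (timestamp, level, message) and summarises each run as initiator role, phase 1 result, phase 2 SAs and errors. The sample input is copied from the two runs in the post (the startup lines are omitted); the regular expressions are assumptions about racoon 0.6.x message wording based only on the lines shown here. It does not diagnose the cause, it only makes the difference between the working and failing runs explicit, which is the first thing to check before changing racoon.conf.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Log excerpts taken from the post above (not invented). First run: Windows pinged
# FreeBSD, so racoon "respond"s. Second run: FreeBSD pinged Windows, so racoon "initiate"s.
WINDOWS_INITIATED = """\
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
"""

FREEBSD_INITIATED = """\
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
"""

# Patterns are assumptions derived from the quoted lines, not from ipsec-tools source.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")
PHASE_RE = re.compile(
    r"^(?P<role>respond|initiate) new phase (?P<phase>[12]) negotiation: "
    r"(?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]"
)
SA_RE = re.compile(
    r"^IPsec-SA established: (?P<proto>\S+) (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)


@dataclass
class Negotiation:
    peer: str = ""
    role: str = ""                    # "respond" or "initiate", taken from the phase 1 line
    phase1_established: bool = False  # ISAKMP-SA seen
    phase2_started: bool = False      # a phase 2 negotiation line seen
    ipsec_sas: List[dict] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def phase2_established(self) -> bool:
        # Transport mode needs one SA per direction; fewer than two means traffic
        # in at least one direction has no SA to use.
        return len(self.ipsec_sas) >= 2


def parse_racoon_log(text: str) -> Negotiation:
    """Fold one racoon run (a sequence of log lines) into a Negotiation summary."""
    n = Negotiation()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-racoon line
        level, msg = m.group("level"), m.group("msg")
        if level == "ERROR":
            n.errors.append(msg)
            continue
        pm = PHASE_RE.match(msg)
        if pm:
            if pm.group("phase") == "1":
                n.role, n.peer = pm.group("role"), pm.group("peer")
            else:
                n.phase2_started = True
            continue
        if msg.startswith("ISAKMP-SA established"):
            n.phase1_established = True
            continue
        sm = SA_RE.match(msg)
        if sm:
            n.ipsec_sas.append({"proto": sm.group("proto"), "src": sm.group("src"),
                                "dst": sm.group("dst"), "spi": int(sm.group("spi"))})
    return n


def summarize(n: Negotiation) -> str:
    """Human-readable one-screen summary of a parsed run."""
    lines = [
        f"peer {n.peer}: role={n.role}",
        f"  phase 1 (ISAKMP-SA): {'established' if n.phase1_established else 'NOT established'}",
        f"  phase 2 (IPsec-SA):  {len(n.ipsec_sas)} SA(s), "
        f"{'both directions up' if n.phase2_established else 'traffic will not flow'}",
    ]
    lines += [f"    {sa['proto']} {sa['src']}->{sa['dst']} spi={sa['spi']}" for sa in n.ipsec_sas]
    lines += [f"  error: {err}" for err in n.errors]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("Windows initiated", WINDOWS_INITIATED), ("FreeBSD initiated", FREEBSD_INITIATED)):
        print(f"== {label} ==")
        print(summarize(parse_racoon_log(text)))
```

Run against a real /var/log/racoon.log, split the file at each "used as isakmp port" startup line first so that each daemon restart is summarised separately; the functions above take one run at a time.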