Date: Wed, 10 Jul 2002 04:23:47 +0000 (GMT)
From: "Nielsen" <nielsen@memberwebs.com>
To: "Dru" <dlavigne6@cogeco.ca>, <security@freebsd.org>
Subject: Re: no phase2 handle found (fwd)
Message-ID: <20020710042347.9CCE043B9FA@mail.npubs.com>
References: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
To be honest (and this is difficult to admit) I gave up on racoon recently. I have a bit of an arcane setup as well. I had it working perfectly with FreeBSD 4.3 but for some reason with 4.5 I couldn't for the life of me get it running. Will try again in the future. My sympathies all the way.

I use static SADs now. I guess you would have tried that if it was a viable option.

Nate Nielsen

----- Original Message -----
From: "Dru" <dlavigne6@cogeco.ca>
To: <security@freebsd.org>
Sent: Tuesday, July 09, 2002 17:15
Subject: no phase2 handle found (fwd)

>
> No one willing to give a stab at this? :(
>
> I've tried enabling/disabling every feature combination possible in
> racoon.conf, I've tried transport and tunnel modes, I've read the RFCs
> and scoured the Net (and learned more about IPSEC than a person should be
> allowed to know), I've created a bazillion phase one SAs, but nothing I've
> tried gets me past that "unknown notify message" in phase 2. I'd give my hen's
> teeth to see a phase 2 SA....
>
> The bit of code the error message refers to deals with a potential DoS
> attack, so it looks like racoon is the one that's bailing out and deleting
> the phase 1 SA. I'm not good enough with C to want to try mucking with the
> source code. Anyone willing to reply to me off list? I'll buy you a beer
> if you ever come to Canada :)
>
> Dru
>
> ---------- Forwarded message ----------
> Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
> From: Dru <dlavigne6@cogeco.ca>
> To: security@freebsd.org
> Subject: no phase2 handle found
>
> Didn't get any response from questions, so I'll try here.
>
> Trying to setup an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
> the latest racoon. Phase 1 is successful and an ethereal analysis shows
> that both are negotiating the same policy parameters. However, Phase 2
> repeats endlessly with this message in /var/log/racoon.conf:
>
> ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
> phase2 handle found.
>
> The Phase 2 parameters on the PIX:
>
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> crypto dynamic-map bsd 100 set transform-set vpn
> crypto dynamic-map bsd 100 set pfs group2
> crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
> kilobytes 4608000
>
> and in racoon:
>
> pfs_group 2;
> lifetime time 3600 sec;
> encryption_algorithm des ;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
>
> I can only guess that negotiations are failing because of the compression
> algorithm; from what I can gather PIX only supports lzs but I'm unsure if
> compression is enabled or disabled by default. There are no (documented) knobs
> in the PIX IOS to enable/disable compression in the transform set.
>
> I haven't had any luck getting setkey to use lzs and a google search shows
> one mailing list query which never received an answer. If I try:
>
> add bsd_ip pix_ip 666 -C lzs;
>
> I get a syntax error.
>
> I've been able to set the SPD to accept this as part of the policy
>
> ipcomp/tunnel/pix_ip-bsd_ip/require;
>
> but that still doesn't tell it to use lzs.
>
> racoon.conf accepts the lzs keyword but that didn't help either.
>
> Any suggestions on where to go from here?
>
> Also, the manpage for tcpdump has a -E option that works if tcpdump was
> compiled with cryptography enabled. How do I do this?
>
> TIA,
>
> Dru
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
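As an added example (not part of either message above, and not racoon's or the original poster's configuration): a minimal racoon sainfo block and setkey policy that mirror the PIX transform set quoted in the thread (esp-des esp-md5-hmac, PFS group 2, 3600 second lifetime) one for one, proposing no compression because the PIX transform set lists no IPComp transform, followed by manually keyed SAs of the kind Nate mentions as his static-SAD fallback. The names bsd_ip, pix_ip, bsd_net and pix_net, the pre-shared key path, the SPIs and the hex keys are placeholders; the phase 1 block is an assumption, since the thread reports phase 1 succeeding but does not quote its settings. DES and HMAC-MD5 appear only because that is what the PIX in the thread is configured for; neither is acceptable for a new deployment.

```conf
# --- /usr/local/etc/racoon/racoon.conf (added example; placeholders, not the poster's file) ---
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: assumed settings. The thread says phase 1 succeeds but does not show them.
remote pix_ip {
        exchange_mode main;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2: matches the PIX lines "transform-set vpn esp-des esp-md5-hmac",
# "set pfs group2" and "lifetime seconds 3600" quoted in the thread.
# No compression_algorithm line: the PIX transform set carries no IPComp
# transform, so racoon has nothing to negotiate compression against.
sainfo anonymous {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
}

# --- /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" ---
# Policy for the IKE-negotiated tunnel: ESP only, no ipcomp entry.
spdadd bsd_net pix_net any -P out ipsec esp/tunnel/bsd_ip-pix_ip/require;
spdadd pix_net bsd_net any -P in  ipsec esp/tunnel/pix_ip-bsd_ip/require;

# Alternative without racoon (the static SAD approach from the reply above):
# manually keyed SAs, one per direction with its own SPI. The PIX side would
# need the same SPIs and keys entered by hand (its syntax is not shown here).
# Keys below are placeholders; generate real ones with "openssl rand -hex 8"
# (des-cbc, 8 bytes) and "openssl rand -hex 16" (hmac-md5, 16 bytes).
# Manual keying gives no PFS and no rekeying: the keys live until replaced.
add bsd_ip pix_ip esp 0x10001 -m tunnel
        -E des-cbc  0x0011223344556677
        -A hmac-md5 0x00112233445566778899aabbccddeeff;
add pix_ip bsd_ip esp 0x10002 -m tunnel
        -E des-cbc  0x7766554433221100
        -A hmac-md5 0xffeeddccbbaa99887766554433221100;
```

With manual SAs loaded, the two spdadd lines above still apply; racoon is simply not started, so nothing negotiates and the "no phase2 handle found" path is never reached. Check the result with `setkey -D` (SAD) and `setkey -DP` (SPD) before sending traffic.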
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020710042347.9CCE043B9FA>