From: "Nielsen" <nielsen@memberwebs.com>
To: "Dru", freebsd-security@freebsd.org
Subject: Re: no phase2 handle found (fwd)
Date: Wed, 10 Jul 2002 04:23:47 +0000 (GMT)
Message-Id: <20020710042347.9CCE043B9FA@mail.npubs.com>
References: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>

To be honest (and this is difficult to admit) I gave up on racoon recently. I have a bit of an arcane setup as well. I had it working perfectly with FreeBSD 4.3 but for some reason with 4.5 I couldn't for the life of me get it running. Will try again in the future.

My sympathies all the way. I use static SADs now. I guess you would have tried that if it was a viable option.

Nate Nielsen

----- Original Message -----
From: "Dru"
To:
Sent: Tuesday, July 09, 2002 17:15
Subject: no phase2 handle found (fwd)

> No one willing to give a stab at this?
> :(
>
> I've tried enabling/disabling every feature combination possible in
> racoon.conf, I've tried transport and tunnel modes, I've read the RFCs
> and scoured the Net (and learned more about IPSEC than a person should be
> allowed to know), I've created a bazillion phase one SAs, but nothing I've
> tried gets me past that "unknown notify message" in phase 2. I'd give my
> hen's teeth to see a phase 2 SA....
>
> The bit of code the error message refers to deals with a potential DoS
> attack, so it looks like racoon is the one that's bailing out and deleting
> the phase 1 SA. I'm not good enough with C to want to try mucking with the
> source code. Anyone willing to reply to me off list? I'll buy you a beer
> if you ever come to Canada :)
>
> Dru
>
> ---------- Forwarded message ----------
> Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
> From: Dru
> To: security@freebsd.org
> Subject: no phase2 handle found
>
> Didn't get any response from -questions, so I'll try here.
>
> Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
> the latest racoon. Phase 1 is successful and an ethereal analysis shows
> that both are negotiating the same policy parameters. However, Phase 2
> repeats endlessly with this message in /var/log/racoon.conf:
>
> ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
> phase2 handle found.
>
> The Phase 2 parameters on the PIX:
>
>     crypto ipsec transform-set vpn esp-des esp-md5-hmac
>     crypto dynamic-map bsd 100 set transform-set vpn
>     crypto dynamic-map bsd 100 set pfs group2
>     crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
>     kilobytes 4608000
>
> and in racoon:
>
>     pfs_group 2;
>     lifetime time 3600 sec;
>     encryption_algorithm des ;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
>
> I can only guess that negotiations are failing because of the compression
> algorithm; from what I can gather PIX only supports lzs, but I'm unsure if
> compression is enabled or disabled by default. There are no (documented)
> knobs in the PIX IOS to enable/disable compression in the transform set.
>
> I haven't had any luck getting setkey to use lzs, and a google search shows
> one mailing list query which never received an answer. If I try:
>
>     add bsd_ip pix_ip 666 -C lzs;
>
> I get a syntax error.
>
> I've been able to set the SPD to accept this as part of the policy:
>
>     ipcomp/tunnel/pix_ip-bsd_ip/require;
>
> but that still doesn't tell it to use lzs.
>
> racoon.conf accepts the lzs keyword, but that didn't help either.
>
> Any suggestions on where to go from here?
>
> Also, the manpage for tcpdump has a -E option that works if tcpdump was
> compiled with cryptography enabled. How do I do this?
>
> TIA,
>
> Dru
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
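The thread above boils down to comparing the phase 2 proposal on each peer parameter by parameter. As an added illustration (not code from the thread or from racoon), here is a small comparator that parses the PIX transform-set lines and the racoon sainfo lines quoted in the message and reports which parameters differ; the PIX-to-racoon algorithm name mapping is an assumption limited to the algorithms that appear on this page.

```python
import re

# Constructed sample inputs: the two configuration fragments quoted in the thread.
PIX_TRANSFORM = """
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000
"""

RACOON_SAINFO = """
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
"""

# Assumed mapping from PIX transform names to racoon keywords (only the ones on this page).
PIX_ENC = {"esp-des": "des"}
PIX_AUTH = {"esp-md5-hmac": "hmac_md5"}

def parse_pix(text):
    """Extract the phase 2 parameters from PIX 'crypto' lines."""
    p = {"compression": None}  # the PIX transform set names no IPcomp transform
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line)
        if m:
            p["encryption"] = PIX_ENC.get(m.group(1), m.group(1))
            p["authentication"] = PIX_AUTH.get(m.group(2), m.group(2))
        if m := re.search(r"set pfs group(\d+)", line):
            p["pfs_group"] = m.group(1)
        if m := re.search(r"lifetime seconds (\d+)", line):
            p["lifetime_sec"] = m.group(1)
    return p

def parse_racoon(text):
    """Extract the same parameters from a racoon sainfo body."""
    keys = {"pfs_group": "pfs_group", "encryption_algorithm": "encryption",
            "authentication_algorithm": "authentication",
            "compression_algorithm": "compression"}
    p = {"compression": None}
    for line in text.splitlines():
        line = line.strip().rstrip(";").strip()
        key, _, val = line.partition(" ")
        if key == "lifetime":             # "lifetime time 3600 sec"
            p["lifetime_sec"] = val.split()[1]
        elif key in keys:
            p[keys[key]] = val.strip()
    return p

def mismatches(pix, racoon):
    """Return {parameter: (pix_value, racoon_value)} for every parameter that differs."""
    return {k: (pix.get(k), racoon.get(k))
            for k in set(pix) | set(racoon) if pix.get(k) != racoon.get(k)}
```

On the quoted configs the only difference reported is the compression parameter, which is the one the poster already suspected.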