From owner-freebsd-security Fri Oct 19 11:14:22 2001
From: "Colin Legendre"
Subject: RE: Racoon IPSEC issues
Date: Fri, 19 Oct 2001 14:15:40 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

What version of racoon are you running?

Colin Legendre
CCNA, MCP
sudz@ns3g.com
http://www.ns3g.com

-----Original Message-----
From: Colin Legendre [mailto:sudz@ns3g.com]
Sent: Friday, October 19, 2001 1:49 PM
To: anderson@centtech.com; freebsd-security@FreeBSD.ORG
Subject: RE: Racoon IPSEC issues

I started having this problem with a win2k-freebsd4.4 setup. It was working fine until I upgraded racoon from 20010831a to 20011016a then this problem started.

BTW any idea how to roll back to racoon 20010831a?

Colin Legendre
CCNA, MCP
sudz@ns3g.com
http://www.ns3g.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Eric Anderson
Sent: Thursday, September 06, 2001 10:03 AM
To: freebsd-security@FreeBSD.ORG
Subject: Racoon IPSEC issues

Ok, I have been setting up VPN's using IPSEC tunnel mode (ESP) with Racoon on FreeBSD 4.2 for some time now.
I have 4 currently running just fine, and the 3 newest VPNs don't work. It appears as though the Racoon's aren't talking to each other correctly. I have 1 VPN "server" that all the clients connect to, and the clients are small machines running from compact flash cards (a stripped down 30Mb freebsd 4.2 setup). I use the GIF interfaces to connect the vpn's together. I have gif0,1,3,4 are connected to VPN's that are up and running. Not that the gif's have anything to do with it, just extra info.

Is there something I'm missing? I have tried configuring the non-working boxes just like the working ones, etc. I'm out of ideas!

Here are some blurbs from my logs on the vpn "server" box:

2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
2001-09-06 08:51:55: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
2001-09-06 08:52:00: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:19: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde new phase 1 negotiation: xx.yy.zz.60[500]<=>xx.yy.zz.128[500]
2001-09-06 08:52:19: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin Aggressive mode.
2001-09-06 08:52:20: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA established xx.yy.zz.60[500]-xx.yy.zz.128[500] spi:9c0e0730a89724fc:34e869a34c12cf49
2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
2001-09-06 08:52:32: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:32: ERROR: isakmp.c:1676:isakmp_chkph1there(): phase1 negotiation failed due to time up.
2001-09-06 08:52:32: INFO: isakmp.c:1678:isakmp_chkph1there(): delete phase 2 handler.

Help please!

--
-------------------------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message