Date:      Fri, 18 May 2001 12:22:04 -0500 (EST)
From:      Jonathan Smith <jonsmith@dragonstar.dhs.org>
To:        questions@freebsd.org
Subject:   IPsec difficulties
Message-ID:  <Pine.BSF.4.21.0105181217001.7840-600000@dragonstar.dhs.org>


[-- Attachment #1 --]

I'm attempting to get IPsec running in tunnel mode.

Most of the info I have is in the README file.

Save these files in a temp directory.
Edit ipsec.sh's top several lines to set the right IPs and such.
'ipsec.sh && make all' will make ipsec1.sh and ipsec2.sh which are the
commands to fully setup (to my understanding from the reference files
listed in README) the tunneling.

racoon.conf is the config file I'm using on both machines.

1.log is the racoon.log on the first machine and 2.log is the
racoon.log from the second machine while attempting to telnet to the
internal ip of the second machine from the first machine.

Kernel info, uname info, etc. is in the README.  I'm using the ipsec.sh to
really try to make sure I've not made any mistakes....

I can get the gif's to work just fine without IPsec...  Add it and they
fail.


If anyone can find the problem, I'd appreciate it.


Thanks,

j.


--
When you get the choice to sit it out or dance, I hope you dance
	-- I Hope You Dance, Lee Ann Womack

	Jon Smith -- Senior Math Major, Purdue

[-- Attachment #2 --]
References:

http://www.daemonnews.org/200101/ipsec-howto.html
http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/ipsec.html
http://www.kame.net/newsletter/20001119/

At least one page contains an error.  The first, in an explanation of tunnel
mode, says that "if your goal is to set up a VPN, that is, link 2
widely-separated networks together over the Internet, then you'll probably
want to use ESP/tunnel mode."  It then proceeds to give the example using
ESP/transport.  The second and third use ESP/tunnel in their examples for
tunnel mode (which I believe is correct).

I have tried using the default racoon.conf that was installed with the 
racoon port and the one given in the third URL above.


Further, the second URL says nothing of using gif(4)s.


One machine is 4.2-STABLE (April 22) the other is 4.3-STABLE (May 10).

From the kernel (same used on both machines):

options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG
pseudo-device   gif     4       # Tunneling device

Racoon version on both machines: racoon-20010322a




[-- Attachment #3 --]
#!/bin/sh
# Use '\\/' for any '/'s since it must be escaped in sed, so it must be
# double escaped here -- we're sorry for the inconvenience
#
# 1 is the first machine, 2 is the second.
#
# Will generate ipsec1.sh and ipsec2.sh -- run the first on the first machine
# and the second on the second....  In those files A is always the machine
# you are on and B is always the other machine.  ipsec1.sh is generated where
# 1 is A and 2 is B.  ipsec2.sh is generated where 1 is B and 2 is A.
#
ext_1="1.2.3.4"
int_1="10.0.1.1"
net_1="10.0.1.0\\/24"
ext_2="1.2.3.5"
int_2="10.0.2.1"
net_2="10.0.2.0\\/24"
nmask="255.255.255.0"


cat << FEOF
			======== ESP =========
			|		     |
		     ${ext_1}	${ext_2}		     
${net_1}	---- ${int_1}		${int_2} ---- ${net_2}
FEOF
 

rm -f Makefile	# -f: no error on a first run, when the file does not exist yet
cat > Makefile << FEOF
SHELL=/bin/sh

first_files=ipsec1.sh
second_files=ipsec2.sh

all: \${first_files} \${second_files}
	@echo "Don't forget to add the other host's IP and the first key to use"
	@echo "to the psk.txt file!!!!"

ipsec1.sh: ipsecn.sh.in subst_file_1
	sed -f subst_file_1 < ipsecn.sh.in > ipsec1.sh
	chmod 700 ipsec1.sh

ipsec2.sh: ipsecn.sh.in subst_file_2
	sed -f subst_file_2 < ipsecn.sh.in > ipsec2.sh
	chmod 700 ipsec2.sh

subst_file_1: Makefile
	-rm subst_file_1
	echo "s/%%A_ext%%/${ext_1}/" >> subst_file_1
	echo "s/%%A_int%%/${int_1}/" >> subst_file_1
	echo "s/%%A_net%%/${net_1}/" >> subst_file_1
	echo "s/%%B_ext%%/${ext_2}/" >> subst_file_1
	echo "s/%%B_int%%/${int_2}/" >> subst_file_1
	echo "s/%%B_net%%/${net_2}/" >> subst_file_1
	echo "s/%%nmask%%/${nmask}/" >> subst_file_1

subst_file_2: Makefile
	-rm subst_file_2
	echo "s/%%A_ext%%/${ext_2}/" >> subst_file_2
	echo "s/%%A_int%%/${int_2}/" >> subst_file_2
	echo "s/%%A_net%%/${net_2}/" >> subst_file_2
	echo "s/%%B_ext%%/${ext_1}/" >> subst_file_2
	echo "s/%%B_int%%/${int_1}/" >> subst_file_2
	echo "s/%%B_net%%/${net_1}/" >> subst_file_2
	echo "s/%%nmask%%/${nmask}/" >> subst_file_2

FEOF

rm -f ipsecn.sh.in	# -f: no error on a first run, when the file does not exist yet
cat > ipsecn.sh.in << FEOF
#!/bin/sh

A_ext=%%A_ext%%
A_int=%%A_int%%
A_net=%%A_net%%
B_ext=%%B_ext%%
B_int=%%B_int%%
B_net=%%B_net%%
nmask=%%nmask%%

# Attempt to clear the network route so I can set it
#route delete \${B_net}

# Set up the tunnel device. This presumes you have gif(4) support
# gif0 connects my external IP to the other external IP
gifconfig gif0 \${A_ext} \${B_ext}

# The 'internal' side of the tunnel connects my internal IP to the
# other internal IP
ifconfig gif0 inet \${A_int} \${B_int} netmask \${nmask}

# Attempt to setup the network route
#route add \${B_net} \${B_int}

# The next 2 lines delete all existing entries from the SPD and SAD
setkey -FP
setkey -F

# Now add the policy
setkey -c << EOF
	    spdadd \${A_net} \${B_net} any -P out ipsec
                    esp/tunnel/\${A_ext}-\${B_ext}/require ;
            spdadd \${B_net} \${A_net} any -P in ipsec
                    esp/tunnel/\${B_ext}-\${A_ext}/require ;
EOF
FEOF






[-- Attachment #4 --]
# $KAME: racoon.conf.in,v 1.16 2000/12/17 21:17:53 sakane Exp $

# "path" must be placed before it is used.
# You can override a path you already defined, but doing so is confusing and should be avoided.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port used by kmpstat.
	#strict_address; 	# require that all addresses be bound.
}

# Default values for the various timers.
timer
{
	# These values can be changed per remote node.
	counter 5;		# maximum number of send attempts.
	interval 20 sec;	# maximum interval between resends.
	persend 1;		# the number of packets per send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	#my_identifier address;
	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

sainfo anonymous
{
	pfs_group 1;
	lifetime time 30 sec;
	lifetime byte 5000 KB;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 1;
	lifetime time 30 sec;
	lifetime byte 5000 KB;
	encryption_algorithm des ;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 1;
	lifetime time 60 sec;
	lifetime byte 5000 KB;
	encryption_algorithm 3des, cast128, blowfish, des ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}


[-- Attachment #5 --]
2001-05-18 12:05:13: INFO: main.c:146:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-05-18 12:05:13: INFO: main.c:147:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2001-05-18 12:05:13: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:65: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:05:13: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:91: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:05:13: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:05:13: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:05:13: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:05:13: INFO: isakmp.c:1267:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2001-05-18 12:05:13: INFO: isakmp.c:1267:isakmp_open(): 10.0.1.1[500] used as isakmp port (fd=7)
2001-05-18 12:05:13: ERROR: isakmp.c:1259:isakmp_open(): failed to bind (Address already in use).
2001-05-18 12:05:13: INFO: isakmp.c:1267:isakmp_open(): 1.2.3.4[500] used as isakmp port (fd=8)
2001-05-18 12:05:23: INFO: isakmp.c:1599:isakmp_post_acquire(): IPsec-SA request for 1.2.3.5 queued due to no phase1 found.
2001-05-18 12:05:23: INFO: isakmp.c:771:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 1.2.3.4[500]<=>1.2.3.5[500]
2001-05-18 12:05:23: INFO: isakmp.c:776:isakmp_ph1begin_i(): begin Aggressive mode.
2001-05-18 12:05:24: INFO: vendorid.c:91:check_vendorid(): Vendor ID matched.
2001-05-18 12:05:24: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA established 1.2.3.4[500]-1.2.3.5[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:05:25: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:25: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:50: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:50: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:50: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=184555329(0xb001741)
2001-05-18 12:05:50: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=49241960(0x2ef5f68)
2001-05-18 12:06:15: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=49241960(0x2ef5f68)
2001-05-18 12:06:15: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=184555329(0xb001741)
2001-05-18 12:06:15: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=97791234(0x5d42d02)
2001-05-18 12:06:15: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=174451277(0xa65ea4d)
2001-05-18 12:06:24: INFO: isakmp.c:1446:isakmp_ph1expire(): ISAKMP-SA expired 1.2.3.4[500]-1.2.3.5[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:06:25: INFO: isakmp.c:1488:isakmp_ph1delete(): ISAKMP-SA deleted 1.2.3.4[500]-1.2.3.5[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:06:31: INFO: isakmp.c:1267:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2001-05-18 12:06:31: INFO: isakmp.c:1267:isakmp_open(): 10.0.1.1[500] used as isakmp port (fd=7)
2001-05-18 12:06:31: ERROR: isakmp.c:1259:isakmp_open(): failed to bind (Address already in use).
2001-05-18 12:06:31: INFO: isakmp.c:1267:isakmp_open(): 1.2.3.4[500] used as isakmp port (fd=8)
2001-05-18 12:06:39: INFO: isakmp.c:1267:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2001-05-18 12:06:39: INFO: isakmp.c:1267:isakmp_open(): 10.0.1.1[500] used as isakmp port (fd=7)
2001-05-18 12:06:39: ERROR: isakmp.c:1259:isakmp_open(): failed to bind (Address already in use).
2001-05-18 12:06:39: INFO: isakmp.c:1267:isakmp_open(): 1.2.3.4[500] used as isakmp port (fd=8)
2001-05-18 12:06:45: INFO: isakmp.c:1524:isakmp_ph2expire(): phase2 sa expired 1.2.3.4-1.2.3.5
2001-05-18 12:06:45: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:65: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:06:45: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:91: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:06:45: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:06:45: ERROR: cftoken.l:478:yyerror(): /usr/local/etc/racoon/racoon.conf:109: "}" duplicated sainfo: anonymous
2001-05-18 12:06:45: ERROR: cfparse.y:1521:cfparse(): fatal parse failure (1 errors)
2001-05-18 12:06:45: ERROR: session.c:268:check_sigreq(): configuration read failed

[-- Attachment #6 --]
2001-05-18 12:04:58: INFO: main.c:146:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-05-18 12:04:58: INFO: main.c:147:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2001-05-18 12:04:58: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:65: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:04:58: WARNING: cftoken.l:498:yywarn(): /usr/local/etc/racoon/racoon.conf:91: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-18 12:04:58: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:04:58: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:04:58: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.
2001-05-18 12:04:58: INFO: isakmp.c:1267:isakmp_open(): 10.0.2.1[500] used as isakmp port (fd=6)
2001-05-18 12:04:58: INFO: isakmp.c:1267:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2001-05-18 12:04:58: INFO: isakmp.c:1267:isakmp_open(): 1.2.3.5[500] used as isakmp port (fd=8)
2001-05-18 12:04:58: ERROR: isakmp.c:1259:isakmp_open(): failed to bind (Address already in use).
2001-05-18 12:05:07: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde new phase 1 negotiation: 1.2.3.5[500]<=>1.2.3.4[500]
2001-05-18 12:05:07: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin Aggressive mode.
2001-05-18 12:05:08: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA established 1.2.3.5[500]-1.2.3.4[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:05:09: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: 1.2.3.5[0]<=>1.2.3.4[0]
2001-05-18 12:05:09: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:09: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:33: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:33: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:34: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: 1.2.3.5[0]<=>1.2.3.4[0]
2001-05-18 12:05:34: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=49241960(0x2ef5f68)
2001-05-18 12:05:34: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=184555329(0xb001741)
2001-05-18 12:05:58: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=184555329(0xb001741)
2001-05-18 12:05:58: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=49241960(0x2ef5f68)
2001-05-18 12:05:59: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: 1.2.3.5[0]<=>1.2.3.4[0]
2001-05-18 12:05:59: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=174451277(0xa65ea4d)
2001-05-18 12:05:59: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=97791234(0x5d42d02)
2001-05-18 12:06:08: INFO: isakmp.c:1446:isakmp_ph1expire(): ISAKMP-SA expired 1.2.3.5[500]-1.2.3.4[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:06:09: INFO: isakmp.c:1488:isakmp_ph1delete(): ISAKMP-SA deleted 1.2.3.5[500]-1.2.3.4[500] spi:0b8623193d842daf:17cf22eff856c7be
2001-05-18 12:06:29: INFO: isakmp.c:1524:isakmp_ph2expire(): phase2 sa expired 1.2.3.5-1.2.3.4
2001-05-18 12:06:30: INFO: isakmp.c:1555:isakmp_ph2delete(): phase2 sa deleted 1.2.3.5-1.2.3.4
2001-05-18 12:06:32: INFO: session.c:276:check_sigreq(): caught signal 15
2001-05-18 12:06:33: ERROR: backupsa.c:355:backupsa_clean(): failed to clean the backup file (null).
2001-05-18 12:06:33: INFO: session.c:180:close_session(): racoon shutdown
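An added example, not from the original post or from the racoon project: it pairs the "IPsec-SA established" and "IPsec-SA expired" lines of a racoon log by SPI, reports how long each phase-2 SA actually lived, marks SAs shorter than a threshold, and counts ERROR lines. The sample lines are copied from the attached 1.log; the 60-second threshold is an assumption chosen so that the 25-second rekey interval under the 30-second sainfo lifetime stands out.

```shell
#!/bin/sh
# Added example (not part of the original post): pair racoon's
# "IPsec-SA established" and "IPsec-SA expired" lines by SPI to see how long
# each phase-2 SA actually lived, and count ERROR lines. Reads racoon.log text
# on stdin in the format of the attached 1.log / 2.log.
# Optional argument: a minimum lifetime in seconds; shorter-lived SAs are
# marked SHORT so rekey churn (e.g. from a very small "lifetime time") stands out.

sa_lifetimes() {
    awk -v min="${1:-0}" '
    # "12:05:25:" -> seconds since midnight (the trailing colon is harmless)
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # Last field is "spi=N(0x..)", the one before it is "src->dst"
    function spi() { s = $NF; sub(/^spi=/, "", s); return s }
    /IPsec-SA established:/ { s = spi(); up[s] = secs($2); dir[s] = $(NF-1) }
    /IPsec-SA expired:/ {
        s = spi()
        if (!(s in up)) next          # expiry with no matching establishment
        life = secs($2) - up[s]
        printf "%s %s lived %ds%s\n", s, dir[s], life, (life < min ? " SHORT" : "")
        delete up[s]
    }
    /: ERROR: / { errors++ }
    END {
        for (s in up) printf "%s %s still up\n", s, dir[s]
        printf "errors=%d\n", errors + 0
    }'
}

# Constructed sample: a few lines copied from the attached 1.log.
SAMPLE_LOG='2001-05-18 12:05:13: ERROR: isakmp.c:1259:isakmp_open(): failed to bind (Address already in use).
2001-05-18 12:05:25: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:25: INFO: pfkey.c:1312:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:50: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.4->1.2.3.5 spi=163543534(0x9bf79ee)
2001-05-18 12:05:50: INFO: pfkey.c:1359:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=170336607(0xa27215f)
2001-05-18 12:05:50: INFO: pfkey.c:1126:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=184555329(0xb001741)
2001-05-18 12:06:45: ERROR: cfparse.y:1521:cfparse(): fatal parse failure (1 errors)'

# Run the report over the sample with a 60 s threshold (assumed value);
# the report text is returned on stdout.
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | sa_lifetimes 60
}

report_sample
```

For a real run, feed the daemon's log directly: `sa_lifetimes 60 < /var/log/racoon.log`.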
