Date: Mon, 29 Mar 2004 00:06:21 +0200
From: Cyrill Rüttimann <ruettimac@mac.com>
To: freebsd-net@freebsd.org
Subject: IPSec troubles
Message-ID: <257C203C-8104-11D8-9902-00039303AB38@mac.com>
Hello,

I have trouble setting up an IPSec Host-to-Host connection between FreeBSD 5.2.1 and MacOS X 10.3.3:

Network Setup:

Cable-Modem --> FreeBSD Box, 192.168.0.1 --> Apple Airport Station running in Bridge Mode --> MacOS X Box, 192.168.0.10

/etc/ipsec.conf (FreeBSD)

    spdadd 192.168.0.1/24 192.168.0.10/24 any -P out ipsec esp/transport/192.168.0.1-192.168.0.10/require;
    spdadd 192.168.0.10/24 192.168.0.1/24 any -P in ipsec esp/transport/192.168.0.10-192.168.0.1/require;

/etc/ipsec.conf (MacOS X)

    spdadd 192.168.0.10/24 192.168.0.1/24 any -P out ipsec esp/transport/192.168.0.10-192.168.0.1/require;
    spdadd 192.168.0.1/24 192.168.0.10/24 any -P in ipsec esp/transport/192.168.0.1-192.168.0.10/require;

/usr/local/etc/racoon/racoon.conf (FreeBSD)

    remote anonymous {
            #exchange_mode main,aggressive;
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;
            #my_identifier address;
            my_identifier user_fqdn "root@ruettimac.ch";
            peers_identifier user_fqdn "root@ruettimac.ch";
            #certificate_type x509 "mycert" "mypriv";
            nonce_size 16;
            lifetime time 1 min;    # sec,min,hour
            initial_contact on;
            support_mip6 on;
            proposal_check obey;    # obey, strict or claim
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            pfs_group 1;
            lifetime time 30 sec;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

/etc/racoon/remote/anonymous.conf (MacOS X)

    remote anonymous {
            #exchange_mode main,aggressive;
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;
            #my_identifier address;
            my_identifier user_fqdn "root@ruettimac.ch";
            peers_identifier user_fqdn "root@ruettimac.ch";
            #certificate_type x509 "mycert" "mypriv";
            nonce_size 16;
            lifetime time 1 min;    # sec,min,hour
            initial_contact on;
            support_mip6 on;
            proposal_check obey;    # obey, strict or claim
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            pfs_group 1;
            lifetime time 30 sec;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

/usr/local/etc/racoon/psk.txt (FreeBSD)

    192.168.0.1   7HdopoY72bNmewP
    192.168.0.10  7HdopoY72bNmewP

/etc/racoon/psk.txt (MacOS X)

    192.168.0.1   7HdopoY72bNmewP
    192.168.0.10  7HdopoY72bNmewP

Debug output (FreeBSD)

    Mar 28 22:55:54 protos racoon: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
    Mar 28 22:55:54 protos racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfec40: 192.168.0.1/24[0] 192.168.0.10/24[0] proto=any dir=out
    Mar 28 22:55:54 protos racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a2c08: 192.168.0.10/24[0] 192.168.0.1/24[0] proto=any dir=in
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:222:isakmp_handler(): 277 bytes message received from 192.168.0.10[500]
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump():
        a8d6f8dc 8b9041c1 00000000 00000000 01100400 00000000 00000115 04000034
        00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
        80010005 80030001 80020002 80040002 0a000084 f23e0504 edb10453 8212421a
        f817e04d 148782fb 81436b89 f73240d1 a69d3662 5cbb7e5a cb234c8a 764c6357
        87b6c7ee 6606ad2b daf088dc 27dfbac8 5c8ca5f5 20b7c274 4e6f22d7 a85e4237
        36291558 2cc68a6e fc9f449c 9d9463e3 ebb1536b 068063f7 ac6f290e 6160f975
        b059aa6c dcccf25d ee5361aa d18ba202 b567ff46 05000014 d2b5d6de f4860836
        93be994d 10fb9d3a 0d000019 03000000 726f6f74 40727565 7474696d 61632e63
        68000000 144df379 28e9fc4f d1b32621 70d515c6 62
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:2246:isakmp_printpacket(): begin.
    Mar 28 22:57:11 protos racoon: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 192.168.0.10[500].
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:887:isakmp_ph1begin_r(): ===
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh(): begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=1(sa)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=4(ke)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=10(nonce)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=5(id)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=13(vid)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh(): succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv(): received payload of type ke
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv(): received payload of type nonce
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv(): received payload of type id
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv(): received payload of type vid
    Mar 28 22:57:11 protos racoon: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1117:get_proppair(): total SA len=48
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump():
        00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
        80010005 80030001 80020002 80040002
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh(): begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=2(prop)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh(): succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=40
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh(): begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh(): seen nptype=3(trns)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh(): succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=32
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=60
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA
    Mar 28 22:57:11 protos racoon: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1213:get_proppair(): pair 1:
    Mar 28 22:57:11 protos racoon: DEBUG: proposal.c:895:print_proppair0(): 0x80a8dc0: next=0x0 tnext=0x0
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1248:get_proppair(): proposal #1: 1 transform
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=60
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 60:60)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:SHA
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:248:get_ph1approval(): an acceptable proposal found.
    Mar 28 22:57:11 protos racoon: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1994:isakmp_newcookie(): new cookie: 0ad0e291b31fe9c0
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of User_FQDN
    Mar 28 22:57:11 protos racoon: DEBUG: oakley.c:300:oakley_dh_generate(): compute DH's private.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump():
        6753fee8 60c3a0f2 ae75b8f8 b01a3ebb 077d1c3d 32079cb0 a85027bc ce546f9a
        ba3f7f1d 3621cdc7 846570e1 5f9eaef5 ece52b65 8c704ae1 01ae7444 7490a9bd
        72d9c58c 0366a656 38261e4e fa4b56ce 10d8544a 8e86344d 32b78168 909a5847
        c118c017 a17cd78a cbb543b7 98e1cb8e 5e8faed4 f28ddb5b 1783717e 244b075f
    Mar 28 22:57:11 protos racoon: DEBUG: oakley.c:302:oakley_dh_generate(): compute DH's public.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump():
        188b2e30 9cf45135 c1dc28fb 44f75b0b 0d6511c2 2d615c1c 032790c7 3a154392
        582a65cf 3535dabc cd858f07 11b1d229 e9a49744 aa3a1935 c9bff6cc 2a060706
        6af1b688 0ca5f0e4 c8085d7d de7a24db 7e70369f c913691a b4de01fe b98f3218
        35480394 ac9ec110 33431e8c a6098b94 0d29ad67 7be9cd11 059569db 7523ea0d
    Mar 28 22:57:11 protos racoon: DEBUG: oakley.c:250:oakley_dh_compute(): compute DH's shared.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump():
        3a7b7282 97f70a35 423f1b4b cd893507 23188260 bb366f00 02bd5d60 1f85d97f
        ab60ce35 e4d1a4e8 975daf7a 34ba3393 4282dba6 e30885e8 c8459602 f0d9f8dc
        72048742 295d0035 5611342c e51c20c0 17d2a64b 7c985bd4 c5424535 e9cb8e05
        900484a4 2838807a b2656122 be5e1bb6 5b0e1003 e1087aa2 ab448b19 fb5bdf3b
    Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
    Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:222:isakmp_handler(): 277 bytes message received from 192.168.0.10[500]
    Mar 28 22:57:21 protos racoon: DEBUG: plog.c:193:plogdump():
        a8d6f8dc 8b9041c1 00000000 00000000 01100400 00000000 00000115 04000034
        00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
        80010005 80030001 80020002 80040002 0a000084 f23e0504 edb10453 8212421a
        f817e04d 148782fb 81436b89 f73240d1 a69d3662 5cbb7e5a cb234c8a 764c6357
        87b6c7ee 6606ad2b daf088dc 27dfbac8 5c8ca5f5 20b7c274 4e6f22d7 a85e4237
        36291558 2cc68a6e fc9f449c 9d9463e3 ebb1536b 068063f7 ac6f290e 6160f975
        b059aa6c dcccf25d ee5361aa d18ba202 b567ff46 05000014 d2b5d6de f4860836
        93be994d 10fb9d3a 0d000019 03000000 726f6f74 40727565 7474696d 61632e63
        68000000 144df379 28e9fc4f d1b32621 70d515c6 62

Debug output (MacOS X)

    Mar 28 23:05:24 localhost racoon: INFO: isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.
    Mar 28 23:05:53 localhost racoon: ERROR: isakmp.c:1694:isakmp_ph1resend(): phase1 negotiation failed due to time up. 4445e17f3009917d:0000000000000000
    Mar 28 23:06:13 localhost racoon: INFO: isakmp.c:1941:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1 queued due to no phase1 found.
    Mar 28 23:06:13 localhost racoon: INFO: isakmp.c:994:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.0.10[500]<=>192.168.0.1[500]
    Mar 28 23:06:13 localhost racoon: INFO: isakmp.c:999:isakmp_ph1begin_i(): begin Aggressive mode.
    Mar 28 23:06:44 localhost racoon: ERROR: isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.1->192.168.0.1 0
    Mar 28 23:06:44 localhost racoon: INFO: isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.

Something wrong with the setup? Maybe incompatible versions of racoon (tip found in a FreeBSD mailing list)?

    racoon-20040116a <-----> racoon-20040114 (Big Endian)

Thanks for any help!

Cyrill
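As an added example (not code from the post or from racoon), a small Python decoder for the 277-byte aggressive-mode message that the FreeBSD racoon debug output dumps: it walks the ISAKMP header and payload chain, which is what the "seen nptype=..." and "check_attr_isakmp" lines above report. Payload, exchange and attribute names follow RFC 2408/2409; the decoder assumes a single proposal with SPI size 0, as in this dump.

```python
import struct
# The 277-byte aggressive-mode message that racoon's plogdump() printed in the
# FreeBSD debug output of the post (hex copied from that log, whitespace free).
ISAKMP_MSG_HEX = (
    "a8d6f8dc8b9041c1 0000000000000000 01100400 00000000 00000115"
    " 04000034 00000001 00000001 00000028 01010001 00000020 01010000"
    " 800b0001 800c003c 80010005 80030001 80020002 80040002"
    " 0a000084 f23e0504edb104538212421af817e04d148782fb81436b89f73240d1a69d3662"
    " 5cbb7e5acb234c8a764c635787b6c7ee6606ad2bdaf088dc27dfbac85c8ca5f520b7c274"
    " 4e6f22d7a85e4237362915582cc68a6efc9f449c9d9463e3ebb1536b068063f7ac6f290e"
    " 6160f975b059aa6cdcccf25dee5361aad18ba202b567ff46"
    " 05000014 d2b5d6def486083693be994d10fb9d3a"
    " 0d000019 03000000 726f6f74407275657474696d61632e6368"
    " 00000014 4df37928e9fc4fd1b3262170d515c662"
)
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 10: "Nonce", 13: "VID"}  # RFC 2408 types
EXCHANGE = {2: "main", 4: "aggressive"}
ATTR = {1: "encryption", 2: "hash", 3: "auth method", 4: "DH group",
        11: "life type", 12: "life duration"}  # phase 1 attribute classes

def sa_attributes(sa_body):
    """Basic (0x8000) attributes of the first transform; offset 24 = DOI+situation, proposal and transform headers (SPI size 0)."""
    attrs, pos = {}, 24
    while pos + 4 <= len(sa_body):
        atype, value = struct.unpack("!HH", sa_body[pos:pos + 4])
        attrs[ATTR.get(atype & 0x7fff, atype)] = value
        pos += 4
    return attrs

def parse_isakmp(hex_dump):
    """Decode the ISAKMP header and walk the generic payload chain."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    icookie, rcookie, np, ver, xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes received")
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "payloads": [],
           "version": f"{ver >> 4}.{ver & 0xf}", "exchange": EXCHANGE.get(xchg, xchg)}
    off = 28
    while np and off + 4 <= length:  # next-payload 0 terminates the chain
        next_np, _, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        msg["payloads"].append((PAYLOAD.get(np, str(np)), len(body)))
        if np == 1:
            msg["sa_attrs"] = sa_attributes(body)
        elif np == 5:  # ID payload: id type, protocol id, port, then identity
            msg["id_type"], msg["id"] = body[0], body[4:].decode("ascii")
        np, off = next_np, off + plen
    return msg
```

The decoded attributes (life duration 60, encryption 5 = 3DES-CBC, auth method 1 = pre-shared key, hash 2 = SHA, DH group 2) are exactly the values racoon accepts in its "Compared: DB:Peer" block, so the proposal itself is not what fails here.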