Date:      Sat, 26 Jun 2004 17:36:13 +0200 (CEST)
From:      Lupe Christoph <lupe@lupe-christoph.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/68396: Racoon racoon-20040617a Interoperability with Free/OpenSWAN
Message-ID:  <20040626153613.0F9A5154@firewally.lupe-christoph.de>
Resent-Message-ID: <200406261550.i5QFoLuv060614@freefall.freebsd.org>

>Number:         68396
>Category:       ports
>Synopsis:       Racoon racoon-20040617a Interoperability with Free/OpenSWAN
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 26 15:50:21 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Lupe Christoph
>Release:        FreeBSD 4.10-RELEASE i386
>Organization:
>Environment:
System: FreeBSD firewally.lupe-christoph.de 4.10-RELEASE FreeBSD 4.10-RELEASE #1: Mon Jun 7 12:30:40 CEST 2004 root@firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386

>Description:
	I just upgraded from racoon-20040408a to racoon-20040617a.
	Two of my tunnels with FreeS/WAN or OpenSWAN machines ceased to operate.
	Error is:
		DEBUG: isakmp.c:1143:isakmp_parsewoh(): invalid length of payload
		ERROR: isakmp.c:1061:isakmp_ph2begin_r(): failed to pre-process packet.
	The only FreeS/WAN tunnel that works with racoon-20040617a is the one that
	uses CA-signed certificates. The ones that do not operate use self-signed
	certificates and PSKs.

	I also have a zoo of versions (pluto versions below):
		CA-signed certificates	 FreeS/WAN 1.96
		self-signed certificates Linux FreeS/WAN 2.1.3
		PSKs                     FreeS/WAN 1.95
	So it is unlikely that this is a bug in Free/OpenSWAN - the non-working
	versions bracket the working one.

	From what I understand from the packet dumps, the decryption fails. Here is
	a decrypted packet from racoon-20040617a:

	34b8e3aa 257dd793 e0150c9b b835f3b1 05100201 00000000 00000134 40621e14
	c67ac9b0 62756578 652e622d 352e6465 00000104 1d3029b9 8349f993 e8a29377
	6241c9be 74023533 cd262968 47673407 b64ef047 82757682 86592393 4d01f5af
	76b949e0 5ca485df 332865fd 213af245 cc57671b 1adb295e c4aef1a4 2e5388fc
	e939e763 a22660b8 a6524dff e91d5a04 78f7c054 aa21fe0a a3597463 dc537be1
	edc7d1d9 d196c048 c75493c5 9478d3fb b780aa58 ffdfd20f 57b3cf77 ec0c66ca
	357cf5f7 a44745a6 29d6c43a 8bcea1c2 50efa970 0e364fec 1aca2d62 662eaa7a
	45d86331 921b3440 ade57f6b 0b14fd32 406bf7f8 e7f51cf9 5008f1e0 d9b30379
	67d45bda d6174e91 57856637 462163d7 4eb93ab5 b74818e6 bfea0817 73702f04
	c15add31 11054e58 19a92161 f174b05b 09367861

	and here is probably the same thing decoded by racoon-20040408a:

	e637e4fe 805a1ec2 22eac8ab ba9d8f8b 05100201 00000000 00000134 09000014
	02000000 62756578 652e622d 352e6465 00000104 02024668 9a977225 0f016ba6
	6e304bdd c3779703 8342e7d1 6395ea79 621d4f16 fa8788db 7f8ff93b 2e7639c5
	8e2879be c11dfbf5 0130bbe3 10a52893 65348112 13a82ca4 90fee998 fe2b9e06
	1d8313d3 380c60d3 2c0d13fd 6dac45c6 75ad210f 91b2e998 6851521f d182878a
	5851b979 5b4a9a4d 9a39f696 a7829acb f49d9a90 80bc0f29 98edfe36 246026c4
	1f0c808e bc4bbd30 9ba07af6 5b68d985 6f69bf87 32794d36 9af05dc1 a3e00041
	5c4b8301 50f6a87f acf2e114 0700f66d 1c07b2b5 00afec4e 3305181a d89b4565
	d0de58cb 7c24cd31 ddab7b79 ab0674fa 71d9b8c2 256bbffa 07a09a12 716a138c
	a753d48f 2445d869 842fa0ee 6f2d4fd6 674617cd

	The first packet looks like IPSec gibberish to me. 40621e14 is not a valid
	Payload Header. What is a payload of 0x40? And the RESERVED is not zero.

	The second packet, on the other hand, decodes fine:
		28 bytes of header
		20 bytes of Identification "buexe.b-5.de"
		260 bytes of signature
		---
		308 bytes packet

>How-To-Repeat:
	I have no easy way of repeating this. Set up a Linux box with <any>SWAN,
	use Certificates.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
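As an added illustration (not part of this report or of racoon itself), here is a small walker over the ISAKMP generic payload chain that does exactly what the decode above does by hand: 28-byte header, then each payload's Next Payload / RESERVED / Length, with an ID payload's FQDN pulled out. It is fed the first 13 words of each dump; the 256-byte signature body is replaced by a constructed all-zero stand-in, since the walk never looks inside it.

```python
import struct

# ISAKMP payload type numbers (RFC 2408) that appear in these Main Mode packets
PAYLOAD_NAMES = {0: "NONE", 5: "ID", 9: "SIG"}
HDR_LEN = 28  # fixed header: cookies(16) next-payload ver xchg flags msgid(4) len(4)


def walk_payloads(pkt):
    """Walk the ISAKMP payload chain. Returns (ok, chain, reason); chain lists
    (type name, length, detail) for every payload accepted before a failure."""
    if len(pkt) < HDR_LEN:
        return False, [], "packet shorter than ISAKMP header"
    cur, ver, xchg, flags, msgid, total = struct.unpack("!BBBBII", pkt[16:28])
    if total != len(pkt):
        return False, [], "header length %d != packet length %d" % (total, len(pkt))
    off, chain = HDR_LEN, []
    while cur != 0:
        if off + 4 > len(pkt):
            return False, chain, "truncated payload header at offset %d" % off
        nxt, reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        # the three checks the report walks through, in the same order
        if nxt not in PAYLOAD_NAMES:
            return False, chain, "unknown next payload 0x%02x at offset %d" % (nxt, off)
        if reserved != 0:
            return False, chain, "RESERVED is 0x%02x at offset %d" % (reserved, off)
        if plen < 4 or off + plen > len(pkt):
            return False, chain, "invalid length of payload %d at offset %d" % (plen, off)
        body, detail = pkt[off + 4:off + plen], ""
        if cur == 5 and len(body) >= 4:  # ID payload: id type, protocol, port, identity
            id_type, proto, port = struct.unpack("!BBH", body[:4])
            detail = "type=%d %s" % (id_type, body[4:].decode("ascii", "replace"))
        chain.append((PAYLOAD_NAMES[cur], plen, detail))
        off, cur = off + plen, nxt
    if off != len(pkt):
        return False, chain, "%d trailing bytes after last payload" % (len(pkt) - off)
    return True, chain, "ok"


def from_dump(words):
    """First 13 words of a dump (header, ID payload, SIG header) plus a constructed
    all-zero stand-in for the 256-byte signature body the walk never inspects."""
    return bytes.fromhex(words) + b"\x00" * 256

GOOD = from_dump("e637e4fe 805a1ec2 22eac8ab ba9d8f8b 05100201 00000000 00000134"
                 " 09000014 02000000 62756578 652e622d 352e6465 00000104")
BAD = from_dump("34b8e3aa 257dd793 e0150c9b b835f3b1 05100201 00000000 00000134"
                " 40621e14 c67ac9b0 62756578 652e622d 352e6465 00000104")

if __name__ == "__main__":
    for name, pkt in (("racoon-20040408a", GOOD), ("racoon-20040617a", BAD)):
        print(name, walk_payloads(pkt))
```

Note that in the racoon-20040617a dump only the 8 bytes at offset 28, the first block of the encrypted part, differ from a sane ID payload header; the FQDN and the following SIG header are intact, which is the pattern a CBC decryption with the wrong IV produces (assuming an 8-byte block cipher such as 3DES, only the first plaintext block is corrupted).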