From owner-freebsd-net@FreeBSD.ORG Sat Dec 30 17:52:22 2006
From: "Robert Usle" <robertusn@gmail.com>
To: "VANHULLEBUS Yvan"
Cc: freebsd-net@freebsd.org
Date: Sat, 30 Dec 2006 18:52:21 +0100
Subject: Re: ipsec-tools 0.6.6 problem
Message-ID: <3713853f0612300952i7180b1daw1dbd7af01bc75c72@mail.gmail.com>
In-Reply-To: <20061230152859.GA1519@jayce.zen.inc>
References: <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com> <20061230152859.GA1519@jayce.zen.inc>
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 30 Dec 2006 17:52:22 -0000

On 12/30/06, VANHULLEBUS Yvan wrote:
> On Thu, Dec 28, 2006 at 05:51:42PM +0100, Robert Usle wrote:
> > Hello list & Yvan.
>
> Hi.
>
> > [...]
> > listen
> > {
> >         #isakmp ::1 [7000];
> >         isakmp 89.217.11.250 [500];
> >         isakmp 10.0.5.1 [500];
> >         #admin [7002];          # administrative port for racoonctl.
> >         #strict_address;        # requires that all addresses must be bound.
> > }
>
> Those addresses don't match the ifconfig output you sent in your
> previous mail, is that normal ?

Yes, sorry. I was trying to mask a real IP.. that's not the one I have
attached to my interface. For security reasons.

> [....]
> > remote anonymous {
> >         exchange_mode aggressive,main,base;
>
> This is a quite ugly config (I fear it comes from ipsec-tools
> examples....), but it is not related to your problem.

Tried many others.

> [....]
> > 2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
> > 2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
> > 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> > 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> > 2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0] 192.168.2.0/24[0] proto=any dir=out
> > 2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0] 0.0.0.0/0[0] proto=any dir=in
>
> Could you also give us the output of "setkey -D -P"

Sure.
192.168.2.0/24[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.5.40-10.0.5.1/require
        spid=53 seq=1 pid=7738 refcnt=1
0.0.0.0/0[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/10.0.5.1-10.0.5.40/require
        spid=54 seq=0 pid=7738 refcnt=1

> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:50: DEBUG: msg 5 not interesting
> > 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> > and so on..... infinite loop with 'caught rtm:2, need update interface
> > address list'
>
> Strange. The most common reason for an interface update is
> entering/leaving promiscuous mode, or changing IP configuration, but I
> guess you don't do that many times per second....

I am not aware of any changes made. I am running snort, but even if I
shut it down, racoon still makes the loop.
Here's my ifconfig output:

fxp0: flags=8843 mtu 1500
        options=40
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:03:47:c6:af:e6
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500
        options=1
        inet 89.217.11.250 netmask 0xfffffff8 broadcast 89.217.11.255
        ether 00:04:75:c1:d7:76
        media: Ethernet autoselect (10baseT/UTP)
        status: active
xl1: flags=8843 mtu 1500
        options=1
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:01:02:e2:40:78
        media: Ethernet autoselect (100baseTX )
        status: active
rl0: flags=8843 mtu 1500
        options=40
        inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
        ether 00:e0:4c:e9:ec:83
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 mtu 1500
        options=40
        inet 10.0.6.1 netmask 0xffffff00 broadcast 10.0.6.255
        ether 00:0a:cd:08:61:7d
        media: Ethernet autoselect (100baseTX )
        status: active
rl2: flags=8843 mtu 1500
        options=40
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        ether 00:0a:cd:08:61:6d
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8010 mtu 1500
        inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff

tun0 (is an openvpn interface)

As you can see POLLING is enabled on some of them.

> Just to be sure: do you have strange messages on console related to IP
> configuration ?
>
> > [...]
> > There are 2 setkey commands now, (/usr/sbin/ & /usr/local/sbin)
> > can I use both ?
>
> For very basic usage, yes, but as you are using ipsec-tool's racoon,
> it is better to also use ipsec-tool's setkey, which is the
> /usr/local/sbin one.
>
> > Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
> > after running setkey
>
> ?
>
> Are you sure your kernel has been correctly compiled/installed ???

I compiled it twice. No errors, standard make buildkernel/installkernel
KERNCONF=TUNED

Actually, I've managed to create an ipsec connection between this box &
other FreeBSD box..
The problem appears when I'm trying to connect it with an asmax br-604g
router, which in fact is a piece of sh... I've already trashed it.

The main problem is that racoon dies from time to time, and that it
puts out so many interface-related messages.

Maybe I should reestablish the VPN connection between these 2 bsd boxes,
and check if the problems occur.

Thanks and Happy New Year !

-- 
Robert
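The `setkey -D -P` dump in the reply above is the one piece of evidence that lets a reader check, independently of racoon's logs, whether the kernel SPD actually holds a matched pair of tunnel policies. The following is an added example (not code from this thread, from ipsec-tools, or from FreeBSD) that parses the multi-line `setkey -D -P` layout shown above and verifies that every inbound `ipsec` policy has an outbound mirror whose selectors and tunnel endpoints are swapped; a one-directional or mismatched pair is exactly the kind of thing that shows up later as "traffic goes out but nothing comes back". The sample text is constructed from the two entries Robert posted; the function names `parse_spd` and `check_tunnel_symmetry` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two SPD entries from the message above, in the
# multi-line layout that `setkey -D -P` prints (a selector header line
# followed by indented attribute lines).
SAMPLE_SPD = """\
192.168.2.0/24[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/10.0.5.40-10.0.5.1/require
\tspid=53 seq=1 pid=7738 refcnt=1
0.0.0.0/0[any] 192.168.2.0/24[any] any
\tout ipsec
\tesp/tunnel/10.0.5.1-10.0.5.40/require
\tspid=54 seq=0 pid=7738 refcnt=1
"""

# "<src>[port] <dst>[port] <upper-layer proto>"
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
# "<proto>/<mode>/<local>-<remote>/<level>", e.g. esp/tunnel/a-b/require
RULE_RE = re.compile(r"^(\w+)/(\w+)/([^/]+)-([^/]+)/(\w+)$")
SPID_RE = re.compile(r"spid=(\d+)")


@dataclass
class Policy:
    src: str
    dst: str
    upper: str
    direction: str = ""
    action: str = ""
    proto: Optional[str] = None
    mode: Optional[str] = None
    local: Optional[str] = None   # tunnel source address as printed
    remote: Optional[str] = None  # tunnel destination address as printed
    level: Optional[str] = None
    spid: Optional[int] = None


def parse_spd(text: str) -> List[Policy]:
    """Parse `setkey -D -P` output into Policy records (hypothetical helper)."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = new policy header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unexpected SPD header: {line!r}")
            cur = Policy(src=m.group(1), dst=m.group(2), upper=m.group(3))
            policies.append(cur)
            continue
        if cur is None:
            raise ValueError("attribute line before any policy header")
        fields = line.split()
        if fields[0] in ("in", "out", "fwd"):  # "<dir> <ipsec|discard|none>"
            cur.direction = fields[0]
            cur.action = fields[1] if len(fields) > 1 else ""
        elif (m := RULE_RE.match(fields[0])):
            cur.proto, cur.mode, cur.local, cur.remote, cur.level = m.groups()
        elif (m := SPID_RE.search(line)):
            cur.spid = int(m.group(1))
    return policies


def check_tunnel_symmetry(policies: List[Policy]) -> List[str]:
    """Return human-readable problems; an empty list means every inbound
    policy has an outbound mirror with swapped selectors and endpoints."""
    problems: List[str] = []
    outbound = [p for p in policies if p.direction == "out"]
    for pin in (p for p in policies if p.direction == "in"):
        mirror = [p for p in outbound
                  if p.src == pin.dst and p.dst == pin.src and p.upper == pin.upper]
        if not mirror:
            problems.append(f"spid={pin.spid}: no outbound policy for {pin.dst} -> {pin.src}")
            continue
        pout = mirror[0]
        if pin.action != pout.action:
            problems.append(f"spid={pin.spid}/{pout.spid}: actions differ "
                            f"({pin.action} vs {pout.action})")
        elif pin.action == "ipsec" and (pin.local, pin.remote) != (pout.remote, pout.local):
            problems.append(f"spid={pin.spid}/{pout.spid}: tunnel endpoints do not mirror "
                            f"({pin.local}-{pin.remote} vs {pout.local}-{pout.remote})")
    return problems


if __name__ == "__main__":
    # Typical use: setkey -D -P | python3 spdcheck.py   (read stdin instead of SAMPLE_SPD)
    pols = parse_spd(SAMPLE_SPD)
    for p in pols:
        print(f"spid={p.spid} {p.direction:3} {p.src} -> {p.dst} {p.mode} {p.local}-{p.remote}")
    print("problems:", check_tunnel_symmetry(pols) or "none")
```

The check deliberately compares the printed endpoint order rather than trying to decide which side is "local": in the dump above the inbound entry reads `10.0.5.40-10.0.5.1` and the outbound one `10.0.5.1-10.0.5.40`, and that swap is the invariant worth asserting. Run it against a live dump after every `setkey -f` reload; a missing or lopsided pair is quicker to spot here than in racoon's DEBUG stream.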