From owner-freebsd-security Wed Jul 10 21:49: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7069337B400 for ; Wed, 10 Jul 2002 21:49:04 -0700 (PDT)
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id A9BC843E42 for ; Wed, 10 Jul 2002 21:49:03 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com)
Received: (qmail 42139 invoked by uid 0); 11 Jul 2002 04:49:03 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.336474 secs); 11 Jul 2002 04:49:03 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: dlavigne6@cogeco.ca,security@freebsd.org
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.336474 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 11 Jul 2002 04:49:02 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 10 Jul 2002 23:49:02 -0500
Message-ID: <3D2D0E3E.3AE08B84@dolaninformation.com>
Date: Wed, 10 Jul 2002 23:49:02 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dru
Cc: security@freebsd.org
Subject: Re: no phase2 handle found (fwd)
References: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Dru wrote:

> ---------- Forwarded message ----------
> Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
> From: Dru
> To: security@freebsd.org
> Subject: no phase2 handle found
>
> Didn't get any response from questions, so I'll try here.
>
> Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
> the latest racoon. Phase 1 is successful and an ethereal analysis shows
> that both are negotiating the same policy parameters. However, Phase 2
> repeats endlessly with this message in /var/log/racoon.conf:
>
> ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
> phase2 handle found.
>
> The Phase 2 parameters on the PIX:
>
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> crypto dynamic-map bsd 100 set transform-set vpn
> crypto dynamic-map bsd 100 set pfs group2
> crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
> kilobytes 4608000
>
> and in racoon:
>
> pfs_group 2;
> lifetime time 3600 sec;
> encryption_algorithm des ;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
>
> I can only guess that negotiations are failing because of the compression
> algorithm; from what I can gather PIX only supports lzs but I'm unsure if
> compression is enabled or disabled by default. There are no (documented) knobs
> in the PIX IOS to enable/disable compression in the transform set.
>
> I haven't had any luck getting setkey to use lzs and a google search shows
> one mailing list query which never received an answer. If I try:
>
> add bsd_ip pix_ip 666 -C lzs;
>
> I get a syntax error.
>
> I've been able to set the SPD to accept this as part of the policy
>
> ipcomp/tunnel/pix_ip-bsd_ip/require;

Have you recently upgraded to OpenSSH 3.4p1 via ports and also upgraded OpenSSL (required by the openssh port)? Maybe did this after installing racoon? Maybe try deleting racoon and reinstalling openssl... maybe even with the overwrite_base option set to yes; be careful with it and read /etc/default/make.conf. After reinstalling openssl, recompile and install racoon. And try again.

I had a similar error in my racoon.log and recompiling racoon against the latest openssl corrected it for me. The equipment involved was a freebsd box and a linksys box... so your mileage may vary.

If you have a spare box, you might try establishing an ipsec between your current freebsd box and the spare box (freebsd) just to confirm racoon is behaving semi-properly and the problem really is the interaction between the pix box and the fbsd box.

Good Luck,
Greg

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
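An added example, not part of either message above and not taken from Dru's or Greg's configuration: a racoon phase 2 (sainfo) block and matching setkey SPD entries that line up, transform for transform, with the PIX transform-set quoted in the thread (ESP with DES and HMAC-MD5, PFS group 2, 3600-second lifetime). The addresses are constructed for illustration: 203.0.113.5 stands in for bsd_ip, 198.51.100.9 for pix_ip, 192.168.10.0/24 for the network behind the FreeBSD box and 192.168.20.0/24 for the network behind the PIX; substitute the real ones. The phase 1 remote block is not shown, since the thread says phase 1 already succeeds and gives none of its parameters. The one deliberate difference from the racoon snippet in the thread is that this example omits compression_algorithm and the ipcomp SPD rule, on the assumption (not confirmed anywhere on this page) that a phase 2 proposal carrying an IPComp transform the PIX transform-set does not list is what the PIX is refusing.

```conf
# --- /usr/local/etc/racoon/racoon.conf (phase 2 part only; example, constructed) ---
# The "remote 198.51.100.9 { ... }" phase 1 block is assumed to already work
# and is left out here.

# Phase 2 SA parameters for traffic between the two constructed subnets.
# Every line mirrors one PIX setting quoted in the thread:
#   esp-des esp-md5-hmac                     -> encryption_algorithm des;
#                                               authentication_algorithm hmac_md5;
#   set pfs group2                           -> pfs_group 2;
#   set security-association lifetime 3600   -> lifetime time 3600 sec;
# No compression_algorithm line: the PIX transform-set declares no IPComp
# transform, so nothing proposes one here (assumption, see lead-in).
sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any {
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
}

# --- /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" (example, constructed) ---
# Selectors: subnet behind FreeBSD <-> subnet behind PIX, both directions.
# Tunnel endpoints: 203.0.113.5 (FreeBSD, bsd_ip) and 198.51.100.9 (PIX, pix_ip).
# ESP only, tunnel mode, "require" so the kernel asks racoon to negotiate
# an SA rather than sending clear text. No ipcomp/tunnel rule, for the same
# reason compression_algorithm is absent above.
spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec
    esp/tunnel/203.0.113.5-198.51.100.9/require;
spdadd 192.168.20.0/24 192.168.10.0/24 any -P in  ipsec
    esp/tunnel/198.51.100.9-203.0.113.5/require;
```

To use it, flush and reload the SPD with setkey -F; setkey -FP; setkey -f /etc/ipsec.conf, restart racoon, send a packet from 192.168.10.0/24 toward 192.168.20.0/24 so the kernel triggers negotiation, then watch the racoon log and setkey -D for the pair of ESP SAs. If the peer still answers the phase 2 proposal with a notify, the remaining differences to check are the ones this example cannot guess from the page: the phase 1 remote block and whether the PIX expects the same subnet selectors in its crypto map.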