From owner-freebsd-questions@FreeBSD.ORG Mon Aug 20 15:49:05 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 913CA16A479 for ; Mon, 20 Aug 2007 15:49:05 +0000 (UTC) (envelope-from renton@df.ru)
Received: from cannabis.dataforce.net (cannabis.dataforce.net [195.42.160.18]) by mx1.freebsd.org (Postfix) with ESMTP id 1B81413C48E for ; Mon, 20 Aug 2007 15:49:05 +0000 (UTC) (envelope-from renton@df.ru)
Received: by cannabis.dataforce.net (Postfix, from userid 46126) id EDAB911AEEC; Mon, 20 Aug 2007 19:28:53 +0400 (MSD)
Date: Mon, 20 Aug 2007 19:28:53 +0400
From: Alesha
To: freebsd-questions@freebsd.org
Message-ID: <20070820152853.GA6528@cannabis.dataforce.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
User-Agent: Mutt/1.5.16 (2007-06-09)
Subject: The problem of connection between Windows and FreeBSD when using IPSec transport.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 20 Aug 2007 15:49:05 -0000

Hi,

On one side there's FreeBSD 6.2, ipsec-tools-0.6.7; on the other Windows 2003 Server.

If I start pinging under Windows everything works ok:

C:\Documents and Settings>ping 111.111.111.2

Pinging 111.111.111.2 with 32 bytes of data:

Negotiating IP Security.
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
Reply from 111.111.111.2: bytes=32 time<1ms TTL=63

/var/log/racoon.log

2007-08-17 12:10:18: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:10:18: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:10:18: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:29:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)

From FreeBSD:

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
64 bytes from 111.111.111.1: icmp_seq=6 ttl=127 time=0.526 ms
64 bytes from 111.111.111.1: icmp_seq=7 ttl=127 time=6.382 ms

and ping works from both sides.

But if I initiate the ping under FreeBSD (after restarting the racoon daemon),

# ping 111.111.111.1
PING 111.111.111.1 (111.111.111.1): 56 data bytes
^C
--- 111.111.111.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

I see the following in the log:

2007-08-17 12:44:16: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2007-08-17 12:44:16: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: begin Identity Protection mode.
2007-08-17 12:44:21: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:44:21: INFO: received Vendor ID: FRAGMENTATION
2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6

My configs:

# cat /etc/ipsec.conf
spdadd 111.111.111.2 111.111.111.1 any -P out ipsec esp/transport//require;
spdadd 111.111.111.1 111.111.111.2 any -P in ipsec esp/transport//require;

# racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

log notify;

padding {
	maximum_length 20;
	randomize off;
	strict_check off;
	exclusive_tail off;
}

timer {
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous {
	# exchange_mode aggressive,main;
	exchange_mode main, base;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	lifetime time 1 min;	# sec, min, hour
	initial_contact on;
	support_proxy on;
	proposal_check obey;	# obey, strict or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 1;
	lifetime time 36000 sec;
	encryption_algorithm 3des,des,cast128,blowfish;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}

What do I have to change in the conf files to make IPSec work properly no matter which server initiates the connection?

Thank you for any answers.

-- 
BRGDS.
Alesha
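A small triage script, added here as an example and not part of the post above, that reduces the two racoon log excerpts to the facts that matter when comparing the working and failing runs: which side initiated phase 1, whether the ISAKMP-SA came up, whether phase 2 produced the pair of IPsec-SAs, and which ERROR lines appeared. The log text is copied from the post; the names `summarize`, `diagnose` and the verdict strings are this example's own. Run over the two excerpts it shows that phase 1 succeeds in both directions and that only the phase 2 negotiation fails when FreeBSD is the initiator, which is where the post's log points before any config change is tried.

```python
import re
from typing import Iterable

# Excerpts copied from the racoon.log in the post: the working run is the
# one Windows initiated, the failing run the one FreeBSD initiated.
WORKING_RUN = """\
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
"""

FAILING_RUN = """\
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
"""

# racoon log line layout: "<date> <time>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")


def summarize(lines: Iterable[str]) -> dict:
    """Reduce a racoon log excerpt to the handful of facts needed for triage."""
    s = {"role": None, "isakmp_sa": 0, "ipsec_sa": 0,
         "phase2_started": False, "errors": []}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines, blank lines, anything not in log format
        level, msg = m["level"], m["msg"]
        if "new phase 1 negotiation" in msg:
            # racoon prefixes the line with "respond" or "initiate"
            s["role"] = "responder" if msg.startswith("respond") else "initiator"
        elif msg.startswith("ISAKMP-SA established"):
            s["isakmp_sa"] += 1
        elif "new phase 2 negotiation" in msg:
            s["phase2_started"] = True
        elif msg.startswith("IPsec-SA established"):
            s["ipsec_sa"] += 1  # one line per direction; a healthy run has two
        elif level == "ERROR":
            s["errors"].append(msg)
    return s


def diagnose(summary: dict) -> str:
    """Classify a run by how far the IKE exchange got."""
    if summary["isakmp_sa"] == 0:
        return "phase1-failed"
    if summary["phase2_started"] and summary["ipsec_sa"] < 2:
        return "phase2-failed"
    if summary["ipsec_sa"] >= 2:
        return "ok"
    return "no-phase2"


if __name__ == "__main__":
    for name, text in (("windows-initiated", WORKING_RUN),
                       ("freebsd-initiated", FAILING_RUN)):
        summ = summarize(text.splitlines())
        print(f"{name}: role={summ['role']} verdict={diagnose(summ)} "
              f"errors={summ['errors']}")
```

The split between `summarize` and `diagnose` is deliberate: the first only extracts facts a reader can check against the raw lines, the second applies the one rule that matters here (an ISAKMP-SA without the two IPsec-SAs behind it means the phase 2 proposal or notify exchange is what to compare between the two configurations).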