Date:      Fri, 24 Jan 2003 09:20:37 +0600
From:      "????????" <techlists@stack.ru>
To:        <freebsd-isp@freebsd.org>
Subject:   racoon dumps core
Message-ID:  <CA28026327658B478F964AD08A46D413EE62AD@exch2k.stack.firm>

	Hello everyone.

	I have an IPSec connection between FreeBSD and w2k. When I run
	racoon and there is no SA in the SAD, I begin to ping the w2k
	machine. The first 1-3 packets are lost, then IPSec comes up ...
	after a few seconds racoon receives some strange information from
	w2k and dumps core. The SA stays in the SAD until its timeout;
	after this timeout nobody listens on port 500 to negotiate the
	IPSec connection. I have tried the latest racoon from the ports
	collection (racoon-20021120a).

	Here is my configuration:

	racoon.conf:

	path certificate "/usr/local/etc/racoon/certs" ;
	padding
	{
	        maximum_length 20;      # maximum padding length.
	        randomize off;          # enable randomize length.
	        strict_check off;       # enable strict check.
	        exclusive_tail off;     # extract last one octet.
	}
	listen
	{
	        isakmp 217.106.120.253 [500];
	        #admin [7002];          # administrative's port by kmpstat.
	        #strict_address;        # required all addresses must be bound.
	}
	timer
	{
	        # These value can be changed per remote node.
	        counter 5;              # maximum trying count to send.
	        interval 20 sec;        # maximum interval to resend.
	        persend 1;              # the number of packets per a send.

	        # timer for waiting to complete each phase.
	        phase1 90 sec;
	        phase2 60 sec;
	}
	remote 192.168.10.110
	{   exchange_mode main, aggressive;#
	    certificate_type x509 "hare2.stack.ru.crt" "hare2.stack.ru.key.unsecure";
	    my_identifier asn1dn "C=RU, ST=Russia, L=Tomsk, O=hare2, CN=hare2.stack.ru";
	    peers_identifier asn1dn "C=RU, ST=Russia, O=home, CN=warm.stack.firm";
	    verify_identifier on ;

	    nonce_size 16;
	    support_mip6 on; #
	    #lifetime time 10 min ;
	    #proposal_check obey ;
	    initial_contact on ;
	    proposal {  encryption_algorithm des; hash_algorithm md5;
	                #lifetime time 10 min ;
	                authentication_method rsasig; dh_group modp768;}}
	# SA for test.my.firm (me - FBSD, she - windows 2000)
	sainfo address 217.106.120.253 any address 192.168.10.110 any
	{   pfs_group 1;
	    encryption_algorithm null_enc, 3des; lifetime time 720 sec ;
	    authentication_algorithm hmac_md5, hmac_sha1; compression_algorithm deflate; }

	So, I need no encryption, only AH.
	log message (not full log):

	test2:/usr/local/etc/racoon# racoon -f /usr/local/etc/racoon/racoon.conf -F
	....
	....
	.....
	2003-01-23 15:31:54: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 217.106.120.253[500]-192.168.10.110[500] spi:f33aaf10101058b9:45646c35dbb70ba7
	2003-01-23 15:31:55: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 217.106.120.253[0]<=>192.168.10.110[0]
	2003-01-23 15:31:56: WARNING: isakmp_inf.c:1273:isakmp_check_notify(): ignore RESPONDER-LIFETIME notification.
	2003-01-23 15:31:56: WARNING: ipsec_doi.c:919:cmp_aproppair_i(): attribute has been modified.
	2003-01-23 15:31:56: WARNING: isakmp_inf.c:1269:isakmp_check_notify(): ignore CONNECTED notification.
	2003-01-23 15:31:56: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: AH/Transport 192.168.10.110->217.106.120.253 spi=174279017(0xa634969)
	2003-01-23 15:31:56: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: AH/Transport 217.106.120.253->192.168.10.110 spi=864833796(0x338c5104)
	Segmentation fault (core dumped)
	test2:/usr/local/etc/racoon#

	Anton.
