From owner-freebsd-security Mon Jul 29 16:36:52 2002
From: "Duncan Patton a Campbell is Dhu"
To: Trish Lynch
Subject: Re: racoon and weirdness....
Date: Mon, 29 Jul 2002 17:37:02 -0600
Message-Id: <20020729233702.M411@babayaga.neotext.ca>
In-Reply-To: <20020729103029.R484-100000@trish.dyn.magenet.com>

I was never able to get racoon to actually re-establish: that is, if one of my machines went down, all the racoon daemons needed to be restarted. As a first-order observation of what others have been saying, racoon has or exposes problems if all the communicant boxes are not the same. So for now I'm running a manual ipsec config.

Dhu

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Trish Lynch
Sent: Mon, 29 Jul 2002 10:46:30 -0400 (EDT)
Subject: racoon and weirdness....

> I'm working on setting up IPSEC tunnels between a KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's.
>
> What is happening with the one tunnel is this:
>
> after a couple days, it times out, and neither side can reestablish traffic between, the log in /var/log/daemon for racoon tells me the tunnel *is* established, but I can't ping through it. If I restart racoon, it all starts working fine again.
>
> The second issue is a second machine, with a cut/pasted config into racoon.conf, with simply the endpoints changed, does not work at all.
>
> I can ping the external interface of the Ravlin, but it doesn't even *begin* phase 1.
>
> Here is the racoon.conf:
>
> remote ravlin-ext-ip [500]
> {
>         exchange_mode main,aggressive;
>         my_identifier address my-ext-ip;
>         peers_identifier address ravlin-ext-ip;
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 3 hour;   # sec,min,hour
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key ;
>                 dh_group 1 ;
>         }
> }
>
> remote ravlin-int-ip [500]
> {
>         exchange_mode main,aggressive;
>         my_identifier address my-int-ip;
>         peers_identifier address ravlin-int-ip;
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 3 hour;   # sec,min,hour
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key ;
>                 dh_group 2 ;
>         }
> }
>
> sainfo address my-ext-ip/32[0] any address ravlin-ext-ip/32[0] any {
>         # pfs_group 2;
>         lifetime time 10800 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_md5,hmac_sha1;
>         compression_algorithm deflate ;
> }
>
> sainfo address my-int-net/23[0] any address ravlin-int-net/24[0] any {
>         # pfs_group 2;
>         lifetime time 10800 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_md5,hmac_sha1;
>         compression_algorithm deflate ;
> }
>
> the gif interface is set up as such:
>
> BSD2 == my machine, BSD5 == Ravlin
>
> $IFCONFIG $GIF3 plumb
> $IFCONFIG $GIF3 mtu 1500
> $IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK
> /usr/sbin/setkey -FP
> /usr/sbin/setkey -F
> /usr/sbin/setkey -c << EOF
> spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
>         esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
> spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
>         esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
> EOF
>
> Anyone wanna hit me with a cluebat?
>
> -Trish
>
> --
> Trish Lynch                                   trish@egobsd.org
> Ecartis Core Team
> Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493
------- End of Original Message -------
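An added example, not code from either poster: a small audit helper that parses the `remote` blocks of the racoon.conf quoted above and reports which phase 1 directives differ between peers. As quoted, the ext and int entries use different hash algorithms and DH groups, which is the kind of proposal mismatch worth checking against the peer device's own settings whenever phase 1 never starts. The sample configuration is constructed from the quoted blocks, with their placeholder addresses kept and the directives compacted onto fewer lines.

```python
import re

# Constructed sample: the two "remote" blocks from the racoon.conf quoted in the
# thread (placeholder addresses kept as posted), compacted onto fewer lines.
RACOON_CONF = """
remote ravlin-ext-ip [500] {
    exchange_mode main,aggressive; my_identifier address my-ext-ip;
    peers_identifier address ravlin-ext-ip; generate_policy on;
    nonce_size 16; lifetime time 3 hour;  # sec,min,hour
    proposal { encryption_algorithm 3des; hash_algorithm md5;
               authentication_method pre_shared_key; dh_group 1; }
}
remote ravlin-int-ip [500] {
    exchange_mode main,aggressive; my_identifier address my-int-ip;
    peers_identifier address ravlin-int-ip; generate_policy on;
    nonce_size 16; lifetime time 3 hour;  # sec,min,hour
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
"""

def parse_remotes(text):
    """Return {peer: {directive: value}} for every top-level 'remote' block;
    directives of the nested 'proposal' block are flattened into the same dict."""
    remotes = {}
    for m in re.finditer(r"remote\s+(\S+)\s*\[\d+\]\s*\{", text):
        i, depth = m.end(), 1
        while depth:                                    # find the matching '}'
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = re.sub(r"#.*", "", text[m.end():i - 1])  # strip comments
        body = re.sub(r"proposal\s*\{|\}", " ", body)    # flatten proposal block
        directives = {}
        for stmt in body.split(";"):
            tokens = stmt.split()
            if tokens:
                directives[tokens[0]] = " ".join(tokens[1:])
        remotes[m.group(1)] = directives
    return remotes

def diff_remotes(remotes):
    """Directives whose values differ across remote blocks, ignoring the
    identifiers that are expected to differ per peer."""
    per_peer = {"my_identifier", "peers_identifier"}
    keys = set().union(*(r.keys() for r in remotes.values())) - per_peer
    return {k: {n: r.get(k) for n, r in remotes.items()}
            for k in sorted(keys)
            if len({r.get(k) for r in remotes.values()}) > 1}
```

Running `diff_remotes(parse_remotes(RACOON_CONF))` on the sample reports `dh_group` (1 vs 2) and `hash_algorithm` (md5 vs sha1) and nothing else.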