Date: Tue, 29 Mar 2005 16:08:28 +0200
From: "emilio mastriani" <emilio.mastriani@comunicando.biz>
To: <freebsd-net@freebsd.org>
Subject: Racoon(8) Deleting SPD Entries
Message-ID: <000001c53468$c90a3660$0900a8c0@ctdevd01>
Hi, I have a similar problem. I'm using the native kernel 2.6.9-1.667 on Fedora Core 3 and ipsec-tools-0.3.3-5.6.
My peer (84.222.18.181) is a Zyxel series 600 and I'm NATted behind a similar router. The network is:

IPsec server (fc3)      zyxel/NAT                   internet      zyxel                           ipsec client
192.168.0.71 ---------- 192.168.0.1/80.19.213.28 ---------------- 84.222.18.181/192.168.254.254 ---------- 192.168.254.123

The dialogue starts, the connection is established, but I can't ping, and after 360 sec it goes down.

The ipsec.conf:

#!/usr/bin/setkey -f

#configuration for 192.168.0.71

#flush the SAD and SPD
flush;
spdflush;

#security policy
spdadd 192.168.0.71 192.168.254.123 any -P out ipsec esp/tunnel/80.19.213.28-84.222.18.181/require;
spdadd 192.168.254.123 192.168.0.71 any -P in ipsec esp/tunnel/84.222.18.181-80.19.213.28/require;

The racoon.conf:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug3;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    #isakmp ::1 [7000];
    isakmp 192.168.0.71 [500];
    isakmp_natt 192.168.0.71 [4500];
    #admin [7002];          # administrative's port by kmpstat
    strict_address;         # required all addresses must be found
}

#specification of default various timer
timer {
    #these values can be changed per remote node
    counter 5;              # maximum trying count to send
    interval 20 sec;        # maximum interval to resend
    persend 1;              # the number of packets per a send

    #timer for a waiting to complete each phase
    phase1 180 sec;
    phase2 360 sec;
}

remote anonymous {
    exchange_mode main;
    lifetime time 28800 sec;    # sec,min,hour
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

sainfo anonymous {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

psk.txt is correctly set ;-)

The racoon_start.sh:

#!/bin/sh
/sbin/setkey -FP
sleep 1
/sbin/setkey -F
sleep 1
/sbin/setkey -f /etc/ipsec.conf
sleep 1
/sbin/setkey -DP
sleep 1
killall racoon
sleep 1
/usr/sbin/racoon -d -f /etc/racoon/racoon.conf

The short trace:

Mar 29 15:36:12 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:14 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:14 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:36:47 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:52 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:52 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:37:58 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:38:08 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:38:08 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Mar 29 15:48:08 laptopemy racoon: WARNING: /etc/racoon/racoon.conf:9: "debug3" it is osboleted. use "debug2"
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used as isakmp port (fd=8)
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used for NAT-T
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[500] used as isakmp port (fd=9)
Mar 29 15:48:24 laptopemy racoon: INFO: IPsec-SA request for 84.222.18.181 queued due to no phase1 found.
Mar 29 15:48:24 laptopemy racoon: INFO: initiate new phase 1 negotiation: 80.19.213.28[500]<=>84.222.18.181[500]
Mar 29 15:48:24 laptopemy racoon: INFO: begin Identity Protection mode.
Mar 29 15:48:48 laptopemy racoon: INFO: ISAKMP-SA established 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
Mar 29 15:48:48 laptopemy racoon: INFO: initiate new phase 2 negotiation: 80.19.213.28[0]<=>84.222.18.181[0]
Mar 29 15:48:51 laptopemy racoon: WARNING: attribute has been modified.
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
Mar 29 15:50:28 laptopemy racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=5751c3384413cdd1:32fa62bc06fe123c.
Mar 29 15:50:29 laptopemy racoon: INFO: ISAKMP-SA deleted 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c

Any idea? I don't know how to continue.

Thanks for all.

Dott. Emilio Mastriani
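As an added example (not part of the original message), a small Python checker that pairs the racoon "IPsec-SA established" and "purged IPsec-SA" lines from the trace above by SPI and reports any SA torn down well before the 28800 sec lifetime configured in sainfo; the year is assumed from the Date: header, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Racoon syslog lines copied from the trace above (constructed sample input).
RACOON_LOG = """\
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
"""

# "lifetime time 28800 sec;" from the sainfo block in racoon.conf.
CONFIGURED_LIFETIME_SEC = 28800

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: INFO: "
EST_RE = re.compile(STAMP + r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")
PURGE_RE = re.compile(STAMP + r"purged IPsec-SA proto_id=(\w+) spi=(\d+)")


def _ts(stamp, year=2005):
    # Syslog lines have no year; 2005 is assumed from the mail header.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def sa_lifetimes(log_text, configured=CONFIGURED_LIFETIME_SEC):
    """Map decimal SPI -> record with endpoints, timestamps and a premature flag."""
    sas = {}
    for line in log_text.splitlines():
        m = EST_RE.match(line)
        if m:
            stamp, mode, src, dst, spi = m.groups()
            sas[int(spi)] = {"mode": mode, "src": src, "dst": dst,
                             "established": _ts(stamp), "purged": None,
                             "observed_sec": None, "premature": False}
            continue
        m = PURGE_RE.match(line)
        if m:
            stamp, _proto, spi = m.groups()
            sa = sas.get(int(spi))
            if sa is None:
                continue  # purge for an SA whose establishment we never saw
            sa["purged"] = _ts(stamp)
            sa["observed_sec"] = int((sa["purged"] - sa["established"]).total_seconds())
            # An SA deleted long before its negotiated lifetime points at a
            # dead-peer/NAT-T or policy problem rather than normal rekeying.
            sa["premature"] = sa["observed_sec"] < configured
    return sas


def premature_spis(log_text, configured=CONFIGURED_LIFETIME_SEC):
    """Sorted list of SPIs that were purged before their configured lifetime."""
    return sorted(spi for spi, sa in sa_lifetimes(log_text, configured).items()
                  if sa["premature"])
```

On the trace above the outbound SA (spi 3612357826) lives only 95 seconds, so it is flagged while the inbound SA, never purged in the log, is not.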