Date:      Tue, 29 Mar 2005 16:08:28 +0200
From:      "emilio mastriani" <emilio.mastriani@comunicando.biz>
To:        <freebsd-net@freebsd.org>
Subject:   Racoon(8) Deleting SPD Entries
Message-ID:  <000001c53468$c90a3660$0900a8c0@ctdevd01>

Hi,
I have a similar problem.
I'm using the native kernel 2.6.9-1.667 in Fedora Core 3 and ipsec-tools-0.3.3-5.6.
My peer (84.222.18.181) is a ZyXEL series 600 and I'm NATted behind the same kind of router.
The network is:

Ipsec-server (fc3)      zyxel/NAT                       internet      zyxel ipsec                        ipsec client
192.168.0.71 ---------- 192.168.0.1/80.19.213.28 -------------------- 84.222.18.181/192.168.254.254 --- 192.168.254.123

The dialogue starts, the connection is established, but I can't ping, and after 360 sec it goes down.

The ipsec.conf:
#!/usr/bin/setkey -f

# configuration for 192.168.0.71

# flush the SAD and SPD
flush;
spdflush;

# security policy
spdadd 192.168.0.71 192.168.254.123 any -P out ipsec esp/tunnel/80.19.213.28-84.222.18.181/require;
spdadd 192.168.254.123 192.168.0.71 any -P in ipsec esp/tunnel/84.222.18.181-80.19.213.28/require;

The racoon.conf:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug3;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        #isakmp ::1 [7000];
        isakmp 192.168.0.71     [500];
        isakmp_natt 192.168.0.71        [4500];
        #admin  [7002]; #administrative's port by kmpstat
        strict_address; #required all addresses must be found
}

#specification of default various timer
timer
{
        #these values can be changed per remote node
        counter 5;      #maximum trying count to send
        interval        20      sec;    #maximum interval to resend
        persend 1;      #the number of packets per a send

        #timer for a waiting to complete each phase
        phase1  180     sec;
        phase2  360     sec;
}

remote anonymous
{
        exchange_mode   main;
        lifetime        time    28800   sec;    #sec,min,hour
        nat_traversal on;
        proposal        {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                dh_group        1;
        }
}

sainfo anonymous
{
                lifetime time   28800 sec;
                encryption_algorithm    3des;
                authentication_algorithm   hmac_md5;
                compression_algorithm   deflate;
}


psk.txt is set correctly ;-)


The racoon_start.sh
#!/bin/sh
/sbin/setkey -FP
sleep 1
/sbin/setkey -F
sleep 1
/sbin/setkey -f /etc/ipsec.conf
sleep 1
/sbin/setkey -DP
sleep 1
killall racoon
sleep 1
/usr/sbin/racoon -d -f /etc/racoon/racoon.conf

The short trace:
Mar 29 15:36:12 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:14 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:14 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:36:47 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:52 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:52 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:37:58 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:38:08 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:38:08 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Mar 29 15:48:08 laptopemy racoon: WARNING: /etc/racoon/racoon.conf:9: "debug3" it is osboleted.  use "debug2"
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used as isakmp port (fd=8)
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used for NAT-T
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[500] used as isakmp port (fd=9)
Mar 29 15:48:24 laptopemy racoon: INFO: IPsec-SA request for 84.222.18.181 queued due to no phase1 found.
Mar 29 15:48:24 laptopemy racoon: INFO: initiate new phase 1 negotiation: 80.19.213.28[500]<=>84.222.18.181[500]
Mar 29 15:48:24 laptopemy racoon: INFO: begin Identity Protection mode.
Mar 29 15:48:48 laptopemy racoon: INFO: ISAKMP-SA established 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
Mar 29 15:48:48 laptopemy racoon: INFO: initiate new phase 2 negotiation: 80.19.213.28[0]<=>84.222.18.181[0]
Mar 29 15:48:51 laptopemy racoon: WARNING: attribute has been modified.
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
Mar 29 15:50:28 laptopemy racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=5751c3384413cdd1:32fa62bc06fe123c.
Mar 29 15:50:29 laptopemy racoon: INFO: ISAKMP-SA deleted 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c

Any idea?
I don't know how to continue.

Thanks for all.

Dott. Emilio Mastriani
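As an added example (not part of the original post), a small Python script that parses racoon's syslog output, pairs each "IPsec-SA established" entry with its "purged IPsec-SA" entry by SPI, and flags SAs torn down well before their configured lifetime, which is what the trace above shows: the outbound ESP SA comes up at 15:48:52 and is purged at 15:50:27, against a 28800-second lifetime. The sample log lines are copied from the post with the mail client's line wrapping undone; the year 2005 is assumed from the Date header, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: racoon syslog lines copied from the post above, with the
# mail client's line wrapping undone so each entry is one line again.
SAMPLE_LOG = """\
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
"""

TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
ESTABLISHED = re.compile(TS + r".*IPsec-SA established: (?P<proto>\w+)/(?P<mode>\w+) "
                         r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)")
PURGED = re.compile(TS + r".*purged IPsec-SA proto_id=\w+ spi=(?P<spi>\d+)")

def parse_ts(ts, year):
    # syslog timestamps have no year; the caller supplies it (2005 here, assumed
    # from the mail's Date header). Year rollover is deliberately not handled.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def sa_lifetimes(log, year=2005):
    """Map each ESP SPI to (src, dst, seconds alive); seconds is None if never purged."""
    sas = {}
    for line in log.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            sas[m["spi"]] = [m["src"], m["dst"], parse_ts(m["ts"], year), None]
            continue
        m = PURGED.match(line)
        if m and m["spi"] in sas:
            src, dst, up, _ = sas[m["spi"]]
            sas[m["spi"]] = [src, dst, up, (parse_ts(m["ts"], year) - up).total_seconds()]
    return {spi: (src, dst, alive) for spi, (src, dst, _, alive) in sas.items()}

def early_purges(log, configured_lifetime, fraction=0.5, year=2005):
    """SPIs purged after less than `fraction` of the configured lifetime: the
    timer did not expire, so something else (the peer, a DPD/delete, a
    policy flush) removed the SA and the cause should be looked for there."""
    return sorted(spi for spi, (_, _, alive) in sa_lifetimes(log, year).items()
                  if alive is not None and alive < fraction * configured_lifetime)

if __name__ == "__main__":
    for spi, (src, dst, alive) in sa_lifetimes(SAMPLE_LOG).items():
        print(f"spi={spi} {src}->{dst} alive={alive}s")
    print("early purges:", early_purges(SAMPLE_LOG, 28800))
```

Run against the post's trace it reports the outbound SA (spi 3612357826) alive for 95 s and flags it, while the inbound SA (spi 113195563) has no matching purge line at all.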