From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 12:37:24 2004
Date: Thu, 8 Jan 2004 15:37:28 -0500
From: haesu@towardex.com
To: freebsd-security@freebsd.org
Message-ID: <20040108203728.GA84999@scylla.towardex.com>
User-Agent: Mutt/1.4.1i
Subject: Windows 2000 <-> FreeBSD IPsec problem
List-Id: Security issues [members-only posting]

Hi,

I am trying to set up an IPsec transport between a Windows 2000 box and a FreeBSD server for a customer... Both systems are on live public IPs and packets are not filtered by any intermediate systems or firewalls/routers in between.

I have the following setup:

Windows 2000 box: 1.1.1.2
FreeBSD Server:   2.2.2.3

(The actual IPs have been changed to the above to protect the innocent..)

I have racoon set up on the FreeBSD server with the following configuration [1], and I have Windows configured correctly (verified many times after Googling and looking at various howto docs...) as well. I will provide more info about how it's set up on Windows if anyone wants specific detail.
But basically it's set up using the howto from http://asherah.dyndns.org/~josh/ipsec-howto.txt

But when I try to have the Windows box ping 2.2.2.3 (going over IPsec, that is), I get the following error on the FreeBSD server running racoon [2].

If anyone can assist with this, I would really appreciate it. I've been scratching my head for a day trying to figure out what's going on..

Thanks!
-J

!<-------- [1] Racoon Configuration below --------->
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
	isakmp 1.1.1.2 [500];
}

# Specification of default various timer.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 15 sec;
	phase2 30 sec;
}

remote anonymous {
	#exchange_mode aggressive,main;
	doi ipsec_doi;
	exchange_mode main,aggressive;
	nonce_size 32;
	situation identity_only;
	lifetime time 1 min;	# sec,min,hour (phase 1 ISAKMP SA lifetime)
	initial_contact on;
	support_mip6 on;	# obsolete keyword; racoon warns about it in [2] and asks for support_proxy
	passive on;
	proposal_check claim;	# obey, strict or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key ;
		dh_group 2 ;	# 1024-bit MODP
	}
}

sainfo anonymous {
	pfs_group 1;		# 768-bit MODP
	lifetime time 36000 sec;
	encryption_algorithm 3des,des,cast128,blowfish ;	# "des" is single DES (56-bit)
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}
!<--- End of [1]--->

!<-------- [2] Racoon Debug/Error msgs below --------->
# racoon -v -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2004-01-08 15:26:03: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
2004-01-08 15:26:03: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-01-08 15:26:03: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-08 15:26:03: WARNING: cftoken.l:514:yywarn(): racoon.conf:49: "support_mip6" it is obsoleted. use "support_proxy".
2004-01-08 15:26:03: INFO: isakmp.c:1358:isakmp_open(): 1.1.1.2[500] used as isakmp port (fd=5)
2004-01-08 15:26:17: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.1.1.2[500]<=>2.2.2.3[500]
2004-01-08 15:26:17: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-01-08 15:26:17: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
2004-01-08 15:26:17: ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
2004-01-08 15:26:18: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:20: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:24: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
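The racoon error quoted in [2] is about the structure of the peer's phase 1 SA payload, not about the key or the algorithms. The following added example (mine, not part of the original post and not racoon's or Windows' code) builds two constructed IKEv1 main-mode first messages with the RFC 2408/2409 layout and parses them back: one whose single proposal carries two transform payloads, which is how a peer that offers several "security methods" encodes them on the wire, and one carrying only the 3DES/MD5/PSK/group 2 transform that racoon.conf [1] proposes. The `racoon_2003_accepts` check models nothing more than the error text in [2] (one transform per phase 1 proposal); the Windows-style transform list, cookies and lifetimes are assumptions chosen for illustration.

```python
import struct

# ISAKMP / IKEv1 constants (RFC 2408, RFC 2409 appendix A)
ISAKMP_HDR_LEN = 28
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3
EXCH_IDENTITY_PROTECTION = 2      # "main mode"
PROTO_ISAKMP, KEY_IKE = 1, 1
IPSEC_DOI, SIT_IDENTITY_ONLY = 1, 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC_DES, ENC_3DES = 1, 5
HASH_MD5, HASH_SHA1 = 1, 2
AUTH_PSK, GROUP_MODP1024, LIFE_SECONDS = 1, 2, 1
ENC_NAMES = {ENC_DES: "des", ENC_3DES: "3des"}
HASH_NAMES = {HASH_MD5: "md5", HASH_SHA1: "sha1"}


def basic_attr(atype, value):
    """Type/Value attribute: high bit set means a 2-byte 'basic' value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def transform(num, attrs, last):
    """Transform payload: generic header, transform #, transform ID (KEY_IKE), reserved, attributes."""
    body = struct.pack("!BBH", num, KEY_IKE, 0) + b"".join(attrs)
    return struct.pack("!BBH", 0 if last else PAYLOAD_TRANSFORM, 0, 4 + len(body)) + body


def proposal(transforms):
    """Proposal payload for protocol ISAKMP with SPI size 0 and N transforms."""
    body = struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, len(transforms)) + b"".join(transforms)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def main_mode_msg1(transforms):
    """Constructed first main-mode message: header + SA payload (DOI, situation, one proposal)."""
    sa_body = struct.pack("!II", IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal(transforms)
    sa = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                      EXCH_IDENTITY_PROTECTION, 0, 0, ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


def phase1_transform(enc, hsh):
    # Assumed attribute set; lifetime 28800 s fits a basic (2-byte) attribute.
    return [basic_attr(ATTR_ENC, enc), basic_attr(ATTR_HASH, hsh), basic_attr(ATTR_AUTH, AUTH_PSK),
            basic_attr(ATTR_GROUP, GROUP_MODP1024), basic_attr(ATTR_LIFE_TYPE, LIFE_SECONDS),
            basic_attr(ATTR_LIFE_DUR, 28800)]


# Constructed samples: two security methods in one proposal vs. the single one from racoon.conf [1].
WIN_MSG = main_mode_msg1([transform(1, phase1_transform(ENC_3DES, HASH_SHA1), False),
                          transform(2, phase1_transform(ENC_3DES, HASH_MD5), True)])
BSD_MSG = main_mode_msg1([transform(1, phase1_transform(ENC_3DES, HASH_MD5), True)])


def parse_attrs(buf):
    attrs, off = {}, 0
    while off < len(buf):
        atype, = struct.unpack("!H", buf[off:off + 2])
        if atype & 0x8000:                              # basic: value in the next 2 bytes
            attrs[atype & 0x7FFF], = struct.unpack("!H", buf[off + 2:off + 4])
            off += 4
        else:                                           # variable length: 2-byte length, then value
            alen, = struct.unpack("!H", buf[off + 2:off + 4])
            attrs[atype] = buf[off + 4:off + 4 + alen]
            off += 4 + alen
    return attrs


def parse_phase1_proposals(msg):
    """Return [(proposal #, [attrs per transform, ...]), ...] from the first SA payload."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    nxt, _ver, _exch, _flags, _msgid, length = struct.unpack("!BBBBII", msg[16:28])
    if length != len(msg) or nxt != PAYLOAD_SA:
        raise ValueError("bad length or first payload is not SA")
    off = ISAKMP_HDR_LEN
    _sa_next, _, sa_len = struct.unpack("!BBH", msg[off:off + 4])
    sa_end = off + sa_len
    doi, _sit = struct.unpack("!II", msg[off + 4:off + 12])
    if doi != IPSEC_DOI:
        raise ValueError("unexpected DOI %d" % doi)
    off += 12
    proposals = []
    while off < sa_end:
        _p_next, _, p_len = struct.unpack("!BBH", msg[off:off + 4])
        p_num, _proto, spi_size, n_trans = struct.unpack("!BBBB", msg[off + 4:off + 8])
        t_off, p_end, transforms = off + 8 + spi_size, off + p_len, []
        while t_off < p_end:
            _t_next, _, t_len = struct.unpack("!BBH", msg[t_off:t_off + 4])
            transforms.append(parse_attrs(msg[t_off + 8:t_off + t_len]))
            t_off += t_len
        if len(transforms) != n_trans:
            raise ValueError("transform count %d != advertised %d" % (len(transforms), n_trans))
        proposals.append((p_num, transforms))
        off = p_end
    return proposals


def transform_count(msg):
    return max(len(t) for _, t in parse_phase1_proposals(msg))


def racoon_2003_accepts(msg):
    """Models only the error text in [2]: one transform per phase 1 proposal, or the SA is rejected."""
    return all(len(t) == 1 for _, t in parse_phase1_proposals(msg))


def summarize(attrs):
    return "enc=%s hash=%s auth=%s dh=%s life=%ss" % (
        ENC_NAMES.get(attrs.get(ATTR_ENC), attrs.get(ATTR_ENC)),
        HASH_NAMES.get(attrs.get(ATTR_HASH), attrs.get(ATTR_HASH)),
        "psk" if attrs.get(ATTR_AUTH) == AUTH_PSK else attrs.get(ATTR_AUTH),
        attrs.get(ATTR_GROUP), attrs.get(ATTR_LIFE_DUR))


if __name__ == "__main__":
    for name, msg in (("two-method peer", WIN_MSG), ("racoon.conf [1]", BSD_MSG)):
        for p_num, transforms in parse_phase1_proposals(msg):
            print("%s: proposal %d, %d transform(s), accepted=%s" % (
                name, p_num, len(transforms), racoon_2003_accepts(msg)))
            for t in transforms:
                print("  " + summarize(t))
```

The practical check is the same on a live capture: `tcpdump -n -vv -s 0 udp port 500` on the FreeBSD side decodes the ISAKMP SA payload and shows how many transforms the peer packs into its phase 1 proposal, which is what the `get_transform()` error is complaining about.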