From owner-freebsd-security Sat Jul 6 7:51:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BE9E37B401 for ; Sat, 6 Jul 2002 07:51:40 -0700 (PDT)
Received: from fep3.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 761A543E09 for ; Sat, 6 Jul 2002 07:51:39 -0700 (PDT) (envelope-from dlavigne6@cogeco.ca)
Received: from d226-33-213.home.cgocable.net (d226-33-213.home.cgocable.net [24.226.33.213]) by fep3.cogeco.net (Postfix) with ESMTP id C33C87546 for ; Sat, 6 Jul 2002 10:51:35 -0400 (EDT)
Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
From: Dru
X-X-Sender: dlavigne6@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca
To: security@freebsd.org
Subject: no phase2 handle found
Message-ID: <20020706103414.X253-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Didn't get any response from questions, so I'll try here.

Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using the latest racoon. Phase 1 is successful and an ethereal analysis shows that both are negotiating the same policy parameters. However, Phase 2 repeats endlessly with this message in /var/log/racoon.conf:

    ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
The Phase 2 parameters on the PIX:

    crypto ipsec transform-set vpn esp-des esp-md5-hmac
    crypto dynamic-map bsd 100 set transform-set vpn
    crypto dynamic-map bsd 100 set pfs group2
    crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000

and in racoon:

    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;

I can only guess that negotiations are failing because of the compression algorithm; from what I can gather PIX only supports lzs, but I'm unsure if compression is enabled or disabled by default. There are no (documented) knobs in the PIX IOS to enable/disable compression in the transform set.

I haven't had any luck getting setkey to use lzs, and a google search shows one mailing list query which never received an answer. If I try:

    add bsd_ip pix_ip 666 -C lzs;

I get a syntax error. I've been able to set the SPD to accept this as part of the policy:

    ipcomp/tunnel/pix_ip-bsd_ip/require;

but that still doesn't tell it to use lzs. racoon.conf accepts the lzs keyword, but that didn't help either.

Any suggestions on where to go from here?

Also, the manpage for tcpdump has a -E option that works if tcpdump was compiled with cryptography enabled. How do I do this?

TIA,

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
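Added example, not part of Dru's message or of any reply on the list: a racoon sainfo block and the matching setkey SPD entries that mirror the PIX transform-set quoted above (ESP with DES and HMAC-MD5, PFS group 2, 3600-second lifetime) with IPComp left out entirely, so Phase 2 can be tested without the compression question in the way. Dropping compression_algorithm is an assumption made to isolate the problem, not a confirmed cause of the "no phase2 handle found" error; the addresses (203.0.113.1 for the PIX outside interface, 192.0.2.10 for the FreeBSD host, 198.51.100.0/24 for the network behind the PIX) are placeholders.

```conf
# /usr/local/etc/racoon/racoon.conf, Phase 2 section (added example, placeholder addresses)
# Proposal matches "transform-set vpn esp-des esp-md5-hmac" + "set pfs group2"
# + "lifetime seconds 3600" on the PIX. No compression_algorithm line: the
# assumption here is that an ESP-only proposal should be negotiated first and
# IPComp added back only once Phase 2 completes.
sainfo anonymous
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
}

# /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" (added example)
# ESP tunnel only, both directions; the ipcomp/tunnel/... policy from the
# message is deliberately absent so the kernel does not require an IPComp SA.
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec
        esp/tunnel/192.0.2.10-203.0.113.1/require;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec
        esp/tunnel/203.0.113.1-192.0.2.10/require;
```

To check what the kernel actually holds after loading, `setkey -DP` dumps the SPD and `setkey -D` dumps the SAD; if the SAD stays empty while racoon logs the Phase 2 error, the proposals still do not match. Running racoon in the foreground with `racoon -F -d` shows the exact proposal it sends and the notify payload it cannot match to a Phase 2 handle, which is more useful than the single summary line in the log.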