From owner-freebsd-questions Mon Aug 5 9:19:43 2002
Message-ID: <20020805161926.17009.qmail@web11607.mail.yahoo.com>
Date: Mon, 5 Aug 2002 09:19:26 -0700 (PDT)
From: Hector Villalvazo
Subject: racoon
To: questions@freebsd.org

Hi.

I have a big problem: my racoon configuration does not work. Can you help me?

Here are my racoon.conf, psk.txt, the debug of racoon and my setkey configuration:

Node A:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P in ipsec esp/transport//require;

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P out ipsec esp/transport//require;

racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
 isakmp 3ffe:8070:100d:2:203:47ff:fe68:2efe [7000];
 #isakmp 202.249.11.124 [500];
 #admin [7002];  # administrative's port by kmpstat.
 #strict_address;  # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 30 sec;
 phase2 15 sec;
}

remote anonymous
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier address;
 #my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

remote 3ffe:8070:100d:2:203:47ff:fea8:8dee [8000]
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

sainfo anonymous
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm des ;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fe68:2efe any address 3ffe:8070:100d:2:203:47ff:fea8:8dee
{
 pfs_group 1;
 lifetime time 60 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
}

psk.txt:

3ffe:8070:100d:2:203:47ff:fea8:8dee wolverine

 

Node B:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P in ipsec esp/transport//require;

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P out ipsec esp/transport//require;

racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
 isakmp 3ffe:8070:100d:2:203:47ff:fea8:8dee [7000];
 #isakmp 202.249.11.124 [500];
 #admin [7002];  # administrative's port by kmpstat.
 #strict_address;  # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 30 sec;
 phase2 15 sec;
}

remote anonymous
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier address;
 #my_identifier user_fqdn "sakane@kame.net";
# peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

remote 3ffe:8070:100d:2:203:47ff:fe68:2efe [8000]
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

# my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

sainfo anonymous
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm des ;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fea8:8dee any address 3ffe:8070:100d:2:203:47ff:fe68:2efe
{
 pfs_group 1;
 lifetime time 60 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
}

 

psk.txt:

3ffe:8070:100d:2:203:47ff:fe68:2efe wolverine

 

1) In Node A I write: /usr/local/sbin/racoon -Fd -f /usr/local/etc/racoon/racoon.conf

2) In Node B: /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

The next file is the output when I ping from B to A:

Foreground mode.
2002-08-05 05:14:39: INFO: main.c:163:main(): @(#)package version 20010831a
2002-08-05 05:14:39: INFO: main.c:165:main(): @(#)internal version 20001216 sakane@ydc.co.jp
2002-08-05 05:14:39: INFO: main.c:166:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for AH
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for ESP
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for IPCOMP
2002-08-05 05:14:39: DEBUG: algorithm.c:608:alg_oakley_dhdef(): hmac(modp1024)
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: INFO: isakmp.c:1387:isakmp_open(): 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] used as isakmp port (fd=6)
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: policy.c:213:cmpspidxstrict(): sub:0xbfbff980: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:39: DEBUG: policy.c:214:cmpspidxstrict(): db :0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:14:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbff96c: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:274:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:276:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:290:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: policy.c:292:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: pfkey.c:1539:pk_recvacquire(): suitable outbound SP found: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out.
2002-08-05 05:14:45: DEBUG: pfkey.c:1541:pk_recvacquire(): suitable inbound SP found: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in.
2002-08-05 05:14:45: DEBUG: pfkey.c:1573:pk_recvacquire(): new acquire 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:45: DEBUG: proposal.c:824:printsaproto():  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2002-08-05 05:14:45: DEBUG: proposal.c:858:printsatrns():   (trns_id=3DES encklen=0 authtype=2)
2002-08-05 05:14:45: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 3ffe:8070:100d:2:203:47ff:fea8:8dee.
2002-08-05 05:14:45: INFO: isakmp.c:1734:isakmp_post_acquire(): IPsec-SA request for 3ffe:8070:100d:2:203:47ff:fea8:8dee queued due to no phase1 found.
2002-08-05 05:14:45: DEBUG: isakmp.c:819:isakmp_ph1begin_i(): ===
2002-08-05 05:14:45: INFO: isakmp.c:824:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<=>3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:45: INFO: isakmp.c:829:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-08-05 05:14:45: DEBUG: isakmp.c:2046:isakmp_newcookie(): new cookie: 40646eeddb80df45
2002-08-05 05:14:45: DEBUG: isakmp.c:2163:set_isakmp_payload(): add payload of len 48, next type 0
2002-08-05 05:14:45: DEBUG: isakmp.c:2298:isakmp_printpacket(): begin.
14:45.999926 3ffe:8070:100d:2:203:47ff:fe68:2efe:7000 -> 3ffe:8070:100d:2:203:47ff:fea8:8dee:8000: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=003c)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
2002-08-05 05:14:46: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:14:46: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:14:46: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:14:46: DEBUG: plog.c:209:plogdump():
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: isakmp.c:1490:isakmp_ph1resend(): resend phase1 packet 40646eeddb80df45:0000000000000000
2002-08-05 05:15:06: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:15:06: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:15:06: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:15:06: DEBUG: plog.c:209:plogdump():
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:15:06: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-05 05:15:17: ERROR: isakmp.c:1826:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:8070:100d:2:203:47ff:fea8:8dee->3ffe:8070:100d:2:203:47ff:fe68:2efe
2002-08-05 05:15:17: INFO: isakmp.c:1831:isakmp_chkph1there(): delete phase 2 handler.
2002-08-05 05:15:18: INFO: session.c:276:check_sigreq(): caught signal 2
2002-08-05 05:15:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey FLUSH message
2002-08-05 05:15:19: DEBUG: pfkey.c:268:pfkey_dump_sadb(): call pfkey_send_dump
2002-08-05 05:15:19: INFO: session.c:180:close_session(): racoon shutdown

Thanks

H.V.
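The following is an added example, not part of the original post and not racoon's own code: a small Python consistency check over the two posted configurations and the posted debug log. It parses the `listen` and `remote` blocks and the `psk.txt` of each node and verifies that the ISAKMP port a node addresses its peer on is one the peer actually listens on, that each node holds a pre-shared key for the peer's address identity (no `my_identifier` is set, so racoon identifies peers by address), and that the two keys agree; it also summarises the log's phase 1 traffic. On the posted files it reports that each node sends to the peer's port 8000 while both peers listen only on 7000, which is consistent with the log: one initial send, one resend, no reply, then "time up waiting for phase1". The config excerpts, psk.txt contents and log lines below are constructed from the post's own values (both posted racoon.conf files are mirror images, so one template serves both); the function names, the "corrected" copies with the remote port set to 7000, and the use of 500 as racoon's default ISAKMP port when a `remote` block carries no port are the example's own.

```python
import re

# Addresses from the post: Node A listens on fe68:2efe, Node B on fea8:8dee.
A_ADDR = "3ffe:8070:100d:2:203:47ff:fe68:2efe"
B_ADDR = "3ffe:8070:100d:2:203:47ff:fea8:8dee"

# Constructed excerpt of the posted racoon.conf files (listen/remote blocks only).
# Both posted files are mirror images, so one template serves both nodes.
CONF_TEMPLATE = """
listen
{
 isakmp %(me)s [7000];
 #isakmp 202.249.11.124 [500];
}
remote anonymous
{
 exchange_mode aggressive,main;
}
remote %(peer)s [8000]
{
 exchange_mode aggressive,main;
}
"""
NODE_A_CONF = CONF_TEMPLATE % {"me": A_ADDR, "peer": B_ADDR}
NODE_B_CONF = CONF_TEMPLATE % {"me": B_ADDR, "peer": A_ADDR}
# Hypothetical corrected copies: the remote port equals the peer's listen port.
FIXED_A_CONF = CONF_TEMPLATE.replace("[8000]", "[7000]") % {"me": A_ADDR, "peer": B_ADDR}
FIXED_B_CONF = CONF_TEMPLATE.replace("[8000]", "[7000]") % {"me": B_ADDR, "peer": A_ADDR}
# psk.txt as posted: "<peer identity> <key>".
NODE_A_PSK = B_ADDR + " wolverine\n"
NODE_B_PSK = A_ADDR + " wolverine\n"

# Constructed excerpt of the posted "racoon -Fd" output (Node A side).
LOG = """\
2002-08-05 05:14:45: INFO: isakmp.c:824:isakmp_ph1begin_i(): initiate new phase 1 negotiation: %s[7000]<=>%s[8000]
2002-08-05 05:14:46: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:15:06: DEBUG: isakmp.c:1490:isakmp_ph1resend(): resend phase1 packet 40646eeddb80df45:0000000000000000
2002-08-05 05:15:06: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:15:17: ERROR: isakmp.c:1826:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP %s->%s
""" % (A_ADDR, B_ADDR, B_ADDR, A_ADDR)

LISTEN_RE = re.compile(r"^\s*isakmp\s+([^\s\[]+)\s*\[(\d+)\]\s*;", re.M)
REMOTE_RE = re.compile(r"^\s*remote\s+([^\s\[]+)(?:\s*\[(\d+)\])?", re.M)
INITIATE_RE = re.compile(r"initiate new phase 1 negotiation: \S+<=>([^\s\[]+)\[(\d+)\]")


def parse_listen(conf):
    """Active 'isakmp <addr> [port];' entries as a set of (addr, port); '#' lines do not match."""
    return {(addr, int(port)) for addr, port in LISTEN_RE.findall(conf)}


def parse_remotes(conf):
    """{peer_addr: port} for each 'remote <addr> [port]' block. 'remote anonymous' is
    skipped; a missing port means racoon's default ISAKMP port, 500."""
    remotes = {}
    for addr, port in REMOTE_RE.findall(conf):
        if addr != "anonymous":
            remotes[addr] = int(port) if port else 500
    return remotes


def parse_psk(text):
    """{identity: key} from psk.txt, one 'identity<whitespace>key' per line."""
    keys = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            keys[parts[0]] = parts[1].strip()
    return keys


def audit(name_a, conf_a, psk_a, name_b, conf_b, psk_b):
    """Findings that stop phase 1 between two racoon nodes: a remote port the peer does
    not listen on, a missing key for the peer's address identity, or keys that differ."""
    findings = []
    sides = ((name_a, conf_a, psk_a, name_b, conf_b), (name_b, conf_b, psk_b, name_a, conf_a))
    for me, conf, psk, peer, peer_conf in sides:
        peer_listen = parse_listen(peer_conf)
        for addr, port in parse_remotes(conf).items():
            if (addr, port) not in peer_listen:
                open_ports = sorted(p for a, p in peer_listen if a == addr) or "nothing"
                findings.append("%s sends IKE to %s [%d] but %s listens on %s there; "
                                "phase 1 packets are never answered" % (me, addr, port, peer, open_ports))
        for addr, _ in peer_listen:
            if addr not in parse_psk(psk):
                findings.append("%s: psk.txt has no key for peer identity %s" % (me, addr))
    keys_a, keys_b = parse_psk(psk_a), parse_psk(psk_b)
    for addr_a, _ in parse_listen(conf_a):
        for addr_b, _ in parse_listen(conf_b):
            if addr_b in keys_a and addr_a in keys_b and keys_a[addr_b] != keys_b[addr_a]:
                findings.append("pre-shared keys for %s<->%s differ" % (addr_a, addr_b))
    return findings


def phase1_symptom(log):
    """Summarise phase 1 traffic in a racoon debug log: the peer/port addressed, how many
    sends and resends went out, and whether phase 2 gave up waiting for phase 1."""
    m = INITIATE_RE.search(log)
    return {
        "peer": m.group(1) if m else None,
        "peer_port": int(m.group(2)) if m else None,
        "sends": len(re.findall(r"isakmp_send\(\): \d+ times of \d+ bytes", log)),
        "resends": len(re.findall(r"isakmp_ph1resend\(\)", log)),
        "timed_out": "time up waiting for phase1" in log,
    }


if __name__ == "__main__":
    for f in audit("Node A", NODE_A_CONF, NODE_A_PSK, "Node B", NODE_B_CONF, NODE_B_PSK):
        print("FINDING:", f)
    print("log:", phase1_symptom(LOG))
    print("corrected copies:",
          audit("Node A", FIXED_A_CONF, NODE_A_PSK, "Node B", FIXED_B_CONF, NODE_B_PSK) or "no findings")
```

Run as a script it prints two findings (one per direction), the log summary showing the initiator addressed port 8000 with two transmissions and no answer before the phase 2 timeout, and no findings for the corrected copies. The same two parsers can be pointed at real files with `open(...).read()`; the check deliberately stops at phase 1 reachability and key consistency, since the posted log never gets far enough for proposal or SPD mismatches to matter.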


