FreeBSD Mail Archives

Date:      Mon, 5 Aug 2002 09:19:26 -0700 (PDT)
From:      Hector Villalvazo <hvillalvazo@yahoo.com>
To:        questions@freebsd.org
Subject:   racoon
Message-ID:  <20020805161926.17009.qmail@web11607.mail.yahoo.com>

next in thread | raw e-mail | index | archive | help

--0-1133668583-1028564366=:16943
Content-Type: text/plain; charset=us-ascii


hi.

i have a big problem:

my racoon configuration does not work.

can you help me?

Here are my racoon.conf, psk.txt, the debug of racoon and my setkey configuration:

Node A:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P in ipsec esp/transport//require; 

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P out ipsec esp/transport//require;


racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
 isakmp 3ffe:8070:100d:2:203:47ff:fe68:2efe [7000];
 #isakmp 202.249.11.124 [500];
 #admin [7002];  # administrative's port by kmpstat.
 #strict_address;  # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 30 sec;
 phase2 15 sec;
}

remote anonymous
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier address;
 #my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

remote 3ffe:8070:100d:2:203:47ff:fea8:8dee [8000]
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

sainfo anonymous
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm des ;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fe68:2efe any address 3ffe:8070:100d:2:203:47ff:fea8:8dee
{
 pfs_group 1;
 lifetime time 60 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
}

psk.txt

3ffe:8070:100d:2:203:47ff:fea8:8dee wolverine

 

Node B:

setkey:

spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]
3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any
-P in ipsec esp/transport//require;

spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]
3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any
-P out ipsec esp/transport//require;


racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
 isakmp 3ffe:8070:100d:2:203:47ff:fea8:8dee [7000];
 #isakmp 202.249.11.124 [500];
 #admin [7002];  # administrative's port by kmpstat.
 #strict_address;  # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 30 sec;
 phase2 15 sec;
}

remote anonymous
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

 #my_identifier address;
 #my_identifier user_fqdn "sakane@kame.net";
# peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

remote 3ffe:8070:100d:2:203:47ff:fe68:2efe [8000]
{
 #exchange_mode main,aggressive;
 exchange_mode aggressive,main;
 doi ipsec_doi;
 situation identity_only;

# my_identifier user_fqdn "sakane@kame.net";
 #peers_identifier user_fqdn "sakane@kame.net";
 #certificate_type x509 "mycert" "mypriv";

 nonce_size 16;
 lifetime time 1 min; # sec,min,hour

 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key ;
  dh_group 2 ;
 }
}

sainfo anonymous
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
 pfs_group 1;
 lifetime time 30 sec;
 encryption_algorithm des ;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate ;
}

sainfo address 3ffe:8070:100d:2:203:47ff:fea8:8dee any address 3ffe:8070:100d:2:203:47ff:fe68:2efe
{
 pfs_group 1;
 lifetime time 60 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
}

 

psk.txt:

3ffe:8070:100d:2:203:47ff:fe68:2efe wolverine

 

1) in Node A i write: /usr/local/sbin/racoon -Fd -f /usr/local/etc/racoon/racoon.conf

2) in Node B: /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

the next file is the output when i make ping from B to A:

Foreground mode.
2002-08-05 05:14:39: INFO: main.c:163:main(): @(#)package version 20010831a
2002-08-05 05:14:39: INFO: main.c:165:main(): @(#)internal version 20001216 sakane@ydc.co.jp
2002-08-05 05:14:39: INFO: main.c:166:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for AH
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for ESP
2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for IPCOMP
2002-08-05 05:14:39: DEBUG: algorithm.c:608:alg_oakley_dhdef(): hmac(modp1024)
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2002-08-05 05:14:39: INFO: isakmp.c:1387:isakmp_open(): 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] used as isakmp port (fd=6)
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-08-05 05:14:39: DEBUG: policy.c:213:cmpspidxstrict(): sub:0xbfbff980: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:39: DEBUG: policy.c:214:cmpspidxstrict(): db :0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:14:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbff96c: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in
2002-08-05 05:14:45: DEBUG: policy.c:274:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:276:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]
2002-08-05 05:14:45: DEBUG: policy.c:290:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: policy.c:292:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]
2002-08-05 05:14:45: DEBUG: pfkey.c:1539:pk_recvacquire(): suitable outbound SP found: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out.
2002-08-05 05:14:45: DEBUG: pfkey.c:1541:pk_recvacquire(): suitable inbound SP found: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in.
2002-08-05 05:14:45: DEBUG: pfkey.c:1573:pk_recvacquire(): new acquire 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out
2002-08-05 05:14:45: DEBUG: proposal.c:824:printsaproto():  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2002-08-05 05:14:45: DEBUG: proposal.c:858:printsatrns():   (trns_id=3DES encklen=0 authtype=2)
2002-08-05 05:14:45: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 3ffe:8070:100d:2:203:47ff:fea8:8dee.
2002-08-05 05:14:45: INFO: isakmp.c:1734:isakmp_post_acquire(): IPsec-SA request for 3ffe:8070:100d:2:203:47ff:fea8:8dee queued due to no phase1 found.
2002-08-05 05:14:45: DEBUG: isakmp.c:819:isakmp_ph1begin_i(): ===
2002-08-05 05:14:45: INFO: isakmp.c:824:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<=>3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:45: INFO: isakmp.c:829:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-08-05 05:14:45: DEBUG: isakmp.c:2046:isakmp_newcookie(): new cookie:
40646eeddb80df45 
2002-08-05 05:14:45: DEBUG: isakmp.c:2163:set_isakmp_payload(): add payload of len 48, next type 0
2002-08-05 05:14:45: DEBUG: isakmp.c:2298:isakmp_printpacket(): begin.
14:45.999926 3ffe:8070:100d:2:203:47ff:fe68:2efe:7000 -> 3ffe:8070:100d:2:203:47ff:fea8:8dee:8000: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=003c)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
2002-08-05 05:14:46: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:14:46: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:14:46: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:14:46: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:14:46: DEBUG: plog.c:209:plogdump(): 
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: isakmp.c:1490:isakmp_ph1resend(): resend phase1 packet 40646eeddb80df45:0000000000000000
2002-08-05 05:15:06: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]
2002-08-05 05:15:06: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0
2002-08-05 05:15:06: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0
2002-08-05 05:15:06: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.
2002-08-05 05:15:06: DEBUG: plog.c:209:plogdump(): 
40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c
80010005 80030001 80020002 80040002
2002-08-05 05:15:06: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-05 05:15:06: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-05 05:15:17: ERROR: isakmp.c:1826:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:8070:100d:2:203:47ff:fea8:8dee->3ffe:8070:100d:2:203:47ff:fe68:2efe 
2002-08-05 05:15:17: INFO: isakmp.c:1831:isakmp_chkph1there(): delete phase 2 handler.
2002-08-05 05:15:18: INFO: session.c:276:check_sigreq(): caught signal 2
2002-08-05 05:15:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey FLUSH message
2002-08-05 05:15:19: DEBUG: pfkey.c:268:pfkey_dump_sadb(): call pfkey_send_dump
2002-08-05 05:15:19: INFO: session.c:180:close_session(): racoon shutdown


Thanks

H.V.



---------------------------------
Do You Yahoo!?
Yahoo! Health - Feel better, live better
--0-1133668583-1028564366=:16943
Content-Type: text/html; charset=us-ascii

<P>hi.</P>
<P>i have a big problem:</P>
<P>my racoon configuration does not work.</P>
<P>can you help me?</P>
<P>Here are my racoon.conf, psk.txt, the debug of racoon and my setkey configuration:</P>
<P>Node A:</P>
<P>setkey:</P>
<P>spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]<BR>3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any<BR>-P in ipsec&nbsp;esp/transport//require; </P>
<P>spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]<BR>3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any<BR>-P out ipsec esp/transport//require;<BR></P>
<P>racoon.conf</P>
<P># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $</P>
<P># "path" must be placed before it should be used.<BR># You can overwrite which you defined, but it should not use due to confusing.<BR>path include "/usr/local/etc/racoon" ;<BR>#include "remote.conf" ;</P>
<P># search this file for pre_shared_key with various ID key.<BR>path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;</P>
<P># racoon will look for certificate file in the directory,<BR># if the certificate/certificate request payload is received.<BR>#path certificate "/usr/local/etc/cert" ;</P>
<P># "log" specifies logging level.&nbsp; It is followed by either "notify", "debug"<BR># or "debug2".<BR>log notify;</P>
<P># "padding" defines some parameter of padding.&nbsp; You should not touch these.<BR>padding<BR>{<BR>&nbsp;maximum_length 20;&nbsp;# maximum padding length.<BR>&nbsp;randomize off;&nbsp;&nbsp;# enable randomize length.<BR>&nbsp;strict_check off;&nbsp;# enable strict check.<BR>&nbsp;exclusive_tail off;&nbsp;# extract last one octet.<BR>}</P>
<P># if no listen directive is specified, racoon will listen to all<BR># available interface addresses.<BR>listen<BR>{<BR>&nbsp;isakmp 3ffe:8070:100d:2:203:47ff:fe68:2efe [7000];<BR>&nbsp;#isakmp 202.249.11.124 [500];<BR>&nbsp;#admin [7002];&nbsp;&nbsp;# administrative's port by kmpstat.<BR>&nbsp;#strict_address; &nbsp;# required all addresses must be bound.<BR>}</P>
<P># Specification of default various timer.<BR>timer<BR>{<BR>&nbsp;# These value can be changed per remote node.<BR>&nbsp;counter 5;&nbsp;&nbsp;# maximum trying count to send.<BR>&nbsp;interval 20 sec;&nbsp;# maximum interval to resend.<BR>&nbsp;persend 1;&nbsp;&nbsp;# the number of packets per a send.</P>
<P>&nbsp;# timer for waiting to complete each phase.<BR>&nbsp;phase1 30 sec;<BR>&nbsp;phase2 15 sec;<BR>}</P>
<P>remote anonymous<BR>{<BR>&nbsp;#exchange_mode main,aggressive;<BR>&nbsp;exchange_mode aggressive,main;<BR>&nbsp;doi ipsec_doi;<BR>&nbsp;situation identity_only;</P>
<P>&nbsp;#my_identifier address;<BR>&nbsp;#my_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#peers_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#certificate_type x509 "mycert" "mypriv";</P>
<P>&nbsp;nonce_size 16;<BR>&nbsp;lifetime time 1 min;&nbsp;# sec,min,hour<BR>&nbsp;initial_contact on;<BR>&nbsp;support_mip6 on;<BR>&nbsp;proposal_check obey;&nbsp;# obey, strict or claim</P>
<P>&nbsp;proposal {<BR>&nbsp;&nbsp;encryption_algorithm 3des;<BR>&nbsp;&nbsp;hash_algorithm sha1;<BR>&nbsp;&nbsp;authentication_method pre_shared_key ;<BR>&nbsp;&nbsp;dh_group 2 ;<BR>&nbsp;}<BR>}</P>
<P>remote 3ffe:8070:100d:2:203:47ff:fea8:8dee [8000]<BR>{<BR>&nbsp;#exchange_mode main,aggressive;<BR>&nbsp;exchange_mode aggressive,main;<BR>&nbsp;doi ipsec_doi;<BR>&nbsp;situation identity_only;</P>
<P>&nbsp;#my_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#peers_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#certificate_type x509 "mycert" "mypriv";</P>
<P>&nbsp;nonce_size 16;<BR>&nbsp;lifetime time 1 min;&nbsp;# sec,min,hour</P>
<P>&nbsp;proposal {<BR>&nbsp;&nbsp;encryption_algorithm 3des;<BR>&nbsp;&nbsp;hash_algorithm sha1;<BR>&nbsp;&nbsp;authentication_method pre_shared_key ;<BR>&nbsp;&nbsp;dh_group 2 ;<BR>&nbsp;}<BR>}</P>
<P>sainfo anonymous<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 30 sec;<BR>&nbsp;encryption_algorithm 3des ;<BR>&nbsp;authentication_algorithm hmac_sha1;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>sainfo address 203.178.141.209 any address 203.178.141.218 any<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 30 sec;<BR>&nbsp;encryption_algorithm des ;<BR>&nbsp;authentication_algorithm hmac_md5;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>sainfo address 3ffe:8070:100d:2:203:47ff:fe68:2efe any address 3ffe:8070:100d:2:203:47ff:fea8:8dee<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 60 sec;<BR>&nbsp;encryption_algorithm 3des ;<BR>&nbsp;authentication_algorithm hmac_sha1 ;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>psk.txt</P>
<P>3ffe:8070:100d:2:203:47ff:fea8:8dee wolverine</P>
<P>&nbsp;</P>
<P>Node B:</P>
<P>setkey:</P>
<P>spdadd 3ffe:8070:100d:2:203:47ff:fe68:2efe[any]<BR>3ffe:8070:100d:2:203:47ff:fea8:8dee[any] any<BR>-P in ipsec esp/transport//require;</P>
<P>spdadd 3ffe:8070:100d:2:203:47ff:fea8:8dee[any]<BR>3ffe:8070:100d:2:203:47ff:fe68:2efe[any] any<BR>-P out ipsec esp/transport//require;<BR></P>
<P>racoon.conf:</P>
<P># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $</P>
<P># "path" must be placed before it should be used.<BR># You can overwrite which you defined, but it should not use due to confusing.<BR>path include "/usr/local/etc/racoon" ;<BR>#include "remote.conf" ;</P>
<P># search this file for pre_shared_key with various ID key.<BR>path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;</P>
<P># racoon will look for certificate file in the directory,<BR># if the certificate/certificate request payload is received.<BR>#path certificate "/usr/local/etc/cert" ;</P>
<P># "log" specifies logging level.&nbsp; It is followed by either "notify", "debug"<BR># or "debug2".<BR>log notify;</P>
<P># "padding" defines some parameter of padding.&nbsp; You should not touch these.<BR>padding<BR>{<BR>&nbsp;maximum_length 20;&nbsp;# maximum padding length.<BR>&nbsp;randomize off;&nbsp;&nbsp;# enable randomize length.<BR>&nbsp;strict_check off;&nbsp;# enable strict check.<BR>&nbsp;exclusive_tail off;&nbsp;# extract last one octet.<BR>}</P>
<P># if no listen directive is specified, racoon will listen to all<BR># available interface addresses.<BR>listen<BR>{<BR>&nbsp;isakmp 3ffe:8070:100d:2:203:47ff:fea8:8dee [7000];<BR>&nbsp;#isakmp 202.249.11.124 [500];<BR>&nbsp;#admin [7002];&nbsp;&nbsp;# administrative's port by kmpstat.<BR>&nbsp;#strict_address; &nbsp;# required all addresses must be bound.<BR>}</P>
<P># Specification of default various timer.<BR>timer<BR>{<BR>&nbsp;# These value can be changed per remote node.<BR>&nbsp;counter 5;&nbsp;&nbsp;# maximum trying count to send.<BR>&nbsp;interval 20 sec;&nbsp;# maximum interval to resend.<BR>&nbsp;persend 1;&nbsp;&nbsp;# the number of packets per a send.</P>
<P>&nbsp;# timer for waiting to complete each phase.<BR>&nbsp;phase1 30 sec;<BR>&nbsp;phase2 15 sec;<BR>}</P>
<P>remote anonymous<BR>{<BR>&nbsp;#exchange_mode main,aggressive;<BR>&nbsp;exchange_mode aggressive,main;<BR>&nbsp;doi ipsec_doi;<BR>&nbsp;situation identity_only;</P>
<P>&nbsp;#my_identifier address;<BR>&nbsp;#my_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>#&nbsp;peers_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#certificate_type x509 "mycert" "mypriv";</P>
<P>&nbsp;nonce_size 16;<BR>&nbsp;lifetime time 1 min;&nbsp;# sec,min,hour<BR>&nbsp;initial_contact on;<BR>&nbsp;support_mip6 on;<BR>&nbsp;proposal_check obey;&nbsp;# obey, strict or claim</P>
<P>&nbsp;proposal {<BR>&nbsp;&nbsp;encryption_algorithm 3des;<BR>&nbsp;&nbsp;hash_algorithm sha1;<BR>&nbsp;&nbsp;authentication_method pre_shared_key ;<BR>&nbsp;&nbsp;dh_group 2 ;<BR>&nbsp;}<BR>}</P>
<P>remote 3ffe:8070:100d:2:203:47ff:fe68:2efe [8000]<BR>{<BR>&nbsp;#exchange_mode main,aggressive;<BR>&nbsp;exchange_mode aggressive,main;<BR>&nbsp;doi ipsec_doi;<BR>&nbsp;situation identity_only;</P>
<P>#&nbsp;my_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#peers_identifier user_fqdn "<A href="mailto:sakane@kame.net">sakane@kame.net</A>";<BR>&nbsp;#certificate_type x509 "mycert" "mypriv";</P>
<P>&nbsp;nonce_size 16;<BR>&nbsp;lifetime time 1 min;&nbsp;# sec,min,hour</P>
<P>&nbsp;proposal {<BR>&nbsp;&nbsp;encryption_algorithm 3des;<BR>&nbsp;&nbsp;hash_algorithm sha1;<BR>&nbsp;&nbsp;authentication_method pre_shared_key ;<BR>&nbsp;&nbsp;dh_group 2 ;<BR>&nbsp;}<BR>}</P>
<P>sainfo anonymous<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 30 sec;<BR>&nbsp;encryption_algorithm 3des ;<BR>&nbsp;authentication_algorithm hmac_sha1;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>sainfo address 203.178.141.209 any address 203.178.141.218 any<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 30 sec;<BR>&nbsp;encryption_algorithm des ;<BR>&nbsp;authentication_algorithm hmac_md5;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>sainfo address 3ffe:8070:100d:2:203:47ff:fea8:8dee any address 3ffe:8070:100d:2:203:47ff:fe68:2efe<BR>{<BR>&nbsp;pfs_group 1;<BR>&nbsp;lifetime time 60 sec;<BR>&nbsp;encryption_algorithm 3des ;<BR>&nbsp;authentication_algorithm hmac_sha1 ;<BR>&nbsp;compression_algorithm deflate ;<BR>}</P>
<P>&nbsp;</P>
<P>psk.txt:</P>
<P>3ffe:8070:100d:2:203:47ff:fe68:2efe wolverine</P>
<P>&nbsp;</P>
<P>1) in Node A i write:&nbsp;/usr/local/sbin/racoon -Fd -f /usr/local/etc/racoon/racoon.conf</P>
<P>2) in Node B: /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</P>
<P>the next file is the output when i make ping from B to A:</P>
<P>Foreground mode.<BR>2002-08-05 05:14:39: INFO: main.c:163:main(): @(#)package version 20010831a<BR>2002-08-05 05:14:39: INFO: main.c:165:main(): @(#)internal version 20001216 <A href="mailto:sakane@ydc.co.jp">sakane@ydc.co.jp</A><BR>2002-08-05 05:14:39: INFO: main.c:166:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (<A href="http://www.openssl.org/">http://www.openssl.org/</A>)<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for AH<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for ESP<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:368:pfkey_init(): call pfkey_send_register for IPCOMP<BR>2002-08-05 05:14:39: DEBUG: algorithm.c:608:alg_oakley_dhdef(): hmac(modp1024)<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked
  because sadb message doesn't support it.<BR>2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:2230:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.<BR>2002-08-05 05:14:39: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.<BR>2002-08-05 05:14:39: INFO: isakmp.c:1387:isakmp_open(): 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] used as isakmp port (fd=6)<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message<BR>2002-08-05 05:14:39: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message<BR>2002-08-05 05:14:39: DEBUG: policy.c:213:cmpspidxstrict(): sub:0xbfbff980: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out<BR>2002-08-05 05:14:39: DEBUG: policy.c:214:cmpspidxstrict(): db :0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2ef
 e/128[0] proto=any dir=in<BR>2002-08-05 05:14:45: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message<BR>2002-08-05 05:14:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbff96c: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in<BR>2002-08-05 05:14:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80a3a08: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in<BR>2002-08-05 05:14:45: DEBUG: policy.c:274:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]<BR>2002-08-05 05:14:45: DEBUG: policy.c:276:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fea8:8dee[0]<BR>2002-08-05 05:14:45: DEBUG: policy.c:290:cmpspidxwild(): 0xbfbff96c masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]<BR>2002-08-05 05:14:45: DEBUG: policy.c:292:cmpspidxwild(): 0x80a3a08 masked with /128: 3ffe:8070:100d:2:203:47ff:fe68:2efe[0]<BR>2002-08
 -05 05:14:45: DEBUG: pfkey.c:1539:pk_recvacquire(): suitable outbound SP found: 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out.<BR>2002-08-05 05:14:45: DEBUG: pfkey.c:1541:pk_recvacquire(): suitable inbound SP found: 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] proto=any dir=in.<BR>2002-08-05 05:14:45: DEBUG: pfkey.c:1573:pk_recvacquire(): new acquire 3ffe:8070:100d:2:203:47ff:fe68:2efe/128[0] 3ffe:8070:100d:2:203:47ff:fea8:8dee/128[0] proto=any dir=out<BR>2002-08-05 05:14:45: DEBUG: proposal.c:824:printsaproto():&nbsp; (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)<BR>2002-08-05 05:14:45: DEBUG: proposal.c:858:printsatrns():&nbsp;&nbsp; (trns_id=3DES encklen=0 authtype=2)<BR>2002-08-05 05:14:45: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 3ffe:8070:100d:2:203:47ff:fea8:8dee.<BR>2002-08-05 05:14:45: INFO: isakmp.c:1734:isakmp_po
 st_acquire(): <STRONG>IPsec-SA request for 3ffe:8070:100d:2:203:47ff:fea8:8dee queued due to no phase1 found.<BR></STRONG>2002-08-05 05:14:45: DEBUG: isakmp.c:819:isakmp_ph1begin_i(): ===<BR>2002-08-05 05:14:45: INFO: isakmp.c:824:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]&lt;=&gt;3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]<BR>2002-08-05 05:14:45: INFO: isakmp.c:829:isakmp_ph1begin_i(): begin Identity Protection mode.<BR>2002-08-05 05:14:45: DEBUG: isakmp.c:2046:isakmp_newcookie(): new cookie:<BR>40646eeddb80df45 <BR>2002-08-05 05:14:45: DEBUG: isakmp.c:2163:set_isakmp_payload(): add payload of len 48, next type 0<BR>2002-08-05 05:14:45: DEBUG: isakmp.c:2298:isakmp_printpacket(): begin.<BR>14:45.999926 3ffe:8070:100d:2:203:47ff:fe68:2efe:7000 -&gt; 3ffe:8070:100d:2:203:47ff:fea8:8dee:8000: isakmp 1.0 msgid 00000000: phase 1 I ident:<BR>&nbsp;&nbsp;&nbsp; (sa: doi=ipsec situation=identity<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
 sp;&nbsp; (p: #1 protoid=isakmp transform=1<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=003c)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))<BR>2002-08-05 05:14:46: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<BR>2002-08-05 05:14:46: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<BR>2002-08-05 05:14:46: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]<BR>2002-08-05 05:14:46: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0<BR>2002-08-05 05:14:46: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0<BR>2002-08-05 05:14:46: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will be sent.<BR>2002-08-05 05:14:46: DEBUG: pl
 og.c:209:plogdump(): <BR>40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034<BR>00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c<BR>80010005 80030001 80020002 80040002<BR>2002-08-05 05:15:06: DEBUG: isakmp.c:1490:isakmp_ph1resend(): resend phase1 packet 40646eeddb80df45:0000000000000000<BR>2002-08-05 05:15:06: DEBUG: sockmisc.c:419:sendfromto(): sockname 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<BR>2002-08-05 05:15:06: DEBUG: sockmisc.c:421:sendfromto(): send packet from 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000]<BR>2002-08-05 05:15:06: DEBUG: sockmisc.c:423:sendfromto(): send packet to 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000]<BR>2002-08-05 05:15:06: DEBUG: sockmisc.c:479:sendfromto(): src6 3ffe:8070:100d:2:203:47ff:fe68:2efe[7000] 0<BR>2002-08-05 05:15:06: DEBUG: sockmisc.c:483:sendfromto(): dst6 3ffe:8070:100d:2:203:47ff:fea8:8dee[8000] 0<BR>2002-08-05 05:15:06: DEBUG: isakmp.c:1470:isakmp_send(): 1 times of 80 bytes message will 
 be sent.<BR>2002-08-05 05:15:06: DEBUG: plog.c:209:plogdump(): <BR>40646eed db80df45 00000000 00000000 01100200 00000000 00000050 00000034<BR>00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c003c<BR>80010005 80030001 80020002 80040002<BR>2002-08-05 05:15:06: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message<BR>2002-08-05 05:15:06: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found<BR>2002-08-05 05:15:17: ERROR: isakmp.c:1826:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:8070:100d:2:203:47ff:fea8:8dee-&gt;3ffe:8070:100d:2:203:47ff:fe68:2efe <BR>2002-08-05 05:15:17: INFO: isakmp.c:1831:isakmp_chkph1there(): delete phase 2 handler.<BR>2002-08-05 05:15:18: INFO: session.c:276:check_sigreq(): caught signal 2<BR>2002-08-05 05:15:18: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey FLUSH message<BR>2002-08-05 05:15:19: DEBUG: pfkey.c:268:pfkey_dump_sadb(): call pfkey_send_dump<BR>2002-0
 8-05 05:15:19: INFO: session.c:180:close_session(): racoon shutdown<BR></P>
<P>Thanks</P>
<P>H.V.</P><p><br><hr size=1><b>Do You Yahoo!?</b><br>
<a href="http://health.yahoo.com/">Yahoo! Health</a> - Feel better, live better
--0-1133668583-1028564366=:16943--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020805161926.17009.qmail>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation