Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 21 Jan 2004 16:22:36 +1100
From:      Andrew Thomson <andrewjt@applecomm.net>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipsec changes in 5.2
Message-ID:  <1074662556.2786.14.camel@itouch-1011.prv.au.itouchnet.net>
In-Reply-To: <1074661486.2786.10.camel@itouch-1011.prv.au.itouchnet.net>
References:  <1074554991.701.57.camel@itouch-1011.prv.au.itouchnet.net> <20040121033854.GA29338@xor.obsecurity.org> <1074661486.2786.10.camel@itouch-1011.prv.au.itouchnet.net>

next in thread | previous in thread | raw e-mail | index | archive | help
At the same time, I do see what I'm asking is a bit of a chicken and an
egg scenario..

spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec

I'm asking for encryption from my laptop to anywhere.. however I'm also
asking it to establish encryption with another host which technically it
needs to talk to unencrypted. This must be where things are getting hung
up.

ajt.

On Wed, 2004-01-21 at 16:04, Andrew Thomson wrote:
> Can't quite access my laptop from work so I've replicated the scenario
> here at work on my 5.2 desktop.
> 
> My host: 192.168.13.202
> Firewall: 192.168.13.1
> 
> Just recompiled kernel with IPSEC options and installed racoon.
> 
> Install the following as per previous setup:
> 
> spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec
>    esp/tunnel/192.168.13.202-192.168.13.1/require;
> spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec
>    esp/tunnel/192.168.13.1-192.168.13.202/require;
> 
> Have an all.log tail and a tcpdump on xl0 listening for my ip or the
> firewall ip.
> 
> I then try a single ping to the firewall.
> 
> ping -c 1 192.168.13.1
> PING 192.168.13.1 (192.168.13.1): 56 data bytes
> 64 bytes from 192.168.13.1: icmp_seq=0 ttl=64 time=0.373 ms
> 
> --- 192.168.13.1 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms
>  ajt@itouch-1011:~ > ping -c 1 192.168.13.1
> PING 192.168.13.1 (192.168.13.1): 56 data bytes
> 
> --- 192.168.13.1 ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss
> 
> all.log
> 
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:1682:isakmp_post_acquire():
> IPsec-SA request for 192.168.13.1 queued due to no phase1 found. 
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:796:isakmp_ph1begin_i():
> initiate new phase 1 negotiation:
> 192.168.13.202[500]<=>192.168.13.1[500] 
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:801:isakmp_ph1begin_i():
> begin Aggressive mode.  
> Jan 21 15:56:51 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 192.168.13.1->192.168.13.202  
> Jan 21 15:56:51 1011 racoon: INFO: isakmp.c:1779:isakmp_chkph1there():
> delete phase 2 handler. 
> Jan 21 15:57:00 1011 racoon: INFO: isakmp.c:1701:isakmp_post_acquire():
> request for establishing IPsec-SA was queued due to no phase1 found. 
> Jan 21 15:57:32 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 192.168.13.1->192.168.13.202  
> 
> However as soon as I setkey -FP and try the ping again...
> 
> It works.. and it's only once SPD entries are cleared that I see
> anything on xl0 - previously with the SPD in place there was nothing.
> Especially the udp 500 communication that is obviously essential to
> setting up the VPN appears..!
> 
> Any tips appreciated... Again this worked between a 5.0 <-> 4.9p1 host
> setup.
> 
> thanks,
> 
> ajt.
> 
> On Wed, 2004-01-21 at 14:38, Kris Kennaway wrote:
> > On Tue, Jan 20, 2004 at 10:29:51AM +1100, Andrew Thomson wrote:
> > > I'm really more interested in changes wrt ipsec since 5.0! ;)
> > > 
> > > I just upgraded my laptop from 5.0 to 5.2 the other day and now my IPSEC
> > > VPN doesn't work.
> > > 
> > > I run a VPN over my wireless adhoc network at home.
> > > 
> > > There are just two hosts on the network, the firewall and the laptop.
> > > 
> > > The firewall is running Freebsd 4.8.
> > > 
> > > When my laptop was on 5.0 the following setup worked a treat. However
> > > since the upgrade, the VPN has stopped working.
> > 
> > Is anything logged by the kernel?  What does tcpdump show happening on
> > the wire?
> > 
> > Kris
> 
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1074662556.2786.14.camel>