Date:      Thu, 28 Dec 2006 17:51:42 +0100
From:      "Robert Usle" <robertus.n@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   ipsec-tools 0.6.6 problem
Message-ID:  <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>

Hello list & Yvan.

This is my second post regarding the one from:
http://osdir.com/ml/freebsd-net@freebsd.org/msg20572.html

Sorry for not replying, but my email provider simply sucks.

Here's more info.

--------------------------------- racoon.conf
path include "/usr/local/etc/racoon";

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

path certificate "/usr/local/etc/racoon/cert";

log debug;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        #isakmp ::1 [7000];
        isakmp 89.217.11.250 [500];
        isakmp 10.0.5.1 [500];
        #admin [7002];          # administrative port for racoonctl.
        #strict_address;        # requires that all addresses must be bound.
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 2 sec; # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # maximum time to wait for completing each phase.
        phase1 60 sec;
        phase2 15 sec;
}
remote anonymous {
  exchange_mode aggressive,main,base;
  lifetime time 24 hour;
  proposal {
    encryption_algorithm  3des;
    hash_algorithm        sha1;
    authentication_method pre_shared_key;
    dh_group              2;
  }
}

sainfo anonymous {
  lifetime                 time 12 hour ;
  encryption_algorithm     des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
  authentication_algorithm hmac_sha1, hmac_md5;
  compression_algorithm    deflate ;
}

-----

kernel config:
machine         i386
cpu             I686_CPU
ident           TUNED
maxusers        512

makeoptions     COPTFLAGS="-O2 -pipe"

# FIREWALL and TrafficShaper
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFW2
options IPDIVERT
options DUMMYNET

options         DEVICE_POLLING
options         HZ=2000

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
#options        INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_DIRHASH             #Improve performance on big directories
options         MFS                     #Memory Filesystem
#options        MD_ROOT                 #MD is a potential root device
#options        NFS                     #Network Filesystem
#options        NFS_ROOT                #NFS usable as root device, NFS required
#options        MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
...skipping...
pseudo-device   ether           # Ethernet support
#pseudo-device  sl      1       # Kernel SLIP
#pseudo-device  ppp     1       # Kernel PPP
#pseudo-device  tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
pseudo-device   md              # Memory "disks"
pseudo-device   gif             # IPv6 and IPv4 tunneling
#pseudo-device  faith   1       # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

# USB support
#device         uhci            # UHCI PCI->USB interface
#device         ohci            # OHCI PCI->USB interface
#device         usb             # USB Bus (required)
#device         ugen            # Generic
#device         uhid            # "Human Interface Devices"
#device         ukbd            # Keyboard
#device         ulpt            # Printer
#device         umass           # Disks/Mass storage - Requires scbus and da
#device         ums             # Mouse
#device         uscanner        # Scanners
#device         urio            # Diamond Rio MP3 Player
## USB Ethernet, requires mii
#device         aue             # ADMtek USB ethernet
#device         cue             # CATC USB ethernet
#device         kue             # Kawasaki LSI USB ethernet
#
# FireWire support
#device         firewire        # FireWire bus code
#device         sbp             # SCSI over FireWire (Requires scbus and da)
#device         fwe             # Ethernet over FireWire (non-standard!)

#options        DISABLE_PSE

# Quota
options         QUOTA                   #enable disk quotas


options   IPSEC        #IP security
options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)

----------------------------------------------------------------------------------------


----uname -a
FreeBSD wall.s93l.pl 4.11-STABLE FreeBSD 4.11-STABLE #5: Sat Nov 18
09:14:30 CET 2006     root@wall.s93l.pl:/usr/obj/usr/src/sys/TUNED
i386

--- /var/log/racoon.log
2006-12-28 17:30:49: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
2006-12-28 17:30:49: INFO: @(#)This product linked OpenSSL 0.9.7d-p1
17 Mar 2004 (http://www.openssl.org/)
2006-12-28 17:30:49: DEBUG: hmac(modp1024)
2006-12-28 17:30:49: DEBUG: compression algorithm can not be checked
because sadb message doesn't support it.
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0]
0.0.0.0/0[0] proto=any dir=in
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
and so on... infinite loop with 'caught rtm:2, need update interface
address list'
---------------------------------------

I was trying to establish a VPN connection with a Win XP host; now I'm trying
with an Asmax BR-604G.

There are 2 setkey commands now (/usr/sbin/ and /usr/local/sbin);
can I use both?

Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
after running setkey.

Let me know if you need more info,

-- 
Robert
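Two things in this post are worth checking mechanically before chasing the loop further: the racoon log excerpt (which message is repeating, and how fast) and the sainfo block (which ESP transforms are actually being offered). The script below is an added example by the editor, not code from the post or from ipsec-tools. It parses both formats as they appear above, including lines that the mail client wrapped (the `null_enc,` / `rijndael` split in the config, and the `sub:0xbfbff524:` line in the log). The sample inputs are copied from the post and embedded inline; the set `WEAK_ESP_ENC` is the editor's own classification of transforms that give no or inadequate confidentiality, not anything racoon itself defines.

```python
import re
from collections import Counter

# Sample sainfo block, copied from the post (note the wrapped algorithm list).
SAINFO_TEXT = """\
sainfo anonymous {
  lifetime                 time 12 hour ;
  encryption_algorithm     des, 3des, des_iv64, des_iv32, null_enc,
rijndael, blowfish;
  authentication_algorithm hmac_sha1, hmac_md5;
  compression_algorithm    deflate ;
}
"""

# Sample racoon.log excerpt, copied from the post (one wrapped DEBUG line).
LOG_TEXT = """\
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
"""

# Editor's assumption: ESP transforms that provide no or inadequate confidentiality.
WEAK_ESP_ENC = {"null_enc", "des", "des_iv64", "des_iv32"}


def parse_sainfo_algorithms(text):
    """Return {directive: [algorithms]} for every *_algorithm statement in a
    sainfo block. Statements end at ';', so a list wrapped across lines is
    rejoined before splitting on commas."""
    result = {}
    body = text[text.index("{") + 1:text.rindex("}")]
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # collapse newlines and indentation
        if not stmt:
            continue
        key, _, value = stmt.partition(" ")
        if key.endswith("_algorithm"):
            result[key] = [a.strip() for a in value.split(",") if a.strip()]
    return result


def weak_esp_proposals(text):
    """List the encryption transforms in the sainfo block that fall in WEAK_ESP_ENC.
    racoon offers every listed transform to the peer, so each one is selectable."""
    algos = parse_sainfo_algorithms(text)
    return [a for a in algos.get("encryption_algorithm", []) if a in WEAK_ESP_ENC]


LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (\w+): (.*)$")


def parse_log(text):
    """Return [(timestamp, level, message)] from racoon log text. A line that
    does not start with a timestamp is treated as the wrapped tail of the
    previous message and appended to it."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
        elif entries:
            ts, lvl, msg = entries[-1]
            entries[-1] = (ts, lvl, msg + " " + line.strip())
    return entries


def repeated_messages(entries, threshold=3):
    """Messages seen at least `threshold` times, most frequent first, so a
    runaway loop like the rtm:2 one stands out from one-off startup lines."""
    counts = Counter(msg for _, _, msg in entries)
    return [(msg, n) for msg, n in counts.most_common() if n >= threshold]


def rtm_storm_rate(entries):
    """How many routing-socket ('caught rtm:') messages racoon logged per second.
    A steady count per second with no SA traffic is the signature of the loop."""
    per_second = Counter(ts for ts, _, msg in entries if msg.startswith("caught rtm:"))
    return dict(per_second)


if __name__ == "__main__":
    print("weak ESP transforms offered:", weak_esp_proposals(SAINFO_TEXT))
    log = parse_log(LOG_TEXT)
    for msg, n in repeated_messages(log):
        print(f"{n:3d}x {msg}")
    print("rtm messages per second:", rtm_storm_rate(log))
```

Run against a real `/var/log/racoon.log` by replacing `LOG_TEXT` with the file contents; the per-second counter is the quicker way to tell a genuine interface change from racoon re-reading its address list continuously, and the sainfo check shows that with this configuration a peer can negotiate DES or a null cipher even when 3DES and AES are also listed.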


