Date: Thu, 28 Dec 2006 17:51:42 +0100
From: "Robert Usle" <robertus.n@gmail.com>
To: freebsd-net@freebsd.org
Subject: ipsec-tools 0.6.6 problem
Message-ID: <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>
Hello list & Yvan.

This is my second post regarding the one from:
http://osdir.com/ml/freebsd-net@freebsd.org/msg20572.html

Sorry for not replying, but my email provider simply sucks.
Here's more info.

---------------------------------
racoon.conf

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/cert";
log debug;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        #isakmp ::1 [7000];
        isakmp 89.217.11.250 [500];
        isakmp 10.0.5.1 [500];
        #admin [7002];          # administrative port for racoonctl.
        #strict_address;        # requires that all addresses must be bound.
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 2 sec;         # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # maximum time to wait for completing each phase.
        phase1 60 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        lifetime time 12 hour ;
        encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate ;
}

----- kernel config:

machine         i386
cpu             I686_CPU
ident           TUNED
maxusers        512
makeoptions     COPTFLAGS="-O2 -pipe"

# FIREWALL and TrafficShaper
options         IPFIREWALL
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFW2
options         IPDIVERT
options         DUMMYNET
options         DEVICE_POLLING
options         HZ=2000

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
#options        INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_DIRHASH             #Improve performance on big directories
options         MFS                     #Memory Filesystem
#options        MD_ROOT                 #MD is a potential root device
#options        NFS                     #Network Filesystem
#options        NFS_ROOT                #NFS usable as root device, NFS required
#options        MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem

...skipping...

pseudo-device   ether           # Ethernet support
#pseudo-device  sl      1       # Kernel SLIP
#pseudo-device  ppp     1       # Kernel PPP
#pseudo-device  tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
pseudo-device   md              # Memory "disks"
pseudo-device   gif             # IPv6 and IPv4 tunneling
#pseudo-device  faith   1       # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

# USB support
#device         uhci            # UHCI PCI->USB interface
#device         ohci            # OHCI PCI->USB interface
#device         usb             # USB Bus (required)
#device         ugen            # Generic
#device         uhid            # "Human Interface Devices"
#device         ukbd            # Keyboard
#device         ulpt            # Printer
#device         umass           # Disks/Mass storage - Requires scbus and da
#device         ums             # Mouse
#device         uscanner        # Scanners
#device         urio            # Diamond Rio MP3 Player
## USB Ethernet, requires mii
#device         aue             # ADMtek USB ethernet
#device         cue             # CATC USB ethernet
#device         kue             # Kawasaki LSI USB ethernet
#
# FireWire support
#device         firewire        # FireWire bus code
#device         sbp             # SCSI over FireWire (Requires scbus and da)
#device         fwe             # Ethernet over FireWire (non-standard!)
#options        DISABLE_PSE

# Quota
options         QUOTA           #enable disk quotas
options         IPSEC           #IP security
options         IPSEC_ESP       #IP security (crypto; define w/ IPSEC)

----------------------------------------------------------------------------------------
----uname -a

FreeBSD wall.s93l.pl 4.11-STABLE FreeBSD 4.11-STABLE #5: Sat Nov 18 09:14:30 CET 2006 root@wall.s93l.pl:/usr/obj/usr/src/sys/TUNED i386

--- /var/log/racoon.log

2006-12-28 17:30:49: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-12-28 17:30:49: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
2006-12-28 17:30:49: DEBUG: hmac(modp1024)
2006-12-28 17:30:49: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0] 192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting

and so on..... infinite loop with 'caught rtm:2, need update interface address list'

---------------------------------------

I was trying to establish a vpn connection with Win XP host, now trying with asmax br-604G.

There are 2 setkey commands now, (/usr/sbin/ & /usr/local/sbin) can I use both?
Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER' after running setkey.

Let me know if you need more info,

--
Robert