IPsec Tools

I don't recall having this issue with 0.7-beta as of 2 Jan, but on my
netbsd-3-1 system built from the recent tarball posted earlier today
configured with:

vpn# ./configure --enable-frag --enable-hybrid --enable-adminport
--enable-dpd --enable-natt=kernel --enable-stats --with-libradius=/usr/pkg
--sysconfdir=/etc/racoon --localstatedir=/var --with-libldap=/usr/pkg
--enable-fastquit

I'm getting when it goes to link racoon:

isakmp_xauth.o(.text+0x792): In function `xauth_radius_init':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:473: undefined
reference to `rad_auth_open'
isakmp_xauth.o(.text+0x7a6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:479: undefined reference to `rad_config'
isakmp_xauth.o(.text+0x7bb):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:480: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x7f5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:483: undefined reference to `rad_close'
isakmp_xauth.o(.text+0x846):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:455: undefined reference to `rad_auth_open'
isakmp_xauth.o(.text+0x85a):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:461: undefined reference to `rad_config'
isakmp_xauth.o(.text+0x873):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:462: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x8ad):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:465: undefined reference to `rad_close'
isakmp_xauth.o(.text+0x8f1): In function `xauth_login_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:503: undefined
reference to `rad_create_request'
isakmp_xauth.o(.text+0x90d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:510: undefined reference to `rad_put_string'
isakmp_xauth.o(.text+0x929):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:517: undefined reference to `rad_put_string'
isakmp_xauth.o(.text+0x965):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:527: undefined reference to `rad_send_request'
isakmp_xauth.o(.text+0x9c1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:558: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x9fd):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:529: undefined reference to `rad_get_attr'
isakmp_xauth.o(.text+0xa59):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:538: undefined reference to `rad_cvt_addr'
isakmp_xauth.o(.text+0xa85):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:532: undefined reference to `rad_cvt_addr'
isakmp_xauth.o(.text+0xaa4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:518: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0xace):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:511: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0xaf8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
kmp_xauth.c:504: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x1e8e): In function `isakmp_cfg_accounting_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1509: undefined
reference to `rad_acct_open'
isakmp_cfg.o(.text+0x1ea6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1515: undefined reference to `rad_config'
isakmp_cfg.o(.text+0x1ec1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1525: undefined reference to `rad_create_request'
isakmp_cfg.o(.text+0x1ee4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1533: undefined reference to `rad_put_string'
isakmp_cfg.o(.text+0x1f3c):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1553: undefined reference to `rad_put_addr'
isakmp_cfg.o(.text+0x1f5e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1561: undefined reference to `rad_put_addr'
isakmp_cfg.o(.text+0x1f78):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1569: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x1fb4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1580: undefined reference to `rad_send_request'
isakmp_cfg.o(.text+0x1fd5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1581: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2016):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1570: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x203d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1563: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2064):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1555: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x208e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1535: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x20b8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1527: more undefined references to `rad_strerror' follow
isakmp_cfg.o(.text+0x211c): In function `isakmp_cfg_accounting_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1519: undefined
reference to `rad_close'
isakmp_cfg.o(.text+0x21bb): In function `isakmp_cfg_radius_common':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1622: undefined
reference to `rad_put_addr'
isakmp_cfg.o(.text+0x21d2):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1629: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x21e8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1636: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x21fa):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1643: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x2213):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1644: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2251):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1637: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2273):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1630: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2295):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
mp_cfg.c:1623: undefined reference to `rad_strerror'
*** Error code 1

Relevant packages built from recent (within the last week) pkgsrc:

freeradius-1.1.4    Free RADIUS server implementation
m4-1.4.8            GNU version of UNIX m4 macro language processor
autoconf-2.61       Generates automatic source code configuration scripts
automake-1.10       GNU Standards-compliant Makefile generator
libtool-base-1.5.22nb4 Generic shared library support script (the script
itself)
openldap-client-2.3.31 Lightweight Directory Access Protocol libraries and
client programs

I had the same result with --with-libradius though I'm wondering if that
discovers /usr/pkg/'s libradius instead of defaulting to the internal
libradius.

peter

I uninstalled the freeradius and reconfigured and then it built fine.

Is there a better, more compatible, radius package?  The goal is to be able
to auth to a radius server with this build.  Is building racoon without a
modern radius lib sufficient to work?  (eg, I'll reinstall freeradius now
that racoon is built)

peter

On 4/4/07 5:12 PM, "Peter Eisch" <peter@...> wrote:

> 
> I don't recall having this issue with 0.7-beta as of 2 Jan, but on my
> netbsd-3-1 system built from the recent tarball posted earlier today
> configured with:
> 
> vpn# ./configure --enable-frag --enable-hybrid --enable-adminport
> --enable-dpd --enable-natt=kernel --enable-stats --with-libradius=/usr/pkg
> --sysconfdir=/etc/racoon --localstatedir=/var --with-libldap=/usr/pkg
> --enable-fastquit
> 
> I'm getting when it goes to link racoon:
> 
> isakmp_xauth.o(.text+0x792): In function `xauth_radius_init':
> /home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:473: undefined
> reference to `rad_auth_open'
> isakmp_xauth.o(.text+0x7a6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:479: undefined reference to `rad_config'
> isakmp_xauth.o(.text+0x7bb):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:480: undefined reference to `rad_strerror'
> isakmp_xauth.o(.text+0x7f5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:483: undefined reference to `rad_close'
> isakmp_xauth.o(.text+0x846):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:455: undefined reference to `rad_auth_open'
> isakmp_xauth.o(.text+0x85a):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:461: undefined reference to `rad_config'
> isakmp_xauth.o(.text+0x873):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:462: undefined reference to `rad_strerror'
> isakmp_xauth.o(.text+0x8ad):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:465: undefined reference to `rad_close'
> isakmp_xauth.o(.text+0x8f1): In function `xauth_login_radius':
> /home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:503: undefined
> reference to `rad_create_request'
> isakmp_xauth.o(.text+0x90d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:510: undefined reference to `rad_put_string'
> isakmp_xauth.o(.text+0x929):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:517: undefined reference to `rad_put_string'
> isakmp_xauth.o(.text+0x965):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:527: undefined reference to `rad_send_request'
> isakmp_xauth.o(.text+0x9c1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:558: undefined reference to `rad_strerror'
> isakmp_xauth.o(.text+0x9fd):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:529: undefined reference to `rad_get_attr'
> isakmp_xauth.o(.text+0xa59):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:538: undefined reference to `rad_cvt_addr'
> isakmp_xauth.o(.text+0xa85):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:532: undefined reference to `rad_cvt_addr'
> isakmp_xauth.o(.text+0xaa4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:518: undefined reference to `rad_strerror'
> isakmp_xauth.o(.text+0xace):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:511: undefined reference to `rad_strerror'
> isakmp_xauth.o(.text+0xaf8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isa
> kmp_xauth.c:504: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x1e8e): In function `isakmp_cfg_accounting_radius':
> /home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1509: undefined
> reference to `rad_acct_open'
> isakmp_cfg.o(.text+0x1ea6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1515: undefined reference to `rad_config'
> isakmp_cfg.o(.text+0x1ec1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1525: undefined reference to `rad_create_request'
> isakmp_cfg.o(.text+0x1ee4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1533: undefined reference to `rad_put_string'
> isakmp_cfg.o(.text+0x1f3c):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1553: undefined reference to `rad_put_addr'
> isakmp_cfg.o(.text+0x1f5e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1561: undefined reference to `rad_put_addr'
> isakmp_cfg.o(.text+0x1f78):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1569: undefined reference to `rad_put_int'
> isakmp_cfg.o(.text+0x1fb4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1580: undefined reference to `rad_send_request'
> isakmp_cfg.o(.text+0x1fd5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1581: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x2016):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1570: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x203d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1563: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x2064):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1555: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x208e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1535: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x20b8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1527: more undefined references to `rad_strerror' follow
> isakmp_cfg.o(.text+0x211c): In function `isakmp_cfg_accounting_radius':
> /home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1519: undefined
> reference to `rad_close'
> isakmp_cfg.o(.text+0x21bb): In function `isakmp_cfg_radius_common':
> /home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1622: undefined
> reference to `rad_put_addr'
> isakmp_cfg.o(.text+0x21d2):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1629: undefined reference to `rad_put_int'
> isakmp_cfg.o(.text+0x21e8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1636: undefined reference to `rad_put_int'
> isakmp_cfg.o(.text+0x21fa):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1643: undefined reference to `rad_put_int'
> isakmp_cfg.o(.text+0x2213):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1644: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x2251):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1637: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x2273):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1630: undefined reference to `rad_strerror'
> isakmp_cfg.o(.text+0x2295):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isak
> mp_cfg.c:1623: undefined reference to `rad_strerror'
> *** Error code 1
> 
> Relevant packages built from recent (within the last week) pkgsrc:
> 
> freeradius-1.1.4    Free RADIUS server implementation
> m4-1.4.8            GNU version of UNIX m4 macro language processor
> autoconf-2.61       Generates automatic source code configuration scripts
> automake-1.10       GNU Standards-compliant Makefile generator
> libtool-base-1.5.22nb4 Generic shared library support script (the script
> itself)
> openldap-client-2.3.31 Lightweight Directory Access Protocol libraries and
> client programs
> 
> I had the same result with --with-libradius though I'm wondering if that
> discovers /usr/pkg/'s libradius instead of defaulting to the internal
> libradius.
> 
> peter
> 
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>

Peter Eisch <peter@...> wrote:

> I uninstalled the freeradius and reconfigured and then it built fine.
> 
> Is there a better, more compatible, radius package?  The goal is to be able
> to auth to a radius server with this build.  Is building racoon without a
> modern radius lib sufficient to work?  (eg, I'll reinstall freeradius now
> that racoon is built)

I used to use libradius from http://portal-to-web.de/tacacs/ and it
wrked fine. What radius library were you using?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On 4/4/07 11:36 PM, "Emmanuel Dreyfus" <manu@...> wrote:

>> I uninstalled the freeradius and reconfigured and then it built fine.
>> 
>> Is there a better, more compatible, radius package?  The goal is to be able
>> to auth to a radius server with this build.  Is building racoon without a
>> modern radius lib sufficient to work?  (eg, I'll reinstall freeradius now
>> that racoon is built)
> 
> I used to use libradius from http://portal-to-web.de/tacacs/ and it
> wrked fine. What radius library were you using?

 pkgsrc/net/freeradius (1.1.4)

I don't need racoon to link to it, but so long as I can auth against it I'm
fine.  Using the internal libradius auth's fine against other systems,
including win2k, so it might be handy to just note somewhere that it can't
use it for it's radius interface.

Thanks,

peter

Peter Eisch <peter@...> wrote:

> > I used to use libradius from http://portal-to-web.de/tacacs/ and it
> > wrked fine. What radius library were you using?
> 
>  pkgsrc/net/freeradius (1.1.4)

The one I use is available from pkgsrc/net/libradius

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Wed, Apr 04, 2007 at 09:35:24AM +0200, VANHULLEBUS Yvan wrote:
> Ipsec-tools 0.7 Beta3 is out, with a few fixes since Beta2.
[...]
> Please reporte us any other issue you found on this Beta, and please
> also remind us any pending patch still not reported.

What is with the patch which allows racoon to run under daemontools or
runit I posted a month ago?
Here it is again in case you lost it.

Best regards

* VANHULLEBUS Yvan

> Please reporte us any other issue you found on this Beta, and please
> also remind us any pending patch still not reported.

  Finally got around to upgrading, and it seems to have solved a problem
 I've had where peer-requested SA removal simply didn't happen.  Yay!

  I still have some interop problems with Cisco and Nortel boxes,
 though.  Sometimes traffic is interrupted and the only way to fix it is
 to manually remove all outbound SAs to that peer.  It appears to
 happen at the same time messages such as these appear in the log:

  DEBUG: ===
  DEBUG: 84 bytes message received from peer.peer.peer.peer[500] to me.me.me.me[500]
  DEBUG:  601220a3 7d22dba9 8621d875 3fb759f8 08100501 87cc1679 00000054 a7a36c4c d1b4eccd 031a90fe e80e85e2 7a47bb02 0afaf139 c5f5b6c7 5fed5238 4b96643f 3afd5b03 cc5a072b 5f3b3be7 d50ef9ec 9a1223fe
  ERROR: unknown Informational exchange received.

  However, since racoon doesn't dump the decrypted payload to the log
 I'm stuck and can't debug it further as I have no idea what my peers
 are trying to tell me.  :-(  Is there any hope that such debug output
 may be added to the next beta?

Regards
-- 
Tore Anderson

Another thing I noticed - when using "proposal_check exact" I get the
  following in my logs:

     ERROR: lifebyte mismatched: my:2147483647 peer:4608000
     ERROR: not matched
     ERROR: no suitable policy found.
     ERROR: failed to pre-process packet.

   Do racoon really propose 2G-1 as lifebyte, or is it the proposal
  matching function that's defective?  I'd like to not use lifebyte at
  all, but as far as I can see there's no way to specify it in the
  configuration file.  I assumed it would be proposed as 0...

   Also, the bug about INITIAL-CONTACT being ignored because it's falsely
  assumed to be before phase2 (SF #1705814) is still causing problems
  with this beta.  :-(

   By the way, does anyone know how to determine what lifetime racoon
  ends up using for a phase1 SA?  racoonctl show-sa isakmp only shows the
  creation date it seems.

Regards
-- 
Tore Anderson

On Wed, May 30, 2007 at 06:02:22PM +0200, Tore Anderson wrote:

Hi.

>    Another thing I noticed - when using "proposal_check exact" I get the
>   following in my logs:
> 
>      ERROR: lifebyte mismatched: my:2147483647 peer:4608000
>      ERROR: not matched
>      ERROR: no suitable policy found.
>      ERROR: failed to pre-process packet.
> 
>    Do racoon really propose 2G-1 as lifebyte, or is it the proposal
>   matching function that's defective?  I'd like to not use lifebyte at
>   all, but as far as I can see there's no way to specify it in the
>   configuration file.  I assumed it would be proposed as 0...

Lifebyte is deprecated, and cannot be configured anymore.

I recently had another issue with that (when revalidating conf after a
SIGHUP), which should be fixed by simply ignoring lifebyte.


I guess we should simply discard anything related to lifebyte, but I'm
not sure it won't cause problems with some peers that set up a value
for lifebyte...

Did your peer really sent a proposal with a lifebyte of 4,5 Mb, or is
this another lifebyte related bug/issue/problem on ipsec-tool's side ?

And was your peer an ipsec-tools's racoon (in which version ?) or
"something else" ?



Yvan.

On Wed, May 30, 2007 at 01:36:19PM +0200, Tore Anderson wrote:
[....]
>   I still have some interop problems with Cisco and Nortel boxes,
>  though.  Sometimes traffic is interrupted and the only way to fix it is
>  to manually remove all outbound SAs to that peer.  It appears to
>  happen at the same time messages such as these appear in the log:
> 
>   DEBUG: ===
>   DEBUG: 84 bytes message received from peer.peer.peer.peer[500] to me.me.me.me[500]
>   DEBUG:  601220a3 7d22dba9 8621d875 3fb759f8 08100501 87cc1679 00000054 a7a36c4c d1b4eccd 031a90fe e80e85e2 7a47bb02 0afaf139 c5f5b6c7 5fed5238 4b96643f 3afd5b03 cc5a072b 5f3b3be7 d50ef9ec 9a1223fe
>   ERROR: unknown Informational exchange received.
> 
>   However, since racoon doesn't dump the decrypted payload to the log
>  I'm stuck and can't debug it further as I have no idea what my peers
>  are trying to tell me.  :-(  Is there any hope that such debug output
>  may be added to the next beta?

"unknown informational exchange" means racoon didn't find the PH1
handler (so the IsakmpSA) used to protect the informational
message....

So there is no way to dump an unencrypted version of something crypted
with a key we don't have !!!!!



Yvan.

* VANHULLEBUS Yvan

> "unknown informational exchange" means racoon didn't find the PH1 
> handler (so the IsakmpSA) used to protect the informational 
> message....
> 
> So there is no way to dump an unencrypted version of something
> crypted with a key we don't have !!!!!

   Yes, I've just realised this.  First I thought the message meant that
  racoon received an notify message of a unknown type, but that was very
  wrong.  The problem, it seems, was due to the Nortel defaulting to
  having a (possibly) infinite lifetime for the ISAKMP SA while racoon
  expired it after eight hours.

   I've just posted a (hopefully) better analysis, I'd appreciate it if
  you took a look at it.  Apologies for the noise about this non-bug.

-- 
Tore Anderson

* VANHULLEBUS Yvan

> I guess we should simply discard anything related to lifebyte, but I'm
> not sure it won't cause problems with some peers that set up a value
> for lifebyte...
> 
> Did your peer really sent a proposal with a lifebyte of 4,5 Mb, or is
> this another lifebyte related bug/issue/problem on ipsec-tool's side ?
> 
> And was your peer an ipsec-tools's racoon (in which version ?) or
> "something else" ?

   The peer is a Cisco ASA with OS version 7.2.2, and it really did
  propose a lifebyte of 4.5 MB.  According to my client it's not possible
  to disable this completely.  I'm using racoon 0.7-beta3.

   However I'm more concerned about the racoon part of the log message.
  If racoon proposes a lifebyte of 2GB, but sets up the IPSEC SAs without
  any lifebyte, won't that cause the peer to expire tose SAs prematurely
  if 2GB is transferred before the lifetime has elapsed?  And won't that
  cause connectivity problems?

   I think this might have been the trouble I had speaking to this
  device.  At apparantly random intervals the Cisco would send me a
  delete SA notification (delete SA didn't work with 0.6.6 so
  connectivity was interrupted).  I believe that was due to the 4.5 MB
  limit being hit, the Cisco apparantly thought we'd agreed to such a
  lifebyte.

-- 
Tore Anderson

Tore Anderson <tore@...> writes:

> 
> * VANHULLEBUS Yvan
> 
> > I guess we should simply discard anything related to lifebyte, but I'm
> > not sure it won't cause problems with some peers that set up a value
> > for lifebyte...
> > 
> > Did your peer really sent a proposal with a lifebyte of 4,5 Mb, or is
> > this another lifebyte related bug/issue/problem on ipsec-tool's side ?
> > 
> > And was your peer an ipsec-tools's racoon (in which version ?) or
> > "something else" ?
> 
>    The peer is a Cisco ASA with OS version 7.2.2, and it really did
>   propose a lifebyte of 4.5 MB.  According to my client it's not possible
>   to disable this completely.  I'm using racoon 0.7-beta3.
> 
>    However I'm more concerned about the racoon part of the log message.
>   If racoon proposes a lifebyte of 2GB, but sets up the IPSEC SAs without
>   any lifebyte, won't that cause the peer to expire tose SAs prematurely
>   if 2GB is transferred before the lifetime has elapsed?  And won't that
>   cause connectivity problems?
> 
>    I think this might have been the trouble I had speaking to this
>   device.  At apparantly random intervals the Cisco would send me a
>   delete SA notification (delete SA didn't work with 0.6.6 so
>   connectivity was interrupted).  I believe that was due to the 4.5 MB
>   limit being hit, the Cisco apparantly thought we'd agreed to such a
>   lifebyte.
> 


Hi Tore,

Searching for a solution of my problem, I found your question about set a 
lifebyte in racoon. Aparently my problem is the same - my Peer: racoon - my 
partner peer CISCO, and the log: [racoon: ERROR: lifebyte mismatched: 
my:2147483647 peer:0 ]

Did you find some way to solve this problem ? Or to set the lifebyte ?

Thanks a lot !

Regards.

Jefferson.