#72 ipsec-tools 0.7.1 breaks compatibility with version 0.7

closed
nobody
None
5
2009-01-16
2008-11-07
Alexandre Reis
No

I have a Fedora 9 gateway with ipsec-tools version 0.7, connected via a network interface to a wireless router. My wireless notebook runs Kubuntu 8.10, also with ipsec-tools version 0.7. Everything works fine.
After upgrading ipsec-tools to version 0.7.1 on Fedora, the SA is no longer established.
If I downgrade to ipsec-tools 0.7 on Fedora, everything works fine.

Attached are my configuration files: ipsec.tgz
Inside this archive are 4 files:

gateway configuration:
gw-racoon.conf
gw-setkey.conf

Notebook configuration:
client-racoon.conf
client-setkey.conf

Gateway log:

Nov 7 16:11:12 tango racoon: 2008-11-07 16:11:12: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
Nov 7 16:11:12 tango racoon: 2008-11-07 16:11:12: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Nov 7 16:11:12 tango racoon: 2008-11-07 16:11:12: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: Resize address pool from 0 to 255
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 127.0.0.1[500] used for NAT-T
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 192.168.1.254[500] used for NAT-T
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 192.168.2.254[500] used as isakmp port (fd=18)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 192.168.2.254[500] used for NAT-T
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 10.1.1.254[500] used as isakmp port (fd=19)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: 10.1.1.254[500] used for NAT-T
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: ::1[500] used as isakmp port (fd=20)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: fe80::2e0:7dff:fe89:544a%eth3[500] used as isakmp port (fd=21)
Nov 7 16:11:13 tango racoon: 2008-11-07 16:11:13: INFO: fe80::208:54ff:feb0:a674%eth0[500] used as isakmp port (fd=22)
Nov 7 16:12:11 tango racoon: 2008-11-07 16:12:11: INFO: respond new phase 1 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:12:11 tango racoon: 2008-11-07 16:12:11: INFO: begin Identity Protection mode.
Nov 7 16:12:11 tango racoon: 2008-11-07 16:12:11: INFO: received Vendor ID: DPD
Nov 7 16:12:21 tango racoon: 2008-11-07 16:12:21: NOTIFY: the packet is retransmitted by 192.168.2.100[500].
Nov 7 16:12:31 tango racoon: 2008-11-07 16:12:31: NOTIFY: the packet is retransmitted by 192.168.2.100[500].
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: respond new phase 1 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: begin Identity Protection mode.
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: received Vendor ID: DPD
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: ISAKMP-SA established 192.168.2.254[500]-192.168.2.100[500] spi:64a225f4e0339ec6:62ee7fc5a01cf6a5
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: INFO: respond new phase 2 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: INFO: Update the generated policy : 192.168.2.100/32[0] 0.0.0.0/0[0] proto=any dir=in
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: pfkey add failed.
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: failed to process packet.
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: phase2 negotiation failed.
Nov 7 16:12:44 tango racoon: 2008-11-07 16:12:44: ERROR: no policy found: id:13425.
Nov 7 16:13:01 tango racoon: 2008-11-07 16:13:01: ERROR: phase1 negotiation failed due to time up. 0b4d45724065803c:f7fcbe9ac1472b5c
Nov 7 16:13:05 tango racoon: 2008-11-07 16:13:05: INFO: ISAKMP-SA expired 192.168.2.254[500]-192.168.2.100[500] spi:64a225f4e0339ec6:62ee7fc5a01cf6a5
Nov 7 16:13:06 tango racoon: 2008-11-07 16:13:06: INFO: ISAKMP-SA deleted 192.168.2.254[500]-192.168.2.100[500] spi:64a225f4e0339ec6:62ee7fc5a01cf6a5
Nov 7 16:13:58 tango racoon: 2008-11-07 16:13:58: INFO: respond new phase 1 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:13:58 tango racoon: 2008-11-07 16:13:58: INFO: begin Identity Protection mode.
Nov 7 16:13:58 tango racoon: 2008-11-07 16:13:58: INFO: received Vendor ID: DPD
Nov 7 16:13:58 tango racoon: 2008-11-07 16:13:58: INFO: ISAKMP-SA established 192.168.2.254[500]-192.168.2.100[500] spi:6e7b8d061ab04421:4a32dc9b37fd506d
Nov 7 16:13:58 tango racoon: 2008-11-07 16:13:58: INFO: purging spi=62105852.
Nov 7 16:13:59 tango racoon: 2008-11-07 16:13:59: INFO: respond new phase 2 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:13:59 tango racoon: 2008-11-07 16:13:59: INFO: no policy found, try to generate the policy : 192.168.2.100/32[0] 0.0.0.0/0[0] proto=any dir=in
Nov 7 16:13:59 tango racoon: 2008-11-07 16:13:59: ERROR: pfkey add failed.
Nov 7 16:13:59 tango racoon: 2008-11-07 16:13:59: ERROR: failed to process packet.
Nov 7 16:13:59 tango racoon: 2008-11-07 16:13:59: ERROR: phase2 negotiation failed.
Nov 7 16:14:00 tango racoon: 2008-11-07 16:14:00: ERROR: no policy found: id:13425.
Nov 7 16:14:30 tango racoon: 2008-11-07 16:14:30: ERROR: no policy found: id:13425.
Nov 7 16:15:00 tango racoon: 2008-11-07 16:15:00: ERROR: no policy found: id:13425.
Nov 7 16:15:30 tango racoon: 2008-11-07 16:15:30: ERROR: no policy found: id:13425.
Nov 7 16:16:01 tango racoon: 2008-11-07 16:16:01: ERROR: no policy found: id:13425.
Nov 7 16:16:31 tango racoon: 2008-11-07 16:16:31: ERROR: no policy found: id:13425.
Nov 7 16:17:01 tango racoon: 2008-11-07 16:17:01: ERROR: no policy found: id:13425.
Nov 7 16:17:31 tango racoon: 2008-11-07 16:17:31: ERROR: no policy found: id:13425.

Note: the client and gateway configurations did not change.

PS: Excuse my poor English
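
A triage sketch for logs like the gateway log above, added here as an example and not part of the original report or of ipsec-tools: it maps racoon messages to negotiation events and reports whether the exchange breaks in phase 1 or at the phase 2 PF_KEY step. The event names and the `failure_stage` helper are assumptions; the sample lines are excerpted from the log above.

```python
import re
from collections import Counter

# Excerpted from the gateway log in the report above.
SAMPLE_LOG = """\
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: respond new phase 1 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:12:42 tango racoon: 2008-11-07 16:12:42: INFO: ISAKMP-SA established 192.168.2.254[500]-192.168.2.100[500] spi:64a225f4e0339ec6:62ee7fc5a01cf6a5
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: INFO: respond new phase 2 negotiation: 192.168.2.254[500]<=>192.168.2.100[500]
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: pfkey add failed.
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: failed to process packet.
Nov 7 16:12:43 tango racoon: 2008-11-07 16:12:43: ERROR: phase2 negotiation failed.
Nov 7 16:12:44 tango racoon: 2008-11-07 16:12:44: ERROR: no policy found: id:13425.
"""

# syslog prefix, then racoon's own "timestamp: LEVEL: message"
LINE = re.compile(r"racoon: (\S+ \S+): ([A-Z]+): (.*)$")
EVENTS = [  # (hypothetical event name, message pattern); first match wins
    ("p1_start", re.compile(r"respond new phase 1 negotiation")),
    ("p1_ok", re.compile(r"ISAKMP-SA established")),
    ("p1_timeout", re.compile(r"phase1 negotiation failed")),
    ("p2_start", re.compile(r"respond new phase 2 negotiation")),
    ("pfkey_fail", re.compile(r"pfkey \w+ failed")),
    ("p2_fail", re.compile(r"phase2 negotiation failed")),
    ("no_policy", re.compile(r"no policy found: id:\d+")),
]

def parse(text):
    """Yield (timestamp, level, event) for each recognised racoon line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts, level, msg = m.groups()
        for name, pat in EVENTS:
            if pat.search(msg):
                yield ts, level, name
                break

def failure_stage(text):
    """Return (stage, counts); stage is 'phase1', 'phase2-pfkey', 'phase2' or None."""
    seen = Counter(event for _, _, event in parse(text))
    if seen["p1_start"] and not seen["p1_ok"]:
        return "phase1", seen          # IKE never completed
    if seen["p2_fail"]:
        # IKE completed; a PF_KEY error means SA installation was rejected
        return ("phase2-pfkey" if seen["pfkey_fail"] else "phase2"), seen
    return None, seen
```

On the excerpt, the result is `phase2-pfkey`: the ISAKMP-SA is established and the failure appears when racoon hands the SA to the kernel over PF_KEY.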

Discussion

  • Alexandre Reis
    2008-11-07

    configuration files

     
  • Alexandre Reis
    2008-11-07

    client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)

     
  • Alexandre Reis
    2008-11-07

    File Added: racoon.log

     
  • Alexandre Reis
    2008-11-07

    File Added: racoon.tgz

     
  • Alexandre Reis
    2008-11-07

    racoon.log is racoon.tgz, excuse me!

     
  • Alexandre Reis
    2008-11-08

    If the client is ipsec-tools version 0.7.1, it also does not work!

     
  • Alexandre Reis
    2008-11-08

    I downloaded ipsec-tools 0.7.1 from SourceForge, compiled it without the Red Hat/Fedora patch, and racoon works fine!!!
    My apologies!!!

     
  • Timo Teras
    2009-01-16

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.