Thread: [Ipsec-tools-devel] general questions about racoon support
From: racoon D. <rac...@ya...> - 2006-03-08 18:19:09
Hi,

1. What version of XAUTH does Racoon support?

2. So does racoon work with the Cisco VPN client? I saw some issues raised in the mail archive, one of which was rekeying. Does rekey still cause problems?

3. Has anyone tried it with a Netscreen client?

4. How does the Racoon ike implementation scale, in the sense that if I were to use it as a VPN concentrator, can it support thousands of ipsec initiators or it was not designed to be used in such a scenario?

5. Does it provide support for SA import/export?

Thanks.
From: <ma...@ne...> - 2006-03-08 19:25:54
racoon Dev <rac...@ya...> wrote:

> 1. What version of XAUTH does Racoon support?

Partial implementation of latest drafts.

> 2. So does racoon work with the Cisco VPN client? I saw some issues
> raised in the mail archive, one of which was rekeying. Does rekey still
> cause problems?

Not as far as I'm aware.

> 3. Has anyone tried it with a Netscreen client?

I think Fred did.

> 4. How does the Racoon ike implementation scale, in the sense that if I
> were to use it as a VPN concentrator, can it support thousands of ipsec
> initiators or it was not designed to be used in such a scenario?

Your problem will probably be that the CPU won't be able to cope with thousands of initiators at once.

> 5. Does it provide support for SA import/export?

I don't understand this question, but I don't know what I'm talking about.

--
Emmanuel Dreyfus
A book in French about BSD: http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
From: racoon D. <rac...@ya...> - 2006-03-08 20:19:37
> > > 3. Has anyone tried it with a Netscreen client?
> >
> > I think Fred did.

Sorry, I am new to this mailing list and racoon, hence don't know who Fred is. Can Fred confirm?

> > > 4. How does the Racoon ike implementation scale, in the sense that if I
> > > were to use it as a VPN concentrator, can it support thousands of ipsec
> > > initiators or it was not designed to be used in such a scenario?
> >
> > Your problem will probably be that the CPU won't be able to cope with
> > thousands of initiators at once.

Sure, I meant as an IKE receiver using the racoon implementation, can it support thousands of 'established' sessions that were initiated by some road warriors? Let's say about 10-20 sessions are initiated at a given time. Just wondering how much scalability testing the implementation has gone through.

> > > 5. Does it provide support for SA import/export?
> >
> > I don't understand this question, but I don't know what I'm talking
> > about.

:-) ... perhaps I'm using the wrong terminology. For failover support, a box establishes an SA session and 'exports' the SA session material to a failover box. The failover box 'imports' the SA information so it can take over the SA session (including the ability to rekey) should the original box which established the session fail.

I was wondering whether racoon provides some import/export SA APIs/support, thanks.
From: <ma...@ne...> - 2006-03-08 20:35:19
racoon Dev <rac...@ya...> wrote:

> > I think Fred did.
>
> Sorry, I am new to this mailing list and racoon, hence
> don't know who Fred is. Can Fred confirm?

Don't worry, I expected Fred to comment soon on his own. If he hasn't done it, it's just because he is offline.

> Sure, I meant as an IKE receiver using the racoon
> implementation, can it support thousands of
> 'established' sessions that were initiated by some
> road warriors? Let's say about 10-20 sessions are
> initiated at a given time. Just wondering how much
> scalability testing the implementation has gone
> through.

Once the IKE phase 2 has occurred, the IKE daemon is not involved anymore for data exchange. The kernel does all the work, which is quite lightweight since it's only symmetric cryptography. The real problem is when the gateway reboots and all the roadwarriors try to perform IKE exchange at the same time. Here your machine will die.

> :-) ... perhaps I'm using the wrong terminology. For
> failover support, a box establishes an SA session and
> 'exports' the SA session material to a failover box.
> The failover box 'imports' the SA information so it
> can take over the SA session (including the ability to
> rekey) should the original box which established the
> session fails.
>
> I was wondering whether racoon provides some
> import/export SA APIs/support, thanks.

I don't think it does, but Yvan might want to comment (you don't know Yvan? Just wait for a few hours...)

--
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookshops
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
From: racoon D. <rac...@ya...> - 2006-03-08 22:44:01
Hi, reading the racoon code, wondering where the xauth support code is.

Hi, it looks like xauth is supported under the ENABLE_HYBRID compiler flag, is this correct? I am not sure because I would think ENABLE_HYBRID is meant for hybrid auth only (as the case OAKLEY_ATTR_AUTH_METHOD_HYBRID_xxx statements imply in ph1_main()), but I don't see anything else that points to xauth that is not under the ENABLE_HYBRID flag. Can someone point me to it?

Also, there is no xauth state machine (I see one for main mode, aggressive mode, and quick mode in isakmp.c) ... or did I miss it? Thanks.
From: Emmanuel D. <ma...@ne...> - 2006-03-09 09:08:42
On Wed, Mar 08, 2006 at 02:37:04PM -0800, racoon Dev wrote:

> Hi, reading the racoon code, wondering where the xauth
> support code is.
>
> Hi, it looks like xauth is supported under the
> ENABLE_HYBRID compiler flag, is this correct? I am not
> sure because I would think ENABLE_HYBRID is meant for
> hybrid auth only (as the case
> OAKLEY_ATTR_AUTH_METHOD_HYBRID_xxx statements imply in
> ph1_main()), but I don't see anything else that points
> to xauth that is not under the ENABLE_HYBRID flag. Can
> someone point me to it?

Yes, this is an old mistake: --enable-hybrid enables Xauth and hybrid auth at the same time. Someone should fix this one day, but it's not that important.

> Also, there is no xauth state machine (I see one for
> main mode, aggress mode, and quick mode in isakmp.c)
> ... or did I miss it? Thanks.

See the status flag in xauth_state. The client has no state and is driven by the replies it gets.

--
Emmanuel Dreyfus
ma...@ne...
From: VANHULLEBUS Y. <va...@fr...> - 2006-03-09 13:24:04
On Wed, Mar 08, 2006 at 11:57:14AM -0800, racoon Dev wrote:

Hi.

> > > 4. How does the Racoon ike implementation scale, in the sense that if I
> > > were to use it as a VPN concentrator, can it support thousands of ipsec
> > > initiators or it was not designed to be used in such a scenario?
> >
> > Your problem will probably be that the CPU won't be able to cope with
> > thousands of initiators at once.
>
> Sure, I meant as an IKE receiver using the racoon
> implementation, can it support thousands of
> 'established' sessions that were initiated by some
> road warriors? Let's say about 10-20 sessions are
> initiated at a given time. Just wondering how much
> scalability testing the implementation has gone
> through.

With appropriate hardware (and/or appropriate configuration), we tested racoon with hundreds of peers, and it works.

But you'll have to deal with another problem: pfkey big messages. I know there are some problems on BSD with more than a few hundred SPD entries / SAs (I have a patch for that, it should be clean enough to be published in a few weeks.... well, in fact, when I'll have some hours to work again on that....), and if I remember well, there are some similar problems reported for Linux.

> > > 5. Does it provide support for SA import/export?
> >
> > I don't understand this question, but I don't know
> > what I'm talking about.
>
> :-) ... perhaps I'm using the wrong terminology. For
> failover support, a box establishes an SA session and
> 'exports' the SA session material to a failover box.
> The failover box 'imports' the SA information so it
> can take over the SA session (including the ability to
> rekey) should the original box which established the
> session fails.
>
> I was wondering whether racoon provides some
> import/export SA APIs/support, thanks.

Actually, there is an option to dump all negotiated SAs to a file, and to load the content of this file when starting, but I don't expect it to work and do what you want.

Some kind of HA support is somewhere on my TODO list, but I can't give you a deadline for now. And it is quite complex to do it correctly.

Yvan.
From: Brian C. <B.C...@po...> - 2006-03-09 15:32:04
On Wed, Mar 08, 2006 at 11:57:14AM -0800, racoon Dev wrote:

> For failover support, a box establishes an SA session and
> 'exports' the SA session material to a failover box.
> The failover box 'imports' the SA information so it
> can take over the SA session (including the ability to
> rekey) should the original box which established the
> session fails.
>
> I was wondering whether racoon provides some
> import/export SA APIs/support, thanks.

The only open source implementation I'm aware of for this is OpenBSD's sasyncd, but I've not tested it myself.
From: Matthew G. <mg...@sh...> - 2006-03-09 17:14:34
All,

I have a few quick questions about inter-operating with racoon's IKE fragmentation option. First of all, does anyone know of a paper that describes this as a draft or a standard? I can't seem to google it.

Anyhow, when racoon uses a Fragmentation vendor id that includes the 4 byte capabilities value appended, I get this in the log output ...

received broken Microsoft ID: FRAGMENTATION

... and racoon _will_ perform fragmentation.

But when only the vendor hash itself is received without the capability value, I get this in the log output ...

received Vendor ID: FRAGMENTATION

... and racoon _will_not_ perform fragmentation nor will it reply with a "FRAGMENTATION" vendor id of its own.

The first log message looks a lot more like an error to me than the second one does. Is this the desired effect? Should fragmentation work in both cases? Is there a non "broken-microsoft-id" method to coax racoon into performing ike fragmentation? Is this just really confusing log output?

Thanks in advance,

-Matthew
From: Matthew G. <mg...@sh...> - 2006-03-13 23:29:58
Matthew Grooms wrote:

> All,
>
> I have a few quick questions about inter-operating with racoon's IKE
> fragmentation option. First of all, does anyone know of a paper that
> describes this as a draft or a standard? I can't seem to google it.
>
> Anyhow, when racoon uses a Fragmentation vendor id that includes
> the 4 byte capabilities value appended, I get this in the log output ...
>
> received broken Microsoft ID: FRAGMENTATION
>
> ... and racoon _will_ perform fragmentation.
>
> But when only the vendor hash itself is received without the capability
> value, I get this in the log output ...
>
> received Vendor ID: FRAGMENTATION
>
> ... and racoon _will_not_ perform fragmentation nor will it reply with a
> "FRAGMENTATION" vendor id of its own.
>
> The first log message looks a lot more like an error to me than the
> second one does. Is this the desired effect? Should fragmentation work
> in both cases? Is there a non "broken-microsoft-id" method to coax
> racoon into performing ike fragmentation? Is this just really confusing
> log output?
>
> Thanks in advance,
>
> -Matthew

Hello again,

I have other questions/comments to add to the mix. When reviewing the fragmentation code logic, I am a bit confused how it is intended to operate with respect to the man page.

    ike_frag (on | off);
            Enable receiver-side IKE fragmentation, if racoon(8) has been
            built with this feature. This extension is there to work around
            broken firewalls that do not work with fragmented UDP packets.
            IKE fragmentation is always enabled on the sender-side, and it
            is used if the peer advertises itself as IKE fragmentation
            capable.

I assume that receiver side means that you are the entity that is receiving the isakmp packet ( not necessarily the responder ). But the two variables used to control the use of fragmentation and the way they are being manipulated do not make sense to me.

For example, it looks like the rmconf->ike_frag variable is set to 1 only if the "ike_frag = on" is present in the racoon.conf file. But this variable is only checked before sending a fragment vendor id when acting as an initiator. So the "ike_frag = on" in the racoon.conf file really determines whether or not fragmentation will be negotiated. If racoon is acting as an initiator and the vendor id is omitted, the responder would interpret this as unsupported.

The other variable iph1->frag is always initialized to 0 and then set to 1 when the fragmentation vendor id payload is seen ( + capabilities, see previous post above ) from the remote peer. This matches the man page and makes sense since it only seems to control whether or not a packet may be fragmented in the send path.

Also, the "ike_frag = on" is stated as controlling "receiver side ike-fragmentation". Any packet ( except the first, see below ) that has the first payload marked as a fragment is passed from isakmp_main to frag_handler to rebuild a complete packet and then back to isakmp_main. But the rmconf->ike_frag variable is not referenced anywhere in this receive path that I can see.

Maybe this is just an out of date man page, but there seems to be a bug as well. When a remote initiator fragments the first packet in an exchange, racoon will never be able to handle a fragmented payload because isakmp_main calls isakmp_ph1begin_r before the ike message can be reassembled by frag_handler. For main mode this is not that big of a deal unless the initiator has an ungodly amount of sa + proposal + transforms in its initial packet. But for aggressive mode, the only packet that an initiator would likely need to fragment is the first one. Racoon logs this debug info in its logfile ...

2006-03-13 16:21:10: INFO: respond new phase 1 negotiation: 66.90.165.114[500]<=>10.22.200.21[500]
2006-03-13 16:21:10: INFO: begin Aggressive mode.
2006-03-13 16:21:10: DEBUG: begin.
2006-03-13 16:21:10: DEBUG: seen nptype=132(ike frag)
2006-03-13 16:21:10: DEBUG: succeed.
2006-03-13 16:21:10: ERROR: received invalid next payload type 132, expecting 1.
2006-03-13 16:21:10: ERROR: failed to process packet.

All this is in reference to the CVS branch. If someone can clarify the intended behavior for me, I can try to come up with a patch to correct any of the issues I raised that are deemed 'actual bugs'.

Thanks,

-Matthew
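As an added illustration of the two forms of the FRAGMENTATION vendor ID that Matthew describes and of the first-payload ordering problem his log shows, here is example code that is not racoon's own: it walks an ISAKMP payload chain with bounds checks, accepts the vendor ID both bare and with the 4-byte capability word appended (the behaviour Emmanuel later says needs a minor fix), and flags a message whose first payload is the fragment type so it can be reassembled before phase-1 processing. Payload type numbers follow RFC 2408 plus the 132 seen in the log; the capability value 0xc0000000 is a constructed sample.

```python
import hashlib
import struct

# ISAKMP next-payload types used here: RFC 2408 values plus racoon's
# private fragment type, which the thread's log shows as nptype=132.
NPTYPE_NONE = 0
NPTYPE_SA = 1
NPTYPE_VID = 13
NPTYPE_FRAG = 132

# racoon derives its vendor IDs as the MD5 digest of the vendor string; the
# "broken Microsoft" form appends a 4-byte capability word to the digest.
FRAG_VID = hashlib.md5(b"FRAGMENTATION").digest()
CAP_LEN = 4
SAMPLE_CAP = b"\xc0\x00\x00\x00"   # constructed sample capability word


def build_payload(next_type, body):
    """Generic ISAKMP payload: next(1) reserved(1) length(2, incl. header)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def iter_payloads(first_type, buf):
    """Walk a payload chain, yielding (type, body); rejects bad lengths."""
    nptype, off = first_type, 0
    while nptype != NPTYPE_NONE:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("payload length %d out of bounds" % length)
        yield nptype, buf[off + 4:off + length]
        off += length
        nptype = nxt
    if off != len(buf):
        raise ValueError("trailing bytes after last payload")


def is_well_formed(first_type, buf):
    """True if every payload header in the chain fits inside the buffer."""
    try:
        list(iter_payloads(first_type, buf))
        return True
    except ValueError:
        return False


def classify_frag_vid(body):
    """Return (is_frag_vid, capability or None) for a vendor ID body."""
    if body[:len(FRAG_VID)] != FRAG_VID:
        return False, None
    rest = body[len(FRAG_VID):]
    if not rest:
        return True, None                       # bare 16-byte hash
    if len(rest) == CAP_LEN:
        return True, struct.unpack("!I", rest)[0]   # hash + capability
    return False, None                          # unrecognised trailer


def peer_supports_frag(first_type, buf):
    """True if the peer advertised FRAGMENTATION in either form."""
    for ptype, body in iter_payloads(first_type, buf):
        if ptype == NPTYPE_VID and classify_frag_vid(body)[0]:
            return True
    return False


def needs_reassembly(first_type):
    """Check before phase-1 dispatch: a message whose first payload is a
    fragment must be reassembled first, not handed to isakmp_ph1begin_r."""
    return first_type == NPTYPE_FRAG


if __name__ == "__main__":
    msg = build_payload(NPTYPE_VID, b"\x00" * 8) + \
        build_payload(NPTYPE_NONE, FRAG_VID + SAMPLE_CAP)
    print("peer supports fragmentation:", peer_supports_frag(NPTYPE_SA, msg))
    print("first payload is a fragment:", needs_reassembly(NPTYPE_FRAG))
```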
From: Matthew G. <mg...@sh...> - 2006-03-20 22:09:41
Attachments:
isakmp_cfg.diff
Unity local lan is not working for me in CVS. The isakmp_cfg_request function ignores the attribute in the switch because UNITY_LOCAL_LAN is not listed as a case for isakmp_unity_req.

-Matthew
From: <ma...@ne...> - 2006-03-14 07:24:58
Matthew Grooms <mg...@sh...> wrote:

> I have a few quick questions about inter-operating with racoon's
> IKE fragmentation option. First of all, does anyone know of a paper
> that describes this as a draft or a standard? I can't seem to google it.

I'm not aware of any documentation. I implemented the thing by engineering exchanges between Cisco VPN client and Cisco VPN 3000.

> Anyhow, when racoon uses a Fragmentation vendor id that includes
> the 4 byte capabilities value appended, I get this in the log output ...
>
> received broken Microsoft ID: FRAGMENTATION
>
> ... and racoon _will_ perform fragmentation.
>
> But when only the vendor hash itself is received without the capability
> value, I get this in the log output ...
>
> received Vendor ID: FRAGMENTATION

It seems we need a minor fix to support that. What software produces this?

--
Emmanuel Dreyfus
A book in French about BSD: http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
From: Matthew G. <mg...@sh...> - 2006-03-14 08:01:34
Emmanuel Dreyfus wrote:

> I'm not aware of any documentation. I implemented the thing by
> engineering exchanges between Cisco VPN client and Cisco VPN 3000.

Alright then. I was using racoon's code as a reference as I could not find any documentation myself.

> It seems we need a minor fix to support that. What software produces
> this?

Well, my IPSEC stack used to only send the vendor id before I figured out that it wasn't working. Now I send the capability info as well. I was trying to implement the feature in the best manner possible. But I have no idea what is good or bad here, I only have the racoon source code, the log output and my interpretation of what it's trying to do. I thought maybe there was some official spec somewhere and racoon was trying to accommodate some broken Microsoft stack. I didn't want to implement my code using the same broken behavior.

If a 4 byte capability value is always expected to follow the fragmentation vendor id, then I don't see why anything needs to be changed in racoon. The log output could be a little more clear though :) If just the vendor id is sent, you get a log output message stating that racoon received the vendor id just like any other vendor id with no error. To me, that would imply that racoon understands that I support fragmentation, but then it doesn't work. But when you send the vendor id plus the capabilities it logs that it received a "broken microsoft" vendor id. To me this would imply that my stack is doing something wrong, but then it works. That's why I was confused and asked for clarification. Sorry if this sounds like static ;)

-Matthew
From: V <ve...@ne...> - 2006-03-15 23:39:31
Hello,

I still have a problem with rekey of xauth, when using 2 vpn connections (1 vpn and 1 psk). So, it is not resolved.

rgds,
V.

> racoon Dev <rac...@ya...> wrote:
>
>> 1. What version of XAUTH does Racoon support?
>
> Partial implementation of latest drafts.
>
>> 2. So does racoon work with the Cisco VPN client? I saw some issues
>> raised in the mail archive, one of which was rekeying. Does rekey still
>> cause problems?
>
> Not as far as I'm aware.
>
>> 3. Has anyone tried it with a Netscreen client?
>
> I think Fred did.
>
>> 4. How does the Racoon ike implementation scale, in the sense that if
>> I were to use it as a VPN concentrator, can it support thousands of ipsec
>> initiators or it was not designed to be used in such a scenario?
>
> Your problem will probably be that the CPU won't be able to cope with
> thousands of initiators at once.
>
>> 5. Does it provide support for SA import/export?
>
> I don't understand this question, but I don't know what I'm talking
> about.
>
> --
> Emmanuel Dreyfus
> A book in French about BSD:
> http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
> ma...@ne...
From: V <ve...@ne...> - 2006-04-07 20:30:33
Hello,

I use 2 VPN connections:
1. Xauth (for connecting to Cisco concentrator)
2. PSK

Xauth connection fails after expire with error:

Apr 7 22:45:05 sms racoon2: INFO: IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=877147657(0x34483609)
Apr 7 22:45:05 sms racoon2: INFO: initiate new phase 2 negotiation: 11.11.11.11[500]<=>22.22.22.22[500]
Apr 7 22:45:05 sms racoon2: WARNING: ignore RESPONDER-LIFETIME notification.
Apr 7 22:45:05 sms racoon2: WARNING: attribute has been modified.
Apr 7 22:45:05 sms racoon2: ERROR: failed to recv from pfkey (Resource temporarily unavailable)
Apr 7 22:45:06 sms racoon2: INFO: IPsec-SA expired: ESP/Tunnel 22.22.22.22[0]->11.11.11.11[0] spi=212605157(0xcac18e5)
Apr 7 22:45:06 sms racoon2: WARNING: the expire message is received but the handler has not been established.
Apr 7 22:45:35 sms racoon2: ERROR: 22.22.22.22 give up to get IPsec-SA due to time up to wait.

Maybe somebody resolved that problem?

regards,
M.
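As an added detection example (not code from the thread or from ipsec-tools), this script reads racoon syslog lines in the format quoted above, pairs each "initiate new phase 2 negotiation" with a later "give up to get IPsec-SA" for the same peer, and reports the failed rekey together with the warnings and errors logged while it was pending. The sample lines are reconstructed from the ones quoted in the message, with the thread's placeholder addresses.

```python
import re
from datetime import datetime

# Constructed sample, rebuilt from the racoon lines quoted in the message.
SAMPLE_LOG = """\
Apr  7 22:45:05 sms racoon2: INFO: IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=877147657(0x34483609)
Apr  7 22:45:05 sms racoon2: INFO: initiate new phase 2 negotiation: 11.11.11.11[500]<=>22.22.22.22[500]
Apr  7 22:45:05 sms racoon2: WARNING: ignore RESPONDER-LIFETIME notification.
Apr  7 22:45:05 sms racoon2: WARNING: attribute has been modified.
Apr  7 22:45:05 sms racoon2: ERROR: failed to recv from pfkey (Resource temporarily unavailable)
Apr  7 22:45:06 sms racoon2: INFO: IPsec-SA expired: ESP/Tunnel 22.22.22.22[0]->11.11.11.11[0] spi=212605157(0xcac18e5)
Apr  7 22:45:06 sms racoon2: WARNING: the expire message is received but the handler has not been established.
Apr  7 22:45:35 sms racoon2: ERROR: 22.22.22.22 give up to get IPsec-SA due to time up to wait.
"""

# syslog prefix: "Mon dd HH:MM:SS host prog: LEVEL: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (\w+): (.*)$")
PH2_START_RE = re.compile(r"initiate new phase 2 negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]")
GIVE_UP_RE = re.compile(r"^(\S+) give up to get IPsec-SA")


def parse_ts(text):
    """Parse a syslog timestamp (no year; only differences are used)."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def find_failed_rekeys(log_text):
    """Return [(peer, seconds_until_give_up, [warnings/errors seen])].

    A phase 2 that starts and is later abandoned with "give up" for the
    same peer is reported as a failed rekey, with every WARNING/ERROR
    logged in between attached as context for troubleshooting.
    """
    pending = {}     # peer -> (start_time, messages collected while waiting)
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        start = PH2_START_RE.search(msg)
        if start:
            pending[start.group(1)] = (ts, [])
            continue
        gave_up = GIVE_UP_RE.match(msg)
        if gave_up and gave_up.group(1) in pending:
            t0, notes = pending.pop(gave_up.group(1))
            failures.append((gave_up.group(1), int((ts - t0).total_seconds()), notes))
            continue
        if level in ("WARNING", "ERROR"):
            for _t0, notes in pending.values():
                notes.append(msg)
    return failures


if __name__ == "__main__":
    for peer, secs, notes in find_failed_rekeys(SAMPLE_LOG):
        print("rekey with %s failed after %ds; %d warnings/errors logged"
              % (peer, secs, len(notes)))
        for n in notes:
            print("   ", n)
```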
From: V <ve...@ne...> - 2006-04-08 09:18:19
Hello,

It seems that sainfo address type does not work correctly in 0.6.5 (CVS).
I used 0.6.2 with config:

sainfo address xx.xx.xx.xx any address yy.yy.yy.yy any

And it worked. When I upgraded to latest CVS version (7th April), I got errors:

ERROR: failed to get sainfo.

I tried to set:

sainfo subnet xx.xx.xx.xx/32 any subnet yy.yy.yy.yy/32 any

And it works with CVS version. So, something is wrong with sainfo "address" type. Could you fix that?

regards,
M.
From: VANHULLEBUS Y. <va...@fr...> - 2006-04-11 16:56:38
On Sat, Apr 08, 2006 at 12:17:11PM +0300, V wrote:

> Hello,
>
> It seems that sainfo address type does not work correctly in 0.6.5 (CVS).
> I used 0.6.2 with config:

Are you sure it is still broken in 0.6.5 ???

> sainfo address xx.xx.xx.xx any address yy.yy.yy.yy any
>
> And it worked. When I upgraded to latest CVS version (7th April), I got
> errors:
>
> ERROR: failed to get sainfo.
>
> I tried to set:
> sainfo subnet xx.xx.xx.xx/32 any subnet yy.yy.yy.yy/32 any
>
> And it works with CVS version. So, something is wrong with sainfo
> "address" type. Could you fix that?

We already reported and fixed a problem with /32 sainfos, afaik, it IS fixed in 0.6.5 (but perhaps still not reported in HEAD...).

I know I have configurations with such /32 sainfos, and those configurations work with 0.6.5.

Yvan.
From: V <ve...@ne...> - 2006-04-13 19:11:57
Hello,

It works with "sainfo subnet /32", but it does not work with "sainfo address IP". But "address IP" is the same as "subnet /32". Or is the "sainfo address" type not supported any more?

regards,
M.

> On Sat, Apr 08, 2006 at 12:17:11PM +0300, V wrote:
>> Hello,
>>
>> It seems that sainfo address type does not work correctly in 0.6.5
>> (CVS).
>> I used 0.6.2 with config:
>
> Are you sure it is still broken in 0.6.5 ???
>
>> sainfo address xx.xx.xx.xx any address yy.yy.yy.yy any
>>
>> And it worked. When I upgraded to latest CVS version (7th April), I got
>> errors:
>>
>> ERROR: failed to get sainfo.
>>
>> I tried to set:
>> sainfo subnet xx.xx.xx.xx/32 any subnet yy.yy.yy.yy/32 any
>>
>> And it works with CVS version. So, something is wrong with sainfo
>> "address" type. Could you fix that?
>
> We already reported and fixed a problem with /32 sainfos, afaik, it IS
> fixed in 0.6.5 (but perhaps still not reported in HEAD...).
>
> I know I have configurations with such /32 sainfos, and those
> configurations work with 0.6.5.
>
> Yvan.
From: Larry B. <la...@gt...> - 2006-05-11 16:10:39
Yvan,

I want to add NAT-T support to the fast ipsec code in FreeBSD 6.1. In recent email to the mailing list, you indicated you were working on this. Have you or anybody else started on this? Assuming not, is the 6.x patch at http://cvs.sourceforge.net/viewcvs.py/ipsec-tools/htdocs/ the best place to start?

Larry

--
Larry Baird                           | http://www.gta.com
Global Technology Associates, Inc.    | Orlando, FL
Email: la...@gt...                   | TEL 407-380-0220, FAX 407-380-6080
From: VANHULLEBUS Y. <va...@fr...> - 2006-05-13 09:29:45
On Thu, May 11, 2006 at 04:10:30PM -0000, Larry Baird wrote:

> Yvan,

Hi.

> I want to add NAT-T support to the fast ipsec code in FreeBSD 6.1.
> In recent email to the mailing list, you indicated you were working
> on this. Have you or anybody else started on this? Assuming not is
> the 6.x patch at http://cvs.sourceforge.net/viewcvs.py/ipsec-tools/htdocs/
> the best place to start?

I'm currently working on reporting Manu's work on NetBSD to FreeBSD 6.1 / 7, and that work is "almost done".

My next step is to report that to FAST_IPSEC, but as some FreeBSD developers are also working on some parts of FAST_IPSEC, I'm trying to synchronize with them.

The "clean and complete" patch for IPSEC / FreeBSD 6.1 should be available during next week, if we are able again to access Sourceforge's CVS and release a 0.6.6 !

Yvan.
From: Eric M. <e-m...@ki...> - 2006-05-13 10:43:07
VANHULLEBUS Yvan <va...@fr...> writes:

Hi,

> My next step is to report that to FAST_IPSEC, but as some FreeBSD
> developers are also working on some parts of FAST_IPSEC, I'm trying
> to synchronize with them.

Nice.

> The "clean and complete" patch for IPSEC / FreeBSD 6.1 should be
> available during next week, if we are able again to access
> Sourceforge's CVS and release a 0.6.6 !

Great, thanks for your work.

Éric

--
Hello, I bought myself a webcam and so installed Netmeeting 2.11. Since then, .... NOTHING. How can I hope to contact anyone through netmeeting? Do I need to register with a server? Help!
-+- GS in GNU: And did you think of taking the cap off the lens? -+-