From: Peter E. <pe...@bo...> - 2006-06-29 23:43:48
I've recently upgraded from NetBSD 2.0 to 3.0 and with it came 0.6.3. A peer
that I could initiate to before now rejects me. Neither side's config has
changed. My side bundles up the phase 2 proposal and fires it off. The peer
(cisco) responds with:

...
2006-06-29 18:17:36: DEBUG: begin.
2006-06-29 18:17:36: DEBUG: seen nptype=8(hash)
2006-06-29 18:17:36: DEBUG: seen nptype=1(sa)
2006-06-29 18:17:36: DEBUG: seen nptype=10(nonce)
2006-06-29 18:17:36: DEBUG: seen nptype=4(ke)
2006-06-29 18:17:36: DEBUG: seen nptype=5(id)
2006-06-29 18:17:36: DEBUG: seen nptype=5(id)
2006-06-29 18:17:36: DEBUG: seen nptype=11(notify)
2006-06-29 18:17:36: DEBUG: succeed.
2006-06-29 18:17:36: ERROR: mismatched ID was returned.
Jun 29 18:17:36 adder racoon: 2006-06-29 18:17:36: ERROR: mismatched ID was returned.

The proposal that goes out looks like (the best that I can tell from the
debug):

2006-06-29 18:17:36: DEBUG: use local ID type IPv4_subnet
2006-06-29 18:17:36: DEBUG: use remote ID type IPv4_subnet
2006-06-29 18:17:36: DEBUG: IDci:
2006-06-29 18:17:36: DEBUG: 04000000 ce092200 ffffff00
2006-06-29 18:17:36: DEBUG: IDcr:
2006-06-29 18:17:36: DEBUG: 04000000 0a840aba ffffffff
2006-06-29 18:17:36: DEBUG: add payload of len 324, next type 10
2006-06-29 18:17:36: DEBUG: add payload of len 16, next type 4
2006-06-29 18:17:36: DEBUG: add payload of len 128, next type 5
2006-06-29 18:17:36: DEBUG: add payload of len 12, next type 5
2006-06-29 18:17:36: DEBUG: add payload of len 12, next type 0

The relevant portions of the racoon.conf are:

...
remote <them> {
    exchange_mode main ;
    lifetime time 24 hour ;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
...

sainfo address <my-net> any address <them-net> any {
    pfs_group 2;
    lifetime time 8 hour ;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael, aes ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

sainfo address <them-net> any address <my-net> any {
    pfs_group 2;
    lifetime time 8 hour ;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael, aes ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
...

Any ideas?

Thanks,

peter
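The IDci/IDcr hex in the debug output above can be decoded with this added script (not part of the post or of ipsec-tools). It assumes racoon prints the ID payload body with the 4-byte generic payload header already stripped, so each 12-byte body matches the "add payload of len 12" lines, and the byte-for-byte comparison in ids_match is an assumption about what the "mismatched ID" check amounts to, not taken from racoon's source.

```python
# Added decoder for the IPsec-DOI Identification payload bodies that racoon
# dumps as "IDci:" / "IDcr:" at debug level (example code, not ipsec-tools').
import ipaddress
import struct

# Identification types from RFC 2407, section 4.6.2.1
ID_TYPES = {
    1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
    5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 7: "IPV4_ADDR_RANGE",
    8: "IPV6_ADDR_RANGE", 9: "DER_ASN1_DN", 10: "DER_ASN1_GN", 11: "KEY_ID",
}

def decode_id_body(hexdump):
    """Decode an ID payload body as racoon prints it (assumed: generic
    payload header already stripped): id_type(1) protocol_id(1) port(2)
    followed by the type-specific identification data."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("ID body shorter than its 4-byte fixed part")
    id_type, proto, port = struct.unpack("!BBH", raw[:4])
    data = raw[4:]
    out = {"type": ID_TYPES.get(id_type, "UNKNOWN(%d)" % id_type),
           "proto": proto, "port": port}
    if id_type in (1, 5):                 # single address
        out["selector"] = str(ipaddress.ip_address(data))
    elif id_type in (4, 6):               # address followed by a netmask
        half = len(data) // 2
        addr = str(ipaddress.ip_address(data[:half]))
        mask = str(ipaddress.ip_address(data[half:]))
        # strict=False tolerates host bits under the mask so the decoder
        # still shows what was sent; a peer may of course reject such an ID
        out["selector"] = str(ipaddress.ip_network((addr, mask), strict=False))
    elif id_type in (7, 8):               # inclusive low..high address range
        half = len(data) // 2
        out["selector"] = "%s-%s" % (ipaddress.ip_address(data[:half]),
                                     ipaddress.ip_address(data[half:]))
    elif id_type in (2, 3):               # FQDN / user@FQDN, plain text
        out["selector"] = data.decode("ascii", "replace")
    else:                                 # DN, GN, KEY_ID: leave as hex
        out["selector"] = data.hex()
    return out

def ids_match(sent_hex, returned_hex):
    """Byte-for-byte check of a returned ID against the one sent (assumed
    here to be what a 'mismatched ID was returned' check amounts to)."""
    norm = lambda h: bytes.fromhex(h.replace(" ", ""))
    return norm(sent_hex) == norm(returned_hex)

# The two ID bodies copied from the debug output in the post above
IDCI = "04000000 ce092200 ffffff00"
IDCR = "04000000 0a840aba ffffffff"

if __name__ == "__main__":
    for label, body in (("IDci", IDCI), ("IDcr", IDCR)):
        print(label, decode_id_body(body))
```

Decoding shows IDci as a /24 subnet ID and IDcr as a single host (/32) carried in the IPV4_ADDR_SUBNET form, which is worth comparing against the IDs the peer returns in its response.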
From: <ma...@ne...> - 2006-06-30 11:07:24
Peter Eisch <pe...@bo...> wrote:

> I've recently upgraded from NetBSD 2.0 to 3.0 and with it came 0.6.3. A
> peer that I could initiate to before now rejects me. Neither side's config
> has changed.

You were using KAME racoon that came built-in with NetBSD 2.0, or you
installed an ipsec-tools release?

On NetBSD 3.0, if you try to install a newer ipsec-tools release, does it
fix your problem?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Peter E. <pe...@bo...> - 2006-06-30 13:00:13
On 6/30/06 6:07 AM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

> Peter Eisch <pe...@bo...> wrote:
>
>> I've recently upgraded from NetBSD 2.0 to 3.0 and with it came 0.6.3. A
>> peer that I could initiate to before now rejects me. Neither side's config
>> has changed.
>
> You were using KAME racoon that came built-in with NetBSD 2.0, or you
> installed an ipsec-tools release?
>

When I, at one point, tried to use the pkgsrc ipsec-tools I saw this same
problem, had a snit with tron and rolled back to the KAME set.

> On NetBSD 3.0, if you try to install a newer ipsec-tools release, does
> it fix your problem?

It looked like the pkgsrc version was the same as what is in 3.0 (0.6.3) so
I haven't tried that yet. I'm only hesitant of going outside of bundled and
pkgsrc because I have less-savvy people as support backups -- I'd have to
symlink everything to keep them effective.

Late last night my "peer" emailed:

> This is the error message I got in my log:
>
> 1201 06/29/2006 19:29:49.730 SEV=5 IKE/75 RPT=1758 <my-addr>
> Group [<my-addr>]
> Overriding Initiator's IPSec rekeying duration from 43200 to 28800
> seconds
>
> 1203 06/29/2006 19:29:49.800 SEV=5 IKE/68 RPT=80 <my-addr>
> Group [<my-addr>]
> Received non-routine Notify message: Attributes not supported (13)
>
> After some research and checking RFC 2409, it seems this might have
> something to do with the Perfect Forward Secrecy group value.

While not pertinent to the error, we think, the rekeying message is
interesting. We're both set to 8 hours, but it seems that my side is
proposing something other than 28800, the 43200. I'm not sure where that
number comes from. The Attribute message is the one that gets logged before
it then shuts down the session.

Thanks Manu,

peter
From: Emmanuel D. <ma...@ne...> - 2006-06-30 13:09:57
On Fri, Jun 30, 2006 at 08:00:02AM -0500, Peter Eisch wrote:

> It looked like the pkgsrc version was the same as what is in 3.0
> (0.6.3) so I haven't tried that yet. I'm only hesitant of going outside of
> bundled and pkgsrc because I have less-savvy people as support backups --
> I'd have to symlink everything to keep them effective.

If that can help, I can upgrade pkgsrc :-)
But it would be nice to spot the problem first.

> Thanks Manu,

I'll be AFK for 3 days starting tomorrow morning. Don't hesitate to ask me
again about the issue if I don't catch up with it when I'm back (getting
online again, being flooded by the incoming mail, you have the picture).

--
Emmanuel Dreyfus
ma...@ne...
From: Peter E. <pe...@bo...> - 2006-06-30 13:39:57
On 6/30/06 8:09 AM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

> On Fri, Jun 30, 2006 at 08:00:02AM -0500, Peter Eisch wrote:
>> It looked like the pkgsrc version was the same as what is in 3.0
>> (0.6.3) so I haven't tried that yet. I'm only hesitant of going outside of
>> bundled and pkgsrc because I have less-savvy people as support backups --
>> I'd have to symlink everything to keep them effective.
>
> If that can help, I can upgrade pkgsrc :-)
> But it would be nice to spot the problem first.
>

I'm now building/installing 0.6.6 with:

./configure --enable-frag --enable-hybrid --enable-adminport --enable-dpd --enable-natt=kernel --with-libradius

adder# /usr/local/sbin/racoon -dddF
Foreground mode.
2006-06-30 08:35:21: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-06-30 08:35:21: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-06-30 08:35:21: DEBUG: call pfkey_send_register for AH
2006-06-30 08:35:21: DEBUG: call pfkey_send_register for ESP
2006-06-30 08:35:21: DEBUG: call pfkey_send_register for IPCOMP
racoon: failed to parse configuration file.
2006-06-30 08:35:21: ERROR: glob found no matches for path

<poof> it's dead. [full config emailed to manu privately]

I'm back to the bundled 0.6.3.

peter
From: Emmanuel D. <ma...@ne...> - 2006-06-30 13:41:26
On Fri, Jun 30, 2006 at 08:39:49AM -0500, Peter Eisch wrote:

> racoon: failed to parse configuration file.
> 2006-06-30 08:35:21: ERROR: glob found no matches for path
>
> <poof> it's dead. [full config emailed to manu privately]

That probably means it did not find the config file where expected. It
looks for it in the directory you gave as --sysconfdir to configure, or in
/usr/local/etc if you supplied nothing.

--
Emmanuel Dreyfus
ma...@ne...
From: Peter E. <pe...@bo...> - 2006-06-30 15:11:51
On 6/30/06 8:41 AM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

> On Fri, Jun 30, 2006 at 08:39:49AM -0500, Peter Eisch wrote:
>> racoon: failed to parse configuration file.
>> 2006-06-30 08:35:21: ERROR: glob found no matches for path
>>
>> <poof> it's dead. [full config emailed to manu privately]
>
> That probably means it did not find the config file where
> expected. it looks for it in the directory you gave as
> --sysconfdir to configure, or in /usr/local/etc if you supplied
> nothing.

Yep, I had copied -rp /etc/racoon into /usr/local/etc/racoon so it couldn't
find the conf file. Couldn't a "no racoon.conf found" message make more
sense there? Anyway, my bad.

Right now all the peers are up and I'm waiting for my window to slide this
in.

peter
From: <ma...@ne...> - 2006-06-30 19:33:58
Peter Eisch <pe...@bo...> wrote:

> Yep, I had copied -rp /etc/racoon into /usr/local/etc/racoon so it couldn't
> find the conf file.

You could have just made a link to racoon.conf, that's enough.

> Couldn't a "no racoon.conf found" message make more
> sense there? Anyway, my bad.

You're absolutely right, this ought to be fixed.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Peter E. <pe...@bo...> - 2006-07-01 00:26:51
On 6/30/06 2:34 PM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

> Peter Eisch <pe...@bo...> wrote:
>
>> Yep, I had copied -rp /etc/racoon into /usr/local/etc/racoon so it couldn't
>> find the conf file.
>
> You could have just made a link to racoon.conf, that's enough.
>

'tis true. I just rebuilt with the NetBSD-ish sysconfdir/statedir vals.

It took a while, but I have been able to trap a debug log of the session
wedging with 0.6.6. It's attached. The neat thing is that even if I do a
"racoonctl vd <peer-addr>" it says that it's flushing the keys, but even
when they initiate at this point we get to start phase 2 and it too hangs
with the same problem. While it's doing this I can: "racoonctl show-sa esp"
and get:

...
adder# /usr/local/sbin/racoonctl show-sa esp
...
<my-addr> <peer-addr>
    esp mode=tunnel spi=115265397(0x06decf75) reqid=0(0x00000000)
    E: 3des-cbc 597694d6 c28d4fd1 750c4c16 deb39033 8a400482 fce3d166
    A: hmac-md5 a0ce0ff1 688bcd49 bd762a56 34ad373b
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:04:00 2006  current: Jun 30 19:13:52 2006
    diff: 592(s)  hard: 28800(s)  soft: 23040(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=15 pid=2868 refcnt=1
<my-addr> <peer-addr>
    esp mode=tunnel spi=825946560(0x313af1c0) reqid=0(0x00000000)
    E: 3des-cbc 08083088 5e03db3b 1f73ea82 6be7c66f 8983f290 10def616
    A: hmac-md5 d7a96eeb cdb8a62b ee43c69e c32bdda9
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:03:11 2006  current: Jun 30 19:13:52 2006
    diff: 641(s)  hard: 28800(s)  soft: 23040(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=14 pid=2868 refcnt=1
<my-addr> <peer-addr>
    esp mode=tunnel spi=739174988(0x2c0eea4c) reqid=0(0x00000000)
    E: 3des-cbc db7bb4d7 0fca1275 13bb4909 e28ff551 abc74093 40f7f480
    A: hmac-md5 522dd74e 4c8c8110 9dbead1a b0104a3a
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:01:34 2006  current: Jun 30 19:13:52 2006
    diff: 738(s)  hard: 28800(s)  soft: 23040(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=13 pid=2868 refcnt=1
<my-addr> <peer-addr>
    esp mode=tunnel spi=1504605477(0x59ae7525) reqid=0(0x00000000)
    E: 3des-cbc 67c5fec7 b91c5778 c1d6e934 fa37a941 8ec85b18 63b49e81
    A: hmac-md5 31441dc7 9c34618b d0965414 793c5ca4
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:00:02 2006  current: Jun 30 19:13:52 2006
    diff: 830(s)  hard: 28800(s)  soft: 23040(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=12 pid=2868 refcnt=1
<my-addr> <peer-addr>
    esp mode=tunnel spi=1305032725(0x4dc93815) reqid=0(0x00000000)
    E: 3des-cbc c81ef71e c479d4ee 07f5180e 37dfb49a 7313cc7d bce41171
    A: hmac-md5 e5dcbeb2 a949e316 0b9acdd3 a65381d0
    seq=0x0000011b replay=4 flags=0x00000000 state=mature
    created: Jun 30 18:55:03 2006  current: Jun 30 19:13:52 2006
    diff: 1129(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 19:13:40 2006  hard: 0(s)  soft: 0(s)
    current: 106136(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 283  hard: 0  soft: 0
    sadb_seq=11 pid=2868 refcnt=2
<peer-addr> <my-addr>
    esp mode=tunnel spi=266855192(0x0fe7e318) reqid=0(0x00000000)
    E: 3des-cbc a4336d44 163b95e0 2c9859e6 e63f5d8c 0d5fc9ce 791126ca
    A: hmac-md5 a1c44635 f2c5e4cc 1838b8c3 fc76f8d5
    seq=0x00000018 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:04:00 2006  current: Jun 30 19:13:52 2006
    diff: 592(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 19:13:40 2006  hard: 0(s)  soft: 0(s)
    current: 1456(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 24  hard: 0  soft: 0
    sadb_seq=10 pid=2868 refcnt=1
<peer-addr> <my-addr>
    esp mode=tunnel spi=257996556(0x0f60b70c) reqid=0(0x00000000)
    E: 3des-cbc 8f0d214f 7c13d802 dbdff429 052be31f d7e87e6f ee51b7e8
    A: hmac-md5 e92942bd 4b4719f0 8b1bf2c5 cba157b1
    seq=0x00000005 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:03:11 2006  current: Jun 30 19:13:52 2006
    diff: 641(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 19:03:54 2006  hard: 0(s)  soft: 0(s)
    current: 300(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 5  hard: 0  soft: 0
    sadb_seq=9 pid=2868 refcnt=1
<peer-addr> <my-addr>
    esp mode=tunnel spi=70046402(0x042cd2c2) reqid=0(0x00000000)
    E: 3des-cbc 6f030ad1 70975ed3 3deb19f5 807f13b2 dc00422c 20400802
    A: hmac-md5 07a98f99 d9f61228 1f27ed4b 56598cf7
    seq=0x00000004 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:01:34 2006  current: Jun 30 19:13:52 2006
    diff: 738(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 19:02:47 2006  hard: 0(s)  soft: 0(s)
    current: 240(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 4  hard: 0  soft: 0
    sadb_seq=8 pid=2868 refcnt=1
<peer-addr> <my-addr>
    esp mode=tunnel spi=105737958(0x064d6ee6) reqid=0(0x00000000)
    E: 3des-cbc 22ce9dee 141ce042 b9d0616e bdfe256d 546ae084 f3aea21f
    A: hmac-md5 449dd278 54ce388b 431003bd 59ef0eae
    seq=0x00000004 replay=4 flags=0x00000000 state=mature
    created: Jun 30 19:00:02 2006  current: Jun 30 19:13:52 2006
    diff: 830(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 19:00:45 2006  hard: 0(s)  soft: 0(s)
    current: 240(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 4  hard: 0  soft: 0
    sadb_seq=7 pid=2868 refcnt=1
<peer-addr> <my-addr>
    esp mode=tunnel spi=120152780(0x072962cc) reqid=0(0x00000000)
    E: 3des-cbc f74c8bef c13eb466 4202a48b 7112ac40 eccc3d5a d7c28b0d
    A: hmac-md5 1b814848 5d7b0590 85e9ebcc 3540e585
    seq=0x00000068 replay=4 flags=0x00000000 state=mature
    created: Jun 30 18:55:03 2006  current: Jun 30 19:13:52 2006
    diff: 1129(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 30 18:58:07 2006  hard: 0(s)  soft: 0(s)
    current: 16672(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 104  hard: 0  soft: 0
    sadb_seq=6 pid=2868 refcnt=1
...
Invalid sadb message
adder#

Anyway, I can't get the peer back up at all, even with the command
"racoonctl flush-sa ipsec", and I have to literally flush and load ipsec
_and_ racoon. Racoon will even keep ACK'ing DPD queries for entries that I
know have been flushed. Once I stop racoon, stop ipsec, start ipsec and
restart racoon, the troubled peer comes right up _only_ if they initiate.

I'm open to ideas, thoughts and suggestions. My windows of when I can
test/tamper are controlled significantly in that this is a production
system. Our customers go home at night though.

Thanks,

peter
From: Peter E. <pe...@bo...> - 2006-07-01 01:19:22
Perhaps useful: I removed the lifetime parameter from the sainfo config and
I can now initiate successfully. Remember that we're both configured for 8
hours, but the cisco is seeing 43200 from me instead of the 28800 it should
be.

Anyone seen this before?
From: Peter E. <pe...@bo...> - 2006-07-01 12:40:08
Never mind my optimism, rekeying permanently wedges the peer with 0.6.6.
I'm back to 0.6.3 I guess.