Thread: [Ipsec-tools-devel] [ANNOUNCE] Ipsec-tools 0.7-beta3 released
From: VANHULLEBUS Y. <va...@fr...> - 2007-04-04 07:35:33
Hi all.

Ipsec-tools 0.7 Beta3 is out, with a few fixes since Beta2.

Archive is available here
http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.7-beta3.tar.bz2
and here
ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-0.7-beta3.tar.bz2
(please have a look at http://www.netbsd.org/mirrors/#ftp).

There is one known issue still present in this version: sainfo search does not check protocols, this should be fixed today or tomorrow.

Please report to us any other issue you found on this Beta, and please also remind us of any pending patch still not reported.

Yvan, ipsec-tools developer team.

_______________________________________________
Ipsec-tools-devel mailing list
Ips...@li...
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
From: Peter E. <pe...@bo...> - 2007-04-04 22:12:26
I don't recall having this issue with 0.7-beta as of 2 Jan, but on my netbsd-3-1 system built from the recent tarball posted earlier today configured with:

vpn# ./configure --enable-frag --enable-hybrid --enable-adminport --enable-dpd --enable-natt=kernel --enable-stats --with-libradius=/usr/pkg --sysconfdir=/etc/racoon --localstatedir=/var --with-libldap=/usr/pkg --enable-fastquit

I'm getting when it goes to link racoon:

isakmp_xauth.o(.text+0x792): In function `xauth_radius_init':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:473: undefined reference to `rad_auth_open'
isakmp_xauth.o(.text+0x7a6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:479: undefined reference to `rad_config'
isakmp_xauth.o(.text+0x7bb):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:480: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x7f5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:483: undefined reference to `rad_close'
isakmp_xauth.o(.text+0x846):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:455: undefined reference to `rad_auth_open'
isakmp_xauth.o(.text+0x85a):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:461: undefined reference to `rad_config'
isakmp_xauth.o(.text+0x873):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:462: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x8ad):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:465: undefined reference to `rad_close'
isakmp_xauth.o(.text+0x8f1): In function `xauth_login_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:503: undefined reference to `rad_create_request'
isakmp_xauth.o(.text+0x90d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:510: undefined reference to `rad_put_string'
isakmp_xauth.o(.text+0x929):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:517: undefined reference to `rad_put_string'
isakmp_xauth.o(.text+0x965):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:527: undefined reference to `rad_send_request'
isakmp_xauth.o(.text+0x9c1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:558: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0x9fd):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:529: undefined reference to `rad_get_attr'
isakmp_xauth.o(.text+0xa59):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:538: undefined reference to `rad_cvt_addr'
isakmp_xauth.o(.text+0xa85):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:532: undefined reference to `rad_cvt_addr'
isakmp_xauth.o(.text+0xaa4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:518: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0xace):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:511: undefined reference to `rad_strerror'
isakmp_xauth.o(.text+0xaf8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_xauth.c:504: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x1e8e): In function `isakmp_cfg_accounting_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1509: undefined reference to `rad_acct_open'
isakmp_cfg.o(.text+0x1ea6):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1515: undefined reference to `rad_config'
isakmp_cfg.o(.text+0x1ec1):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1525: undefined reference to `rad_create_request'
isakmp_cfg.o(.text+0x1ee4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1533: undefined reference to `rad_put_string'
isakmp_cfg.o(.text+0x1f3c):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1553: undefined reference to `rad_put_addr'
isakmp_cfg.o(.text+0x1f5e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1561: undefined reference to `rad_put_addr'
isakmp_cfg.o(.text+0x1f78):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1569: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x1fb4):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1580: undefined reference to `rad_send_request'
isakmp_cfg.o(.text+0x1fd5):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1581: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2016):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1570: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x203d):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1563: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2064):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1555: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x208e):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1535: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x20b8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1527: more undefined references to `rad_strerror' follow
isakmp_cfg.o(.text+0x211c): In function `isakmp_cfg_accounting_radius':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1519: undefined reference to `rad_close'
isakmp_cfg.o(.text+0x21bb): In function `isakmp_cfg_radius_common':
/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1622: undefined reference to `rad_put_addr'
isakmp_cfg.o(.text+0x21d2):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1629: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x21e8):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1636: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x21fa):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1643: undefined reference to `rad_put_int'
isakmp_cfg.o(.text+0x2213):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1644: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2251):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1637: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2273):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1630: undefined reference to `rad_strerror'
isakmp_cfg.o(.text+0x2295):/home/peter/ipsec-tools-0.7-beta3/src/racoon/isakmp_cfg.c:1623: undefined reference to `rad_strerror'
*** Error code 1

Relevant packages built from recent (within the last week) pkgsrc:

freeradius-1.1.4        Free RADIUS server implementation
m4-1.4.8                GNU version of UNIX m4 macro language processor
autoconf-2.61           Generates automatic source code configuration scripts
automake-1.10           GNU Standards-compliant Makefile generator
libtool-base-1.5.22nb4  Generic shared library support script (the script itself)
openldap-client-2.3.31  Lightweight Directory Access Protocol libraries and client programs

I had the same result with --with-libradius though I'm wondering if that discovers /usr/pkg/'s libradius instead of defaulting to the internal libradius.

peter
From: Peter E. <pe...@bo...> - 2007-04-05 01:41:11
I uninstalled the freeradius and reconfigured and then it built fine.

Is there a better, more compatible, radius package? The goal is to be able to auth to a radius server with this build. Is building racoon without a modern radius lib sufficient to work? (eg, I'll reinstall freeradius now that racoon is built)

peter

On 4/4/07 5:12 PM, "Peter Eisch" <pe...@bo...> wrote:
> [...]
From: <ma...@ne...> - 2007-04-05 04:35:26
Peter Eisch <pe...@bo...> wrote:

> I uninstalled the freeradius and reconfigured and then it built fine.
>
> Is there a better, more compatible, radius package? The goal is to be able
> to auth to a radius server with this build. Is building racoon without a
> modern radius lib sufficient to work? (eg, I'll reinstall freeradius now
> that racoon is built)

I used to use libradius from http://portal-to-web.de/tacacs/ and it worked fine. What radius library were you using?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Peter E. <pe...@bo...> - 2007-04-05 04:56:37
On 4/4/07 11:36 PM, "Emmanuel Dreyfus" <ma...@ne...> wrote:

>> I uninstalled the freeradius and reconfigured and then it built fine.
>>
>> Is there a better, more compatible, radius package? The goal is to be able
>> to auth to a radius server with this build. Is building racoon without a
>> modern radius lib sufficient to work? (eg, I'll reinstall freeradius now
>> that racoon is built)
>
> I used to use libradius from http://portal-to-web.de/tacacs/ and it
> worked fine. What radius library were you using?

pkgsrc/net/freeradius (1.1.4)

I don't need racoon to link to it, but so long as I can auth against it I'm fine. Using the internal libradius auth's fine against other systems, including win2k, so it might be handy to just note somewhere that it can't use it for its radius interface.

Thanks,

peter
From: <ma...@ne...> - 2007-04-05 05:37:22
Peter Eisch <pe...@bo...> wrote:

> > I used to use libradius from http://portal-to-web.de/tacacs/ and it
> > worked fine. What radius library were you using?
>
> pkgsrc/net/freeradius (1.1.4)

The one I use is available from pkgsrc/net/libradius

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Milan P. S. <mp...@os...> - 2007-04-06 10:20:22
Attachments:
racoon-supervise.patch
On Wed, Apr 04, 2007 at 09:35:24AM +0200, VANHULLEBUS Yvan wrote:
> Ipsec-tools 0.7 Beta3 is out, with a few fixes since Beta2.
[...]
> Please report to us any other issue you found on this Beta, and please
> also remind us of any pending patch still not reported.

What is with the patch which allows racoon to run under daemontools or runit I posted a month ago? Here it is again in case you lost it.

Best regards
From: Tore A. <to...@li...> - 2007-05-30 11:36:27
* VANHULLEBUS Yvan

> Please report to us any other issue you found on this Beta, and please
> also remind us of any pending patch still not reported.

Finally got around to upgrading, and it seems to have solved a problem I've had where peer-requested SA removal simply didn't happen. Yay!

I still have some interop problems with Cisco and Nortel boxes, though. Sometimes traffic is interrupted and the only way to fix it is to manually remove all outbound SAs to that peer. It appears to happen at the same time messages such as these appear in the log:

DEBUG: ===
DEBUG: 84 bytes message received from peer.peer.peer.peer[500] to me.me.me.me[500]
DEBUG: 601220a3 7d22dba9 8621d875 3fb759f8 08100501 87cc1679 00000054 a7a36c4c d1b4eccd 031a90fe e80e85e2 7a47bb02 0afaf139 c5f5b6c7 5fed5238 4b96643f 3afd5b03 cc5a072b 5f3b3be7 d50ef9ec 9a1223fe
ERROR: unknown Informational exchange received.

However, since racoon doesn't dump the decrypted payload to the log I'm stuck and can't debug it further as I have no idea what my peers are trying to tell me. :-( Is there any hope that such debug output may be added to the next beta?

Regards
--
Tore Anderson
From: Tore A. <to...@li...> - 2007-05-30 16:02:28
Another thing I noticed - when using "proposal_check exact" I get the following in my logs:

ERROR: lifebyte mismatched: my:2147483647 peer:4608000
ERROR: not matched
ERROR: no suitable policy found.
ERROR: failed to pre-process packet.

Does racoon really propose 2G-1 as lifebyte, or is it the proposal matching function that's defective? I'd like to not use lifebyte at all, but as far as I can see there's no way to specify it in the configuration file. I assumed it would be proposed as 0...

Also, the bug about INITIAL-CONTACT being ignored because it's falsely assumed to be before phase2 (SF #1705814) is still causing problems with this beta. :-(

By the way, does anyone know how to determine what lifetime racoon ends up using for a phase1 SA? racoonctl show-sa isakmp only shows the creation date it seems.

Regards
--
Tore Anderson
From: VANHULLEBUS Y. <va...@fr...> - 2007-05-31 09:00:36
On Wed, May 30, 2007 at 01:36:19PM +0200, Tore Anderson wrote:
[....]
> I still have some interop problems with Cisco and Nortel boxes,
> though. Sometimes traffic is interrupted and the only way to fix it is
> to manually remove all outbound SAs to that peer. It appears to
> happen at the same time messages such as these appear in the log:
>
> DEBUG: ===
> DEBUG: 84 bytes message received from peer.peer.peer.peer[500] to me.me.me.me[500]
> DEBUG: 601220a3 7d22dba9 8621d875 3fb759f8 08100501 87cc1679 00000054 a7a36c4c d1b4eccd 031a90fe e80e85e2 7a47bb02 0afaf139 c5f5b6c7 5fed5238 4b96643f 3afd5b03 cc5a072b 5f3b3be7 d50ef9ec 9a1223fe
> ERROR: unknown Informational exchange received.
>
> However, since racoon doesn't dump the decrypted payload to the log
> I'm stuck and can't debug it further as I have no idea what my peers
> are trying to tell me. :-( Is there any hope that such debug output
> may be added to the next beta?

"unknown informational exchange" means racoon didn't find the PH1 handler (so the IsakmpSA) used to protect the informational message....

So there is no way to dump an unencrypted version of something crypted with a key we don't have !!!!!

Yvan.
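Added example (not part of the thread, and not racoon's code): decoding the cleartext ISAKMP header (RFC 2408, section 3.1) of the datagram Tore logged shows what can still be read when the body cannot be decrypted. `find_phase1` and its table are a hypothetical, simplified model of the PH1 handler lookup Yvan describes.

```python
import struct
from dataclasses import dataclass

# Hex dump exactly as quoted in Tore's log excerpt (84 bytes received on UDP/500).
LOGGED_DUMP = """
601220a3 7d22dba9 8621d875 3fb759f8 08100501 87cc1679 00000054
a7a36c4c d1b4eccd 031a90fe e80e85e2 7a47bb02 0afaf139 c5f5b6c7
5fed5238 4b96643f 3afd5b03 cc5a072b 5f3b3be7 d50ef9ec 9a1223fe
"""

# Header layout: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (all network byte order).
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PAYLOAD_TYPES = {0: "None", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "Notification", 12: "Delete", 13: "Vendor ID"}
FLAG_ENCRYPTED = 0x01


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_cookie: str
    responder_cookie: str
    next_payload: str
    version: str
    exchange: str
    encrypted: bool
    message_id: int
    length: int
    body_len: int


def parse_isakmp_header(hexdump: str) -> IsakmpHeader:
    """Decode the 28-byte cleartext header of a logged ISAKMP datagram."""
    data = bytes.fromhex("".join(hexdump.split()))
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes captured")
    return IsakmpHeader(
        initiator_cookie=icky.hex(),
        responder_cookie=rcky.hex(),
        next_payload=PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"),
        version=f"{ver >> 4}.{ver & 0x0F}",
        exchange=EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        encrypted=bool(flags & FLAG_ENCRYPTED),
        message_id=msgid,
        length=length,
        body_len=length - HEADER.size,
    )


def find_phase1(hdr: IsakmpHeader, phase1_table: dict):
    """Hypothetical model of the PH1 lookup: the cookie pair is the only key.
    No entry means no key material, so the body stays opaque."""
    return phase1_table.get((hdr.initiator_cookie, hdr.responder_cookie))


if __name__ == "__main__":
    hdr = parse_isakmp_header(LOGGED_DUMP)
    print(hdr)
    # Constructed table: empty, as if the ISAKMP SA no longer exists locally.
    if hdr.encrypted and find_phase1(hdr, {}) is None:
        print(f"no ISAKMP SA for {hdr.initiator_cookie}:{hdr.responder_cookie}; "
              f"{hdr.body_len} encrypted bytes cannot be decoded")
```

For the dump in the thread this gives an encrypted Informational exchange whose first payload is HASH, followed by 56 bytes of ciphertext; the cookie pair is the value to compare against the ISAKMP SAs the local side still holds.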
From: Tore A. <to...@li...> - 2007-05-31 10:21:47
* VANHULLEBUS Yvan

> "unknown informational exchange" means racoon didn't find the PH1
> handler (so the IsakmpSA) used to protect the informational
> message....
>
> So there is no way to dump an unencrypted version of something
> crypted with a key we don't have !!!!!

Yes, I've just realised this. First I thought the message meant that racoon received a notify message of an unknown type, but that was very wrong. The problem, it seems, was due to the Nortel defaulting to having a (possibly) infinite lifetime for the ISAKMP SA while racoon expired it after eight hours. I've just posted a (hopefully) better analysis, I'd appreciate it if you took a look at it.

Apologies for the noise about this non-bug.

--
Tore Anderson
From: VANHULLEBUS Y. <va...@fr...> - 2007-05-31 08:58:18
On Wed, May 30, 2007 at 06:02:22PM +0200, Tore Anderson wrote:

Hi.

> Another thing I noticed - when using "proposal_check exact" I get the
> following in my logs:
>
> ERROR: lifebyte mismatched: my:2147483647 peer:4608000
> ERROR: not matched
> ERROR: no suitable policy found.
> ERROR: failed to pre-process packet.
>
> Does racoon really propose 2G-1 as lifebyte, or is it the proposal
> matching function that's defective? I'd like to not use lifebyte at
> all, but as far as I can see there's no way to specify it in the
> configuration file. I assumed it would be proposed as 0...

Lifebyte is deprecated, and cannot be configured anymore.

I recently had another issue with that (when revalidating conf after a SIGHUP), which should be fixed by simply ignoring lifebyte.

I guess we should simply discard anything related to lifebyte, but I'm not sure it won't cause problems with some peers that set up a value for lifebyte...

Did your peer really send a proposal with a lifebyte of 4,5 Mb, or is this another lifebyte related bug/issue/problem on ipsec-tool's side ?

And was your peer an ipsec-tools's racoon (in which version ?) or "something else" ?

Yvan.
From: Tore A. <to...@li...> - 2007-06-04 09:33:55
* VANHULLEBUS Yvan

> I guess we should simply discard anything related to lifebyte, but I'm
> not sure it won't cause problems with some peers that set up a value
> for lifebyte...
>
> Did your peer really send a proposal with a lifebyte of 4,5 Mb, or is
> this another lifebyte related bug/issue/problem on ipsec-tool's side ?
>
> And was your peer an ipsec-tools's racoon (in which version ?) or
> "something else" ?

The peer is a Cisco ASA with OS version 7.2.2, and it really did propose a lifebyte of 4.5 MB. According to my client it's not possible to disable this completely. I'm using racoon 0.7-beta3.

However I'm more concerned about the racoon part of the log message. If racoon proposes a lifebyte of 2GB, but sets up the IPSEC SAs without any lifebyte, won't that cause the peer to expire those SAs prematurely if 2GB is transferred before the lifetime has elapsed? And won't that cause connectivity problems?

I think this might have been the trouble I had speaking to this device. At apparently random intervals the Cisco would send me a delete SA notification (delete SA didn't work with 0.6.6 so connectivity was interrupted). I believe that was due to the 4.5 MB limit being hit, the Cisco apparently thought we'd agreed to such a lifebyte.

--
Tore Anderson
From: Jefferson L. F. <fr...@gm...> - 2012-09-03 18:20:11
Tore Anderson <tore@...> writes:

>
> * VANHULLEBUS Yvan
>
> > I guess we should simply discard anything related to lifebyte, but I'm
> > not sure it won't cause problems with some peers that set up a value
> > for lifebyte...
> >
> > Did your peer really send a proposal with a lifebyte of 4,5 Mb, or is
> > this another lifebyte related bug/issue/problem on ipsec-tool's side ?
> >
> > And was your peer an ipsec-tools's racoon (in which version ?) or
> > "something else" ?
>
> The peer is a Cisco ASA with OS version 7.2.2, and it really did
> propose a lifebyte of 4.5 MB. According to my client it's not possible
> to disable this completely. I'm using racoon 0.7-beta3.
>
> However I'm more concerned about the racoon part of the log message.
> If racoon proposes a lifebyte of 2GB, but sets up the IPSEC SAs without
> any lifebyte, won't that cause the peer to expire those SAs prematurely
> if 2GB is transferred before the lifetime has elapsed? And won't that
> cause connectivity problems?
>
> I think this might have been the trouble I had speaking to this
> device. At apparently random intervals the Cisco would send me a
> delete SA notification (delete SA didn't work with 0.6.6 so
> connectivity was interrupted). I believe that was due to the 4.5 MB
> limit being hit, the Cisco apparently thought we'd agreed to such a
> lifebyte.
>

Hi Tore,

Searching for a solution of my problem, I found your question about setting a lifebyte in racoon.

Apparently my problem is the same
- my Peer: racoon
- my partner peer CISCO,
and the log:

[racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0 ]

Did you find some way to solve this problem ? Or to set the lifebyte ?

Thanks a lot !

Regards.

Jefferson.