From: Akos K. <ako...@gm...> - 2011-06-30 09:58:51
Hi all,

I am trying to create an IPSec tunnel between two Linux boxes using IPv6 and racoon 0.6.5. I get a "failed to get sainfo" error though my sainfo entries are exactly the same (with addresses interchanged) on the two ends. The same configuration worked with IPv4 addresses.

My remote and sainfo entries in racoon.conf:

remote fdbd::5:103 inherit anonymous {
        exchange_mode main;
        verify_cert off;
        my_identifier asn1dn;
        certificate_type x509 "9d567e1b.0" "key_NE01.pem";
        ca_type x509 "9786cb84.0";
        peers_identifier asn1dn;
        lifetime time 1440 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo address fdbd::2:101 any address fdbd::5:0/120 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

My setkey.conf:

#!/usr/sbin/setkey -f
spdflush;
spdadd fdbd::2:101 fdbd::5:0/120 any -P out ipsec esp/tunnel/fdbd::2:2-fdbd::5:103/require;
spdadd fdbd::5:0/120 fdbd::2:101 any -P in ipsec esp/tunnel/fdbd::5:103-fdbd::2:2/require;

The other side is the same with addresses interchanged; the sainfo there is

sainfo address fdbd::5:0/120 any address fdbd::2:101 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

When pinging the other side:

ping6 -I fdbd::2:101 fdbd::5:3

I get:

Foreground mode.
2011-06-30 11:34:08: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2011-06-30 11:34:08: INFO: @(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)
2011-06-30 11:34:08: DEBUG2: lifetime = 28800
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:1
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: SHA(2)
2011-06-30 11:34:08: DEBUG2: 1024-bit MODP group(2)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG: configuration found for anonymous.
2011-06-30 11:34:08: DEBUG: configuration found for anonymous.
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:1
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: SHA(2)
2011-06-30 11:34:08: DEBUG2: 1536-bit MODP group(5)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:2
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: MD5(1)
2011-06-30 11:34:08: DEBUG2: 1536-bit MODP group(5)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:3
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: SHA(2)
2011-06-30 11:34:08: DEBUG2: 1024-bit MODP group(2)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:4
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: MD5(1)
2011-06-30 11:34:08: DEBUG2: 1024-bit MODP group(2)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:5
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: SHA(2)
2011-06-30 11:34:08: DEBUG2: 768-bit MODP group(1)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG2: lifetime = 1440
2011-06-30 11:34:08: DEBUG2: lifebyte = 0
2011-06-30 11:34:08: DEBUG2: encklen=0
2011-06-30 11:34:08: DEBUG2: p:1 t:6
2011-06-30 11:34:08: DEBUG2: 3DES-CBC(5)
2011-06-30 11:34:08: DEBUG2: MD5(1)
2011-06-30 11:34:08: DEBUG2: 768-bit MODP group(1)
2011-06-30 11:34:08: DEBUG2: RSA signatures(3)
2011-06-30 11:34:08: DEBUG2:
2011-06-30 11:34:08: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2011-06-30 11:34:08: DEBUG2: parse successed.
2011-06-30 11:34:08: DEBUG: open /var/run/racoon/racoon.sock as racoon management.
2011-06-30 11:34:08: INFO: fdbd::2:2[500] used as isakmp port (fd=6)
2011-06-30 11:34:08: DEBUG: get pfkey X_SPDDUMP message
2011-06-30 11:34:08: DEBUG2:
02120000 23000100 02000000 d1420000 05000500 ff780000 0a000000 00000000
fdbd0000 00000000 00000000 00050000 00000000 00000000 05000600 ff800000
0a000000 00000000 fdbd0000 00000000 00000000 00020101 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 fc420c4e 00000000 00000000 00000000
0b001200 02000100 b81b0000 00000080 48003200 02020000 00000000 00000000
0a000000 00000000 fdbd0000 00000000 00000000 00050103 00000000 0a000000
00000000 fdbd0000 00000000 00000000 00020002 00000000
2011-06-30 11:34:08: DEBUG: get pfkey X_SPDDUMP message
2011-06-30 11:34:08: DEBUG2:
02120000 23000100 01000000 d1420000 05000500 ff800000 0a000000 00000000
fdbd0000 00000000 00000000 00020101 00000000 00000000 05000600 ff780000
0a000000 00000000 fdbd0000 00000000 00000000 00050000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 fc420c4e 00000000 00000000 00000000
0b001200 02000200 b11b0000 00000080 48003200 02020000 00000000 00000000
0a000000 00000000 fdbd0000 00000000 00000000 00020002 00000000 0a000000
00000000 fdbd0000 00000000 00000000 00050103 00000000
2011-06-30 11:34:08: DEBUG: sub:0x7fffadf65820: fdbd::2:101/128[0] fdbd::5:0/120[0] proto=any dir=out
2011-06-30 11:34:08: DEBUG: db :0x58b930: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=in
2011-06-30 11:34:08: DEBUG: get pfkey X_SPDDUMP message
2011-06-30 11:34:08: DEBUG2:
02120000 23000100 00000000 d1420000 05000500 ff780000 0a000000 00000000
fdbd0000 00000000 00000000 00050000 00000000 00000000 05000600 ff800000
0a000000 00000000 fdbd0000 00000000 00000000 00020101 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 fc420c4e 00000000 00000000 00000000
0b001200 02000300 c21b0000 00000080 48003200 02020000 00000000 00000000
0a000000 00000000 fdbd0000 00000000 00000000 00050103 00000000 0a000000
00000000 fdbd0000 00000000 00000000 00020002 00000000
2011-06-30 11:34:08: DEBUG: sub:0x7fffadf65820: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=fwd
2011-06-30 11:34:08: DEBUG: db :0x58b930: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=in
2011-06-30 11:34:08: DEBUG: sub:0x7fffadf65820: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=fwd
2011-06-30 11:34:08: DEBUG: db :0x58bba0: fdbd::2:101/128[0] fdbd::5:0/120[0] proto=any dir=out
2011-06-30 11:34:16: DEBUG: get pfkey ACQUIRE message
2011-06-30 11:34:16: DEBUG2:
02060003 0f000000 52030000 00000000 05000500 00800000 0a000000 00000000
fdbd0000 00000000 00000000 00020002 00000000 08000200 05000600 00800000
0a000000 00000000 fdbd0000 00000000 00000000 00050103 00000000 00050003
02001200 02000200 b11b0000 00000000 01000d00 20000000
2011-06-30 11:34:16: DEBUG: suitable outbound SP found: fdbd::2:101/128[0] fdbd::5:0/120[0] proto=any dir=out.
2011-06-30 11:34:16: DEBUG: sub:0x7fffadf657f0: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=in
2011-06-30 11:34:16: DEBUG: db :0x58b930: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=in
2011-06-30 11:34:16: DEBUG: suitable inbound SP found: fdbd::5:0/120[0] fdbd::2:101/128[0] proto=any dir=in.
2011-06-30 11:34:16: DEBUG: new acquire fdbd::2:101/128[0] fdbd::5:0/120[0] proto=any dir=out
2011-06-30 11:34:16: ERROR: failed to get sainfo.

It works when I replace the addresses of the racoon.conf sainfo with anonymous. What am I doing wrong? Or shall I upgrade to a newer racoon?

Thank you.

BR
Akos Korosmezey
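The "failed to get sainfo" error above means racoon received a kernel ACQUIRE for an SP selector and could not find a sainfo block whose local/remote selectors match it. The checker below is an added example, not code from the post or from ipsec-tools; it lints a setkey.conf against a racoon.conf under a simplified model that is an assumption of this example: for an outbound SP the sainfo's first address must equal the SP source and its second address the SP destination, for an inbound SP the roles are swapped, and `sainfo anonymous` matches anything. Real racoon also compares ID types and ports, so a clean result here does not prove the daemon will match; a mismatch here, however, is a configuration error worth fixing before chasing daemon bugs. The sample configurations are the ones quoted in the post plus one constructed variant with a wider sainfo prefix.

```python
"""Lint racoon sainfo selectors against setkey SPD entries (example code).

Model (assumption, not racoon's exact algorithm): the SPD entry that caused
the ACQUIRE yields a (local, remote) selector pair; a sainfo matches when its
two address selectors equal that pair (strict) or cover it (loose).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SPDADD_RE = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\b")
SAINFO_RE = re.compile(r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{")
ANON_RE = re.compile(r"^\s*sainfo\s+anonymous\s*\{")


@dataclass(frozen=True)
class Selector:
    local: IPNet      # "my" side of the SP, as racoon would present it to sainfo lookup
    remote: IPNet
    proto: str
    direction: str    # "out" or "in"


@dataclass(frozen=True)
class SaInfo:
    local: Optional[IPNet]   # None means "sainfo anonymous"
    remote: Optional[IPNet]
    lproto: str
    rproto: str
    text: str                # the sainfo header line, for reporting


def to_net(text: str) -> IPNet:
    # strict=False lets a host address without prefix and a subnet both parse
    return ipaddress.ip_network(text, strict=False)


def parse_spd(conf: str) -> List[Selector]:
    """Extract (local, remote) selectors from spdadd lines; fwd entries are skipped."""
    sels = []
    for line in conf.splitlines():
        m = SPDADD_RE.match(line)
        if not m or m.group(4) == "fwd":
            continue
        src, dst, proto, direction = m.groups()
        if direction == "out":
            sels.append(Selector(to_net(src), to_net(dst), proto, "out"))
        else:  # inbound: the destination is our local side
            sels.append(Selector(to_net(dst), to_net(src), proto, "in"))
    return sels


def parse_sainfo(conf: str) -> List[SaInfo]:
    """Extract sainfo header lines (address ... address ... or anonymous)."""
    out = []
    for line in conf.splitlines():
        text = line.strip().rstrip("{").strip()
        if ANON_RE.match(line):
            out.append(SaInfo(None, None, "any", "any", text))
            continue
        m = SAINFO_RE.match(line)
        if m:
            l, lp, r, rp = m.groups()
            out.append(SaInfo(to_net(l), to_net(r), lp, rp, text))
    return out


def sainfo_matches(si: SaInfo, sel: Selector, strict: bool = True) -> bool:
    if si.local is None:
        return True  # anonymous matches every selector
    if si.lproto not in ("any", sel.proto) or si.rproto not in ("any", sel.proto):
        return False
    if si.local.version != sel.local.version or si.remote.version != sel.remote.version:
        return False  # never compare IPv4 against IPv6 networks
    if strict:
        return si.local == sel.local and si.remote == sel.remote
    return sel.local.subnet_of(si.local) and sel.remote.subnet_of(si.remote)


def lint(spd_conf: str, racoon_conf: str, strict: bool = True) -> List[Tuple[str, str, str, Optional[str]]]:
    """For each SP selector, report the first sainfo that matches it (or None)."""
    sainfos = parse_sainfo(racoon_conf)
    report = []
    for sel in parse_spd(spd_conf):
        hit = next((s for s in sainfos if sainfo_matches(s, sel, strict)), None)
        report.append((sel.direction, str(sel.local), str(sel.remote), hit.text if hit else None))
    return report


def outbound_sp_for(spd_conf: str, src: str, dst: str) -> Optional[Selector]:
    """Return the outbound selector that would trigger an ACQUIRE for src->dst traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in parse_spd(spd_conf):
        if sel.direction == "out" and s in sel.local and d in sel.remote:
            return sel
    return None


# Sample input taken from the post above (setkey.conf and the sainfo block).
SETKEY_CONF = """\
spdflush;
spdadd fdbd::2:101 fdbd::5:0/120 any -P out ipsec esp/tunnel/fdbd::2:2-fdbd::5:103/require;
spdadd fdbd::5:0/120 fdbd::2:101 any -P in ipsec esp/tunnel/fdbd::5:103-fdbd::2:2/require;
"""
RACOON_CONF = """\
sainfo address fdbd::2:101 any address fdbd::5:0/120 any {
        encryption_algorithm 3des;
}
"""
# Constructed variant: remote selector written wider (/112) than the SP's /120.
RACOON_CONF_WIDER = "sainfo address fdbd::2:101 any address fdbd::5:0/112 any {\n}\n"
RACOON_CONF_ANON = "sainfo anonymous {\n}\n"

if __name__ == "__main__":
    for row in lint(SETKEY_CONF, RACOON_CONF):
        print("strict", row)
    for row in lint(SETKEY_CONF, RACOON_CONF_WIDER):
        print("strict/wider", row)
    for row in lint(SETKEY_CONF, RACOON_CONF_WIDER, strict=False):
        print("loose/wider", row)
    print("ping selector:", outbound_sp_for(SETKEY_CONF, "fdbd::2:101", "fdbd::5:3"))
```

Run it with both ends' files (swapping which is "local") to see that each side's sainfo covers the selector its own SPD produces; the `strict` flag shows how an off-by-a-prefix sainfo that looks equivalent still fails an equality match.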
From: VANHULLEBUS Y. <va...@fr...> - 2011-07-08 08:01:58
On Thu, Jun 30, 2011 at 11:58:42AM +0200, Akos Korosmezey wrote:
> Hi all,
> [....]
> It works when I replace the addresses of the racoon.conf sainfo with
> anonymous. What am I doing wrong? Or shall I upgrade to a newer racoon?

Anyways, yes, please start by using a recent version of racoon, at least 0.7.x. 0.8.0 is the most recent and the version on which we'll have a deeper look if there are some issues.....

Yvan.