From: Yogesh J. <yj...@gm...> - 2009-05-27 08:59:22
Hi all,

I have a strange problem with racoon. I want to encrypt my LAN traffic. Here is my setkey.conf (ipsec-tools version 0.7 on OpenWrt Kamikaze 8.09):

spdadd 10.0.0.0/8 10.0.0.0/8 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.0/8 10.0.0.0/8 any -P out ipsec esp/transport//require ah/transport//require;

racoon is using x509 certificates. On some nodes it works perfectly, but on some it gives a strange error on start. Somehow it gets an SA request from itself (not from another node) with IP 10.255.255.255 and it fails. What may be the reason?

Sorry for posting in the devel list (but I saw only spam in the users list).

Thanks in advance.

#racoon -F -d -vv -f /etc/racoon.conf
Foreground mode.
2009-05-27 02:53:12: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
2009-05-27 02:53:12: INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/)
2009-05-27 02:53:12: INFO: Reading configuration from "/etc/racoon.conf"
2009-05-27 02:53:12: DEBUG: call pfkey_send_register for AH
2009-05-27 02:53:12: DEBUG: call pfkey_send_register for ESP
2009-05-27 02:53:12: DEBUG: call pfkey_send_register for IPCOMP
2009-05-27 02:53:12: INFO: Resize address pool from 0 to 255
2009-05-27 02:53:12: DEBUG: reading config file /etc/racoon.conf
2009-05-27 02:53:12: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2009-05-27 02:53:12: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
2009-05-27 02:53:12: DEBUG: getsainfo pass #2
2009-05-27 02:53:12: DEBUG: open /etc/racoon/racoon.sock as racoon management.
2009-05-27 02:53:12: DEBUG: my interface: 10.128.92.36 (ath0)
2009-05-27 02:53:12: DEBUG: my interface: 192.168.1.95 (eth0)
2009-05-27 02:53:12: DEBUG: my interface: 127.0.0.1 (lo)
2009-05-27 02:53:12: DEBUG: configuring default isakmp port.
2009-05-27 02:53:12: DEBUG: 3 addrs are configured successfully
2009-05-27 02:53:12: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2009-05-27 02:53:12: INFO: 127.0.0.1[500] used for NAT-T
2009-05-27 02:53:12: INFO: 192.168.1.95[500] used as isakmp port (fd=8)
2009-05-27 02:53:12: INFO: 192.168.1.95[500] used for NAT-T
2009-05-27 02:53:12: INFO: 10.128.92.36[500] used as isakmp port (fd=9)
2009-05-27 02:53:12: INFO: 10.128.92.36[500] used for NAT-T
2009-05-27 02:53:12: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:12: DEBUG: get pfkey X_SPDDUMP message
2009-05-27 02:53:13: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:13: DEBUG: get pfkey X_SPDDUMP message
2009-05-27 02:53:13: DEBUG: sub:0x7f8842b8: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=fwd
2009-05-27 02:53:13: DEBUG: db :0x4c8618: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:13: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:13: DEBUG: get pfkey X_SPDDUMP message
2009-05-27 02:53:13: DEBUG: sub:0x7f8842b8: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out
2009-05-27 02:53:13: DEBUG: db :0x4c8618: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:13: DEBUG: sub:0x7f8842b8: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out
2009-05-27 02:53:13: DEBUG: db :0x4c8e48: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=fwd
2009-05-27 02:53:14: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:14: DEBUG: get pfkey ACQUIRE message
2009-05-27 02:53:14: DEBUG: suitable outbound SP found: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out.
2009-05-27 02:53:14: DEBUG: sub:0x7f8842a8: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:14: DEBUG: db :0x4c8618: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:14: DEBUG: suitable inbound SP found: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in.
2009-05-27 02:53:14: DEBUG: new acquire 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out
2009-05-27 02:53:14: DEBUG: anonymous configuration selected for 10.255.255.255.
2009-05-27 02:53:14: DEBUG: getsainfo params: loc='10.0.0.0/8', rmt='10.0.0.0/8', peer='NULL', id=0
2009-05-27 02:53:14: DEBUG: getsainfo pass #2
2009-05-27 02:53:14: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2009-05-27 02:53:14: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2009-05-27 02:53:14: DEBUG: (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2009-05-27 02:53:14: DEBUG: (trns_id=SHA authtype=hmac-sha)
2009-05-27 02:53:14: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2009-05-27 02:53:14: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
2009-05-27 02:53:14: DEBUG: in post_acquire
2009-05-27 02:53:14: DEBUG: anonymous configuration selected for 10.255.255.255.
2009-05-27 02:53:14: INFO: IPsec-SA request for 10.255.255.255 queued due to no phase1 found.
2009-05-27 02:53:14: DEBUG: ===
2009-05-27 02:53:14: INFO: initiate new phase 1 negotiation: 10.128.92.36[500]<=>10.255.255.255[500]
2009-05-27 02:53:14: INFO: begin Identity Protection mode.
2009-05-27 02:53:14: DEBUG: new cookie: 4f25f5bde9754e35
2009-05-27 02:53:14: DEBUG: add payload of len 48, next type 13
2009-05-27 02:53:14: DEBUG: add payload of len 16, next type 0
2009-05-27 02:53:14: DEBUG: 100 bytes from 10.128.92.36[500] to 10.255.255.255[500]
2009-05-27 02:53:14: DEBUG: sockname 10.128.92.36[500]
2009-05-27 02:53:14: DEBUG: send packet from 10.128.92.36[500]
2009-05-27 02:53:14: DEBUG: send packet to 10.255.255.255[500]
2009-05-27 02:53:14: DEBUG: src4 10.128.92.36[500]
2009-05-27 02:53:14: DEBUG: dst4 10.255.255.255[500]
2009-05-27 02:53:14: DEBUG: 1 times of -1 bytes message will be sent to 10.255.255.255[500]
2009-05-27 02:53:14: DEBUG: 4f25f5bd e974324e35 00000000 00000000 01100200 00000000 00000064 0d000034 00000001 01010000 800b0001 800c0e10 80010005 80030003 80020002 80040002 00000014 afcad713 68a1f1c9 6b864326fc 77570100
2009-05-27 02:53:14: ERROR: sendfromto failed
2009-05-27 02:53:14: ERROR: phase1 negotiation failed due to send error. 4f25f5bde9754e35:0000000000000000
2009-05-27 02:53:14: ERROR: failed to begin ipsec sa negotication.
^C2009-05-27 02:53:15: INFO: caught signal 2
2009-05-27 02:53:15: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:15: DEBUG: get pfkey FLUSH message
2009-05-27 02:53:15: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:15: DEBUG: get pfkey ACQUIRE message
2009-05-27 02:53:15: DEBUG: suitable outbound SP found: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out.
2009-05-27 02:53:15: DEBUG: sub:0x7f8842a8: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:15: DEBUG: db :0x4c8618: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in
2009-05-27 02:53:15: DEBUG: suitable inbound SP found: 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=in.
2009-05-27 02:53:15: DEBUG: new acquire 10.0.0.0/8[0] 10.0.0.0/8[0] proto=any dir=out
2009-05-27 02:53:15: DEBUG: anonymous configuration selected for 10.255.255.255.
2009-05-27 02:53:15: DEBUG: getsainfo params: loc='10.0.0.0/8', rmt='10.0.0.0/8', peer='NULL', id=0
2009-05-27 02:53:15: DEBUG: getsainfo pass #2
2009-05-27 02:53:15: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2009-05-27 02:53:15: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2009-05-27 02:53:15: DEBUG: (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2009-05-27 02:53:15: DEBUG: (trns_id=SHA authtype=hmac-sha)
2009-05-27 02:53:15: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2009-05-27 02:53:15: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
2009-05-27 02:53:15: DEBUG: in post_acquire
2009-05-27 02:53:15: DEBUG: anonymous configuration selected for 10.255.255.255.
2009-05-27 02:53:15: INFO: IPsec-SA request for 10.255.255.255 queued due to no phase1 found.
2009-05-27 02:53:15: DEBUG: ===
2009-05-27 02:53:15: INFO: initiate new phase 1 negotiation: 10.128.92.36[500]<=>10.255.255.255[500]
2009-05-27 02:53:15: INFO: begin Identity Protection mode.
2009-05-27 02:53:15: DEBUG: new cookie: 814437502bd4fb2d
2009-05-27 02:53:15: DEBUG: add payload of len 48, next type 13
2009-05-27 02:53:15: DEBUG: add payload of len 16, next type 0
2009-05-27 02:53:15: DEBUG: 100 bytes from 10.128.92.36[500] to 10.255.255.255[500]
2009-05-27 02:53:15: DEBUG: sockname 10.128.92.36[500]
2009-05-27 02:53:15: DEBUG: send packet from 10.128.92.36[500]
2009-05-27 02:53:15: DEBUG: send packet to 10.255.255.255[500]
2009-05-27 02:53:15: DEBUG: src4 10.128.92.36[500]
2009-05-27 02:53:15: DEBUG: dst4 10.255.255.255[500]
2009-05-27 02:53:15: DEBUG: 1 times of -1 bytes message will be sent to 10.255.255.255[500]
2009-05-27 02:53:15: DEBUG: 81443750 2b34fb2d 00000000 00000000 01100200 00000000 00000064 0d000034 00000001 000000 01010000 800b0001 800c0e10 80010005 80030003 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2009-05-27 02:53:15: ERROR: sendfromto failed
2009-05-27 02:53:15: ERROR: phase1 negotiation failed due to send error. 814437502bd4fb2d:0000000000000000
2009-05-27 02:53:15: ERROR: failed to begin ipsec sa negotication.
2009-05-27 02:53:16: DEBUG: call pfkey_send_dump
2009-05-27 02:53:16: DEBUG: pk_recv: retry[0] recv()
2009-05-27 02:53:17: INFO: racoon shutdown

--
Regards,
Yogesh
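An added check, not from the post or from ipsec-tools, for the situation the log shows: the policy's 10.0.0.0/8 destination selector also covers that network's directed broadcast 10.255.255.255, so a broadcast the local kernel sends raises an ACQUIRE and racoon starts IKE toward a peer that cannot answer. The script parses the setkey.conf lines and the phase 1 log line quoted in the message (both embedded as constructed samples) and flags such targets; the function names are my own.

```python
import ipaddress
import re

# Constructed samples copied from the post: the two setkey.conf policies and
# the racoon log lines that name the peer it tried to negotiate with.
SETKEY_CONF = """
spdadd 10.0.0.0/8 10.0.0.0/8 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.0/8 10.0.0.0/8 any -P out ipsec esp/transport//require ah/transport//require;
"""
RACOON_LOG = """
2009-05-27 02:53:14: INFO: initiate new phase 1 negotiation: 10.128.92.36[500]<=>10.255.255.255[500]
2009-05-27 02:53:14: ERROR: sendfromto failed
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(ipsec|none|discard)")
PHASE1_RE = re.compile(r"initiate new phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")

def parse_spd(text):
    """Parse spdadd lines into (src_net, dst_net, proto, direction, action)."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, action = m.groups()
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         proto, direction, action))
    return policies

def outbound_policy(policies, src, dst):
    """First outbound policy whose selectors cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p[3] == "out" and s in p[0] and d in p[1]:
            return p
    return None

def is_non_unicast(addr, net):
    """True for a multicast address or the directed broadcast of net."""
    a = ipaddress.ip_address(addr)
    return a.is_multicast or a == net.broadcast_address

def bad_acquire_targets(policies, src, destinations):
    """Destinations covered by an 'ipsec' policy that no IKE peer can answer
    for (broadcast or multicast); each one raises an ACQUIRE like the log's."""
    flagged = []
    for dst in destinations:
        p = outbound_policy(policies, src, dst)
        if p is not None and p[4] == "ipsec" and is_non_unicast(dst, p[1]):
            flagged.append(dst)
    return flagged

def phase1_peers(log_text):
    """(local, peer) pairs racoon tried to negotiate with, from its log."""
    return PHASE1_RE.findall(log_text)
```

Cross-checking the peers returned by phase1_peers against bad_acquire_targets shows whether a failed phase 1 was aimed at an address the policy should have bypassed rather than at a real node.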