Menu
▾
▴
[Ipsec-tools-devel] Interoperability with Sidewinder G2 Version 7
|
From: Siegfried <si...@db...> - 2008-01-16 20:16:07
|
Hi list,
I want to establish a IPSEC connection between a PC with debian etch (ipsec=
=2Dtools, racoon V0.7) and a Sidewinder G2 V.7 on the other side.
The connection should be a client-gateway connection with pre-shared key an=
d NAT-T because my PC is located behind a DSL-Router=20
with a dynamic address and NAT. The IPSEC Phase 1 was successfull establish=
ed. But during the negotiation of the Phase 2 I noticed a proposal mismatch=
=2E Therefore=20
we doublechecked the Phase 2 proposal configuration on both sides as follow=
s:
encryption_algorithm: 3des, aes128
authentication_algorithm: hmac_sha1, hmac_md5
lifetime time 30 min
compression_algorithm deflate
udp-esp tunnel
Racoon sends the proposal with 4 transforms and the SW responds with one t=
hat matches with the racoon configuration.=20
But racoon logs a proposal mismathed (?), and sends the notification NO PRO=
POSAL CHOOSEN back to the SW.=20
It seems that the SW sends the right proposal but in the racoon log I found=
a little difference:
=2D-----------log SW---------------------
information: [outbound packet]=20
[NONE]=20
CKY_I: |16b983676574de7d|, CKY_R: |a80bbe641e58b710|, exch: QUICK_MODE(=
32),=20
mess_id: 0xeaea96b7
[HASH]=20
data(20): |01009411c0211408d02114080400000000000000|
[SA]=20
[PROPOSAL #1]=20
protocol: ESP(3)
spi(4): |fb615bed|
[TRANSFORM #0]=20
tran_id: 3DES(3)
[attributes]=20
ENCAPS_MODE:UDP_TUNNEL, AUTH_ALG:HMAC_SHA1, LIFE:SECONDS, DURATIO=
N:
|00000708|
[NONCE]=20
data(20): |d91e409c5784a81a1dd365dc99adfa4f96de2eed|
[IDENTITY]=20
type: IPV4_ADDR(1), data: 192.168.2.2
[IDENTITY]=20
type: IPV4_SUBNET(4), data: 172.22.0.0/16=20
Jan 16 11:35:32 2008 CET f_isakmp_daemon a_vpn t_debug p_major=20
information: [inbound packet]=20
[HASH]=20
data(20): |dfe14dcce08e6a5807bf791922111c999f077259|
[NOTIFY]=20
protocol: IKE, type: NO_PROPOSAL_CHOSEN(14)=20
------end log SW-----------------------------------------------------------
=2D------log racoon--------------------------------------------------------=
=2D---
Jan 16 11:35:32 debian racoon: DEBUG: begin. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3D2(prop) =
=20
Jan 16 11:35:32 debian racoon: DEBUG: succeed. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1 len=3D116 =
=20
Jan 16 11:35:32 debian racoon: DEBUG: begin. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3D3(trns) =
=20
Jan 16 11:35:32 debian racoon: DEBUG: succeed. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: transform #1 len=3D24 =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Type, flag=3D0x8000, l=
orv=3Dseconds =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Duration, flag=3D0x800=
0, lorv=3D1800 =20
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DEncryption Mode, flag=3D0x8000=
, lorv=3DUDP-Tunnel =20
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DAuthentication Algorithm, flag=
=3D0x8000, lorv=3Dhmac-sha =20
Jan 16 11:35:32 debian racoon: DEBUG: transform #2 len=3D24 =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Type, flag=3D0x8000, l=
orv=3Dseconds =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Duration, flag=3D0x800=
0, lorv=3D1800 =20
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DEncryption Mode, flag=3D0x8000=
, lorv=3DUDP-Tunnel =20
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DAuthentication Algorithm, flag=
=3D0x8000, lorv=3Dhmac-md5 =20
Jan 16 11:35:32 debian racoon: DEBUG: transform #3 len=3D28 =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Type, flag=3D0x8000, l=
orv=3Dseconds =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Duration, flag=3D0x800=
0, lorv=3D1800 =20
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV. =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DEncryption Mode, flag=3D0x8000=
, lorv=3DUDP-Tunnel =20
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DKey Length, flag=3D0x8000, lor=
v=3D128 =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DAuthentication Algorithm, flag=
=3D0x8000, lorv=3Dhmac-sha =20
Jan 16 11:35:32 debian racoon: DEBUG: transform #4 len=3D28 =
=20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Type, flag=3D0x8000, l=
orv=3Dseconds =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Duration, flag=3D0x800=
0, lorv=3D1800 =20
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV. =20
Jan 16 11:35:32 debian racoon: DEBUG: type=3DEncryption Mode, flag=3D0x8000=
, lorv=3DUDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=3DKey Length, flag=3D0x8000, lor=
v=3D128
Jan 16 11:35:32 debian racoon: DEBUG: type=3DAuthentication Algorithm, flag=
=3D0x8000, lorv=3Dhmac-md5
Jan 16 11:35:32 debian racoon: DEBUG: pair 1:
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce6e8: next=3D(nil) tnext=3D0x80=
ce700
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce700: next=3D(nil) tnext=3D0x8=
0ce718
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce718: next=3D(nil) tnext=3D0x=
80d3400
Jan 16 11:35:32 debian racoon: DEBUG: 0x80d3400: next=3D(nil) tnext=3D(=
nil)
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1: 4 transform
Jan 16 11:35:32 debian racoon: DEBUG: total SA len=3D48
Jan 16 11:35:32 debian racoon: DEBUG: 00000001 00000001 00000028 01030401 =
fb615bed 0000001c 00030000 80040003 80050002 80010001 00020004 00000708
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3D2(prop)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1 len=3D40
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3D3(trns)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: transform #0 len=3D28
Jan 16 11:35:32 debian racoon: DEBUG: type=3DEncryption Mode, flag=3D0x8000=
, lorv=3DUDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=3DAuthentication Algorithm, flag=
=3D0x8000, lorv=3Dhmac-sha
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Type, flag=3D0x8000, l=
orv=3Dseconds
Jan 16 11:35:32 debian racoon: DEBUG: type=3DSA Life Duration, flag=3D0x000=
0, lorv=3D4
Jan 16 11:35:32 debian racoon: DEBUG: pair 1:
Jan 16 11:35:32 debian racoon: DEBUG: 0x80cfab0: next=3D(nil) tnext=3D(nil)
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1: 1 transform
Jan 16 11:35:32 debian racoon: ERROR: no suitable transform found.
Jan 16 11:35:32 debian racoon: ERROR: proposal mismathed.
Jan 16 11:35:32 debian racoon: ERROR: failed to pre-process packet.
Jan 16 11:35:32 debian racoon: DEBUG: compute IV for phase2
Jan 16 11:35:32 debian racoon: DEBUG: phase1 last IV:
Jan 16 11:35:32 debian racoon: DEBUG: ae2061be b41f2b9b ec4241f0
Jan 16 11:35:32 debian racoon: DEBUG: hash(sha1)
=2E.......
=2D---------log racoon-----
My question is why reports racoon: type=3DSA Life Duration, flag=3D0x0000, =
lorv=3D4
instead of: type=3DSA Life Duration, flag=3D0x8000, lorv=3D1800
Has the flag=3D0x0000, lorv=3D4 a special meaning ?
How I can trace the phase 2 hashed packets (before SA established) on ethe=
rnet to see what the SW really sends? (tcpdump -E (but which key?))=20
Many THX
=2D-=20
Best Regards/Gruss Siggi
|