From: Siegfried <si...@db...> - 2008-01-16 20:16:07
Hi list,

I want to establish an IPSEC connection between a PC with debian etch (ipsec-tools, racoon V0.7) and a Sidewinder G2 V.7 on the other side. The connection should be a client-gateway connection with pre-shared key and NAT-T, because my PC is located behind a DSL-Router with a dynamic address and NAT. The IPSEC Phase 1 was successfully established. But during the negotiation of Phase 2 I noticed a proposal mismatch. Therefore we double-checked the Phase 2 proposal configuration on both sides as follows:

encryption_algorithm: 3des, aes128
authentication_algorithm: hmac_sha1, hmac_md5
lifetime time 30 min
compression_algorithm deflate
udp-esp tunnel

Racoon sends the proposal with 4 transforms and the SW responds with one that matches the racoon configuration. But racoon logs a proposal mismathed (?), and sends the notification NO PROPOSAL CHOSEN back to the SW. It seems that the SW sends the right proposal, but in the racoon log I found a little difference:

-----------log SW---------------------
information: [outbound packet]
[NONE]
CKY_I: |16b983676574de7d|, CKY_R: |a80bbe641e58b710|, exch: QUICK_MODE(32), mess_id: 0xeaea96b7
[HASH]
data(20): |01009411c0211408d02114080400000000000000|
[SA]
[PROPOSAL #1]
protocol: ESP(3) spi(4): |fb615bed|
[TRANSFORM #0]
tran_id: 3DES(3)
[attributes]
ENCAPS_MODE:UDP_TUNNEL, AUTH_ALG:HMAC_SHA1, LIFE:SECONDS, DURATION: |00000708|
[NONCE]
data(20): |d91e409c5784a81a1dd365dc99adfa4f96de2eed|
[IDENTITY]
type: IPV4_ADDR(1), data: 192.168.2.2
[IDENTITY]
type: IPV4_SUBNET(4), data: 172.22.0.0/16
Jan 16 11:35:32 2008 CET f_isakmp_daemon a_vpn t_debug p_major
information: [inbound packet]
[HASH]
data(20): |dfe14dcce08e6a5807bf791922111c999f077259|
[NOTIFY]
protocol: IKE, type: NO_PROPOSAL_CHOSEN(14)
------end log SW-----------------------------------------------------------

-------log racoon-----------------------------------------------------------
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=2(prop)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1 len=116
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3(trns)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: transform #1 len=24
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=1800
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV.
Jan 16 11:35:32 debian racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
Jan 16 11:35:32 debian racoon: DEBUG: transform #2 len=24
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=1800
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV.
Jan 16 11:35:32 debian racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
Jan 16 11:35:32 debian racoon: DEBUG: transform #3 len=28
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=1800
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV.
Jan 16 11:35:32 debian racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
Jan 16 11:35:32 debian racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
Jan 16 11:35:32 debian racoon: DEBUG: transform #4 len=28
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=1800
Jan 16 11:35:32 debian racoon: DEBUG: life duration was in TLV.
Jan 16 11:35:32 debian racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
Jan 16 11:35:32 debian racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
Jan 16 11:35:32 debian racoon: DEBUG: pair 1:
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce6e8: next=(nil) tnext=0x80ce700
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce700: next=(nil) tnext=0x80ce718
Jan 16 11:35:32 debian racoon: DEBUG: 0x80ce718: next=(nil) tnext=0x80d3400
Jan 16 11:35:32 debian racoon: DEBUG: 0x80d3400: next=(nil) tnext=(nil)
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1: 4 transform
Jan 16 11:35:32 debian racoon: DEBUG: total SA len=48
Jan 16 11:35:32 debian racoon: DEBUG: 00000001 00000001 00000028 01030401 fb615bed 0000001c 00030000 80040003 80050002 80010001 00020004 00000708
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=2(prop)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1 len=40
Jan 16 11:35:32 debian racoon: DEBUG: begin.
Jan 16 11:35:32 debian racoon: DEBUG: seen nptype=3(trns)
Jan 16 11:35:32 debian racoon: DEBUG: succeed.
Jan 16 11:35:32 debian racoon: DEBUG: transform #0 len=28
Jan 16 11:35:32 debian racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel
Jan 16 11:35:32 debian racoon: DEBUG: UDP encapsulation requested
Jan 16 11:35:32 debian racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
Jan 16 11:35:32 debian racoon: DEBUG: type=SA Life Duration, flag=0x0000, lorv=4
Jan 16 11:35:32 debian racoon: DEBUG: pair 1:
Jan 16 11:35:32 debian racoon: DEBUG: 0x80cfab0: next=(nil) tnext=(nil)
Jan 16 11:35:32 debian racoon: DEBUG: proposal #1: 1 transform
Jan 16 11:35:32 debian racoon: ERROR: no suitable transform found.
Jan 16 11:35:32 debian racoon: ERROR: proposal mismathed.
Jan 16 11:35:32 debian racoon: ERROR: failed to pre-process packet.
Jan 16 11:35:32 debian racoon: DEBUG: compute IV for phase2
Jan 16 11:35:32 debian racoon: DEBUG: phase1 last IV:
Jan 16 11:35:32 debian racoon: DEBUG: ae2061be b41f2b9b ec4241f0
Jan 16 11:35:32 debian racoon: DEBUG: hash(sha1)
........
----------log racoon-----

My question is: why does racoon report

type=SA Life Duration, flag=0x0000, lorv=4

instead of

type=SA Life Duration, flag=0x8000, lorv=1800

Does flag=0x0000, lorv=4 have a special meaning?

How can I trace the phase 2 hashed packets (before the SA is established) on ethernet to see what the SW really sends? (tcpdump -E (but which key?))

Many THX
--
Best Regards/Gruss
Siggi
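The 48-byte hex dump racoon logs above ("total SA len=48") is the decrypted SA payload body the Sidewinder returned, so it can be decoded by hand without any packet capture. The added example below is not part of the post or of ipsec-tools; it is a small decoder for that dump following the ISAKMP data-attribute encoding of RFC 2408 section 3.3 and the IPsec DOI attribute classes of RFC 2407. Each attribute starts with a 16-bit word whose top bit is the Attribute Format (AF) flag: with AF set the next 16 bits are the value (Type/Value), with AF clear they are a length and the value follows as that many bytes (Type/Length/Value). Racoon's `flag=` is that AF bit and `lorv=` is the raw 16-bit field, which holds either the length or the value depending on the flag. The decoder shows what that means for the page's dump: `80010001` is Life Type = seconds in TV form, while `00020004 00000708` is Life Duration in TLV form, length 4, value 0x00000708 = 1800 seconds, which is the same lifetime racoon proposed. The attribute-type and value-name tables are the RFC 2407 assignments; nothing else is assumed.

```python
import struct

# Hex copied from the racoon debug line "total SA len=48" in the post above:
# the SA payload body (DOI, Situation, Proposal, Transform, attributes) the
# Sidewinder sent back in quick mode.
SA_BODY_HEX = (
    "00000001 00000001 00000028 01030401 fb615bed 0000001c "
    "00030000 80040003 80050002 80010001 00020004 00000708"
)

AF_BIT = 0x8000  # Attribute Format flag: 1 = Type/Value, 0 = Type/Length/Value

# IPsec DOI attribute classes (RFC 2407 section 4.5)
ATTR_NAMES = {1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
              4: "Encapsulation Mode", 5: "Authentication Algorithm", 6: "Key Length"}
# Value names for the attributes that occur in this exchange
VALUE_NAMES = {
    1: {1: "seconds", 2: "kilobytes"},
    4: {1: "Tunnel", 2: "Transport", 3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport"},
    5: {1: "HMAC-MD5", 2: "HMAC-SHA"},
}
ESP_TRANSFORM_NAMES = {2: "DES", 3: "3DES", 11: "NULL", 12: "AES"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}


def parse_attributes(data):
    """Decode a run of ISAKMP data attributes (RFC 2408 section 3.3)."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        type_word, lorv = struct.unpack_from("!HH", data, off)
        off += 4
        flag = type_word & AF_BIT          # what racoon prints as flag=0x8000 / 0x0000
        attr_type = type_word & 0x7FFF
        if flag:
            encoding, value = "TV", lorv   # lorv is the value itself
        else:
            if len(data) - off < lorv:
                raise ValueError("truncated TLV value at offset %d" % off)
            encoding = "TLV"               # lorv is a length; value follows
            value = int.from_bytes(data[off:off + lorv], "big")
            off += lorv
        attrs.append({"type": attr_type, "name": ATTR_NAMES.get(attr_type, "unknown(%d)" % attr_type),
                      "flag": flag, "lorv": lorv, "encoding": encoding, "value": value,
                      "value_name": VALUE_NAMES.get(attr_type, {}).get(value)})
    return attrs


def parse_sa_body(data):
    """Decode an SA payload body: DOI, Situation, then Proposal/Transform payloads."""
    doi, situation = struct.unpack_from("!II", data, 0)
    off, proposals = 8, []
    while off < len(data):
        # Proposal: next, reserved, length, proposal #, protocol id, SPI size, # of transforms, SPI
        _np, _r, plen, pnum, proto, spi_size, ntrns = struct.unpack_from("!BBHBBBB", data, off)
        spi = data[off + 8:off + 8 + spi_size]
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrns):
            # Transform: next, reserved, length, transform #, transform id, reserved, attributes
            _np2, _r2, tlen, tnum, tid, _r3 = struct.unpack_from("!BBHBBH", data, toff)
            transforms.append({"number": tnum, "id": tid,
                               "id_name": ESP_TRANSFORM_NAMES.get(tid, "id %d" % tid) if proto == 3 else "id %d" % tid,
                               "attributes": parse_attributes(data[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto,
                          "protocol_name": PROTO_NAMES.get(proto, "unknown(%d)" % proto),
                          "spi": spi.hex(), "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def decode_hexdump(hexdump):
    return parse_sa_body(bytes.fromhex(hexdump.replace(" ", "")))


def describe(sa):
    """Render the decoded SA in racoon's own flag=/lorv= vocabulary."""
    lines = []
    for p in sa["proposals"]:
        lines.append("proposal #%d %s spi=%s" % (p["number"], p["protocol_name"], p["spi"]))
        for t in p["transforms"]:
            lines.append("  transform #%d %s" % (t["number"], t["id_name"]))
            for a in t["attributes"]:
                shown = a["value_name"] or str(a["value"])
                lines.append("    %-24s flag=0x%04x lorv=%-5d %-3s -> %s"
                             % (a["name"], a["flag"], a["lorv"], a["encoding"], shown))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(decode_hexdump(SA_BODY_HEX)))
```

Running it prints the Sidewinder's single 3DES/HMAC-SHA/UDP-Encapsulated-Tunnel transform with the duration line reading `flag=0x0000 lorv=4 TLV -> 1800`, so the lifetime value itself is not where the two sides disagree. One other difference the decoder makes visible is the transform number: racoon proposed transforms #1 to #4 and the reply carries transform #0, which is worth checking against the responder's proposal-selection rules before digging further. On the capture question, `tcpdump -E` takes ESP SA keys and decrypts ESP payloads only, not the IKE exchange, so racoon's decrypted debug dump above is the more useful source for the phase 2 payloads.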