From: Russell M. <rus...@gu...> - 2006-07-11 20:03:38
I am having problems getting racoon to work between two endpoints:

    Left                      NAT router                  Right
    NetBSD 3.0/i386           w/IPsec Passthrough         Linux kernel 2.6.17.4
    (24.64.116.36)            (69.46.x.x)                 (10.x.x.x/16)

    IPsec G/W -> (Internet Cloud) -> Office Router doing NAT -> Internal workstation

The session log is below for this connection:

--------------- NetBSD 3.0 w/IPSEC_NATT built into the kernel ---------------

Starting racoon.
Jul 11 13:32:28 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:32:58 tungsten last message repeated 3 times
Jul 11 13:32:59 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:32:59 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:33:08 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:33:14 tungsten racoon: INFO: caught signal 15
Jul 11 13:33:15 tungsten racoon: INFO: racoon shutdown
Jul 11 13:33:16 tungsten racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jul 11 13:33:16 tungsten racoon: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[4500] used as isakmp port (fd=7)
Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[4500] used for NAT-T
Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[500] used as isakmp port (fd=8)
Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[500] used for NAT-T
Jul 11 13:33:17 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.
Jul 11 13:33:17 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:33:17 tungsten racoon: INFO: begin Aggressive mode.
Jul 11 13:33:17 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:33:37 tungsten last message repeated 2 times
Jul 11 13:33:38 tungsten racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 11 13:33:47 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:33:48 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:33:48 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:33:57 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:34:07 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:34:09 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:34:09 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:34:17 tungsten racoon: ERROR: phase1 negotiation failed due to time up. a1aebd9a9fa1fd8f:0000000000000000
Jul 11 13:34:50 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.
Jul 11 13:34:50 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:34:50 tungsten racoon: INFO: begin Aggressive mode.
Jul 11 13:34:50 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:35:20 tungsten last message repeated 3 times
Jul 11 13:35:21 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:35:21 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:35:30 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:35:40 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:35:50 tungsten racoon: ERROR: phase1 negotiation failed due to time up. b242746ec62a3e7c:0000000000000000
Jul 11 13:35:58 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.
Jul 11 13:35:58 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:35:58 tungsten racoon: INFO: begin Aggressive mode.
Jul 11 13:35:58 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:36:28 tungsten last message repeated 3 times
Jul 11 13:36:30 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:36:30 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:36:38 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:36:48 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:36:58 tungsten racoon: ERROR: phase1 negotiation failed due to time up. 2ccc38aa711ace50:0000000000000000
Jul 11 13:43:39 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.
Jul 11 13:43:39 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:43:39 tungsten racoon: INFO: begin Aggressive mode.
Jul 11 13:43:39 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:44:09 tungsten last message repeated 3 times
Jul 11 13:44:10 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:44:10 tungsten racoon: INFO: delete phase 2 handler.
Jul 11 13:44:19 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:44:29 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:44:39 tungsten racoon: ERROR: phase1 negotiation failed due to time up. 3d8eee8b74e43295:0000000000000000

path pre_shared_key "/etc/racoon/psk.txt" ;
log debug;

listen {
        isakmp 24.64.116.36 [500];
        isakmp_natt 24.64.116.36 [4500];
}

timer {
        natt_keepalive 20 sec;
}

remote 69.46.x.x {
        exchange_mode aggressive ;
        my_identifier user_fqdn "ru...@mc..." ;
        peers_identifier user_fqdn "ru...@gu..." ;
        lifetime time 24 hour ;
        doi ipsec_doi ;
        situation identity_only ;
        initial_contact on ;
        nat_traversal force ;
        generate_policy on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

remote anonymous {
        exchange_mode aggressive ;      # exchange_mode main, aggressive, base ;
        my_identifier user_fqdn "ru...@mc..." ;
        lifetime time 24 hour ;
        doi ipsec_doi ;
        situation identity_only ;
        initial_contact on ;
        nat_traversal force ;
        generate_policy on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous {
        pfs_group 2;
        lifetime time 2 min ;
        encryption_algorithm 3des, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

-------------------------- Linux right-side endpoint --------------------------

# $KAME: racoon.conf,v 1.28 2002/10/18 14:33:28 itojun Exp $

path pre_shared_key "/etc/racoon/psk.txt" ;
log debug;

listen {
        isakmp 24.64.116.36 [500];
        isakmp_natt 24.64.116.36 [4500];
}

timer {
        natt_keepalive 20 sec;
}

remote 69.46.x.x {
        exchange_mode aggressive ;
        my_identifier user_fqdn "ru...@mc..." ;
        peers_identifier user_fqdn "ru...@gu..." ;
        lifetime time 24 hour ;
        doi ipsec_doi ;
        situation identity_only ;
        initial_contact on ;
        nat_traversal force ;
        generate_policy on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

remote anonymous {
        exchange_mode aggressive ;      # exchange_mode main, aggressive, base ;
        my_identifier user_fqdn "ru...@mc..." ;
        lifetime time 24 hour ;
        doi ipsec_doi ;
        situation identity_only ;
        initial_contact on ;
        nat_traversal force ;
        generate_policy on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous {
        pfs_group 2;
        lifetime time 2 min ;
        encryption_algorithm 3des, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

Any help is appreciated.

Thanks

Russell McConnachie
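For anyone triaging a racoon log like the one in this post, here is an added Python helper (not from the post and not part of ipsec-tools) that expands syslog's "last message repeated N times", counts racoon's phase 1 / phase 2 messages and pulls out the initiator cookies of the timed-out phase 1 SAs. The sample lines are constructed from the message shapes in the post; the "ISAKMP-SA established" pattern is racoon's normal success message, which never appears in this log.

```python
import re
# Constructed sample in the shape of the post's log: one attempt, not the full session.
SAMPLE_LOG = """\
Jul 11 13:33:17 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:33:17 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:33:37 tungsten last message repeated 2 times
Jul 11 13:33:48 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:34:17 tungsten racoon: ERROR: phase1 negotiation failed due to time up. a1aebd9a9fa1fd8f:0000000000000000
"""

REPEAT_RE = re.compile(r"last message repeated (\d+) times")
PATTERNS = {
    "phase1_initiated": re.compile(r"initiate new phase 1 negotiation"),
    "payload_rejected": re.compile(r"reject the packet, received unexpecting payload type (\d+)"),
    "phase2_timeout": re.compile(r"phase2 negotiation failed due to time up waiting for phase1"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):"),
    "phase1_established": re.compile(r"ISAKMP-SA established"),  # racoon's success line
}

def expand_repeats(lines):
    """Yield every message, replaying the previous one for each 'repeated N times'."""
    prev = None
    for line in lines:
        m = REPEAT_RE.search(line)
        if m and prev is not None:
            yield from [prev] * int(m.group(1))
        else:
            prev = line
            yield line

def summarize(log_text):
    """Count events per pattern and collect each pattern's captured groups."""
    s = {name: 0 for name in PATTERNS}
    s["captured"] = {name: [] for name in PATTERNS}  # cookies, payload types
    for msg in expand_repeats(log_text.splitlines()):
        for name, pat in PATTERNS.items():
            m = pat.search(msg)
            if m:
                s[name] += 1
                s["captured"][name].extend(m.groups())
    return s

def diagnose(s):
    """One-line reading of the counts: did phase 1 ever get a usable reply?"""
    if s["phase1_established"] or not s["phase1_initiated"]:
        return "phase 1 SA established" if s["phase1_established"] else "no phase 1 attempt in log"
    types = sorted(set(s["captured"]["payload_rejected"]))
    return (f"no phase 1 SA; inbound packets rejected with payload types {types}"
            if types else "no phase 1 SA and no inbound packet seen")
```

Run against the post's full log the counts show every attempt ending the same way: the only packets racoon receives from the peer are rejected before phase 1 can advance, which is the observation to take to a packet capture on UDP 500/4500.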