[Ipsec-tools-devel] Mail ok? - Racoon keeps re-negotiating phase 2 SAs every time a packet is sent
From: Daniel Z. (A.P.E. IT-S. - H. & S. Development)
<D.Z...@ap...> - 2009-12-21 10:01:11
Hi, sorry for posting this on the devel list as well, but the users list seems to be overwhelmed with spam and therefore maybe not read by many people.

We use two routers running NetBSD 5-release to tunnel traffic between two LANs in tunnel mode. We've recently patched racoon on both systems to the state of NetBSD-current as of 2009-12-14. Since then our IPsec connection doesn't work anymore (racoon.conf and the SPs from ipsec.conf are unchanged). We already tried using main mode instead of aggressive mode, with no success. We face the same problem as was already described here [1], despite the fact that we're not using NAT-T yet.

When initiating IPsec by pinging from one LAN to the other, phase 1 completes successfully and phase 2 seems to come up as well, but no packets are sent through the tunnel, and after a certain time new phase 2 SAs are established for the same connections. This goes on for all further attempts, resulting in a rapidly growing number of phase 2 SAs for each direction on each router (all have state=mature). When shutting down racoon on one router, the remote router only deletes its outgoing phase 2 SAs, but not its incoming ones.

The unpatched racoon implementation worked with the same setup. Reverting to that version is no option for us, as we will need racoon's feature of specifying the "remote" sections using something other than the remote peer's IP address (which is not implemented in the version shipped with NetBSD 5-release).

Has anyone else had a similar problem and maybe a solution? Any hints would be appreciated!
Kind regards - Daniel

[1] http://sourceforge.net/mailarchive/message.php?msg_id=20090725215420.GA3745%40internode.on.net

Messages on responder (main-mode, correct SPs were read from ipsec.conf):
==========================
Dec 20 20:45:50 vpngw-responder racoon: INFO: respond new phase 1 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:45:50 vpngw-responder racoon: INFO: begin Identity Protection mode.
Dec 20 20:45:50 vpngw-responder racoon: INFO: received Vendor ID: DPD
Dec 20 20:45:50 vpngw-responder racoon: INFO: ISAKMP-SA established 10.11.11.1[500]-10.11.11.2[500] spi:8f1ce20a7266b68e:ac518daaae027033
Dec 20 20:45:50 vpngw-responder racoon: INFO: received INITIAL-CONTACT
Dec 20 20:45:51 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:45:51 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=3638025(0x378309)
Dec 20 20:45:51 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=171616900(0xa3aaa84)
Dec 20 20:46:03 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:46:03 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=67231461(0x401dee5)
Dec 20 20:46:03 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=12517706(0xbf014a)
Dec 20 20:46:15 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:46:15 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=268430061(0xfffeaed)
Dec 20 20:46:15 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=100427072(0x5fc6540)

Messages on responder (main-mode, SPs are generated):
==========================
Dec 20 20:56:03 vpngw-responder racoon: INFO: respond new phase 1 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:56:03 vpngw-responder racoon: INFO: begin Identity Protection mode.
Dec 20 20:56:03 vpngw-responder racoon: INFO: received Vendor ID: DPD
Dec 20 20:56:04 vpngw-responder racoon: INFO: ISAKMP-SA established 10.11.11.1[500]-10.11.11.2[500] spi:91e584adc35527e3:cfdf32fce1d8d162
Dec 20 20:56:04 vpngw-responder racoon: INFO: received INITIAL-CONTACT
Dec 20 20:56:04 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:56:04 vpngw-responder racoon: INFO: no policy found, try to generate the policy : 192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in
Dec 20 20:56:05 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=183003571(0xae869b3)
Dec 20 20:56:05 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=126574819(0x78b60e3)
Dec 20 20:56:05 vpngw-responder racoon: ERROR: such policy does not already exist: "192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in"
Dec 20 20:56:05 vpngw-responder racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.11.0/24[0] proto=any dir=out"
Dec 20 20:56:16 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:56:16 vpngw-responder racoon: INFO: Update the generated policy : 192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in
Dec 20 20:56:16 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=91343079(0x571c8e7)
Dec 20 20:56:16 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=88881718(0x54c3a36)
Dec 20 20:56:16 vpngw-responder racoon: ERROR: such policy does not already exist: "192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in"
Dec 20 20:56:16 vpngw-responder racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.11.0/24[0] proto=any dir=out"
Dec 20 20:56:28 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:56:28 vpngw-responder racoon: INFO: Update the generated policy : 192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in
Dec 20 20:56:28 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=222250519(0xd3f4617)
Dec 20 20:56:28 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=32618639(0x1f1b88f)
Dec 20 20:56:28 vpngw-responder racoon: ERROR: such policy does not already exist: "192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in"
Dec 20 20:56:28 vpngw-responder racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.11.0/24[0] proto=any dir=out"

Our current racoon.conf files:

Initiator-side:
=======================
path pre_shared_key "/etc/racoon/psk.txt" ;

remote anonymous {
        exchange_mode main;
        lifetime time 1 hour ;  # sec,min,hour
        initial_contact on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# phase 2 proposal (for IPsec SA).
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm aes ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

Responder-side:
======================
path pre_shared_key "/etc/racoon/psk.txt" ;

remote anonymous {
        exchange_mode aggressive,main,base;
        lifetime time 1 hour;  # sec,min,hour
        initial_contact off;
        passive on;
        generate_policy on;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal_check strict;
}

# phase 2 proposal (for IPsec SA).
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

A.P.E. GmbH Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Phone +49 (941) 78385-460
Fax +49 (941) 78385-150
D.Z...@ap...
http://www.ape-net.com
_______________________________________
A.P.E. GmbH IT-Security
Registered office: Regensburg
Commercial register: HRB 5953, Regensburg
Managing director: Dr. Dieter Steiner
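The symptom described in the post (a fresh phase 2 negotiation for the same peer pair every few seconds, each leaving another pair of mature SAs behind, plus the generate_policy errors) is easy to miss when scrolling through syslog. The following Python 3 script is an added example, not code from the post or from ipsec-tools: it parses racoon log lines in the format quoted above and flags a peer pair whose phase 2 negotiations repeat far faster than the configured SA lifetime allows. SAMPLE_LOG is constructed from the post's own lines; the 60 second window and the threshold of two negotiations per window are assumed values, chosen to sit well below the one-hour lifetime in the racoon.conf shown.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, taken from the racoon log lines quoted in the post above.
SAMPLE_LOG = """\
Dec 20 20:45:50 vpngw-responder racoon: INFO: ISAKMP-SA established 10.11.11.1[500]-10.11.11.2[500] spi:8f1ce20a7266b68e:ac518daaae027033
Dec 20 20:45:51 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:45:51 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=3638025(0x378309)
Dec 20 20:45:51 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=171616900(0xa3aaa84)
Dec 20 20:46:03 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:46:03 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=67231461(0x401dee5)
Dec 20 20:46:03 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=12517706(0xbf014a)
Dec 20 20:46:15 vpngw-responder racoon: INFO: respond new phase 2 negotiation: 10.11.11.1[500]<=>10.11.11.2[500]
Dec 20 20:46:15 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=268430061(0xfffeaed)
Dec 20 20:46:15 vpngw-responder racoon: INFO: IPsec-SA established: ESP/Tunnel 10.11.11.1[500]->10.11.11.2[500] spi=100427072(0x5fc6540)
Dec 20 20:56:05 vpngw-responder racoon: ERROR: such policy does not already exist: "192.168.11.0/24[0] 0.0.0.0/0[0] proto=any dir=in"
"""

# Syslog timestamp as racoon's messages are written by syslogd ("Dec 20 20:45:51").
TS = r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
PHASE2_RE = re.compile(TS + r" \S+ racoon: INFO: respond new phase 2 negotiation: (\S+)<=>(\S+)")
SA_RE = re.compile(TS + r" \S+ racoon: INFO: IPsec-SA established: \S+ (\S+)->(\S+) spi=(\d+)")
POLICY_ERR_RE = re.compile(r'racoon: ERROR: such policy does not already exist: "([^"]+)"')


def parse_ts(text):
    """Syslog timestamps carry no year; only the differences between them are used."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze(log_text, window_seconds=60, max_negotiations=2):
    """Return phase 2 churn per peer pair, SA/SPI counts and generate_policy errors.

    A peer pair is flagged when more than max_negotiations phase 2 negotiations for
    it start inside any interval of window_seconds. Both thresholds are assumed
    values; keep them well below the configured SA lifetime (1 hour in the post).
    """
    negotiations = defaultdict(list)
    spis = []
    policy_errors = []
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m:
            negotiations[(m.group(2), m.group(3))].append(parse_ts(m.group(1)))
            continue
        m = SA_RE.search(line)
        if m:
            spis.append(int(m.group(4)))
            continue
        m = POLICY_ERR_RE.search(line)
        if m:
            policy_errors.append(m.group(1))

    churn = {}
    for pair, times in negotiations.items():
        times.sort()
        # Sliding window: compare each negotiation with the one max_negotiations later;
        # if they are closer than the window, the pair is renegotiating too often.
        for i in range(len(times) - max_negotiations):
            if (times[i + max_negotiations] - times[i]).total_seconds() <= window_seconds:
                churn[pair] = {
                    "negotiations": len(times),
                    "span_seconds": (times[-1] - times[0]).total_seconds(),
                }
                break
    return {
        "churn": churn,
        "sa_count": len(spis),
        # Every renegotiation adds new SPIs while the old SAs stay mature, so the
        # distinct SPI count grows with the churn instead of staying at one pair.
        "distinct_spis": len(set(spis)),
        "policy_errors": policy_errors,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for pair, info in report["churn"].items():
        print(f"phase 2 churn {pair[0]} <=> {pair[1]}: {info['negotiations']} negotiations "
              f"in {info['span_seconds']:.0f}s")
    print(f"{report['sa_count']} IPsec-SAs established ({report['distinct_spis']} distinct SPIs)")
    for err in report["policy_errors"]:
        print("generate_policy error:", err)
```

Run it against /var/log/messages (or whatever syslog facility racoon logs to) by passing the file contents to analyze(); a healthy tunnel shows one negotiation per peer pair per lifetime, whereas the post's log produces three negotiations in 24 seconds and six distinct SPIs for a single pair. The policy-error list separates the second failure mode in the post, where generate_policy repeatedly fails to update the SPD entry it created, from the renegotiation loop itself.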