[Ipsec-tools-devel] Cisco + XAUTH + pre-shared key + rekey + aggressive mode = fails
From: Andrew C. <And...@ma...> - 2011-03-18 04:10:57
Hello,

We are currently using openswan and looking to migrate to ipsec-tools/racoon for our future IPsec implementation. Our current configuration, as the subject points out, needs some refinement (certificates), but it is a good starting point. In our tests so far, racoon establishes to a Cisco IOS router and phase 1 + modecfg + phase 2 connect as planned. After the lifetime on phase 2 expires, another phase 2 session is established. The problem we are having is that when the lifetime on phase 1 expires, the connection is dropped.

Linux debian 2.6.33.2-1.0.2-vs #3 Tue Mar 1 00:45:58 EST 2011 armv4tl GNU/Linux
@(#)ipsec-tools 0.8.0.RC

Any help would be much appreciated. The last few lines of the log file are below.

Thanks,
Andrew Campbell

2011-03-17 10:10:28: INFO: Flushing all SAs for peer 113.192.10.21
2011-03-17 10:10:28: DEBUG2: getph1: start
2011-03-17 10:10:28: DEBUG2: local: (null)
2011-03-17 10:10:28: DEBUG2: remote: 113.192.10.21[0]
2011-03-17 10:10:28: DEBUG2: p->local: 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG2: p->remote: 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG2: matched
2011-03-17 10:10:28: DEBUG: compute IV for phase2
2011-03-17 10:10:28: DEBUG: phase1 last IV:
2011-03-17 10:10:28: DEBUG: 2804fc27 dfe59d29 8421d908
2011-03-17 10:10:28: DEBUG: hash(sha1)
2011-03-17 10:10:28: DEBUG: encryption(3des)
2011-03-17 10:10:28: DEBUG: phase2 IV computed:
2011-03-17 10:10:28: DEBUG: 443a6aa2 26632dbf
2011-03-17 10:10:28: DEBUG: HASH with:
2011-03-17 10:10:28: DEBUG: 8421d908 0000001c 00000001 01100001 96ad5eca a7b714e6 87ce6b53 5d3d0279
2011-03-17 10:10:28: DEBUG: hmac(hmac_sha1)
2011-03-17 10:10:28: DEBUG: HASH computed:
2011-03-17 10:10:28: DEBUG: af804b96 4e90577f 9f4a335c 3fd61615 7ecb234b
2011-03-17 10:10:28: DEBUG: begin encryption.
2011-03-17 10:10:28: DEBUG: encryption(3des)
2011-03-17 10:10:28: DEBUG: pad length = 4
2011-03-17 10:10:28: DEBUG: 0c000018 af804b96 4e90577f 9f4a335c 3fd61615 7ecb234b 0000001c 00000001 01100001 96ad5eca a7b714e6 87ce6b53 5d3d0279 00000004
2011-03-17 10:10:28: DEBUG: encryption(3des)
2011-03-17 10:10:28: DEBUG: with key:
2011-03-17 10:10:28: DEBUG: 0cb50591 cc09708a 25c9d12f ad301845 1d7c7a38 bbc9d86c
2011-03-17 10:10:28: DEBUG: encrypted payload by IV:
2011-03-17 10:10:28: DEBUG: 443a6aa2 26632dbf
2011-03-17 10:10:28: DEBUG: save IV for next:
2011-03-17 10:10:28: DEBUG: 08a7e2f5 b3f40bfd
2011-03-17 10:10:28: DEBUG: encrypted.
2011-03-17 10:10:28: DEBUG: Adding NON-ESP marker
2011-03-17 10:10:28: DEBUG: 88 bytes from 192.168.254.200[4500] to 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG: sockname 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG: send packet from 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG: send packet to 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG: src4 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG: dst4 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG: 1 times of 88 bytes message will be sent to 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG: 00000000 96ad5eca a7b714e6 87ce6b53 5d3d0279 08100501 8421d908 00000054 0867ecbe e5e39999 bb2b0d0b dc54fb98 016f34d6 f4b33eeb f5fdfaae 45b7dca8 e901c979 8c3a2963 6d38a01b dd422023 08a7e2f5 b3f40bfd
2011-03-17 10:10:28: DEBUG: sendto Information delete.
2011-03-17 10:10:28: DEBUG: IV freed
2011-03-17 10:10:28: INFO: purging ISAKMP-SA spi=96ad5ecaa7b714e6:87ce6b535d3d0279:0000461e.
2011-03-17 10:10:28: DEBUG2: getph1: start
2011-03-17 10:10:28: DEBUG2: local: 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG2: remote: 113.192.10.21[4500]
2011-03-17 10:10:28: DEBUG2: no match
2011-03-17 10:10:28: DEBUG: call pfkey_send_dump
2011-03-17 10:10:28: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:28: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:28: DEBUG: IV freed
2011-03-17 10:10:28: INFO: purged IPsec-SA spi=2716136441.
2011-03-17 10:10:28: INFO: purged IPsec-SA spi=5565255.
2011-03-17 10:10:28: INFO: purged ISAKMP-SA spi=96ad5ecaa7b714e6:87ce6b535d3d0279:0000461e.
2011-03-17 10:10:28: DEBUG2: getph1: start
2011-03-17 10:10:28: DEBUG2: local: (null)
2011-03-17 10:10:28: DEBUG2: remote: 113.192.10.21[0]
2011-03-17 10:10:28: DEBUG2: no match
2011-03-17 10:10:28: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:28: DEBUG: got pfkey DELETE message
2011-03-17 10:10:28: DEBUG2: 02040003 26000000 00000000 00620000 02000100 a1e4f3f9 04030303 00000000 04000300 00000000 00000000 00000000 100e0000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 400b0000 00000000 00000000 00000000 04000200 66010000 78750000 00000000 2940814d 00000000 2a40814d 00000000 03000500 00200000 02000000 c0a8fec8 00000000 00000000 03000600 00200000 02000000 71c00a15 00000000 00000000 03000700 ff000000 02000000 00000000 00000000 00000000 04000800 a0000000 e25ccb96 eb340237 8e0cede2 4a6b4fce 0c0b8684 00000000 04000900 c0000000 49c32e1f bd42e44f 806113ce 4042914a 5c7de603 65a1232f 02001300 02000000 00000000 00000000 01001400 02000000 01001500 11940000 01001600 11940000
2011-03-17 10:10:28: DEBUG: DELETE message is not interesting because the message was originated by me.
2011-03-17 10:10:28: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:28: DEBUG: got pfkey DELETE message
2011-03-17 10:10:28: DEBUG2: 02040003 26000000 00000000 00620000 02000100 0054eb47 04030303 00000000 04000300 00000000 00000000 00000000 100e0000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 400b0000 00000000 00000000 00000000 04000200 66010000 78750000 00000000 2940814d 00000000 2a40814d 00000000 03000500 00200000 02000000 71c00a15 00000000 00000000 03000600 00200000 02000000 c0a8fec8 00000000 00000000 03000700 ff000000 02000000 00000000 00000000 00000000 04000800 a0000000 70101bc8 6d2b0b21 2b137e80 6904b766 2bba9075 00000000 04000900 c0000000 d47b7448 d1523fab 71852e73 38b96cd6 1f665ad7 d133ffcb 02001300 02000000 00000000 00000000 01001400 02000000 01001500 11940000 01001600 11940000
2011-03-17 10:10:28: DEBUG: DELETE message is not interesting because the message was originated by me.
2011-03-17 10:10:28: DEBUG: ===
2011-03-17 10:10:28: DEBUG: 84 bytes message received from 113.192.10.21[4500] to 192.168.254.200[4500]
2011-03-17 10:10:28: DEBUG: 96ad5eca a7b714e6 87ce6b53 5d3d0279 08100501 8a0bdbbf 00000054 4eda80fd 0d54d8ec 357e4f25 de81ee7e 5e750555 1dca939c a1e80f93 f4a1cad7 6b60e203 8bfc4adc 1ded3e05 6018545e e9581626 3e849ea0
2011-03-17 10:10:28: [113.192.10.21] ERROR: unknown Informational exchange received.
2011-03-17 10:10:29: DEBUG2: getph1: start
2011-03-17 10:10:29: DEBUG2: local: 192.168.254.200[4500]
2011-03-17 10:10:29: DEBUG2: remote: 113.192.10.21[4500]
2011-03-17 10:10:29: DEBUG2: no match
2011-03-17 10:10:29: INFO: ISAKMP-SA deleted 192.168.254.200[4500]-113.192.10.21[4500] spi:96ad5ecaa7b714e6:87ce6b535d3d0279
2011-03-17 10:10:29: DEBUG: Starting a script.
2011-03-17 10:10:29: INFO: KA remove: 192.168.254.200[4500]->113.192.10.21[4500]
2011-03-17 10:10:29: DEBUG: KA tree dump: 192.168.254.200[4500]->113.192.10.21[4500] (in_use=1)
2011-03-17 10:10:29: DEBUG: KA removing this one...
2011-03-17 10:10:29: DEBUG: IV freed
2011-03-17 10:10:30: DEBUG: Netlink: address 172.16.15.10 deleted
2011-03-17 10:10:30: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:30: DEBUG: got pfkey FLUSH message
2011-03-17 10:10:30: DEBUG2: 02090000 02000000 00000000 4c670000
2011-03-17 10:10:30: DEBUG2: flushing all ph2 handlers...
2011-03-17 10:10:32: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:32: DEBUG: got pfkey REGISTER message
2011-03-17 10:10:32: DEBUG2: 02070000 0e000000 00000000 4e670000 07000e00 fe02fd01 02008000 80000000 0300a000 a0000000 05000001 00010000 06008001 80010000 07000002 00020000 09008000 80000000 05000f00 00000000 02084000 40000000 0308c000 c0000000 07082800 c0010000 0c088000 00010000
2011-03-17 10:10:32: INFO: unsupported PF_KEY message REGISTER
2011-03-17 10:10:32: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:32: DEBUG: got pfkey X_SPDDELETE message
2011-03-17 10:10:32: DEBUG2: 020f0000 1c000300 00000000 4e670000 03000500 ff200000 02000000 ac100f0a 00000000 00000000 03000600 ff080000 02000000 0a000000 00000000 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000200 00000000 00000000 00000000 2340814d 00000000 3142814d 00000000 08001200 02000200 e1050000 00000080 30003200 02020000 00000000 00000000 02000000 c0a8fec8 00000000 00000000 02000000 71c00a15 00000000 00000000
2011-03-17 10:10:32: DEBUG: sub:0xbebfc508: 172.16.15.10/32[0] 10.0.0.0/8[0] proto=any dir=out
2011-03-17 10:10:32: DEBUG: db :0xa2be0: 172.16.15.10/32[0] 10.0.0.0/8[0] proto=any dir=out
2011-03-17 10:10:32: DEBUG: pk_recv: retry[0] recv()
2011-03-17 10:10:32: DEBUG: got pfkey X_SPDDELETE message
2011-03-17 10:10:32: DEBUG2: 020f0000 1c000200 00000000 4e670000 03000500 ff080000 02000000 0a000000 00000000 00000000 03000600 ff200000 02000000 ac100f0a 00000000 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000200 00000000 00000000 00000000 2340814d 00000000 3142814d 00000000 08001200 02000100 e8050000 00000080 30003200 02020000 00000000 00000000 02000000 71c00a15 00000000 00000000 02000000 c0a8fec8 00000000 00000000
2011-03-17 10:10:32: DEBUG: sub:0xbebfc508: 10.0.0.0/8[0] 172.16.15.10/32[0] proto=any dir=in
2011-03-17 10:10:32: DEBUG: db :0xa3810: 10.0.0.0/8[0] 172.16.15.10/32[0] proto=any dir=in
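Reading a racoon debug log like the one above by eye is slow, because the handful of SA lifecycle lines (flush, purge, ISAKMP-SA deleted, the modecfg address being dropped, the SPD entries going away) are buried between DEBUG2 hex dumps. The filter below is an added example and is not code from the original post or from the ipsec-tools project: it parses racoon's "<date> <time>: [<peer>] <LEVEL>: <message>" format, keeps only the lifecycle events, and reports whether any new phase 1 negotiation was started after the ISAKMP-SA was deleted. The sample lines are copied from the log above with the hex dumps left out. The strings matched are the ones that appear in that log; the two extra markers, "initiate new phase 1 negotiation" and "ISAKMP-SA established", are assumed here to be what racoon prints when it rebuilds phase 1 and are the only strings not taken from the post.

```python
"""Condense a racoon (ipsec-tools) debug log to the SA lifecycle events that
matter when a tunnel drops at phase 1 expiry, then check whether a new
phase 1 was ever started afterwards."""
import re
from datetime import datetime

# racoon log line: "<date> <time>: [<peer>] <LEVEL>: <message>"; the [peer] tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?:\[(?P<peer>[^\]]+)\] )?"
    r"(?P<level>[A-Z0-9]+): (?P<msg>.*)$"
)

# Messages worth keeping. All but the last two appear in the log in the post;
# the last two are ASSUMED to be racoon's wording when it rebuilds phase 1.
EVENT_PATTERNS = [
    ("flush",           re.compile(r"Flushing all SAs for peer (?P<peer>\S+)")),
    ("purge_isakmp",    re.compile(r"purging ISAKMP-SA spi=(?P<spi>\S+)\.")),
    ("purged_ipsec",    re.compile(r"purged IPsec-SA spi=(?P<spi>\d+)\.")),
    ("purged_isakmp",   re.compile(r"purged ISAKMP-SA spi=(?P<spi>\S+)\.")),
    ("bad_info_exch",   re.compile(r"unknown Informational exchange received")),
    ("isakmp_deleted",  re.compile(r"ISAKMP-SA deleted (?P<local>\S+)-(?P<remote>\S+) spi:(?P<spi>\S+)")),
    ("ka_removed",      re.compile(r"KA remove: (?P<pair>\S+)")),
    ("addr_deleted",    re.compile(r"Netlink: address (?P<addr>\S+) deleted")),
    ("spd_deleted",     re.compile(r"got pfkey X_SPDDELETE message")),
    ("ph1_initiate",    re.compile(r"initiate new phase 1 negotiation")),
    ("ph1_established", re.compile(r"ISAKMP-SA established")),
]


def parse_line(line):
    """Return (datetime, peer-or-None, level, message) or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("peer"), m.group("level"), m.group("msg")


def lifecycle_events(lines):
    """Drop the DEBUG noise; keep SA lifecycle events as (ts, kind, fields)."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, peer, level, msg = parsed
        for kind, pat in EVENT_PATTERNS:
            m = pat.search(msg)
            if m:
                fields = m.groupdict()
                if peer:                      # the "[addr] ERROR:" tag names the peer
                    fields["peer"] = peer
                events.append((ts, kind, fields))
                break
    return events


def phase1_recovered(events):
    """True if a new phase 1 was started or completed after the last ISAKMP-SA deletion."""
    deletions = [i for i, (_, kind, _) in enumerate(events) if kind == "isakmp_deleted"]
    if not deletions:
        return True                           # nothing was torn down
    tail = events[deletions[-1] + 1:]
    return any(kind in ("ph1_initiate", "ph1_established") for _, kind, _ in tail)


def teardown_seconds(events):
    """Wall-clock span from the first kept event to the last one."""
    if not events:
        return 0.0
    return (events[-1][0] - events[0][0]).total_seconds()


def report(events):
    """One line per lifecycle event plus a verdict on phase 1 recovery."""
    out = []
    for ts, kind, fields in events:
        detail = " ".join(f"{k}={v}" for k, v in fields.items() if v)
        out.append(f"{ts:%H:%M:%S} {kind:<16} {detail}")
    verdict = ("phase 1 rebuilt" if phase1_recovered(events)
               else "NO phase 1 re-negotiation seen after ISAKMP-SA deletion")
    out.append(f"-- {verdict}; kept events span {teardown_seconds(events):.0f}s")
    return "\n".join(out)


# Sample input: lines copied from the post's log, hex dumps omitted.
SAMPLE_LOG = """\
2011-03-17 10:10:28: INFO: Flushing all SAs for peer 113.192.10.21
2011-03-17 10:10:28: DEBUG2: getph1: start
2011-03-17 10:10:28: DEBUG: 88 bytes from 192.168.254.200[4500] to 113.192.10.21[4500]
2011-03-17 10:10:28: INFO: purging ISAKMP-SA spi=96ad5ecaa7b714e6:87ce6b535d3d0279:0000461e.
2011-03-17 10:10:28: INFO: purged IPsec-SA spi=2716136441.
2011-03-17 10:10:28: INFO: purged IPsec-SA spi=5565255.
2011-03-17 10:10:28: INFO: purged ISAKMP-SA spi=96ad5ecaa7b714e6:87ce6b535d3d0279:0000461e.
2011-03-17 10:10:28: [113.192.10.21] ERROR: unknown Informational exchange received.
2011-03-17 10:10:29: INFO: ISAKMP-SA deleted 192.168.254.200[4500]-113.192.10.21[4500] spi:96ad5ecaa7b714e6:87ce6b535d3d0279
2011-03-17 10:10:29: INFO: KA remove: 192.168.254.200[4500]->113.192.10.21[4500]
2011-03-17 10:10:30: DEBUG: Netlink: address 172.16.15.10 deleted
2011-03-17 10:10:32: DEBUG: got pfkey X_SPDDELETE message
2011-03-17 10:10:32: DEBUG: got pfkey X_SPDDELETE message
"""

if __name__ == "__main__":
    print(report(lifecycle_events(SAMPLE_LOG.splitlines())))
```

Run against the full log rather than the excerpt (`python3 racoon_lifecycle.py < racoon.log`, after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`) and the useful signal is the verdict line: if the phase 1 lifetime really is what triggers the drop, the deletion will be followed by the modecfg address and SPD entries disappearing and by no new phase 1 attempt, which is exactly the shape of the excerpt above.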