Re: [Ipsec-tools-users] Failure matching sainfo when PFS is not configured

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thursday 13 Feb 2014 00:18:22 Melissa Jenkins wrote:
> > Fair enough.  From what you shared there is a "remoteid mismatch: 0 != 1"
> > reported, which says that the remote end is not sending the id requested
> > from your local peer.  Have you tried increasing the verbosity of the
> > log and also have a look at the remote peer's logs?
> > 
> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo:
> >> loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0 Feb 11 06:45:30
> >> bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
> 
> Yup - that’s because the ANONYMOUS sainfo doesn’t match because of the peer
> id.  As I don’t want it to match this isn’t actually a problem :)

OK, I don't know your full topology or how the remote peer is configured, so I 
am getting confused here.  Please ignore my suggestion if not relevant.

> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo:
> >> loc=‘192.168.0.0/24', rmt=‘192.168.1.0/24', peer='ANY', id=1 Feb 11
> >> 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id
> >> mismatch 0 != 47
> 
> This is the one that should match that isn’t :(

Did you try offering both 3des and aes, but listing aes first?  If the remote 
peer wants aes then it should respond to this first.

> Unfortunately I am unable to get access to the remote log - I am currently
> logging at DEBUG and I don’t really want to increase this as it has a
> negative impact on a lot of other IPsecs!

Right, but I was just saying add a -ddd when you launch a racoon session to 
find out what is happening in more detail, only for a short period of time.

> I shall see if I can reproduce with a ipsec-tools to ipsec-tools
> configuration.
> 
> 
> On 13 Feb 2014, at 12:57, Mick <michaelkint
> 
> > Alternatively, you may want to try posting at the ipsec-tools-devel list
> > in case you have come across a bug.
> 
> Attached original mail below and copied
> 
> 
> 
> Thanks!
> Mel
> 
> Begin forwarded message:
> > From: Melissa Jenkins <mel...@li...>
> > Subject: [Ipsec-tools-users] Failure matching sainfo when PFS is not
> > configured Date: 11 February 2014 20:27:35 GMT+13
> > To: "ips...@li..."
> > <ips...@li...>
> > 
> > I’ve been trying to configure ipsec-tools to talk to a peer that prefers
> > not to use PFS.  Our default configuration uses 3DES, but this specific
> > VPN needs to be configured using AES256.
> > 
> > I have confirmed that AES256 works correctly and when configured as the
> > default the IPsec will establish.
> > 
> > If the AES256 setting is configured using a ‘sainfo’ specific for that
> > IPSec it will only work if pfs_group is configured.
> > 
> > Without configuring pfs_group I always get the following logging.  It
> > then proceeds to fail to match the PH2 proposed as it is using 3DES
> > rather than the sainfo specified AES256.
> > 
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: getsainfo params:
> > loc=‘192.168.0.0/24' rmt=‘192.168.1.0/24' peer=‘xxx.yyy.zzz.aaa'
> > client='NULL' id=1 Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating
> > sainfo: loc=‘192.168.0.0/24', rmt=‘192.168.1.0/24', peer='ANY', id=1 Feb
> > 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id
> > mismatch 0 != 47 Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating
> > sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0 Feb 11
> > 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
> > 
> > I am using 8.0 rev 2 on FreeBSD 8.3.  I can’t see anything in the change
> > log to suggest this would be different in later versions. I’ve had a
> > peek in the code but I can’t see why setting PFS would change this
> > situation.
> > 
> > Thanks,
> > Mel
> > 
> > remote xxx.yyy.zzz.aaa
> > {
> > 
> >        exchange_mode main;
> >        doi ipsec_doi;
> >        situation identity_only;
> >        nonce_size 16;
> >        initial_contact on;
> >        proposal_check obey;
> >        dpd_delay 120;
> >        ph1id 1;
> >        
> >        proposal {
> >        
> >                encryption_algorithm aes 256;
> >                hash_algorithm sha1;
> >                authentication_method pre_shared_key;
> >                dh_group modp1024;
> >                lifetime time 7200 seconds;
> >        
> >        }
> > 
> > }
> > 
> > sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any
> > {
> > 
> >        remoteid 1;
> >        encryption_algorithm aes 256;
> >        authentication_algorithm hmac_sha1;
> >        compression_algorithm deflate;
> >        lifetime time 3600 seconds;
> > 
> > }

-- 
Regards,
Mick