From: Benjamin N. <Ben...@li...> - 2004-04-29 06:13:37

Hello,

Since upgrading from 0.2.4 to 0.3[.1] my SPD entries aren't being preserved on the server (or "responder"). The SPD entries are added correctly when it first connects, but as soon as it expires the initial SAs, they get removed. Anybody have any ideas?

Additional info follows:

X-------------------X - - - - - - - - - - - - - - - X
192.168.123.178     gateway/router/NAT              vpnserver
vpnclient           (IPSec passthrough)

vpnserver log:

# racoon -F
Foreground mode.
2004-04-29 00:51:28: INFO: @(#)ipsec-tools 0.3 (http://ipsec-tools.sourceforge.net)
2004-04-29 00:51:28: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2004-04-29 00:51:29: INFO: <vpnserver_public_ip>[500] used as isakmp port (fd=6)
2004-04-29 00:52:32: INFO: respond new phase 1 negotiation: <vpnserver_public_ip>[500]<=><gateway_public_ip>[500]
2004-04-29 00:52:32: INFO: begin Identity Protection mode.
2004-04-29 00:52:33: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:<cert>
2004-04-29 00:52:33: INFO: ISAKMP-SA established <vpnserver_public_ip>[500]-<gateway_public_ip>[500] spi:d8814a2d2e4ce280:c79b771fecd460bd
2004-04-29 00:52:34: INFO: respond new phase 2 negotiation: <vpnserver_public_ip>[0]<=><gateway_public_ip>[0]
2004-04-29 00:52:34: INFO: no policy found, try to generate the policy : 192.168.123.178/32[0] <vpnserver_public_ip>/32[0] proto=any dir=in
2004-04-29 00:52:34: INFO: IPsec-SA established: ESP/Tunnel <gateway_public_ip>-><vpnserver_public_ip> spi=259221793(0xf736921)
2004-04-29 00:52:34: INFO: IPsec-SA established: ESP/Tunnel <vpnserver_public_ip>-><gateway_public_ip> spi=162817640(0x9b46668)
2004-04-29 00:52:34: ERROR: such policy does not already exist: 192.168.123.178/32[0] <vpnserver_public_ip>/32[0] proto=any dir=in
2004-04-29 00:52:34: ERROR: such policy does not already exist: <vpnserver_public_ip>/32[0] 192.168.123.178/32[0] proto=any dir=out
2004-04-29 00:56:34: INFO: IPsec-SA expired: ESP/Tunnel <gateway_public_ip>-><vpnserver_public_ip> spi=259221793(0xf736921)
2004-04-29 00:56:34: INFO: IPsec-SA expired: ESP/Tunnel <vpnserver_public_ip>-><gateway_public_ip> spi=162817640(0x9b46668)
2004-04-29 00:56:34: INFO: respond new phase 2 negotiation: <vpnserver_public_ip>[0]<=><gateway_public_ip>[0]
2004-04-29 00:56:34: INFO: IPsec-SA established: ESP/Tunnel <gateway_public_ip>-><vpnserver_public_ip> spi=61745223(0x3ae2847)
2004-04-29 00:56:34: INFO: IPsec-SA established: ESP/Tunnel <vpnserver_public_ip>-><gateway_public_ip> spi=137632060(0x834193c)
2004-04-29 00:57:34: INFO: IPsec-SA expired: ESP/Tunnel <gateway_public_ip>-><vpnserver_public_ip> spi=259221793(0xf736921)
2004-04-29 00:57:34: INFO: IPsec-SA expired: ESP/Tunnel <vpnserver_public_ip>-><gateway_public_ip> spi=162817640(0x9b46668)

setkey -DP looks like this until the "2004-04-29 00:57:34" expire entries:

192.168.123.178[any] <vpnserver_public_ip>[any] any
    in ipsec
    esp/tunnel/<gateway_public_ip>-<vpnserver_public_ip>/require
    created: Apr 29 00:52:34 2004  lastused: Apr 29 00:56:48 2004
    lifetime: 300(s)    validtime: 0(s)
    spid=2848 seq=3 pid=15496
    refcnt=3
<vpnserver_public_ip>[any] 192.168.123.178[any] any
    out ipsec
    esp/tunnel/<vpnserver_public_ip>-<gateway_public_ip>/require
    created: Apr 29 00:52:34 2004  lastused: Apr 29 00:56:48 2004
    lifetime: 300(s)    validtime: 0(s)
    spid=2857 seq=2 pid=15496
    refcnt=3
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in none
    created: Apr 29 00:51:29 2004  lastused: Apr 29 00:56:34 2004
    lifetime: 0(s)    validtime: 0(s)
    spid=2835 seq=1 pid=15496
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out none
    created: Apr 29 00:51:29 2004  lastused: Apr 29 00:56:34 2004
    lifetime: 0(s)    validtime: 0(s)
    spid=2844 seq=0 pid=15496
    refcnt=1

After that they go to:

0.0.0.0/0[any] 0.0.0.0/0[any] any
    in none
    created: Apr 29 00:51:29 2004  lastused: Apr 29 00:56:34 2004
    lifetime: 0(s)    validtime: 0(s)
    spid=2835 seq=1 pid=15496
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out none
    created: Apr 29 00:51:29 2004  lastused: Apr 29 00:56:34 2004
    lifetime: 0(s)    validtime: 0(s)
    spid=2844 seq=0 pid=15496
    refcnt=1

vpnserver's racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp <vpnserver_public_ip>;
}

remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    certificate_type x509 "vpngateway_cert.pem" "vpngateway_key.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 5 minute;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

vpnclient's logs:

[root@localhost racoon]# racoon -F
Foreground mode.
2004-04-29 00:52:22: INFO: @(#)ipsec-tools 0.3 (http://ipsec-tools.sourceforge.net)
2004-04-29 00:52:22: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2004-04-29 00:52:23: ERROR: failed to bind to address fe80::220:78ff:fe03:9bca%253[500] (No such device).
2004-04-29 00:52:23: INFO: ::1[500] used as isakmp port (fd=6)
2004-04-29 00:52:23: INFO: 192.168.123.178[500] used as isakmp port (fd=7)
2004-04-29 00:52:23: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2004-04-29 00:52:26: INFO: IPsec-SA request for <vpnserver_public_ip> queued due to no phase1 found.
2004-04-29 00:52:26: INFO: initiate new phase 1 negotiation: 192.168.123.178[500]<=><vpnserver_public_ip>[500]
2004-04-29 00:52:26: INFO: begin Identity Protection mode.
2004-04-29 00:52:26: WARNING: ID type mismatched.
2004-04-29 00:52:26: WARNING: ID value mismatched.
2004-04-29 00:52:26: INFO: ISAKMP-SA established 192.168.123.178[500]-<vpnserver_public_ip>[500] spi:d8814a2d2e4ce280:c79b771fecd460bd
2004-04-29 00:52:27: INFO: initiate new phase 2 negotiation: 192.168.123.178[0]<=><vpnserver_public_ip>[0]
2004-04-29 00:52:28: INFO: IPsec-SA established: ESP/Tunnel <vpnserver_public_ip>->192.168.123.178 spi=162817640(0x9b46668)
2004-04-29 00:52:28: INFO: IPsec-SA established: ESP/Tunnel 192.168.123.178-><vpnserver_public_ip> spi=259221793(0xf736921)
2004-04-29 00:56:28: INFO: IPsec-SA expired: ESP/Tunnel <vpnserver_public_ip>->192.168.123.178 spi=162817640(0x9b46668)
2004-04-29 00:56:28: INFO: initiate new phase 2 negotiation: 192.168.123.178[0]<=><vpnserver_public_ip>[0]
2004-04-29 00:56:28: INFO: IPsec-SA expired: ESP/Tunnel 192.168.123.178-><vpnserver_public_ip> spi=259221793(0xf736921)
2004-04-29 00:56:28: INFO: IPsec-SA established: ESP/Tunnel <vpnserver_public_ip>->192.168.123.178 spi=137632060(0x834193c)
2004-04-29 00:56:28: INFO: IPsec-SA established: ESP/Tunnel 192.168.123.178-><vpnserver_public_ip> spi=61745223(0x3ae2847)
2004-04-29 00:57:28: INFO: IPsec-SA expired: ESP/Tunnel <vpnserver_public_ip>->192.168.123.178 spi=162817640(0x9b46668)
2004-04-29 00:57:28: INFO: IPsec-SA expired: ESP/Tunnel 192.168.123.178-><vpnserver_public_ip> spi=259221793(0xf736921)

vpnclient's setkey script:

#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.123.178 <vpnserver_public_ip> any -P out ipsec
    esp/tunnel/192.168.123.178-<vpnserver_public_ip>/require;
spdadd <vpnserver_public_ip> 192.168.123.178 any -P in ipsec
    esp/tunnel/<vpnserver_public_ip>-192.168.123.178/require;

vpnclient's racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <vpnserver_public_ip> {
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier fqdn "<vpnserver's hostname>";
    certificate_type x509 "vpnclient_cert.pem" "vpnclient_key.pem";
    peers_certfile "vpngateway_cert.pem";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 5 minute;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
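The two `setkey -DP` dumps and the responder's racoon log in the post can be lined up in time: the policies racoon generated carry `lifetime: 300(s)` while the default policies carry `lifetime: 0(s)`. The script below is an added example, not part of the original post and not ipsec-tools code. It parses a `setkey -DP` dump, computes when each time-limited policy's own lifetime ends (`created` plus `lifetime`), diffs a "before" and "after" dump to find which policies vanished, and reports which `IPsec-SA expired` lines racoon logged at the exact second each vanished policy ran out. The sample dump, the log excerpt and the addresses (203.0.113.10 for the VPN server, 198.51.100.20 for the gateway) are constructed placeholders standing in for the `<..._public_ip>` values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a `setkey -DP` dump in the layout the tool prints (one
# header line per policy, tab-indented detail lines). 203.0.113.10 stands in
# for <vpnserver_public_ip> and 198.51.100.20 for <gateway_public_ip>.
SPD_BEFORE = """\
192.168.123.178[any] 203.0.113.10[any] any
\tin ipsec
\tesp/tunnel/198.51.100.20-203.0.113.10/require
\tcreated: Apr 29 00:52:34 2004  lastused: Apr 29 00:56:48 2004
\tlifetime: 300(s)\tvalidtime: 0(s)
\tspid=2848 seq=3 pid=15496
\trefcnt=3
203.0.113.10[any] 192.168.123.178[any] any
\tout ipsec
\tesp/tunnel/203.0.113.10-198.51.100.20/require
\tcreated: Apr 29 00:52:34 2004  lastused: Apr 29 00:56:48 2004
\tlifetime: 300(s)\tvalidtime: 0(s)
\tspid=2857 seq=2 pid=15496
\trefcnt=3
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tin none
\tcreated: Apr 29 00:51:29 2004  lastused: Apr 29 00:56:34 2004
\tlifetime: 0(s)\tvalidtime: 0(s)
\tspid=2835 seq=1 pid=15496
\trefcnt=1
"""
# Constructed "after" dump: only the default policy survives.
SPD_AFTER = SPD_BEFORE[SPD_BEFORE.index("0.0.0.0/0"):]

# Constructed racoon log excerpt in the same message format as the post.
RACOON_LOG = """\
2004-04-29 00:56:34: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.20->203.0.113.10 spi=259221793(0xf736921)
2004-04-29 00:56:34: INFO: respond new phase 2 negotiation: 203.0.113.10[0]<=>198.51.100.20[0]
2004-04-29 00:57:34: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.20->203.0.113.10 spi=259221793(0xf736921)
2004-04-29 00:57:34: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.10->198.51.100.20 spi=162817640(0x9b46668)
"""

TS_FMT = "%b %d %H:%M:%S %Y"  # setkey's "created:"/"lastused:" timestamp format


def parse_spd(text):
    """Parse a `setkey -DP` dump into a list of policy dicts."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # header: src[port] dst[port] upperspec
            src, dst, upper = raw.split()
            cur = {"src": src, "dst": dst, "upper": upper, "ipsec": []}
            entries.append(cur)
            continue
        line = raw.strip()
        if m := re.fullmatch(r"(in|out|fwd)\s+(\w+)", line):
            cur["dir"], cur["action"] = m.groups()
        elif m := re.fullmatch(r"created:\s+(.+?)\s+lastused:\s+(.+)", line):
            cur["created"] = datetime.strptime(m.group(1), TS_FMT)
            cur["lastused"] = datetime.strptime(m.group(2), TS_FMT)
        elif m := re.fullmatch(r"lifetime:\s+(\d+)\(s\)\s+validtime:\s+(\d+)\(s\)", line):
            cur["lifetime"], cur["validtime"] = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"spid=(\d+)\s+seq=(\d+)\s+pid=(\d+)", line):
            cur["spid"], cur["seq"], cur["pid"] = map(int, m.groups())
        elif m := re.fullmatch(r"refcnt=(\d+)", line):
            cur["refcnt"] = int(m.group(1))
        else:
            cur["ipsec"].append(line)  # e.g. esp/tunnel/A-B/require
    return entries


def expires_at(policy):
    """Absolute end of a time-limited policy; None for a permanent one (lifetime 0)."""
    if policy["lifetime"] == 0:
        return None
    return policy["created"] + timedelta(seconds=policy["lifetime"])


def missing_policies(before, after):
    """Policies present in `before` but absent from `after`, with their expiry time."""
    kept = {p["spid"] for p in after}
    return [{"spid": p["spid"], "dir": p["dir"], "src": p["src"], "dst": p["dst"],
             "expires_at": expires_at(p)}
            for p in before if p["spid"] not in kept]


SA_EXPIRED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): INFO: IPsec-SA expired: "
                        r"ESP/Tunnel \S+->\S+ spi=(\d+)\(")


def sa_expiry_events(log):
    """(timestamp, spi) for every 'IPsec-SA expired' line in a racoon log."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2)))
            for line in log.splitlines() if (m := SA_EXPIRED.match(line))]


def correlate(gone, events):
    """Map each vanished policy's spid to the SA expiries logged at the second its lifetime ended."""
    return {g["spid"]: [spi for ts, spi in events if ts == g["expires_at"]] for g in gone}


if __name__ == "__main__":
    gone = missing_policies(parse_spd(SPD_BEFORE), parse_spd(SPD_AFTER))
    for g in gone:
        print(f"spid={g['spid']} {g['dir']} {g['src']} -> {g['dst']} lifetime ends {g['expires_at']}")
    print(correlate(gone, sa_expiry_events(RACOON_LOG)))
```

Run against real dumps, feed it the output of `setkey -DP` captured before and after the SA lifetime passes, plus the responder's `racoon -F` log; a vanished policy whose computed expiry coincides with the logged SA expiries points at the policy's own 300-second lifetime rather than at a peer-driven deletion, which narrows where to look in the `generate_policy` handling.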