[Ipsec-tools-commits] [ ipsec-tools-Bugs-1337757 ] unknown notify message, no phase2 handle found

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Bugs item #1337757, was opened at 2005-10-25 21:57
Message generated for change (Comment added) made by monas
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1337757&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Robie Basak (gorf)
Assigned to: Nobody/Anonymous (nobody)
Summary: unknown notify message, no phase2 handle found

Initial Comment:
I'm trying to establish an ESP tunnel with a Windows XP
machine.

I have SPDs set up, but racoon seems to fail to
establish an SA in the direction Linux->Windows. The
other direction seems to work fine.

Clearing all SAs in Linux and then running racoon -Fd
gives me this:
2005-10-25 19:35:15: DEBUG:
05aaf25e a5a11192 44c7df2f 319aa4e0 08100501 33a062b1
00000044 0b000018
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf 00000010
00000001 03040012
00000000
2005-10-25 19:35:15: DEBUG: HASH with:
2005-10-25 19:35:15: DEBUG:
33a062b1 00000010 00000001 03040012 00000000
2005-10-25 19:35:15: DEBUG: hmac(hmac_sha1)
2005-10-25 19:35:15: DEBUG: HASH computed:
2005-10-25 19:35:15: DEBUG:
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf
2005-10-25 19:35:15: DEBUG: hash validated.
2005-10-25 19:35:15: DEBUG: begin.
2005-10-25 19:35:15: DEBUG: seen nptype=8(hash)
2005-10-25 19:35:15: DEBUG: seen nptype=11(notify)
2005-10-25 19:35:15: DEBUG: succeed.
2005-10-25 19:35:15: ERROR: unknown notify message, no
phase2 handle found.
2005-10-25 19:35:15: DEBUG: notification message
18:INVALID-ID-INFORMATION, doi=1 proto_id=3
spi=00000000(size=4).

I have the complete transcript if required, but please
give me some information on sanitizing my RSA keys!

This problem is intermittent - sometimes the debug log
looks OK, and racoon establishes an SA, but when it
does Windows doesn't have a matching SA and packets
Linux->Windows don't work.

Once (I haven't been able to reproduce this again) I
left it and came back to find SAs established both ways.

The erratic behaviour leads me to think that this is a
bug and not a configuration problem.

I'm using Ubuntu kernel 2.6.12-9-386. The problem
happened with Ubuntu racoon (1:0.6-1ubuntu1) but I have
since compiled vanilla ipsec-tools-0.6 racoon and have
the same error. As I'm getting the error from racoon
and racoon sometimes establishes the SA, and sometimes
gives me an error I think is related to negotiation, I
think this is a problem with racoon and not my kernel.

I may be being unusual in even trying an ESP tunnel
with Windows. I have tried disabling pfs at both ends,
but this hasn't helped.

My SPDs are as follows:
spdadd 192.168.35.17 0.0.0.0/0 any -P in ipsec
        esp/tunnel/192.168.35.17-192.168.35.1/require;

spdadd 0.0.0.0/0 192.168.35.17 any -P out ipsec
        esp/tunnel/192.168.35.1-192.168.35.17/require;

Relevant sections of racoon.conf (I have anonymous
entries too):
remote 192.168.35.17
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "function.pem"
"function.key";

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo address 192.168.35.17 any address 0.0.0.0/0 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 0.0.0.0/0 any address 192.168.35.17 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

----------------------------------------------------------------------

>Comment By: Aidas Kasparas (monas)
Date: 2005-10-26 09:31

Message:
Logged In: YES 
user_id=39627

Robie,

2005-10-25 19:35:15: DEBUG: notification message
18:INVALID-ID-INFORMATION, doi=1 proto_id=3
spi=00000000(size=4).

this says that your windows box does not like ID racoon
provides. Could you please try to find in windows logs
(don't know how to do that) what they expected and did not got.

In case windows wants subnet/32 instead of ip address in the
policy, try latest cvs version and use "subnet" instead of
"address" in sainfo.

----------------------------------------------------------------------

Comment By: Robie Basak (gorf)
Date: 2005-10-25 21:59

Message:
Logged In: YES 
user_id=17714

Correction: I'm using vanilla ipsec-tools-0.6.2.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1337757&group_id=74601