From: SourceForge.net <no...@so...> - 2005-10-26 06:31:29
Bugs item #1337757, was opened at 2005-10-25 21:57
Message generated for change (Comment added) made by monas
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1337757&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Robie Basak (gorf)
Assigned to: Nobody/Anonymous (nobody)
Summary: unknown notify message, no phase2 handle found

Initial Comment:
I'm trying to establish an ESP tunnel with a Windows XP machine. I have SPDs
set up, but racoon seems to fail to establish an SA in the direction
Linux->Windows. The other direction seems to work fine.

Clearing all SAs in Linux and then running racoon -Fd gives me this:

2005-10-25 19:35:15: DEBUG:
05aaf25e a5a11192 44c7df2f 319aa4e0 08100501 33a062b1 00000044 0b000018
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf 00000010 00000001 03040012
00000000
2005-10-25 19:35:15: DEBUG: HASH with:
2005-10-25 19:35:15: DEBUG:
33a062b1 00000010 00000001 03040012 00000000
2005-10-25 19:35:15: DEBUG: hmac(hmac_sha1)
2005-10-25 19:35:15: DEBUG: HASH computed:
2005-10-25 19:35:15: DEBUG:
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf
2005-10-25 19:35:15: DEBUG: hash validated.
2005-10-25 19:35:15: DEBUG: begin.
2005-10-25 19:35:15: DEBUG: seen nptype=8(hash)
2005-10-25 19:35:15: DEBUG: seen nptype=11(notify)
2005-10-25 19:35:15: DEBUG: succeed.
2005-10-25 19:35:15: ERROR: unknown notify message, no phase2 handle found.
2005-10-25 19:35:15: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).

I have the complete transcript if required, but please give me some
information on sanitizing my RSA keys!

This problem is intermittent - sometimes the debug log looks OK, and racoon
establishes an SA, but when it does Windows doesn't have a matching SA and
packets Linux->Windows don't work. Once (I haven't been able to reproduce this
again) I left it and came back to find SAs established both ways. The erratic
behaviour leads me to think that this is a bug and not a configuration problem.

I'm using Ubuntu kernel 2.6.12-9-386. The problem happened with Ubuntu racoon
(1:0.6-1ubuntu1) but I have since compiled vanilla ipsec-tools-0.6 racoon and
have the same error. As I'm getting the error from racoon and racoon sometimes
establishes the SA, and sometimes gives me an error I think is related to
negotiation, I think this is a problem with racoon and not my kernel. I may be
being unusual in even trying an ESP tunnel with Windows.

I have tried disabling pfs at both ends, but this hasn't helped.

My SPDs are as follows:

spdadd 192.168.35.17 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.35.17-192.168.35.1/require;
spdadd 0.0.0.0/0 192.168.35.17 any -P out ipsec esp/tunnel/192.168.35.1-192.168.35.17/require;

Relevant sections of racoon.conf (I have anonymous entries too):

remote 192.168.35.17 {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "function.pem" "function.key";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo address 192.168.35.17 any address 0.0.0.0/0 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 0.0.0.0/0 any address 192.168.35.17 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

----------------------------------------------------------------------

>Comment By: Aidas Kasparas (monas)
Date: 2005-10-26 09:31

Message:
Logged In: YES
user_id=39627

Robie,

2005-10-25 19:35:15: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).

this says that your windows box does not like ID racoon provides. Could you
please try to find in windows logs (don't know how to do that) what they
expected and did not get.

In case windows wants subnet/32 instead of ip address in the policy, try
latest cvs version and use "subnet" instead of "address" in sainfo.

----------------------------------------------------------------------

Comment By: Robie Basak (gorf)
Date: 2005-10-25 21:59

Message:
Logged In: YES
user_id=17714

Correction: I'm using vanilla ipsec-tools-0.6.2.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1337757&group_id=74601
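The raw hex words racoon printed in the initial report can be decoded by hand to confirm what the Windows peer actually sent. The parser below is an added example written for this thread, not code from ipsec-tools or from either participant; it walks the ISAKMP header and payload chain (RFC 2408 layout) of that exact dump and recovers the same notify fields racoon logged: doi=1, proto_id=3, a 4-byte zero SPI and notify type 18 (INVALID-ID-INFORMATION).

```python
"""Decode the ISAKMP informational message racoon dumped in the report above."""
import struct

# Hex words exactly as printed in racoon's DEBUG line in the bug report
# (racoon logs the already-decrypted content of the informational exchange).
RACOON_DUMP = (
    "05aaf25e a5a11192 44c7df2f 319aa4e0 08100501 33a062b1 00000044 "
    "0b000018 d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf "
    "00000010 00000001 03040012 00000000"
)

# Payload type numbers from RFC 2408 section 3.1 (only the ones in this dump).
PAYLOAD_NAMES = {0: "none", 8: "hash", 11: "notify"}
# Notify message types from RFC 2408 section 3.14.1 (only the one in this dump).
NOTIFY_NAMES = {18: "INVALID-ID-INFORMATION"}


def parse_isakmp(hex_words: str) -> dict:
    """Parse an ISAKMP message given as space-separated hex words."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    # Fixed 28-byte header: cookies, next payload, version, exchange type,
    # flags, message id, total length.
    _icky, _rcky, np, _ver, xchg, flags, msgid, length = struct.unpack(
        ">8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != {len(raw)} bytes present")
    msg = {"exchange_type": xchg, "flags": flags, "message_id": msgid,
           "payloads": []}
    offset = 28
    # Generic payload header: next payload, reserved, payload length.
    while np != 0 and offset + 4 <= len(raw):
        next_np, _reserved, plen = struct.unpack(">BBH", raw[offset:offset + 4])
        body = raw[offset + 4:offset + plen]
        payload = {"type": PAYLOAD_NAMES.get(np, np)}
        if np == 11:
            # Notify payload: DOI, protocol id, SPI size, notify type, SPI.
            doi, proto, spi_size, ntype = struct.unpack(">IBBH", body[:8])
            payload.update(doi=doi, proto_id=proto,
                           spi=body[8:8 + spi_size].hex(), notify_type=ntype,
                           notify_name=NOTIFY_NAMES.get(ntype, "unknown"))
        elif np == 8:
            payload["hash"] = body.hex()
        msg["payloads"].append(payload)
        np, offset = next_np, offset + plen
    return msg
```

Exchange type 5 with the encryption flag set is an informational exchange, which is why racoon tries to match the notify to a phase 2 handle before it can act on it.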