#12 Racoon wrong source ip...

Category: racoon
Status: closed
Owner: nobody
Priority: 5
Updated: 2015-02-15
Created: 2005-02-10
Creator: Anonymous
Private: No

In my network I have two distinct router/fw boxes running Linux:
1) router A with kernel 2.4 and Freeswan 2.06
2) router B with Fedora Core 2 and the latest updated
kernel 2.6.10-1.12_FC2 and ipsec-tools 2.5.4.

Router A has 4 NICs (Intel e100 and e1000):
eth0: inet addr:192.168.255.254 (to the internet, default gw)

eth1: inet addr:83.103.39.17 (class with 16IP) PUBLIC
eth1.0: inet addr:10.255.0.1...

eth2: inet addr:83.103.90.129 (class with 64IP) PUBLIC

eth3: inet addr:83.103.90.193 (class with 64IP) PUBLIC

When I configure the listen directive in racoon.conf with
listen
{
isakmp 83.103.39.17;
}
to use the public IP of eth1 (and not the private one of
eth0), I see this in the racoon log:
--------------------------
2005-02-10 15:15:56: INFO: main.c:174:main():
@(#)racoon - IPsec-tools 0.2.3
2005-02-10 15:15:56: INFO: main.c:175:main(): @(#)This
product linked OpenSSL 0.9.7a Feb 19 2003
(http://www.openssl.org/)
2005-02-10 15:15:57: INFO: isakmp.c:1387:isakmp_open():
83.103.39.17[500] used as isakmp port (fd=6)
2005-02-10 15:15:57: NOTIFY:
pfkey.c:1568:pk_recvacquire(): no in-bound policy
found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:15:57: INFO:
isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request
for 193.70.160.1 queued due to no phase1 found.
2005-02-10 15:15:57: INFO:
isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1
negotiation: 83.103.39.17[500]<=>193.70.160.1[500]
2005-02-10 15:15:57: INFO:
isakmp.c:812:isakmp_ph1begin_i(): begin Identity
Protection mode.
2005-02-10 15:16:28: ERROR:
isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation
failed due to time up waiting for phase1. ESP
193.70.160.1->83.103.39.17
2005-02-10 15:16:28: INFO:
isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
2005-02-10 15:16:30: NOTIFY:
pfkey.c:1568:pk_recvacquire(): no in-bound policy
found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:16:30: INFO:
isakmp.c:1732:isakmp_post_acquire(): request for
establishing IPsec-SA was queued due to no phase1 found.

and this on a tcpdump session:
------------------------------
15:16:07.879842 IP 83.103.39.17.isakmp >
193.70.160.1.isakmp: UDP, length 80
15:16:08.209860 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:08.209907 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:08.210252 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:08.210279 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:17.878502 IP 83.103.39.17.isakmp >
193.70.160.1.isakmp: UDP, length 80
15:16:18.045414 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:18.045473 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:18.045747 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:18.045779 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:27.876804 IP 83.103.39.17.isakmp >
193.70.160.1.isakmp: UDP, length 80
15:16:28.149670 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:28.149727 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:28.149858 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:28.149883 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable
15:16:28.154852 IP 193.70.160.1.isakmp >
83.103.39.17.isakmp: UDP, length 80
15:16:28.154906 IP 83.103.39.17 > 193.70.160.1: icmp
116: 83.103.39.17 udp port isakmp unreachable

The logs show that racoon receives the packet but
responds to router A with an ICMP unreachable packet.
Why is this?

If I comment out the listen directive completely in the
racoon.conf file, router B responds to the ISAKMP packets
from router A, but after establishing an ISAKMP-SA it
responds to router A with the private address of eth0.
The tunnel works (it's unstable) but there are errors in
the racoon.log file:
--------------------------------------
2005-02-10 15:44:28: INFO: main.c:174:main():
@(#)racoon - IPsec-tools 0.2.3
2005-02-10 15:44:28: INFO: main.c:175:main(): @(#)This
product linked OpenSSL 0.9.7a Feb 19 2003
(http://www.openssl.org/)
2005-02-10 15:44:28: ERROR:
isakmp.c:1378:isakmp_open(): failed to bind to address
fe80::202:b3ff:febe:521d%253[500] (No such device).
2005-02-10 15:44:28: ERROR:
isakmp.c:1378:isakmp_open(): failed to bind to address
fe80::20d:61ff:fe58:535%253[500] (No such device).
2005-02-10 15:44:28: ERROR:
isakmp.c:1378:isakmp_open(): failed to bind to address
fe80::20d:61ff:fe58:534%253[500] (No such device).
2005-02-10 15:44:28: ERROR:
isakmp.c:1378:isakmp_open(): failed to bind to address
fe80::20e:cff:fe60:4ec3%253[500] (No such device).
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
::1[500] used as isakmp port (fd=6)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
83.103.90.193[500] used as isakmp port (fd=7)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
83.103.90.129[500] used as isakmp port (fd=8)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
10.255.0.1[500] used as isakmp port (fd=9)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
83.103.39.17[500] used as isakmp port (fd=10)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
192.168.255.254[500] used as isakmp port (fd=11)
2005-02-10 15:44:28: INFO: isakmp.c:1387:isakmp_open():
127.0.0.1[500] used as isakmp port (fd=12)
2005-02-10 15:44:33: NOTIFY:
pfkey.c:1568:pk_recvacquire(): no in-bound policy
found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:44:33: INFO:
isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request
for 193.70.160.1 queued due to no phase1 found.
2005-02-10 15:44:33: INFO:
isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1
negotiation: 83.103.39.17[500]<=>193.70.160.1[500]
2005-02-10 15:44:33: INFO:
isakmp.c:812:isakmp_ph1begin_i(): begin Identity
Protection mode.
2005-02-10 15:44:34: INFO:
isakmp.c:2443:log_ph1established(): ISAKMP-SA
established 83.103.39.17[500]-193.70.160.1[500]
spi:9179853728d6fd4d:940fb19070b4508f
2005-02-10 15:44:35: INFO:
isakmp.c:951:isakmp_ph2begin_i(): initiate new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:44:35: INFO:
pfkey.c:1127:pk_recvupdate(): IPsec-SA established:
ESP/Tunnel 193.70.160.1->83.103.39.17
spi=228196571(0xd9a00db)
2005-02-10 15:44:35: INFO: pfkey.c:1348:pk_recvadd():
IPsec-SA established: ESP/Tunnel
83.103.39.17->193.70.160.1 spi=985989981(0x3ac5035d)
2005-02-10 15:45:01: INFO:
isakmp.c:903:isakmp_ph1begin_r(): respond new phase 1
negotiation: 192.168.255.254[500]<=>193.70.160.1[500]
2005-02-10 15:45:01: INFO:
isakmp.c:908:isakmp_ph1begin_r(): begin Identity
Protection mode.
2005-02-10 15:45:01: INFO:
isakmp.c:2443:log_ph1established(): ISAKMP-SA
established 192.168.255.254[500]-193.70.160.1[500]
spi:ae6c22e16f577e15:b93bbb93db00ba1a
2005-02-10 15:45:01: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:01: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:01: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:01: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:45:01: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:01: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:01: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:01: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:45:11: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:11: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:11: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:11: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:45:11: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:11: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:11: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:11: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:45:31: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:31: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:31: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:31: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:45:31: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.255.254[0]<=>193.70.160.1[0]
2005-02-10 15:45:31: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:31: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:45:31: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:11: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:11: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:11: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:11: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:11: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:11: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:11: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:11: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:21: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:21: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:21: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:21: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:21: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:21: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:21: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:21: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:41: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:41: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:41: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:41: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.
2005-02-10 15:46:41: INFO:
isakmp.c:1058:isakmp_ph2begin_r(): respond new phase 2
negotiation: 83.103.39.17[0]<=>193.70.160.1[0]
2005-02-10 15:46:41: ERROR:
isakmp_quick.c:2029:get_proposal_r(): no policy found:
10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:46:41: ERROR:
isakmp_quick.c:1070:quick_r1recv(): failed to get
proposal for responder.
2005-02-10 15:46:41: ERROR:
isakmp.c:1072:isakmp_ph2begin_r(): failed to
pre-process packet.

Why does racoon first use the 192.168.255.254 IP and
afterwards the public IP?
Here follow the configuration files I use:

RACOON.CONF:
---------------
remote 193.70.160.1
{
exchange_mode main,aggressive,base;
my_identifier address 83.103.39.17;

proposal
{
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

#sainfo address 10.0.0.0/16 any address 10.39.0.0/16 any {
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

SETKEY:
--------
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 10.0.0.0/16 10.39.0.0/16 any -P out ipsec
esp/tunnel/83.103.39.17-193.70.160.1/require;

spdadd 10.39.0.0/16 10.0.0.0/16 any -P fwd ipsec
esp/tunnel/193.70.160.1-83.103.39.17/require;

Sorry for the enormous message... but I'm going crazy.
Thank you for all your patience.
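One thing the logs above make visible is that every "no in-bound policy found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in" line names a selector for which the setkey script declares only out and fwd policies and no in policy. The following is an added example, not code from the reporter or from the ipsec-tools project: it parses the spdadd lines and the racoon messages, reports the selector/direction pairs racoon could not match, and proposes the missing spdadd by mirroring an existing entry (the fwd template of the same selector, or the out template of the reverse selector with its tunnel endpoints swapped). The embedded script and log lines are constructed from the report, with racoon's line wrapping removed.

```python
import re
# Constructed sample: the reporter's setkey script, which declares out and fwd only.
SETKEY_SCRIPT = """\
flush;
spdflush;
spdadd 10.0.0.0/16 10.39.0.0/16 any -P out ipsec esp/tunnel/83.103.39.17-193.70.160.1/require;
spdadd 10.39.0.0/16 10.0.0.0/16 any -P fwd ipsec esp/tunnel/193.70.160.1-83.103.39.17/require;
"""
# Constructed sample: lines as racoon 0.2.3 logged them in the report (wrapping removed).
RACOON_LOG = """\
2005-02-10 15:15:57: NOTIFY: pfkey.c:1568:pk_recvacquire(): no in-bound policy found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:16:30: NOTIFY: pfkey.c:1568:pk_recvacquire(): no in-bound policy found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
2005-02-10 15:45:01: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 10.39.0.0/16[0] 10.0.0.0/16[0] proto=any dir=in
"""

SPDADD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+(\S+);", re.M)
NOPOL_RE = re.compile(r"no (?:in-bound )?policy found:\s+(\S+?)\[\d+\]\s+(\S+?)\[\d+\]\s+proto=(\S+)\s+dir=(in|out|fwd)")

def parse_spd(script):
    """Map (src, dst, proto) -> {direction: template} from the spdadd lines."""
    spd = {}
    for src, dst, proto, direction, tmpl in SPDADD_RE.findall(script):
        spd.setdefault((src, dst, proto), {})[direction] = tmpl
    return spd

def reverse_template(tmpl):
    """esp/tunnel/A-B/require -> esp/tunnel/B-A/require (swap the tunnel endpoints)."""
    proto, mode, ends, level = tmpl.split("/")
    a, b = ends.split("-")
    return "/".join([proto, mode, f"{b}-{a}", level])

def missing_policies(script, log):
    """Return (src, dst, proto, dir, suggested spdadd) for each selector racoon could not
    find in the SPD; each missing selector/direction is reported once."""
    spd = parse_spd(script)
    findings, seen = [], set()
    for src, dst, proto, direction in NOPOL_RE.findall(log):
        key = (src, dst, proto, direction)
        have = spd.get((src, dst, proto), {})
        if key in seen or direction in have:
            continue  # already reported, or the policy really is there
        seen.add(key)
        tmpl = have.get("fwd")  # fwd and in share the same selector and template
        if tmpl is None and "out" in spd.get((dst, src, proto), {}):
            tmpl = reverse_template(spd[(dst, src, proto)]["out"])
        suggestion = (f"spdadd {src} {dst} {proto} -P {direction} ipsec {tmpl};"
                      if tmpl else "no entry to mirror; write the policy by hand")
        findings.append(key + (suggestion,))
    return findings
```

On the report's script the only finding is the in policy for 10.39.0.0/16 -> 10.0.0.0/16, which is the direction racoon consults when it answers the kernel's acquire; with `require` that policy is also what makes the kernel refuse unprotected inbound traffic for that selector.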

Discussion

  • Aidas Kasparas
    2005-02-10

    Hi,

    If you use the 2.6.10 kernel, then you definitely need racoon
    version 0.5 (rc1 or rc2 are OK) -- you're using 0.2.3 (not
    2.5.4 as you claim; and BTW, where did you find such a version
    number?). If I remember correctly, the fix for the wrong source
    address was added to the code before 0.5rc1.


  • Aidas Kasparas
    2005-02-10

    • status: open --> closed