#39 unknown notify message, no phase2 handle found

closed
nobody
None
5
2009-01-16
2005-10-25
Robie Basak
No

I'm trying to establish an ESP tunnel with a Windows XP
machine.

I have SPDs set up, but racoon seems to fail to
establish an SA in the direction Linux->Windows. The
other direction seems to work fine.

Clearing all SAs in Linux and then running racoon -Fd
gives me this:
2005-10-25 19:35:15: DEBUG:
05aaf25e a5a11192 44c7df2f 319aa4e0 08100501 33a062b1 00000044 0b000018
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf 00000010 00000001 03040012
00000000
2005-10-25 19:35:15: DEBUG: HASH with:
2005-10-25 19:35:15: DEBUG:
33a062b1 00000010 00000001 03040012 00000000
2005-10-25 19:35:15: DEBUG: hmac(hmac_sha1)
2005-10-25 19:35:15: DEBUG: HASH computed:
2005-10-25 19:35:15: DEBUG:
d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf
2005-10-25 19:35:15: DEBUG: hash validated.
2005-10-25 19:35:15: DEBUG: begin.
2005-10-25 19:35:15: DEBUG: seen nptype=8(hash)
2005-10-25 19:35:15: DEBUG: seen nptype=11(notify)
2005-10-25 19:35:15: DEBUG: succeed.
2005-10-25 19:35:15: ERROR: unknown notify message, no phase2 handle found.
2005-10-25 19:35:15: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).

I have the complete transcript if required, but please
give me some information on sanitizing my RSA keys!

This problem is intermittent - sometimes the debug log
looks OK, and racoon establishes an SA, but when it
does Windows doesn't have a matching SA and packets
Linux->Windows don't work.

Once (I haven't been able to reproduce this again) I
left it and came back to find SAs established both ways.

The erratic behaviour leads me to think that this is a
bug and not a configuration problem.

I'm using Ubuntu kernel 2.6.12-9-386. The problem
happened with Ubuntu racoon (1:0.6-1ubuntu1) but I have
since compiled vanilla ipsec-tools-0.6 racoon and have
the same error. As I'm getting the error from racoon
and racoon sometimes establishes the SA, and sometimes
gives me an error I think is related to negotiation, I
think this is a problem with racoon and not my kernel.

I may be being unusual in even trying an ESP tunnel
with Windows. I have tried disabling pfs at both ends,
but this hasn't helped.

My SPDs are as follows:
spdadd 192.168.35.17 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.35.17-192.168.35.1/require;

spdadd 0.0.0.0/0 192.168.35.17 any -P out ipsec esp/tunnel/192.168.35.1-192.168.35.17/require;

Relevant sections of racoon.conf (I have anonymous
entries too):
remote 192.168.35.17
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        # both peers identify themselves by certificate subject DN
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "function.pem" "function.key";

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

# phase 2 parameters, one sainfo per direction
sainfo address 192.168.35.17 any address 0.0.0.0/0 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 0.0.0.0/0 any address 192.168.35.17 any {
        pfs_group 2;
        lifetime time 60 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
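To make the quoted racoon debug output easier to read, here is an added Python decoder; it is not part of the bug report nor of ipsec-tools, and the function names (parse_isakmp, parse_notify, hash_input, verify_hash, decode_dump) are my own. It parses the 68-byte hex dump racoon logged as an IKEv1 informational exchange (ISAKMP header, HASH payload, Notification payload), maps the numbers to the names racoon prints (payload 8 = hash, 11 = notify, notify type 18 = INVALID-ID-INFORMATION, proto_id 3 = ESP, per RFC 2407/2408/2409), and rebuilds the bytes racoon shows under "HASH with:" (message ID followed by the notify payload, which is HASH(1) = prf(SKEYID_a, M-ID | N/D) from RFC 2409 section 5.7). SKEYID_a is not in the report, so verify_hash only demonstrates the computation and returns False for any key other than the real one.

```python
import hashlib
import hmac
import struct

# Hex dump copied from the racoon debug output quoted in the bug report:
# the decrypted 68-byte informational exchange that racoon rejected.
RACOON_DUMP = (
    "05aaf25e a5a11192 44c7df2f 319aa4e0 08100501 33a062b1 00000044 0b000018 "
    "d71182a8 4a58ba94 446f1211 199efef2 1a0b78cf 00000010 00000001 03040012 "
    "00000000"
)

ISAKMP_HEADER_LEN = 28
PAYLOAD_HASH, PAYLOAD_NOTIFY = 8, 11
FLAG_ENCRYPTION = 0x01

# Name tables from RFC 2408 (ISAKMP), RFC 2407 (IPsec DOI) and RFC 2409 (IKE).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 5: "ID", 8: "HASH", 11: "NOTIFY", 12: "DELETE"}
EXCHANGE_NAMES = {1: "base", 2: "identity protection (main)", 4: "aggressive",
                  5: "informational", 32: "quick"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE", 11: "INVALID-SPI",
                14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}


def parse_notify(body: bytes) -> dict:
    """Decode a Notification payload body (RFC 2408 section 3.14)."""
    if len(body) < 8:
        raise ValueError("notify body too short")
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if len(body) < 8 + spi_size:
        raise ValueError("notify SPI runs past the payload end")
    return {
        "doi": doi,
        "proto_id": proto_id, "proto_name": PROTO_NAMES.get(proto_id, f"proto {proto_id}"),
        "spi_size": spi_size, "spi": body[8:8 + spi_size].hex(),
        "notify_type": ntype, "notify_name": NOTIFY_NAMES.get(ntype, f"type {ntype}"),
        "notification_data": body[8 + spi_size:].hex(),
    }


def parse_isakmp(data: bytes) -> dict:
    """Parse the ISAKMP header and walk the payload chain with bounds checks."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes supplied")
    header = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange_type": exch, "exchange_name": EXCHANGE_NAMES.get(exch, f"exchange {exch}"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),  # E bit set; racoon logs the decrypted bytes
        "message_id": msgid, "length": length,
    }
    payloads, offset = [], ISAKMP_HEADER_LEN
    while np != 0:  # next-payload 0 terminates the chain
        if offset + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_np, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = data[offset + 4:offset + plen]
        payload = {"type": np, "name": PAYLOAD_NAMES.get(np, f"type {np}"),
                   "length": plen, "raw": data[offset:offset + plen]}
        if np == PAYLOAD_HASH:
            payload["hash"] = body.hex()
        elif np == PAYLOAD_NOTIFY:
            payload.update(parse_notify(body))
        payloads.append(payload)
        offset, np = offset + plen, next_np
    return {"header": header, "payloads": payloads}


def hash_input(data: bytes) -> bytes:
    """Bytes covered by HASH(1) of an informational exchange: M-ID | N/D (RFC 2409 5.7)."""
    parsed = parse_isakmp(data)
    rest = b"".join(p["raw"] for p in parsed["payloads"] if p["type"] != PAYLOAD_HASH)
    return struct.pack("!I", parsed["header"]["message_id"]) + rest


def verify_hash(data: bytes, skeyid_a: bytes) -> bool:
    """Recompute HASH(1) as HMAC-SHA1 under SKEYID_a (not in the report) and compare."""
    parsed = parse_isakmp(data)
    sent = next(bytes.fromhex(p["hash"]) for p in parsed["payloads"] if p["type"] == PAYLOAD_HASH)
    return hmac.compare_digest(hmac.new(skeyid_a, hash_input(data), hashlib.sha1).digest(), sent)


def decode_dump(dump: str = RACOON_DUMP) -> dict:
    return parse_isakmp(bytes.fromhex(dump.replace(" ", "")))


if __name__ == "__main__":
    msg = decode_dump()
    print(msg["header"])
    for p in msg["payloads"]:
        print({k: v for k, v in p.items() if k != "raw"})
    print("HASH with:", hash_input(bytes.fromhex(RACOON_DUMP.replace(" ", ""))).hex())
```

Running it on the dump reproduces what racoon printed: exchange type 5 (informational) with the encryption flag set, message ID 33a062b1, a 24-byte HASH payload, then a 16-byte NOTIFY carrying doi=1, proto_id=3 (ESP), a 4-byte zero SPI and type 18 INVALID-ID-INFORMATION. The "HASH with:" bytes racoon logs are exactly the message ID followed by that notify payload, which is why the hash validates even though racoon then cannot tie the notification to any phase 2 handle (the SPI is zero).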

Discussion

  • Robie Basak

    Robie Basak - 2005-10-25


    Correction: I'm using vanilla ipsec-tools-0.6.2.

  • Aidas Kasparas

    Aidas Kasparas - 2005-10-26


    Robie,

    2005-10-25 19:35:15: DEBUG: notification message
    18:INVALID-ID-INFORMATION, doi=1 proto_id=3
    spi=00000000(size=4).

    this says that your Windows box does not like the ID racoon
    provides. Could you please try to find in the Windows logs
    (don't know how to do that) what they expected and did not get.

    In case Windows wants subnet/32 instead of an IP address in the
    policy, try the latest cvs version and use "subnet" instead of
    "address" in sainfo.

  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

  • Timo Teras

    Timo Teras - 2009-01-16
    • status: open --> closed