Hi,

Could you post your vpnc configuration?

You're using a mode_config statement in your racoon configuration; is your NetBSD client's IP dynamic?


--
SOLANKI Jigar
---


2009/3/16 Rodriguez Garcia, Jose Luis <jose.l.rodriguez@tecnocom.es>
I am trying to connect to a Cisco VPN Server (I don't know its configuration) using racoon from NetBSD 4.0.1.

I have tried 0.7.1 and 0.8-alpha20090126 and both fail with the message:

Mar 16 13:18:22 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:30 pc1 racoon: WARNING: Ignored attribute UNITY_BANNER
Mar 16 13:18:30 pc1 racoon: WARNING: Ignored attribute APPLICATION_VERSION

I have managed to connect with vpnc without problems.

Any idea about this error? Is it supported with ipsec-tools?

Both obtain an IP address for a few seconds, but the connection is lost in 5-7 seconds. If you try to ping this address during the 5 seconds that the IP address is up, the ping doesn't work.

The log with debug2 of the 0.8 version is as follows (I think that it is the same as for the 0.7.1 version):

Mar 16 13:18:12 pc1 racoon: INFO: accept a request to establish IKE-SA: 194.224.111.229
Mar 16 13:18:12 pc1 racoon: INFO: initiate new phase 1 negotiation: X.X.46.60[500]<=>Y.Y.111.229[500]
Mar 16 13:18:12 pc1 racoon: INFO: begin Aggressive mode.
Mar 16 13:18:12 pc1 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 16 13:18:12 pc1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 16 13:18:12 pc1 racoon: INFO: received Vendor ID: DPD
Mar 16 13:18:12 pc1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 16 13:18:12 pc1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Mar 16 13:18:12 pc1 racoon: WARNING: port 500 expected, but 0
Mar 16 13:18:12 pc1 racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Mar 16 13:18:12 pc1 racoon: INFO: Hashing X.X.46.60[500] with algo #1
Mar 16 13:18:12 pc1 racoon: INFO: NAT-D payload #-1 doesn't match
Mar 16 13:18:12 pc1 racoon: INFO: Hashing Y.Y.111.229[500] with algo #1
Mar 16 13:18:12 pc1 racoon: INFO: NAT-D payload #0 verified
Mar 16 13:18:12 pc1 racoon: INFO: NAT detected: ME
Mar 16 13:18:12 pc1 racoon: INFO: KA list add: X.X.46.60[4500]->Y.Y.111.229[4500]
Mar 16 13:18:12 pc1 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 16 13:18:12 pc1 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 16 13:18:12 pc1 racoon: INFO: Hashing 194.224.111.229[4500] with algo #1
Mar 16 13:18:12 pc1 racoon: INFO: Hashing 151.184.46.60[4500] with algo #1
Mar 16 13:18:13 pc1 racoon: INFO: ISAKMP-SA established X.X.46.60[4500]-Y.Y.111.229[4500] spi:eeb45e9aaa9d3223:ba099429d8a2456f
Mar 16 13:18:13 pc1 racoon: NOTIFY: XAUTH Message: 'Enter Username and Password.'.
Mar 16 13:18:14 pc1 racoon: WARNING: Ignored attribute UNITY_BANNER
Mar 16 13:18:14 pc1 racoon: WARNING: Ignored attribute APPLICATION_VERSION
Mar 16 13:18:14 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:22 pc1 racoon: WARNING: Ignored attribute UNITY_BANNER
Mar 16 13:18:22 pc1 racoon: WARNING: Ignored attribute APPLICATION_VERSION
Mar 16 13:18:22 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:30 pc1 racoon: WARNING: Ignored attribute UNITY_BANNER
Mar 16 13:18:30 pc1 racoon: WARNING: Ignored attribute APPLICATION_VERSION
Mar 16 13:18:30 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:38 pc1 racoon: ERROR: Too many addresses given
Mar 16 13:18:38 pc1 racoon: WARNING: Ignored attribute UNITY_BANNER
Mar 16 13:18:38 pc1 racoon: WARNING: Ignored attribute APPLICATION_VERSION
Mar 16 13:18:38 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:46 pc1 racoon: INFO: ISAKMP-SA expired X.X.46.60[4500]-Y.Y.111.229[4500] spi:eeb45e9aaa9d3223:ba099429d8a2456f
Mar 16 13:18:47 pc1 racoon: INFO: ISAKMP-SA deleted X.X.46.60[4500]-Y.Y.111.229[4500] spi:eeb45e9aaa9d3223:ba099429d8a2456f
Mar 16 13:18:47 pc1 racoon: INFO: KA remove: X.X.46.60[4500]->Y.Y.111.229[4500]
Mar 16 13:18:47 pc1 racoon: INFO: unsupported PF_KEY message REGISTER
Mar 16 13:18:47 pc1 racoon: ERROR: inappropriate sadb delete message passed.
Mar 16 13:18:47 pc1 racoon: ERROR: inappropriate sadb delete message passed.

My configuration is as follows:

path pre_shared_key "/etc/racoon/psk.txt" ;
log debug2;
remote Y.Y.111.229[500]
{
       #exchange_mode main,aggressive,base;
       exchange_mode aggressive;

       my_identifier keyid tag "User";

       lifetime time 24 hour ; # sec,min,hour


       # phase 1 proposal (for ISAKMP SA)
       proposal {
               encryption_algorithm 3des;
               hash_algorithm md5;
               authentication_method xauth_psk_client ;
               dh_group 2 ;
       }

       proposal_check obey;
       mode_cfg on;
       xauth_login "user" ;
       nat_traversal on ;
       script "/etc/racoon/phase1-up.sh" phase1_up;
       script "/etc/racoon/phase1-down.sh" phase1_down;
       esp_frag 552;
       peers_identifier address Y.Y.111.229;
}
sainfo anonymous
{
       pfs_group 2;
       lifetime time 12 hour ;
       encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
       authentication_algorithm hmac_sha1, hmac_md5 ;
       compression_algorithm deflate ;
}

listen {
       adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
#        isakmp 192.168.11.201[500];
#        isakmp_natt 192.168.11.201[4500];
       isakmp  X.X.46.60[500];
       isakmp_natt  X.X.46.60[4500];
}







_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel