From: SourceForge.net <no...@so...> - 2012-05-27 22:42:34
Bugs item #3530148, was opened at 2012-05-27 15:40
Message generated for change (Comment added) made by bircoph
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Andrew (bircoph)
Assigned to: Nobody/Anonymous (nobody)
Summary: racoon-0.8.0 segfaults if privsep is used

Initial Comment:
Hello,

I have the following setup: racoon from ipsec-tools-0.8.0, privsep is enabled; on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults:

    May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_
    May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._
    May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_
    May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_
    May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_
    May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_
    May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_
    May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_
    May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000]

The config file is attached. Even without chroot this crash is reproducible; with privsep completely disabled racoon works normally.

My distribution is Gentoo, running a 3.2.14 kernel. I use only AH tunnelling for this connection.

Older racoon from ipsec-tools-0.7.3 works fine under the same conditions.

----------------------------------------------------------------------

>Comment By: Andrew (bircoph)
Date: 2012-05-27 15:42

Message:
I found a very similar bug report made 10 months ago:
https://sourceforge.net/mailarchive/message.php?msg_id=27864382
though, with no reply...

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2012-04-24 16:55:46
Patches item #2852569, was opened at 2009-09-05 13:29
Message generated for change (Comment added) made by abelbeck
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=2852569&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alexandre Zia (arzia)
Assigned to: Nobody/Anonymous (nobody)
Summary: VPN client not processing xauth packet

Initial Comment:
I'm using MAC OS X Snow Leopard built-in cisco VPN client to connect to a Linux VPN Server (linux kernel 2.6.30.4 and ipsectools 0.7.3).

My client software (that is racoon also) was unable to process the xauth request from the server; it appears to be losing or ignoring this packet.

So I had to add a one second delay in the xauth request from the server, and my VPN client is working perfectly well.

----------------------------------------------------------------------

Comment By: Lonnie Abelbeck (abelbeck)
Date: 2012-04-24 09:55

Message:
I also have seen this problem with iOS 5.1, ipsec-tools 0.8.0 and Linux 2.6.35. Adding this patch resolved the problem.

Possibly resending the xauth request is the best long term fix, but that is a major change.

Lonnie

----------------------------------------------------------------------

Comment By: Holger (hdecarne)
Date: 2010-03-04 22:17

Message:
I have the same issue with my iPhone connecting via VPN/ipsec to a linux server 2.6.33 with ipsec-tools 0.7.3. Adding this patch resolved the problem.

Holger

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2012-03-14 10:50:11
Bugs item #3504260, was opened at 2012-03-14 03:50
Message generated for change (Tracker Item Submitted) made by christucker
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3504260&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Chris Tucker (christucker)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in version 0.8.0

Initial Comment:
We can't see a pattern in when this segfault happens. Sometimes racoon runs for days with no problem, then we have two or three segfaults in five minutes. I have coredumps if these will help, but they are too large to upload as attachments. Here is a summary:

    Core was generated by `racoon'.
    Program terminated with signal 11, Segmentation fault.
    #0 0xb77ca918 in quick_timeover_stub () from /usr/sbin/racoon
    (gdb) bt
    #0 0xb77ca918 in quick_timeover_stub () from /usr/sbin/racoon
    #1 0xb77b36d5 in isakmp_ph2expire_stub () from /usr/sbin/racoon
    #2 0xb77b622e in isakmp_ph2expire_stub () from /usr/sbin/racoon
    #3 0xb77ad971 in main () from /usr/sbin/racoon
    (gdb)

The segfault has always been in quick_timeover_stub().

----------------------------------------------------------------------
From: Michal L. <lu...@us...> - 2012-02-29 09:11:57
|
Update of /cvsroot/ipsec-tools/htdocs In directory vz-cvs-4.sog:/tmp/cvs-serv32382 Modified Files: index.html Log Message: Updated logo Index: index.html =================================================================== RCS file: /cvsroot/ipsec-tools/htdocs/index.html,v retrieving revision 1.45 retrieving revision 1.46 diff -u -d -r1.45 -r1.46 --- index.html 30 Mar 2011 10:33:38 -0000 1.45 +++ index.html 29 Feb 2012 09:11:54 -0000 1.46 @@ -6,7 +6,7 @@ <body> <h1>IPsec-Tools</h1> <div class="float_right"> -<a href="http://www.suse.com" class="noline"><img src="http://www.logix.cz/michal/suse/suse_geeko.png" alt="suse.com" title="Sponsored by SUSE" width="96" height="58"/></a> +<a href="http://patmat.co.nz/we-buy-houses/" class="noline"><img src="http://patmat.co.nz/media/images/logo-125x106.png" alt="PatMat Property Solutions" title="Private house buyers in Auckland, New Zealand" width="125" height="106"/></a> <br/> <br/> <a href="http://sourceforge.net/projects/ipsec-tools" class="noline"> <img src="http://sourceforge.net/sflogo.php?group_id=74601&type=2" |
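Review bot: the log message "Updated logo" does not cover what the + line in the @@ -6,7 +6,7 @@ hunk does: besides the image it changes the link target, alt and title from the SUSE sponsorship to patmat.co.nz, so the message should name the sponsor change. The new img src is also fetched over plain http from that third-party host, as the old one was from logix.cz, which leaves the picture shown on the project home page under that host's control; committing a copy of the logo next to index.html and referencing it locally would avoid that.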
From: SourceForge.net <no...@so...> - 2012-01-21 21:09:23
Feature Requests item #3477096, was opened at 2012-01-21 13:09
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541485&aid=3477096&group_id=74601

Category: Interface Improvements (example)
Group: Next Release (example)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: https://www.google.com/accounts ()
Assigned to: Nobody/Anonymous (nobody)
Summary: Amazon VPC / two tunnels

Initial Comment:
Hello.

Is it possible to add support for additional policies with the same source, destination, protocol, direction, and method for situations where you have more than one tunnel (to the same network) for redundancy?

With Amazon VPC you have two tunnels. A tunnel can go down during maintenance, or because of an error. When this happens the second tunnel should take over. Therefore an extra policy is required, but is currently not supported by ipsec.

The problem is described here: http://blog.akquinet.de/2011/11/11/connecting-to-amazon-vpc/#more-1588

What's the verdict? :)

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-09-22 06:33:14
Support Requests item #3412785, was opened at 2011-09-22 10:33
Message generated for change (Tracker Item Submitted) made by lomaker
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3412785&group_id=74601

Category: Configuration
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Danila St (lomaker)
Assigned to: Nobody/Anonymous (nobody)
Summary: IPSec on many IP ranges from one subnet

Initial Comment:
There is the initial configuration for Zyxel Zywall 35: multiple VPN channels in the same subnet, connected to the partial range on a different subnet to the following:

    server 192.168.1.0/24 ---------- 192.168.7.1-192.168.7.5 (Client 1)
       |
       |
       |---------------------------- 192.168.7.6-192.168.7.10 (Client 2)
       |
       ----------------------------- 192.168.7.11-192.168.7.15 (Client 3)

However much I searched the internet, I could not find how to implement this configuration. As I understand, the configuration of IPSec on Linux cannot specify an IP range located on the same subnet. You can only specify a subnet completely. Are there any implementations of IPSec that support this possibility? Does your product, and how is it implemented?

Temporarily I decided to forward an entire subnet for each client. Here is a diagram:

    server 192.168.1.0/24 ---------- 192.168.7.0/24 (client 1)
       |
       |
       |---------------------------- 192.168.7.0/24 (client 2)
       |
       ----------------------------- 192.168.7.0/24 (client 3)

Below are the configuration files:

racoon:

    path pre_shared_key "/etc/racoon/psk.txt";

    remote 192.168.5.10 {
        exchange_mode_main;
        # Gateway(ike) proposal
        proposal {
            encryption_algorithm des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp768;
        }
    }

    remote 192.168.5.11 {
        exchange_mode_main;
        # Gateway(ike) proposal
        proposal {
            encryption_algorithm des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp768;
        }
    }

    remote 192.168.5.12 {
        exchange_mode_main;
        # Gateway(ike) proposal
        proposal {
            encryption_algorithm des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp768;
        }
    }

    sainfo address 192.168.1.0/24 any address 192.168.7.0/24 any {
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

ipsec.conf:

    #!/usr/sbin/setkey -f
    #
    #flush SAD and SPD
    flush;
    spdflush;

    # Create policies for racoon
    spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
        esp/tunnel/192.168.5.1-192.168.5.10/require;
    spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/192.168.5.10-192.168.5.1/require;
    spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
        esp/tunnel/192.168.5.1-192.168.5.11/require;
    spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/192.168.5.11-192.168.5.1/require;
    spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
        esp/tunnel/192.168.5.1-192.168.5.12/require;
    spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/192.168.5.12-192.168.5.1/require;

After restarting racoon came the following errors:

    # /etc/init.d/racoon restart
     * Stopping racoon ... [ ok ]
     * Flushing policy entries ... [ ok ]
     * Loading ipsec policies from /etc/ipsec.conf.
    The result of line 23: File exists.
    The result of line 26: File exists.
    The result of line 26: File exists.
    The result of line 33: File exists.

Is the scheme realizable? Or is it possible that I am doing something wrong? Please advise how to do it.

----------------------------------------------------------------------
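The ipsec.conf in the request above repeats the same policy selector (source range, destination range, upper-layer protocol, direction) with three different tunnel endpoints, and a second spdadd for a selector that is already in the SPD is refused as a duplicate, which is what "File exists" reports. The check below is an added example, not part of the original post or of ipsec-tools: it parses a setkey file and lists the selectors that occur more than once. The function names are hypothetical, the line layout of the embedded file is reconstructed (so line numbers differ from the poster's), and selectors are compared as text without normalising equivalent prefixes.

```python
import re

# The policies from the ipsec.conf posted above; the line breaks are
# reconstructed, so the line numbers differ from those in the poster's file.
SETKEY_CONF = """\
#!/usr/sbin/setkey -f
#
# flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
    esp/tunnel/192.168.5.1-192.168.5.10/require;
spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/192.168.5.10-192.168.5.1/require;
spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
    esp/tunnel/192.168.5.1-192.168.5.11/require;
spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/192.168.5.11-192.168.5.1/require;
spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
    esp/tunnel/192.168.5.1-192.168.5.12/require;
spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/192.168.5.12-192.168.5.1/require;
"""


def statements(text):
    """Yield (first_line_number, tokens) for every ';'-terminated statement."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments and the shebang
        for tok in re.findall(r";|[^\s;]+", line):
            if tok == ";":
                if buf:
                    yield start, buf
                buf, start = [], None
            else:
                if not buf:
                    start = lineno            # statement may span several lines
                buf.append(tok)


def spd_key(tokens):
    """Return (src, dst, upperspec, direction) for an spdadd, else None."""
    if not tokens or tokens[0] != "spdadd" or "-P" not in tokens:
        return None
    p = tokens.index("-P")
    if p + 1 >= len(tokens):
        return None
    # Skip option flags such as -4/-6/-n that may precede the source range.
    args = [t for t in tokens[1:p] if not t.startswith("-")]
    if len(args) < 3:
        return None
    return (args[0], args[1], args[2], tokens[p + 1])


def duplicate_selectors(text):
    """Map each selector used by more than one spdadd to its statements."""
    seen = {}
    for lineno, toks in statements(text):
        key = spd_key(toks)
        if key is not None:
            policy = " ".join(toks[toks.index("-P") + 2:])
            seen.setdefault(key, []).append((lineno, policy))
    return {k: v for k, v in seen.items() if len(v) > 1}


def rejected_count(dups):
    """Number of spdadd statements that collide with an earlier one."""
    return sum(len(v) - 1 for v in dups.values())


if __name__ == "__main__":
    dups = duplicate_selectors(SETKEY_CONF)
    for (src, dst, proto, direction), uses in dups.items():
        print(f"selector {src} -> {dst} {proto} ({direction}) appears {len(uses)} times:")
        for lineno, policy in uses:
            print(f"  line {lineno}: {policy}")
    print(f"{rejected_count(dups)} statement(s) would collide with an existing policy")
```

Run on the posted file it reports two selectors used three times each, that is four colliding statements, the same count as the four "File exists" results in the post.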
From: SourceForge.net <no...@so...> - 2011-06-15 02:31:24
Support Requests item #3316508, was opened at 2011-06-15 00:42
Message generated for change (Comment added) made by xgates
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3316508&group_id=74601

Category: Building and installation
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Xgates (xgates)
Assigned to: Nobody/Anonymous (nobody)
Summary: Slackware 13.1 Compile Kernel Header Error Can't Build

Initial Comment:
Hi,

I'm running Slackware 13.1 x86 and this is the slack build script I set up;

http://pastebin.com/DLdtnvVq

And when I try to run it I keep getting a kernel headers error message;

    ../../src/include-glibc/linux/types.h:13:2: error: #warning "Attempt to use kernel headers from user space, see http://kernelnewbies.org/KernelHeaders"

I have set up in the configure options;

    --with-kernel-headers=/lib/modules/2.6.36.6/build/include \

Which I thought is correct for compiling against the headers, so I don't know what's going on and why I keep getting this error message... To me that looks like it's looking at the kernel compile /usr/src path?

How can I compile this?

THANKS

----------------------------------------------------------------------

>Comment By: Xgates (xgates)
Date: 2011-06-15 02:31

Message:
Ok I got this with the help of some other Slack users;

    -with-kernel-headers=/usr/include

BUT Slackware 13.1 uses gcc 4.4.4 and the code breaks strict aliasing.

So after running configure, in the /src/racoon/Makefile line 164 we have a fix;

    CFLAGS = -g -O2 -Wall -Werror -Wno-unused -fno-strict-aliasing

I tried compiling 0.7.2, 0.7.3 and 0.8.0, all crap for gcc 4.4.4.

Newer versions of GCC don't seem to be affected so hopefully this can be patched...

THANKS

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-06-14 21:50:58
Bugs item #3316465, was opened at 2011-06-14 17:50
Message generated for change (Tracker Item Submitted) made by arcivanov
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3316465&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Arcadiy Ivanov (arcivanov)
Assigned to: Nobody/Anonymous (nobody)
Summary: Racoon 0.8.0 + FreeBSD 8.2 + Windows XP NAT-T failure

Initial Comment:
Phase 1 and Phase 2 go through fine, but IPSec fails with the following:

    Jun 14 17:06:17 <daemon.debug> fw1 racoon: DEBUG: check spi(packet)=4246128700 spi(db)=4246128700.
    Jun 14 17:06:17 <daemon.info> fw1 racoon: ERROR: no iph2 found: ESP 98.229.10.142[500]->32.178.59.150[500] spi=4246128700(0xfd16c83c)

Full logs are attached.

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-06-12 19:28:11
Support Requests item #3315519, was opened at 2011-06-12 12:18
Message generated for change (Comment added) made by ntselliot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3315519&group_id=74601

Category: Configuration
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Elliot (ntselliot)
Assigned to: Nobody/Anonymous (nobody)
Summary: Configure error - "no selinux support! Aborting."

Initial Comment:
Hi IPsec Tools project,

## print configure error:

    configure: error: Security Context requested, but no selinux support! Aborting.

## print system information

    root@redline:~# uname -a
    Linux redline 2.6.37.5 #3 SMP Thu Mar 24 01:43:22 CDT 2011 x86_64 AMD Phenom(tm) 9850 Quad-Core Processor AuthenticAMD GNU/Linux

## print slackware version

    root@redline:~# cat /etc/slackware-version
    Slackware 13.37.0

----------------------------------------------------------------------

>Comment By: Elliot (ntselliot)
Date: 2011-06-12 12:28

Message:
The following comment from:

* https://sourceforge.net/tracker/index.php?func=detail&aid=3097246&group_id=74601&atid=541483

    % ./configure --disable-selinux

... resulted in the following (same) configure error:

    % configure: error: Security Context requested, but no selinux support! Aborting.

Any suggestions or advice you may have are kindly appreciated.

Thank you,

//. Elliot (an IPsec newbie)

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-05-30 11:36:09
Patches item #3309272, was opened at 2011-05-30 13:36
Message generated for change (Tracker Item Submitted) made by mache
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3309272&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nicolae Mihalache (mache)
Assigned to: Nobody/Anonymous (nobody)
Summary: xauth connection to juniper

Initial Comment:
The Juniper VPN server sends the mode config messages upon reception of the correct xauth data. By default, racoon ignores this message, causing the juniper to close the connection.

The attached patch acks the mode config messages and remembers the settings, and it does not initiate a mode config request after the authorization status ok has been received.

Only tested in one configuration but I think it should not break existing connections.

----------------------------------------------------------------------
From: Timo T. <fab...@us...> - 2011-03-30 10:33:41
|
Update of /cvsroot/ipsec-tools/htdocs In directory vz-cvs-4.sog:/tmp/cvs-serv1982 Modified Files: index.html Log Message: 0.8.0 release Index: index.html =================================================================== RCS file: /cvsroot/ipsec-tools/htdocs/index.html,v retrieving revision 1.44 retrieving revision 1.45 diff -u -d -r1.44 -r1.45 --- index.html 23 Apr 2009 09:59:17 -0000 1.44 +++ index.html 30 Mar 2011 10:33:38 -0000 1.45 @@ -36,6 +36,13 @@ <div class="news"> <p class="listheader">News:</p> <dl> +<dt>2011-03-18</dt> +<dd><b>IPsec-tools 0.8.0</b> released, with many new features and bug fixes. Download +<a href="http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.0/">from Sourceforge</a>, +or from the <a href="ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/">misc/ipsec-tools/0.8</a> +directory of most <a href="http://www.netbsd.org/mirrors/#ftp">NetBSD FTP mirrors</a> +(NB: not all NetBSD FTP mirrors replicate the <b>misc</b> directory) +</dd> <dt>2009-04-22</dt> <dd><b>IPsec-tools 0.7.2</b> released, with security and bug fixes. Download <a href="https://sourceforge.net/project/showfiles.php?group_id=74601&package_id=74949&release_id=677611">from Sourceforge</a>, or from the <a href="ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/">misc/ipsec-tools/0.7</a> directory of most <a href="http://www.netbsd.org/mirrors/#ftp">NetBSD FTP mirrors</a> (NB: not all NetBSD FTP mirrors replicate the <b>misc</b> directory) </dd> |
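Review bot: in the added 2011-03-18 entry of the @@ -36,6 +36,13 @@ hunk the download links use plain http and ftp, while the 0.7.2 entry in the context just below links to Sourceforge over https; use https for the Sourceforge link here too. The entry also gives readers nothing to verify the downloaded release against, so consider adding a checksum or signature reference next to the links.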
From: SourceForge.net <no...@so...> - 2010-12-03 10:05:19
Support Requests item #3118505, was opened at 2010-11-25 16:13
Message generated for change (Comment added) made by bunni35
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3118505&group_id=74601

Category: Configuration
Group: setkey
Status: Open
Priority: 7
Private: No
Submitted By: Benoit LORAND (bunni35)
Assigned to: Nobody/Anonymous (nobody)
Summary: Uncrypt packet outgoing via wan interface

Initial Comment:
Hi all,

I have installed two Linux gateways with ipsec-tools. When I launch a ping from one network to the other, the first one encrypts the packet in esp (viewed with tcpdump), the second decrypts the packet but sends it via eth0, which is my wan interface.

Where should I specify on which interface the unencrypted packet should go?

first gateway :

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;
    #Create policies for racoon
    spdadd 172.16.84.0/24 172.16.74.0/24 any -P out ipsec
        esp/tunnel/[ip_wan1]-[ip_wan2]/require;
    spdadd 172.16.74.0/24 172.16.84.0/24 any -P in ipsec
        esp/tunnel/[ip_wan2]-[ip_wan1]/require;

second gateway :

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;
    #Create policies for racoon
    spdadd 172.16.74.0/24 172.16.84.0/24 any -P out ipsec
        esp/tunnel/[ip_wan2]-[ip_wan1]/require;
    spdadd 172.16.84.0/24 172.16.74.0/24 any -P in ipsec
        esp/tunnel/[ip_wan1]-[ip_wan2]/require;

----------------------------------------------------------------------

>Comment By: Benoit LORAND (bunni35)
Date: 2010-12-03 11:05

Message:
Notice I have changed my ip destination in the setkey like :

ipsec2 :

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;
    #Create policies for racoon
    spdadd 172.16.74.0/24 172.16.75.0/24 any -P out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require;
    spdadd 172.16.75.0/24 172.16.74.0/24 any -P in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require;

ipsec3:

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;
    #Create policies for racoon
    spdadd 172.16.75.0/24 172.16.74.0/24 any -P out ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require;
    spdadd 172.16.74.0/24 172.16.75.0/24 any -P in ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require;

----------------------------------------------------------------------

Comment By: Benoit LORAND (bunni35)
Date: 2010-12-03 10:41

Message:
On the attached screenshot we can see the problem. Maybe someone has already seen that.

I was on a 2.6.33 kernel, I have updated to 2.6.36.1 but no change.

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2010-12-02 07:57:59
|
Bugs item #3125315, was opened at 2010-12-02 09:57
Message generated for change (Tracker Item Submitted) made by yurybx
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3125315&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Yury Bilkovs'ky (yurybx)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tunnel becomes inoperative periodically

Initial Comment:
Ipsec-tools v. 0.7.3, FreeBSD 7.1 <---> D-Link DI-804HV.

I have an ipsec-tunnel between two offices. All works nicely. But periodically the ipsec-tunnel becomes inoperative: even ping from one side to the other does not work. Restarting the D-Link does not help. Only restarting racoon helps. This is a part of racoon's log at that moment:

...
2010-11-27 10:26:03: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=231504593(0xdcc7ad1)
2010-11-27 10:26:03: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1207959568(0x48000010)
2010-11-27 10:26:04: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:533aec9f0a036333:c822144f933d5475
2010-11-27 10:51:36: ERROR: unknown Informational exchange received.
2010-11-27 10:51:36: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:51:36: INFO: begin Identity Protection mode.
2010-11-27 10:51:36: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:51:36: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:51:36: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=239437563(0xe4586fb)
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1308622864(0x4e000010)
2010-11-27 10:53:07: INFO: purged IPsec-SA proto_id=ESP spi=1308622864.
2010-11-27 10:53:07: INFO: ISAKMP-SA expired XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:53:07: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:53:07: INFO: begin Identity Protection mode.
2010-11-27 10:53:07: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:53:07: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
2010-11-27 10:53:07: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=194230684(0xb93b99c)
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1342177296(0x50000010)
2010-11-27 10:53:08: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:54:38: INFO: purged IPsec-SA proto_id=ESP spi=1342177296.
2010-11-27 10:54:38: INFO: ISAKMP-SA expired XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
2010-11-27 10:54:38: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:54:38: INFO: begin Identity Protection mode.
2010-11-27 10:54:38: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:54:38: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:c8f7bae16bbd02a0:ab49cfac3dbecda9
2010-11-27 10:54:38: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:54:38: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=200192469(0xbeeb1d5)
2010-11-27 10:54:38: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1375731728(0x52000010)
2010-11-27 10:54:39: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
...

("ISAKMP-SA deleted" repeats because D-Link's "IKE Keep Alive" is enabled (it restarts the tunnel every 90 seconds).)

Both D-Link and FreeBSD say that the ipsec-tunnel is up, but it doesn't work! Some strange error occurred at 10:51:36, and the tunnel became inoperative. This situation repeats every several days. Is it possible to fix this bug?

This is "racoon.conf" file's content:

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;

padding {
    maximum_length 20; # maximum padding length.
    randomize off; # enable randomize length.
    strict_check off; # enable strict check.
    exclusive_tail off; # extract last one octet.
}

listen {
    isakmp XX.XX.XX.XX [500];
}

timer {
    # These value can be changed per remote node.
    counter 5; # maximum trying count to send.
    interval 20 sec; # maximum interval to resend
    persend 1; # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous {
    exchange_mode main,aggressive;
    #exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier address;
    my_identifier address XX.XX.XX.XX;
    peers_identifier address YY.YY.YY.YY;
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 3600 sec; # sec,min,hour
    initial_contact on;
    support_proxy on;
    proposal_check obey; # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 1 ;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3125315&group_id=74601 |
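The timing pattern in the log quoted in the report above can be measured rather than read by eye. The following is an added example, not part of the original report or of ipsec-tools: it parses racoon log lines in the format shown, measures the gap between successive phase 1 negotiations, and pairs each "IPsec-SA established" with its "purged" line to get the SA's actual lifetime. The function names are hypothetical, the 3600-second default is the `lifetime time` from the posted `sainfo` block, and the half-lifetime threshold is an assumption of this example.

```python
import re
from datetime import datetime

# Lines copied from the excerpt in the report (addresses already masked there).
SAMPLE_LOG = """\
2010-11-27 10:51:36: ERROR: unknown Informational exchange received.
2010-11-27 10:51:36: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1308622864(0x4e000010)
2010-11-27 10:53:07: INFO: purged IPsec-SA proto_id=ESP spi=1308622864.
2010-11-27 10:53:07: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1342177296(0x50000010)
2010-11-27 10:54:38: INFO: purged IPsec-SA proto_id=ESP spi=1342177296.
2010-11-27 10:54:38: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:54:38: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1375731728(0x52000010)
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (\w+): (.*)$")
SPI_RE = re.compile(r"spi=(\d+)")  # IPsec-SA lines only; ISAKMP-SA lines use "spi:"


def parse(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def phase1_intervals(text):
    """Seconds between successive 'respond new phase 1 negotiation' events."""
    times = [ts for ts, _, msg in parse(text)
             if msg.startswith("respond new phase 1 negotiation")]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def sa_lifetimes(text):
    """Map SPI -> seconds between 'IPsec-SA established' and its purge.

    A purge whose establishment is outside the excerpt is ignored, and an SA
    that is never purged in the excerpt does not appear in the result.
    """
    born, lived = {}, {}
    for ts, _, msg in parse(text):
        m = SPI_RE.search(msg)
        if not m:
            continue
        spi = int(m.group(1))
        if msg.startswith("IPsec-SA established"):
            born[spi] = ts
        elif msg.startswith("purged IPsec-SA") and spi in born:
            lived[spi] = int((ts - born[spi]).total_seconds())
    return lived


def early_purges(text, configured_lifetime=3600):
    """SPIs purged before half the configured lifetime (assumed threshold)."""
    return sorted(spi for spi, secs in sa_lifetimes(text).items()
                  if secs < configured_lifetime / 2)


def errors(text):
    """(HH:MM:SS, message) for every ERROR line, in log order."""
    return [(ts.strftime("%H:%M:%S"), msg)
            for ts, level, msg in parse(text) if level == "ERROR"]


if __name__ == "__main__":
    print("phase 1 intervals (s):", phase1_intervals(SAMPLE_LOG))
    print("SA lifetimes (s):", sa_lifetimes(SAMPLE_LOG))
    print("purged early:", early_purges(SAMPLE_LOG))
    print("errors:", errors(SAMPLE_LOG))
```

Run over a full racoon log, the same functions show when the renegotiation cadence starts and which SAs were purged long before their configured lifetime.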
From: SourceForge.net <no...@so...> - 2010-11-25 15:33:00
|
Support Requests item #3118505, was opened at 2010-11-25 16:13
Message generated for change (Tracker Item Submitted) made by bunni35
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3118505&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Configuration
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Benoit LORAND (bunni35)
Assigned to: Nobody/Anonymous (nobody)
Summary: Uncrypt packet outgoing via wan interface

Initial Comment:
Hi all,

I have installed two Linux gateways with ipsec-tools. When I launch ping from one network to the other, the first one encrypts the packet in ESP (viewed with tcpdump), the second decrypts the packet but sends it via eth0, which is my WAN interface. Where should I specify on which interface the unencrypted packet should go?

first gateway :
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;
#Create policies for racoon
spdadd 172.16.84.0/24 172.16.74.0/24 any -P out ipsec
    esp/tunnel/[ip_wan1]-[ip_wan2]/require;
spdadd 172.16.74.0/24 172.16.84.0/24 any -P in ipsec
    esp/tunnel/[ip_wan2]-[ip_wan1]/require;

second gateway :
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;
#Create policies for racoon
spdadd 172.16.74.0/24 172.16.84.0/24 any -P out ipsec
    esp/tunnel/[ip_wan2]-[ip_wan1]/require;
spdadd 172.16.84.0/24 172.16.74.0/24 any -P in ipsec
    esp/tunnel/[ip_wan1]-[ip_wan2]/require;

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3118505&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-10-28 12:44:47
|
Support Requests item #3097246, was opened at 2010-10-28 05:37
Message generated for change (Comment added) made by bseklecki
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 9
Private: No
Submitted By: Mickey Lee (dong-chan)
Assigned to: Nobody/Anonymous (nobody)
Summary: After ipsec-tools install when ./configure, error occure!!!!

Initial Comment:
checking kernel Security Context support... yes
checking selinux/selinux.h usability... no
checking selinux/selinux.h presence... no
checking for selinux/selinux.h... no
checking whether to support Security Context... yes
configure: error: Security Context requested, but no selinux support! Aborting.
------------------------------------------------------------------------------------------------------------------------

What's solution above configure : error ?
Would you please inform me?

Thanks,
Mickey.

----------------------------------------------------------------------

Comment By: Brian A. Seklecki (bseklecki)
Date: 2010-10-28 08:44

Message:
Looks like your GNU/Linux is broken. Go figure.

Add: --disable-selinux to your ./configure.

Upload your config.log output from the failed attempt. Post the URL of the upload here.

Please share your "uname -a" output as well.

~BAS

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-10-28 12:05:53
|
Support Requests item #3097246, was opened at 2010-10-28 18:37
Message generated for change (Settings changed) made by dong-chan
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
>Priority: 9
Private: No
Submitted By: Mickey Lee (dong-chan)
Assigned to: Nobody/Anonymous (nobody)
Summary: After ipsec-tools install when ./configure, error occure!!!!

Initial Comment:
checking kernel Security Context support... yes
checking selinux/selinux.h usability... no
checking selinux/selinux.h presence... no
checking for selinux/selinux.h... no
checking whether to support Security Context... yes
configure: error: Security Context requested, but no selinux support! Aborting.
------------------------------------------------------------------------------------------------------------------------

What's solution above configure : error ?
Would you please inform me?

Thanks,
Mickey.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-10-28 09:40:24
|
Support Requests item #3097246, was opened at 2010-10-28 18:37
Message generated for change (Settings changed) made by dong-chan
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Mickey Lee (dong-chan)
Assigned to: Nobody/Anonymous (nobody)
>Summary: After ipsec-tools install when ./configure, error occure!!!!

Initial Comment:
checking kernel Security Context support... yes
checking selinux/selinux.h usability... no
checking selinux/selinux.h presence... no
checking for selinux/selinux.h... no
checking whether to support Security Context... yes
configure: error: Security Context requested, but no selinux support! Aborting.
------------------------------------------------------------------------------------------------------------------------

What's solution above configure : error ?
Would you please inform me?

Thanks,
Mickey.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-10-28 09:37:53
|
Support Requests item #3097246, was opened at 2010-10-28 18:37
Message generated for change (Tracker Item Submitted) made by dong-chan
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Mickey Lee (dong-chan)
Assigned to: Nobody/Anonymous (nobody)
Summary: when ./configure, error occure!!!!

Initial Comment:
checking kernel Security Context support... yes
checking selinux/selinux.h usability... no
checking selinux/selinux.h presence... no
checking for selinux/selinux.h... no
checking whether to support Security Context... yes
configure: error: Security Context requested, but no selinux support! Aborting.
------------------------------------------------------------------------------------------------------------------------

What's solution above configure : error ?
Would you please inform me?

Thanks,
Mickey.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3097246&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-07-19 15:12:49
|
Bugs item #3031644, was opened at 2010-07-20 00:12
Message generated for change (Tracker Item Submitted) made by okanot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3031644&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: OKANO Takayoshi (okanot)
Assigned to: Nobody/Anonymous (nobody)
Summary: obsolete url in FAQ document

Initial Comment:
In ipsec-tools/src/racoon/doc/FAQ, there is a reference to an obsolete URL,
http://www.netbsd.org/Documentation/network/ipsec/
It has been moved to
http://www.NetBSD.org/docs/network/ipsec/

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3031644&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-04-21 06:38:41
|
Support Requests item #2990280, was opened at 2010-04-21 10:38
Message generated for change (Tracker Item Submitted) made by mystmare
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=2990280&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Configuration
Group: racoon
Status: Open
Priority: 5
Private: No
Submitted By: Ilya Morozov (mystmare)
Assigned to: Nobody/Anonymous (nobody)
Summary: Cannot establish connection from XP box to FreeBSD racoon

Initial Comment:
Hi. I have a problem with the connection from XP to racoon. At the very beginning of the connection, in the racoon logs there is this message:

ERROR: invalid DH group 20
ERROR: invalid DH group 19

In that order. Certificates were generated both with OpenSSL on FreeBSD and on Windows 2003 - the result is the same.

racoon config:

path include "/usr/local/etc/racoon";
path certificate "/usr/local/etc/racoon/cert";

listen {
    isakmp 192.168.20.27 [500];
    #isakmp_natt 192.168.20.27 [4500];
}

log notify;
#log debug2;

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

#listen {
#    adminsock "/var/run/racoon/racoon.sock";
#}

timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 28800 min;
    initial_contact on;
    proposal_check obey;
    certificate_type x509 "master.crt" "master.key";
    #peers_certfile "ipsec-client.crt";
    #my_identifier asn1dn;
    #verify_identifier off;
    #verify_cert on;
    #weak_phase1_check on;
    #support_proxy on;
    passive on;
    generate_policy on;
    dpd_delay 20;
    #nat_traversal on;
    #ike_frag on;
    #esp_frag 552;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

mode_cfg {
    network4 192.168.50.0;
    netmask4 255.255.255.0;
    pool_size 200;
    #auth_source ldap;
    #conf_source ldap;
    #auth_source radius;
    accounting none;
    dns4 192.168.20.252;
    wins4 192.168.20.253;
    banner "/usr/local/etc/racoon/motd";
    pfs_group 1;
}

ldapcfg {
    host "192.168.20.253";
    base "dc=servertd,dc=spb,dc=ru";
    subtree on;
    bind_dn "cn=squid,dc=servertd,dc=spb,dc=ru";
    bind_pw "proxy";
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=2990280&group_id=74601 |
From: SourceForge.net <no...@so...> - 2010-04-14 12:57:02
|
Bugs item #2987114, was opened at 2010-04-14 14:52
Message generated for change (Settings changed) made by siutkowskij
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=2987114&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Deleted
Resolution: None
Priority: 5
Private: No
Submitted By: siutkowskij (siutkowskij)
Assigned to: Nobody/Anonymous (nobody)
Summary: racoon 0.7.3 crashes with Segmentaion Fault just after start

Initial Comment:
When I add more than two mode_cfg{} statements in racoon.conf (to allot separate IP address pools to 2 different groups by the auth_groups directive), racoon vanishes just after start without a single error line in the log file; all auth is local system. When starting in foreground mode the only line except INFOs and DEBUGs is: "Segmentation fault".
OS: CentOS 5.4 updated.

Example of racoon output:

[root@mobile log]# racoon -4 -v -F -L -dddd
Foreground mode.
2010-04-14 12:59:13: INFO: main.c:182:main(): @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-04-14 12:59:13: INFO: main.c:185:main(): @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
2010-04-14 12:59:13: INFO: main.c:187:main(): Reading configuration from "/etc/racoon/racoon.conf"
2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for AH
2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for ESP
2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for IPCOMP
2010-04-14 12:59:13: DEBUG: cftoken.l:768:yycf_set_buffer(): reading config file /etc/racoon/racoon.conf
2010-04-14 12:59:13: DEBUG2: cfparse.y:2291:set_isakmp_proposal(): lifetime = 28800
2010-04-14 12:59:13: DEBUG2: cfparse.y:2294:set_isakmp_proposal(): lifebyte = 0
2010-04-14 12:59:13: DEBUG2: cfparse.y:2296:set_isakmp_proposal(): encklen=128
2010-04-14 12:59:13: DEBUG2: cfparse.y:2359:expand_isakmpspec(): p:1 t:1
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): AES-CBC(7)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): SHA(2)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 1024-bit MODP group(2)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): Hybrid RSA server(64222)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2369:expand_isakmpspec():
2010-04-14 12:59:13: DEBUG2: cfparse.y:2291:set_isakmp_proposal(): lifetime = 28800
2010-04-14 12:59:13: DEBUG2: cfparse.y:2294:set_isakmp_proposal(): lifebyte = 0
2010-04-14 12:59:13: DEBUG2: cfparse.y:2296:set_isakmp_proposal(): encklen=0
2010-04-14 12:59:13: DEBUG2: cfparse.y:2359:expand_isakmpspec(): p:1 t:2
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 3DES-CBC(5)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): MD5(1)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: INFO: main.c:182:main(): @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: INFO: main.c:185:main(): @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: INFO: main.c:187:main(): Reading configuration from "/etc/racoon/racoon.conf"
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for AH
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for ESP
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG: pfkey.c:414:pfkey_init(): call pfkey_send_register for IPCOMP
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG: cftoken.l:768:yycf_set_buffer(): reading config file /etc/racoon/racoon.conf
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2291:set_isakmp_proposal(): lifetime = 28800
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2294:set_isakmp_proposal(): lifebyte = 0
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2296:set_isakmp_proposal(): encklen=128
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 1024-bit MODP group(2)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): Hybrid RSA server(64222)
2010-04-14 12:59:13: DEBUG2: cfparse.y:2369:expand_isakmpspec():
2010-04-14 12:59:13: DEBUG: algorithm.c:691:alg_oakley_dhdef(): hmac(modp1024)
2010-04-14 12:59:13: INFO: isakmp_cfg.c:2052:isakmp_cfg_resize_pool(): Resize address pool from 0 to 253
Segmentation fault
[root@mobile log]#
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2359:expand_isakmpspec(): p:1 t:1
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): AES-CBC(7)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): SHA(2)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 1024-bit MODP group(2)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): Hybrid RSA server(64222)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2369:expand_isakmpspec():
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2291:set_isakmp_proposal(): lifetime = 28800
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2294:set_isakmp_proposal(): lifebyte = 0
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2296:set_isakmp_proposal(): encklen=0
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2359:expand_isakmpspec(): p:1 t:2
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 3DES-CBC(5)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): MD5(1)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): 1024-bit MODP group(2)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2367:expand_isakmpspec(): Hybrid RSA server(64222)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG2: cfparse.y:2369:expand_isakmpspec():
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: DEBUG: algorithm.c:691:alg_oakley_dhdef(): hmac(modp1024)
Apr 14 12:59:13 mobile racoon: 2010-04-14 12:59:13: INFO: isakmp_cfg.c:2052:isakmp_cfg_resize_pool(): Resize address pool from 0 to 253

----------------------------------------------------------------------

>Comment By: siutkowskij (siutkowskij)
Date: 2010-04-14 14:56

Message:
duplicated entry on bugtrack list

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=2987114&group_id=74601 |