Thread: [Ipsec-tools-devel] Missing SAD
From: Sam W. <swu...@gm...> - 2007-09-13 12:00:55
Hi,

I have installed ipsec-tools 0.7 in FreeBSD 6.2. One end of the VPN connection shows 2 SAD entries, while the other end of the VPN doesn't show any SAD entry.

The one showing 2 SAD entries:

core: # setkey -D
12x.x.x.x 2x.x.x.x
        esp mode=tunnel spi=265231941(0x0fcf1e45) reqid=0(0x00000000)
        E: 3des-cbc 1a8ab592 8b738761 1aefb342 c8068f21 b1014ecf ec867731
        A: hmac-md5 61d09189 e1aaec8c 9a3d7ebf 842768aa
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
        diff: 993(s)    hard: 28800(s)  soft: 23040(s)
        last: Sep 13 21:42:39 2007      hard: 0(s)      soft: 0(s)
        current: 144(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=1 pid=88156 refcnt=2
2x.x.x.x 12x.x.x.x
        esp mode=tunnel spi=236492096(0x0e189540) reqid=0(0x00000000)
        E: 3des-cbc bf1ea2ed e661f704 931a6d94 3a4a6049 d3efa161 82fa5014
        A: hmac-md5 28a88aa9 57ac1e12 c9548807 6b22742f
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
        diff: 993(s)    hard: 28800(s)  soft: 23040(s)
        last:   hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=88156 refcnt=1

The other end of the VPN connection shows nothing:

belmore# setkey -D
#

but -DP shows:

belmore# setkey -DP
12x.x.x.x[any] 2x.x.x.x[any] any
        in ipsec
        esp/tunnel/12x.x.x.x-2x.x.x.x/require
        created: Sep 13 18:02:37 2007  lastused: Sep 13 18:02:37 2007
        lifetime: 0(s)  validtime: 0(s)
        spid=16388 seq=1 pid=2061
        refcnt=1
2x.x.x.x[any] 12x.x.x.x[any] any
        out ipsec
        esp/tunnel/2x.x.x.x-12x.x.x.x/require
        created: Sep 13 18:02:37 2007  lastused: Sep 13 18:05:37 2007
        lifetime: 0(s)  validtime: 0(s)
        spid=16389 seq=0 pid=2061
        refcnt=1
belmore#

Can anyone explain why the other end of the VPN connection (Belmore) has no SAD entry?

Thanks
S
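The comparison made by eye above (two SAs in core's SAD, none in belmore's) can be made mechanical. What follows is an added example written for this page, not code from the thread or from ipsec-tools: it parses `setkey -D` output into records keyed by SPI and reports SPIs present on one end only, SAs whose hard/soft lifetimes differ between the two ends, and SAs that have not counted any bytes. The embedded sample is the core dump from the post with the masked addresses replaced by the hypothetical stand-ins 192.0.2.1 and 198.51.100.1 and the E:/A: key lines left out; the belmore dump is empty, as posted.

```python
"""Compare `setkey -D` dumps from two IPsec peers and flag asymmetric SAs.

Added example, not code from the thread or from ipsec-tools. Addresses
192.0.2.1 / 198.51.100.1 are hypothetical stand-ins for the masked ones.
"""
import re
from dataclasses import dataclass

# Constructed sample: the "core" dump from the post, key lines omitted.
CORE_DUMP = """\
192.0.2.1 198.51.100.1
        esp mode=tunnel spi=265231941(0x0fcf1e45) reqid=0(0x00000000)
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
        diff: 993(s)    hard: 28800(s)  soft: 23040(s)
        last: Sep 13 21:42:39 2007      hard: 0(s)      soft: 0(s)
        current: 144(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=1 pid=88156 refcnt=2
198.51.100.1 192.0.2.1
        esp mode=tunnel spi=236492096(0x0e189540) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
        diff: 993(s)    hard: 28800(s)  soft: 23040(s)
        last:   hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=88156 refcnt=1
"""
BELMORE_DUMP = ""  # `setkey -D` printed nothing on the other end

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst"
PROTO_RE = re.compile(r"^\s+(\w+)\s+mode=(\w+)\s+spi=(\d+)\(")
STATE_RE = re.compile(r"\bstate=(\w+)")
LIFE_RE = re.compile(r"^\s+diff:\s+(\d+)\(s\)\s+hard:\s+(\d+)\(s\)\s+soft:\s+(\d+)\(s\)")
BYTES_RE = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    state: str = ""
    age: int = 0      # seconds since creation ("diff:")
    hard: int = 0     # hard lifetime, seconds
    soft: int = 0     # soft lifetime, seconds
    nbytes: int = 0   # bytes protected so far ("current: N(bytes)")


def parse_setkey_dump(text: str) -> list[SA]:
    """Turn `setkey -D` text into SA records; each unindented line starts one."""
    sas: list[SA] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            cur = SA(m.group(1), m.group(2)) if m else None
            if cur is not None:
                sas.append(cur)
            continue
        if cur is None:
            continue
        if m := PROTO_RE.match(line):
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), int(m.group(3))
        elif m := STATE_RE.search(line):
            cur.state = m.group(1)
        elif m := LIFE_RE.match(line):
            cur.age, cur.hard, cur.soft = (int(g) for g in m.groups())
        elif m := BYTES_RE.match(line):
            cur.nbytes = int(m.group(1))
    return sas


def compare_peers(local_dump: str, peer_dump: str) -> list[tuple[int, str]]:
    """Pair SAs by SPI across the two ends and report what does not line up.

    An SPI known to one end only is the symptom from the post; differing
    hard/soft lifetimes for the same SPI is what the two racoons negotiating
    different phase 2 lifetimes looks like in the SAD.
    """
    local = {sa.spi: sa for sa in parse_setkey_dump(local_dump)}
    peer = {sa.spi: sa for sa in parse_setkey_dump(peer_dump)}
    findings: list[tuple[int, str]] = []
    for spi, sa in local.items():
        other = peer.get(spi)
        if other is None:
            findings.append((spi, "missing on peer"))
        elif (sa.hard, sa.soft) != (other.hard, other.soft):
            findings.append((spi, "lifetime mismatch"))
        if sa.nbytes == 0:
            findings.append((spi, "no bytes counted"))
    for spi in peer:
        if spi not in local:
            findings.append((spi, "missing locally"))
    return findings


if __name__ == "__main__":
    for spi, problem in compare_peers(CORE_DUMP, BELMORE_DUMP):
        print(f"spi=0x{spi:08x}: {problem}")
```

To use it on real gateways, save `setkey -D` output from each end to a file and pass the two file contents to `compare_peers`. The regexes accept either the tabs setkey prints or the spaces mail clients turn them into. On the posted data the parser reports both SPIs as missing on belmore and notes that core's inbound SA (dst 12x.x.x.x) has counted zero bytes; it only reports the asymmetry, it cannot say why the peer's SAD is empty.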
From: Brian A. S. <lav...@sp...> - 2007-09-25 19:00:00
I have an outstanding issue (which I haven't looked at this month) where SAD/SPD entries are not properly cleared on 6.2/amd64

~BAS

On Thu, 13 Sep 2007, Sam Wun wrote:

> Hi,
>
> I have installed ipsec-tools 0.7 in FreeBSD 6.2.
> One end of the VPN connection shows 2 SAD entries, while the other end
> of the VPN doesn't show any SAD entry.
> The one showing 2 SAD entries:
> core: # setkey -D
> 12x.x.x.x 2x.x.x.x
>         esp mode=tunnel spi=265231941(0x0fcf1e45) reqid=0(0x00000000)
>         E: 3des-cbc 1a8ab592 8b738761 1aefb342 c8068f21 b1014ecf ec867731
>         A: hmac-md5 61d09189 e1aaec8c 9a3d7ebf 842768aa
>         seq=0x00000001 replay=4 flags=0x00000000 state=mature
>         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
>         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
>         last: Sep 13 21:42:39 2007      hard: 0(s)      soft: 0(s)
>         current: 144(bytes)     hard: 0(bytes)  soft: 0(bytes)
>         allocated: 1    hard: 0 soft: 0
>         sadb_seq=1 pid=88156 refcnt=2
> 2x.x.x.x 12x.x.x.x
>         esp mode=tunnel spi=236492096(0x0e189540) reqid=0(0x00000000)
>         E: 3des-cbc bf1ea2ed e661f704 931a6d94 3a4a6049 d3efa161 82fa5014
>         A: hmac-md5 28a88aa9 57ac1e12 c9548807 6b22742f
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
>         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
>         last:   hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=88156 refcnt=1
>
> the other end of the VPN connection shows nothing:
> belmore# setkey -D
> #
> but -DP shows:
> belmore# setkey -DP
> 12x.x.x.x[any] 2x.x.x.x[any] any
>         in ipsec
>         esp/tunnel/12x.x.x.x-2x.x.x.x/require
>         created: Sep 13 18:02:37 2007  lastused: Sep 13 18:02:37 2007
>         lifetime: 0(s)  validtime: 0(s)
>         spid=16388 seq=1 pid=2061
>         refcnt=1
> 2x.x.x.x[any] 12x.x.x.x[any] any
>         out ipsec
>         esp/tunnel/2x.x.x.x-12x.x.x.x/require
>         created: Sep 13 18:02:37 2007  lastused: Sep 13 18:05:37 2007
>         lifetime: 0(s)  validtime: 0(s)
>         spid=16389 seq=0 pid=2061
>         refcnt=1
> belmore#
>
> Can anyone explain why the other end of the VPN connection (Belmore)
> has no SAD entry?
>
> Thanks
> S

l8*

-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan
From: VANHULLEBUS Y. <va...@fr...> - 2007-09-25 20:14:48
On Thu, Sep 13, 2007 at 10:00:57PM +1000, Sam Wun wrote:
> Hi,

Hi.

> I have installed ipsec-tools 0.7 in FreeBSD 6.2.
> One end of the VPN connection shows 2 SAD entries, while the other end
> of the VPN doesn't show any SAD entry.
> The one showing 2 SAD entries:
> core: # setkey -D
> 12x.x.x.x 2x.x.x.x
>         esp mode=tunnel spi=265231941(0x0fcf1e45) reqid=0(0x00000000)
>         E: 3des-cbc 1a8ab592 8b738761 1aefb342 c8068f21 b1014ecf ec867731
>         A: hmac-md5 61d09189 e1aaec8c 9a3d7ebf 842768aa
>         seq=0x00000001 replay=4 flags=0x00000000 state=mature
>         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
>         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
>         last: Sep 13 21:42:39 2007      hard: 0(s)      soft: 0(s)
>         current: 144(bytes)     hard: 0(bytes)  soft: 0(bytes)
>         allocated: 1    hard: 0 soft: 0
>         sadb_seq=1 pid=88156 refcnt=2
> 2x.x.x.x 12x.x.x.x
>         esp mode=tunnel spi=236492096(0x0e189540) reqid=0(0x00000000)
>         E: 3des-cbc bf1ea2ed e661f704 931a6d94 3a4a6049 d3efa161 82fa5014
>         A: hmac-md5 28a88aa9 57ac1e12 c9548807 6b22742f
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
>         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
>         last:   hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=88156 refcnt=1
>
> the other end of the VPN connection shows nothing:
> belmore# setkey -D
> #

Did it show something before?

The first thing I would have a look at is the checkmode on both racoons: you may just have issues with the strange behaviour of claim or obey checkmodes, which would result in SAs having different lifetimes on both ends.

Yvan.
From: Sam W. <swu...@gm...> - 2007-09-25 23:21:23
On 9/26/07, VANHULLEBUS Yvan <va...@fr...> wrote:
> On Thu, Sep 13, 2007 at 10:00:57PM +1000, Sam Wun wrote:
> > Hi,
>
> Hi.
>
> > I have installed ipsec-tools 0.7 in FreeBSD 6.2.
> > One end of the VPN connection shows 2 SAD entries, while the other end
> > of the VPN doesn't show any SAD entry.
> > The one showing 2 SAD entries:
> > core: # setkey -D
> > 12x.x.x.x 2x.x.x.x
> >         esp mode=tunnel spi=265231941(0x0fcf1e45) reqid=0(0x00000000)
> >         E: 3des-cbc 1a8ab592 8b738761 1aefb342 c8068f21 b1014ecf ec867731
> >         A: hmac-md5 61d09189 e1aaec8c 9a3d7ebf 842768aa
> >         seq=0x00000001 replay=4 flags=0x00000000 state=mature
> >         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
> >         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
> >         last: Sep 13 21:42:39 2007      hard: 0(s)      soft: 0(s)
> >         current: 144(bytes)     hard: 0(bytes)  soft: 0(bytes)
> >         allocated: 1    hard: 0 soft: 0
> >         sadb_seq=1 pid=88156 refcnt=2
> > 2x.x.x.x 12x.x.x.x
> >         esp mode=tunnel spi=236492096(0x0e189540) reqid=0(0x00000000)
> >         E: 3des-cbc bf1ea2ed e661f704 931a6d94 3a4a6049 d3efa161 82fa5014
> >         A: hmac-md5 28a88aa9 57ac1e12 c9548807 6b22742f
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Sep 13 21:38:07 2007   current: Sep 13 21:54:40 2007
> >         diff: 993(s)    hard: 28800(s)  soft: 23040(s)
> >         last:   hard: 0(s)      soft: 0(s)
> >         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
> >         allocated: 0    hard: 0 soft: 0
> >         sadb_seq=0 pid=88156 refcnt=1
> >
> > the other end of the VPN connection shows nothing:
> > belmore# setkey -D
> > #
>
> Did it show something before?
>
> The first thing I would have a look at is the checkmode on both
> racoons: you may just have issues with the strange behaviour of claim or
> obey checkmodes, which would result in SAs having different lifetimes
> on both ends.
>

Hi,

There is no *checkmode* in either of my racoon.conf files. What is it? How can I find out what the *checkmode* in both racoon configs is?

Thanks
S

> Yvan.
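The directive racoon's configuration uses for what the reply above calls the checkmode is `proposal_check`, set per peer in the `remote` block of racoon.conf; racoon.conf(5) documents the four levels obey, strict, claim and exact, with strict as the default when the directive is absent. The fragment below is an added illustration written for this page, not a configuration from the thread: the peer addresses are hypothetical stand-ins for the masked 12x.x.x.x / 2x.x.x.x, and the algorithms and 8-hour lifetime are chosen to match the 3des-cbc / hmac-md5 / hard 28800(s) values visible in the posted `setkey -D` output.

```conf
# Added illustration, not a racoon.conf from the thread.
# 198.51.100.1 stands in for the masked peer address.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 198.51.100.1 {
        exchange_mode main;
        # "checkmode" in the reply above: how the responder treats a phase 2
        # lifetime that differs from the one configured here (racoon.conf(5)):
        #   obey   - accept the initiator's lifetime as-is
        #   strict - use the initiator's lifetime if it is shorter than ours,
        #            otherwise reject the proposal (the default)
        #   claim  - use the initiator's lifetime if shorter; if ours is shorter,
        #            use ours and send a RESPONDER-LIFETIME notify
        #   exact  - reject unless both lifetimes match
        # With claim, an initiator that ignores the notify keeps the longer
        # lifetime, so the two SADs expire the SA at different times.
        proposal_check obey;
        lifetime time 8 hour;           # phase 1 (ISAKMP SA) lifetime
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        lifetime time 8 hour;           # phase 2: 28800 s, as in the posted SAD
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
```

To find out what each end is using, `grep -n proposal_check` the racoon.conf on both gateways (the FreeBSD port installs it under /usr/local/etc/racoon/ by default); no match means the default level applies on that end. Setting the same level and the same phase 2 lifetime on both sides takes lifetime negotiation out of the picture, so that if one SAD still empties out early the cause lies elsewhere.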