From: Daniel C. <dan...@gm...> - 2007-12-14 12:21:00
Hello,

I had a working configuration on Slackware 12.0 with ipsec-tools-0.7-beta2 until I upgraded to ipsec-tools-0.7 and the 2.6.23.9 vanilla kernel.

This is my conf:

path certificate "/etc/ipsec/racoon/certs";

remote anonymous {
    exchange_mode aggressive,main;
    certificate_type x509 "newcert.pem" "newkey.bezhasla.pem";
    proposal_check claim;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    ike_frag on;
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}

mode_cfg {
    auth_source ldap;
    conf_source ldap;
    dns4 10.10.51.5;
    wins4 10.10.12.247;
    pfs_group 2;
}

ldapcfg {
    version 3;
    host "rhea";
    port 389;
    base "dc=SITE,dc=PL";
    subtree on;
    bind_dn "cn=Manager,dc=SITE,dc=PL";
    bind_pw "haslo";
    attr_addr "homePhone";
    attr_mask "homePostalAddress";
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

The ./configure script looks like:

./configure \
    --enable-adminport \
    --enable-natt \
    --enable-dpd \
    --enable-hybrid \
    --enable-frag \
    --enable-stats \
    --enable-fastquit \
    --disable-ipv6 \
    --enable-broken-natt \
    --with-libldap=/usr/local/openldap-2.3.32 \
    --enable-security-context=no

In the log I have:

Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: 111.111.111.1[500]<=>77.115.20.16[500]
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: begin Aggressive mode.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: RFC 3947
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: DPD
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 14 12:43:19 ipsecgw-node1 racoon: WARNING: No ID match.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_compute(MODP1024): 0.008051
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=128): 0.000008
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=145): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=477): 0.000008
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[500] with algo #1
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[500] with algo #1
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
Dec 14 12:43:19 ipsecgw-node1 racoon: phase1(agg R msg1): 0.021371
Dec 14 12:43:22 ipsecgw-node1 racoon: NOTIFY: the packet is retransmitted by 77.115.20.16[500].
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.115.20.16[4500]<->111.111.111.1[4500]
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000010
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[4500] with algo #1
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[4500] with algo #1
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: No SIG was passed, but hybrid auth is enabled
Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(???): 0.000145
Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(Aggressive): 6.084209
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Sending Xauth request
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=24): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000004
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established 111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=48): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=32): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=40): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Using port 0
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg address 10.10.52.2
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg netmask 255.255.255.0
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: attempting ldap bind for dn 'uid=boka,ou=Users,dc=SITE,dc=PL'
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=32): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=76): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=96): 0.000006
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000011
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000006
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000005
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000007
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=36): 0.000007
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=36): 0.000006
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=64): 0.000005
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000009
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000005
Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000014
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000006
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000006

The most interesting part is:

Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.

Sometimes I can also see:

racoon: ERROR: pfkey X_SPDDELETE failed: No such file or directory

Any idea?

Best Regards,
Daniel
From: VANHULLEBUS Y. <va...@fr...> - 2007-12-14 13:26:23
On Fri, Dec 14, 2007 at 01:18:44PM +0100, Daniel Chojecki wrote:
> Hello,

Hi.

> i had a working configuration on slackware 12.0 with
> ipsec-tools-0.7-beta2 until i had upgraded to ipsec-tools-0.7 and
> 2.6.23.9 vanilla kernel

You upgraded both ipsec-tools and your kernel? Would it be possible to roll back to the old version of one of them, to see if the problem is related to the racoon 0.7 release, to your kernel, or perhaps to using both together?

[...]

> remote anonymous {
> exchange_mode aggressive,main;

Once again, please all avoid using such a configuration, and I think we should consider such syntax invalid in future releases (well, we may add a --enable-old-broken-syntaxs to configure....). But it's not related to your actual problem.

> proposal_check claim;

Same thing: it's generally a bad idea to use the claim or obey check modes, but it looks like it's not related to your actual problem.

> generate_policy on;
> nat_traversal on;
> dpd_delay 20;
> ike_frag on;
> verify_cert on;
> my_identifier asn1dn;
> peers_identifier asn1dn;
> proposal {
> encryption_algorithm aes;
> hash_algorithm md5;
> authentication_method hybrid_rsa_server;
> dh_group 2;}}

No lifetime for phase 1?

[the log]

> Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947

Good.

> Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
> Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_compute(MODP1024): 0.008051
> Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=128): 0.000008
> Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=145): 0.000007
> Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
> Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
> Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=477): 0.000008
> Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding remote and local NAT-D payloads.
> Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[500] with algo #1
> Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[500] with algo #1
> Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
> Dec 14 12:43:19 ipsecgw-node1 racoon: phase1(agg R msg1): 0.021371
> Dec 14 12:43:22 ipsecgw-node1 racoon: NOTIFY: the packet is retransmitted by 77.115.20.16[500].
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.115.20.16[4500]<->111.111.111.1[4500]

Peers switched to NAT-T ports.

> Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000010
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[4500] with algo #1
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[4500] with algo #1
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected

No NAT detected.... but that doesn't mean there is no NAT on the way: it just means we couldn't detect one....

> Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established 111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a

Okay, according to that log, phase 1 has been established, and the peer jumped to the NAT-T port.

[....]

> Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
> Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
> Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: not matched
> Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
> Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.

If I understand that correctly, it means that there was already a generated policy which says "Tunnel", but the peer wants UDP-Tunnel (NAT-T encapsulation). There must be something very strange there, because UDP-Tunnel and Tunnel should be more or less the same almost everywhere in the code (the kernel doesn't know anything about "UDP-Tunnel").

Can you test again, with ipsec-tools-0.7-beta2 + new kernel and/or with ipsec-tools-0.7 + old kernel?

Yvan.
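A small analyser for the racoon messages quoted in this thread, added here as an example and not code from the thread or from ipsec-tools. It parses the syslog lines, tracks the switch to the NAT-T ports, the NAT-D result, the ISAKMP-SA, the generated policies, the phase 2 "encmode mismatched" rejection Yvan describes above, and the PF_KEY errors (X_SPDDELETE / X_SPDUPDATE) from Daniel's later logs, then reports what to look at. The sample lines are copied from the first log in the thread; the wording assumed for a detected NAT and the finding texts are assumptions of this example.

```python
"""Summarise a racoon (ipsec-tools) syslog excerpt from a NAT-T session.

Added example; not ipsec-tools code.  Message wording for a *detected* NAT
and the finding texts are assumptions; sample lines are taken from the thread.
"""
import re

# One syslog line: timestamp, host, "racoon:", optional level, message.
# Timing lines such as "oakley_dh_generate(MODP1024): 0.008084" carry no level.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:(?P<level>INFO|NOTIFY|WARNING|ERROR): )?(?P<msg>.*)$"
)
PORTS_RE = re.compile(r"NAT-T: ports changed to: (\S+)<->(\S+)")
# Endpoints look like 1.2.3.4[4500]; a hyphen inside a token would break this split.
ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:(\S+)")
POLICY_RE = re.compile(
    r"(?:Update the generated policy|no policy found, try to generate the policy)"
    r" : (\S+) (\S+) proto=(\S+) dir=(\S+)"
)
ENCMODE_RE = re.compile(r"encmode mismatched: my:(\S+) peer:(\S+)")
PFKEY_RE = re.compile(r"pfkey (X_\w+) failed: (.*)")


def parse_line(line):
    """Return (timestamp, level, message); level is '' for unlabelled timing lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("level") or "", m.group("msg")


def analyse(lines):
    """Walk the lines in order and build a state summary plus findings."""
    st = {
        "nat_t_ports": None,       # (peer, local) once IKE moved to UDP/4500
        "nat_detected": None,      # False/True after the NAT-D check, None if unseen
        "isakmp_sa": None,         # {"local", "remote", "spi"} once phase 1 is up
        "policies": [],            # SPD entries racoon generated or updated
        "encmode_mismatches": [],  # (my, peer) pairs from phase 2 policy matching
        "phase2_failures": 0,      # "failed to pre-process packet." occurrences
        "pfkey_errors": [],        # (operation, error text) from PF_KEY calls
        "findings": [],
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, level, msg = parsed
        if m := PORTS_RE.search(msg):
            st["nat_t_ports"] = (m.group(1), m.group(2))
        elif msg == "NAT not detected":
            st["nat_detected"] = False
        elif msg.startswith("NAT detected"):  # assumed wording for the positive case
            st["nat_detected"] = True
        elif m := ISAKMP_RE.search(msg):
            st["isakmp_sa"] = {"local": m.group(1), "remote": m.group(2), "spi": m.group(3)}
        elif m := POLICY_RE.search(msg):
            st["policies"].append(dict(zip(("src", "dst", "proto", "dir"), m.groups())))
        elif m := ENCMODE_RE.search(msg):
            st["encmode_mismatches"].append((m.group(1), m.group(2)))
        elif level == "ERROR" and msg == "failed to pre-process packet.":
            st["phase2_failures"] += 1
        elif m := PFKEY_RE.search(msg):
            st["pfkey_errors"].append((m.group(1), m.group(2)))

    f = st["findings"]
    if st["nat_t_ports"] and st["nat_detected"] is False:
        f.append("IKE moved to UDP/4500 although NAT-D found no NAT; "
                 "phase 2 will still propose UDP-Tunnel (ESP-in-UDP) encapsulation")
    stale = [p for p in st["encmode_mismatches"] if p == ("Tunnel", "UDP-Tunnel")]
    if stale:
        f.append(f"{len(stale)} phase 2 attempt(s) rejected: an existing generated "
                 "policy says Tunnel but the peer proposes UDP-Tunnel; check the SPD "
                 "for a stale entry left by an earlier negotiation")
    for op, err in st["pfkey_errors"]:
        f.append(f"PF_KEY {op} failed ({err}): the kernel rejected the SPD change, "
                 "so the installed policy may not match the negotiated SA")
    return st


# Constructed excerpt: lines copied from the thread's first log, subset only.
SAMPLE_LOG = """\
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: 111.111.111.1[500]<=>77.115.20.16[500]
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.115.20.16[4500]<->111.111.111.1[4500]
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established 111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: pfkey X_SPDDELETE failed: No such file or directory
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines())["findings"]:
        print("-", finding)
```

Feed it the racoon lines from syslog (for example via `analyse(open(path).read().splitlines())`); the returned dict keeps the raw observations separate from the findings, so the same pass can be used to confirm a phase 1 success before the phase 2 errors are interpreted.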
From: Daniel C. <dan...@gm...> - 2008-02-11 11:10:24
VANHULLEBUS Yvan wrote:
> Can you test again, with ipsec-tools-0.7-beta2+new kernel and/or with
> ipsec-tools-0.7+old kernel ?

I have checked with the old kernel and ipsec-tools - the same. Meanwhile I have installed the latest 2.6.24.2 kernel.

I have found something strange in the logs:

Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: Reading configuration from "/usr/local/etc/racoon.conf"
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: Resize address pool from 0 to 255
Feb 11 12:02:12 ipsecgw-node1 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=9)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[4500] used as isakmp port (fd=10)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[4500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[500] used as isakmp port (fd=11)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[4500] used as isakmp port (fd=12)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[4500] used for NAT-T
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>77.112.75.7[500]
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: begin Identity Protection mode.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: RFC 3947
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: DPD
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing 77.112.75.7[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT not detected
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing 77.112.75.7[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.112.75.7[4500]<->xxx.xxx.xxx.xxx[4500]
Feb 11 12:02:20 ipsecgw-node1 racoon: WARNING: No ID match.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: No SIG was passed, but hybrid auth is enabled
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Sending Xauth request
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-77.112.75.7[4500] spi:efde654ae2b59094:204399046e28df30
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: Using port 0
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: ldap returned modecfg address 10.10.52.2
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: ldap returned modecfg netmask 255.255.255.0
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: attempting ldap bind for dn 'uid=boka,ou=Users,dc=DOM,dc=PL'
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>77.112.75.7[4500]
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: no policy found, try to generate the policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: IPsec-SA established: ESP/Tunnel 77.112.75.7[0]->xxx.xxx.xxx.xxx[0] spi=143322318(0x88aecce)
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: IPsec-SA established: ESP/Tunnel xxx.xxx.xxx.xxx[4500]->77.112.75.7[4500] spi=3103342626(0xb8f94022)
Feb 11 12:02:31 ipsecgw-node1 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
Feb 11 12:02:31 ipsecgw-node1 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument

Is it right?

Best Regards
Daniel