From: Andy T. <and...@gm...> - 2007-09-04 06:01:59
Hi,

I am using ipsec-tools 0.6.5. I configured my racoon.conf and setkey.cf as follows:

remote anonymous {
    exchange_mode main;
    my_identifier address;
    lifetime time 300 sec;
    proposal_check claim;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 300 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

setkey.cf:

spdadd 192.168.15.102 192.168.15.100 any -P out ipsec esp/transport//require ;
spdadd 192.168.15.100 192.168.15.102 any -P in ipsec esp/transport//require ;

During negotiation with an IPsec partner, it sends an Informational Notify because of some error:

2007-09-03 22:51:44: DEBUG: HASH with:
2007-09-03 22:51:44: DEBUG: b9635f1a 00000010 00000001 03040001 8670aa81
2007-09-03 22:51:44: DEBUG: hmac(hmac_sha1)
2007-09-03 22:51:44: DEBUG: HASH computed:
2007-09-03 22:51:44: DEBUG: d68e8d8a 6eb771c1 3cac5d35 449a3d61 fbb94242
2007-09-03 22:51:44: DEBUG: hash validated.
2007-09-03 22:51:44: DEBUG: begin.
2007-09-03 22:51:44: DEBUG: seen nptype=8(hash)
2007-09-03 22:51:44: DEBUG: seen nptype=12(delete)
2007-09-03 22:51:44: DEBUG: succeed.
2007-09-03 22:51:44: DEBUG: call pfkey_send_dump
2007-09-03 22:51:44: DEBUG: purged SAs.
2007-09-03 22:51:44: DEBUG: get pfkey EXPIRE message
2007-09-03 22:51:44: DEBUG2: 02080003 17000000 00000000 00000000 02000100 8670aa81 04020303 00000000 04000400 00000000 00000000 00000000 f0000000 00000000 00000000 00000000 04000200 14000000 60090000 00000000 80f1dc46 00000000 f5f1dc46 00000000 03000500 00200000 02000000 c0a80f66 00000000 00000000 03000600 00200000 02000000 c0a80f64 00000000 00000000 03000700 ff000000 02000000 00000000 00000000 00000000 02001300 01000000 00000000 00000000
2007-09-03 22:51:44: INFO: IPsec-SA expired: ESP/Transport 192.168.15.102 [0]->192.168.15.100[0] spi=2255530625(0x8670aa81)
2007-09-03 22:51:44: DEBUG: no such a SA found: ESP/Transport 192.168.15.102 [0]->192.168.15.100[0] spi=2255530625(0x8670aa81)
2007-09-03 22:51:53: DEBUG: 60 bytes from 192.168.15.102[500] to 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: sockname 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: send packet from 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: send packet to 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: src4 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: dst4 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: 1 times of 60 bytes message will be sent to 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: e09d4541 86bd9bce c1740370 0b345904 08102003 f6524c67 0000003c 3fd70062 46703841 f3258c12 19299d83 9f843e07 6ed50285 838f2151 800118f9
2007-09-03 22:51:53: DEBUG: resend phase2 packet e09d454186bd9bce:c17403700b345904:0000f652
2007-09-03 22:51:53: DEBUG: ===
2007-09-03 22:51:53: DEBUG: 76 bytes message received from 192.168.15.100[500] to 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: e09d4541 86bd9bce c1740370 0b345904 08102003 f6524c67 0000004c 52ccf37c e32a0fa3 c604001a 74382120 b8135364 d03042f4 91cd7f19 96c75ed6 27632fa7 f2bce840 e53b28f6 723f0e9b
2007-09-03 22:51:53: ERROR: wrong state 8.
2007-09-03 22:51:53: ERROR: failed to pre-process packet.
2007-09-03 22:52:03: DEBUG: 60 bytes from 192.168.15.102[500] to 192.168.15.100[500]
2007-09-03 22:52:03: DEBUG: sockname 192.168.15.102[500]

Why did ipsec-tools declare that it was in the wrong state after receiving the above packet of length 76 bytes from the peers?

The racoon.log is too long for this mailing. How can I submit the whole log?

-- via GMAIL