[Ipsec-tools-devel] Question on how to interpret the IPsec IKE Informational Notify

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi, I am using ipsec-tools 0.6.5.
I configured my racoon.conf and setkey.cf as follows:

remote anonymous
{
        exchange_mode main;
        my_identifier address;
        lifetime time 300 sec;
        proposal_check claim;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }

}

sainfo anonymous
{
        lifetime time 300 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

setkey.cf:
spdadd 192.168.15.102 192.168.15.100 any -P out ipsec
        esp/transport//require ;

spdadd 192.168.15.100 192.168.15.102 any -P in ipsec
        esp/transport//require ;

During negotiation with an IPsec partner, it sends an Informational Notify
because of some error:
2007-09-03 22:51:44: DEBUG: HASH with:
2007-09-03 22:51:44: DEBUG:
b9635f1a 00000010 00000001 03040001 8670aa81
2007-09-03 22:51:44: DEBUG: hmac(hmac_sha1)
2007-09-03 22:51:44: DEBUG: HASH computed:
2007-09-03 22:51:44: DEBUG:
d68e8d8a 6eb771c1 3cac5d35 449a3d61 fbb94242
2007-09-03 22:51:44: DEBUG: hash validated.
2007-09-03 22:51:44: DEBUG: begin.
2007-09-03 22:51:44: DEBUG: seen nptype=8(hash)
2007-09-03 22:51:44: DEBUG: seen nptype=12(delete)
2007-09-03 22:51:44: DEBUG: succeed.
2007-09-03 22:51:44: DEBUG: call pfkey_send_dump
2007-09-03 22:51:44: DEBUG: purged SAs.
2007-09-03 22:51:44: DEBUG: get pfkey EXPIRE message
2007-09-03 22:51:44: DEBUG2:
02080003 17000000 00000000 00000000 02000100 8670aa81 04020303 00000000
04000400 00000000 00000000 00000000 f0000000 00000000 00000000 00000000
04000200 14000000 60090000 00000000 80f1dc46 00000000 f5f1dc46 00000000
03000500 00200000 02000000 c0a80f66 00000000 00000000 03000600 00200000
02000000 c0a80f64 00000000 00000000 03000700 ff000000 02000000 00000000
00000000 00000000 02001300 01000000 00000000 00000000
2007-09-03 22:51:44: INFO: IPsec-SA expired: ESP/Transport 192.168.15.102
[0]->192.168.15.100[0] spi=2255530625(0x8670aa81)
2007-09-03 22:51:44: DEBUG: no such a SA found: ESP/Transport 192.168.15.102
[0]->192.168.15.100[0] spi=2255530625(0x8670aa81)
2007-09-03 22:51:53: DEBUG: 60 bytes from 192.168.15.102[500] to
192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: sockname 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: send packet from 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: send packet to 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: src4 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG: dst4 192.168.15.100[500]
2007-09-03 22:51:53: DEBUG: 1 times of 60 bytes message will be sent to
192.168.15.100[500]
2007-09-03 22:51:53: DEBUG:
e09d4541 86bd9bce c1740370 0b345904 08102003 f6524c67 0000003c 3fd70062
46703841 f3258c12 19299d83 9f843e07 6ed50285 838f2151 800118f9
2007-09-03 22:51:53: DEBUG: resend phase2 packet
e09d454186bd9bce:c17403700b345904:0000f652
2007-09-03 22:51:53: DEBUG: ===
2007-09-03 22:51:53: DEBUG: 76 bytes message received from 192.168.15.100[500]
to 192.168.15.102[500]
2007-09-03 22:51:53: DEBUG:
e09d4541 86bd9bce c1740370 0b345904 08102003 f6524c67 0000004c 52ccf37c
e32a0fa3 c604001a 74382120 b8135364 d03042f4 91cd7f19 96c75ed6 27632fa7
f2bce840 e53b28f6 723f0e9b
2007-09-03 22:51:53: ERROR: wrong state 8.
2007-09-03 22:51:53: ERROR: failed to pre-process packet.
2007-09-03 22:52:03: DEBUG: 60 bytes from 192.168.15.102[500] to
192.168.15.100[500]
2007-09-03 22:52:03: DEBUG: sockname 192.168.15.102[500]

Why ipsec-tools declared that it was in the wrong state after receiving the
above packet of length 76 bytes from the peers?
The racoon.log is too long for this mailing.  How can I submit the whole
log?

-- 
via GMAIL