From: Daniel C. <dan...@gm...> - 2007-12-14 12:21:00
Hello, I had a working configuration on Slackware 12.0 with ipsec-tools-0.7-beta2 until I upgraded to ipsec-tools-0.7 and a 2.6.23.9 vanilla kernel.

This is my conf:

    path certificate "/etc/ipsec/racoon/certs";

    remote anonymous {
        exchange_mode aggressive,main;
        certificate_type x509 "newcert.pem" "newkey.bezhasla.pem";
        proposal_check claim;
        generate_policy on;
        nat_traversal on;
        dpd_delay 20;
        ike_frag on;
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
            encryption_algorithm aes;
            hash_algorithm md5;
            authentication_method hybrid_rsa_server;
            dh_group 2;
        }
    }

    mode_cfg {
        auth_source ldap;
        conf_source ldap;
        dns4 10.10.51.5;
        wins4 10.10.12.247;
        pfs_group 2;
    }

    ldapcfg {
        version 3;
        host "rhea";
        port 389;
        base "dc=SITE,dc=PL";
        subtree on;
        bind_dn "cn=Manager,dc=SITE,dc=PL";
        bind_pw "haslo";
        attr_addr "homePhone";
        attr_mask "homePostalAddress";
    }

    sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

The ./configure invocation looks like:

    ./configure \
        --enable-adminport \
        --enable-natt \
        --enable-dpd \
        --enable-hybrid \
        --enable-frag \
        --enable-stats \
        --enable-fastquit \
        --disable-ipv6 \
        --enable-broken-natt \
        --with-libldap=/usr/local/openldap-2.3.32 \
        --enable-security-context=no

In the log I have:

    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: 111.111.111.1[500]<=>77.115.20.16[500]
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: begin Aggressive mode.
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: RFC 3947
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: DPD
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 14 12:43:19 ipsecgw-node1 racoon: WARNING: No ID match.
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947
    Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
    Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_compute(MODP1024): 0.008051
    Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=128): 0.000008
    Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=145): 0.000007
    Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
    Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=161): 0.000007
    Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=477): 0.000008
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[500] with algo #1
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[500] with algo #1
    Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
    Dec 14 12:43:19 ipsecgw-node1 racoon: phase1(agg R msg1): 0.021371
    Dec 14 12:43:22 ipsecgw-node1 racoon: NOTIFY: the packet is retransmitted by 77.115.20.16[500].
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.115.20.16[4500]<->111.111.111.1[4500]
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000010
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[4500] with algo #1
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[4500] with algo #1
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: No SIG was passed, but hybrid auth is enabled
    Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(???): 0.000145
    Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(Aggressive): 6.084209
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Sending Xauth request
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=24): 0.000006
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000004
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established 111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=48): 0.000005
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=32): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000005
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=40): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Using port 0
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg address 10.10.52.2
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg netmask 255.255.255.0
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: attempting ldap bind for dn 'uid=boka,ou=Users,dc=SITE,dc=PL'
    Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000006
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=32): 0.000006
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000005
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=44): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=76): 0.000007
    Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=96): 0.000006
    Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
    Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000011
    Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
    Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
    Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
    Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: not matched
    Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
    Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
    Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000006
    Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000005
    Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=64): 0.000007
    Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=36): 0.000007
    Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=36): 0.000006
    Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=64): 0.000005
    Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
    Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000009
    Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
    Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
    Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
    Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: not matched
    Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: no suitable policy found.
    Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
    Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000007
    Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000005
    Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
    Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes klen=128 size=272): 0.000014
    Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=248): 0.000008
    Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
    Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5 size=16): 0.000006
    Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000006

The most interesting part is:

    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
    Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.

Sometimes I can also see:

    racoon: ERROR: pfkey X_SPDDELETE failed: No such file or directory

Any idea?

Best Regards,
Daniel
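As an added example (not part of Daniel's post and not ipsec-tools code), here is a small Python parser that walks racoon syslog lines of the shape quoted above and summarises, per peer, whether phase 1 completed, whether NAT was detected, which XAuth user logged in, and why each phase 2 attempt was rejected. The sample lines are constructed to mirror the post's log (same host, addresses and SPI, trimmed to the lines the parser keys on). The message strings it matches ("NAT not detected", "ISAKMP-SA established", "login succeeded for user", "encmode mismatched", "no suitable policy found") are the ones in the post; the "NAT detected" and "IPsec-SA established" branches assume racoon's positive counterparts and are marked as such in the code.

```python
import re
from collections import Counter

# Constructed sample modelled on the syslog lines quoted in the post above;
# this is not captured data, just the lines the parser keys on.
SAMPLE_LOG = """\
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: 111.111.111.1[500]<=>77.115.20.16[500]
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: begin Aggressive mode.
Dec 14 12:43:19 ipsecgw-node1 racoon: WARNING: No ID match.
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
Dec 14 12:43:22 ipsecgw-node1 racoon: NOTIFY: the packet is retransmitted by 77.115.20.16[500].
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.115.20.16[4500]<->111.111.111.1[4500]
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established 111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: encmode mismatched: my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: no suitable policy found.
"""

# syslog prefix plus optional racoon severity; timing lines such as
# "oakley_dh_generate(MODP1024): 0.008084" carry no severity tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:(?P<level>INFO|WARNING|ERROR|NOTIFY): )?(?P<msg>.*)$")
PHASE1_RE = re.compile(r"respond new phase 1 negotiation: (?P<local>\S+)<=>(?P<peer>\S+)")
SA_RE = re.compile(r"ISAKMP-SA established \S+-\S+ spi:(?P<spi>[0-9a-f:]+)")
XAUTH_RE = re.compile(r'login succeeded for user "(?P<user>[^"]+)"')
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: ")
ENCMODE_RE = re.compile(r"encmode mismatched: my:(?P<mine>\S+) peer:(?P<theirs>\S+)")


def strip_port(endpoint):
    """'77.115.20.16[500]' -> '77.115.20.16'; the port flips 500->4500 under NAT-T."""
    return endpoint.split("[", 1)[0]


def new_peer_state():
    return {"nat_detected": None, "isakmp_sa": None, "xauth_user": None,
            "phase2_attempts": 0, "ipsec_sa": 0, "errors": Counter()}


def summarize(log_text):
    """Attribute each racoon line to the peer of the most recent phase 1 and
    tally what happened to it. Returns {peer_ip: state dict}."""
    peers, current = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a racoon line
        msg = m.group("msg")
        if (p1 := PHASE1_RE.search(msg)):
            current = strip_port(p1.group("peer"))
            peers.setdefault(current, new_peer_state())
            continue
        if current is None:
            continue                      # racoon output before any phase 1 we saw
        st = peers[current]
        if msg == "NAT not detected":
            st["nat_detected"] = False
        elif msg.startswith("NAT detected"):           # assumed positive counterpart
            st["nat_detected"] = True
        elif (sa := SA_RE.search(msg)):
            st["isakmp_sa"] = sa.group("spi")
        elif (xa := XAUTH_RE.search(msg)):
            st["xauth_user"] = xa.group("user")
        elif PHASE2_RE.search(msg):
            st["phase2_attempts"] += 1
        elif msg.startswith("IPsec-SA established"):   # assumed phase 2 success line
            st["ipsec_sa"] += 1
        elif (em := ENCMODE_RE.search(msg)):
            st["errors"][f"encmode my:{em.group('mine')} peer:{em.group('theirs')}"] += 1
        elif m.group("level") == "ERROR":
            st["errors"][msg.rstrip(".")] += 1
    return peers


def diagnose(st):
    """One-line reading of a peer's state, in the terms racoon itself logged."""
    if st["isakmp_sa"] is None:
        return "phase 1 never completed"
    if st["phase2_attempts"] and st["ipsec_sa"] == 0:
        reasons = ", ".join(f"{k} x{n}" for k, n in st["errors"].most_common())
        note = ""
        if st["nat_detected"] is False and any("UDP" in k for k in st["errors"]):
            note = "; racoon saw no NAT, yet the peer proposes a UDP-encapsulated mode"
        return (f"phase 1 up (xauth user {st['xauth_user']}), all "
                f"{st['phase2_attempts']} phase 2 attempts rejected: {reasons}{note}")
    return f"phase 1 up, {st['ipsec_sa']} IPsec-SA(s) established"


if __name__ == "__main__":
    for peer, st in summarize(SAMPLE_LOG).items():
        print(peer, "->", diagnose(st))
```

Run over the full log from the post, summarize() gives the same picture the post draws by hand: the ISAKMP-SA and the LDAP-backed XAuth login succeed, and then every phase 2 attempt is rejected on "encmode mismatched: my:Tunnel peer:UDP-Tunnel" followed by "no suitable policy found", while racoon had logged "NAT not detected" for the same peer.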