Menu
▾
▴
[Ipsec-tools-devel] what is wrong with my conf ?
|
From: Daniel C. <dan...@gm...> - 2007-12-14 12:21:00
|
Hello,
i had a working configuration on slackware 12.0 with
ipsec-tools-0.7-beta2 until i had upgraded to ipsec-tools-0.7 and
2.6.23.9 vanilla kernel
This is my conf:
path certificate "/etc/ipsec/racoon/certs";
remote anonymous {
exchange_mode aggressive,main;
certificate_type x509 "newcert.pem" "newkey.bezhasla.pem";
proposal_check claim;
generate_policy on;
nat_traversal on;
dpd_delay 20;
ike_frag on;
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method hybrid_rsa_server;
dh_group 2;}}
mode_cfg {
auth_source ldap;
conf_source ldap;
dns4 10.10.51.5;
wins4 10.10.12.247;
pfs_group 2;}
ldapcfg
{ version 3;
host "rhea";
port 389;
base "dc=SITE,dc=PL";
subtree on;
bind_dn "cn=Manager,dc=SITE,dc=PL";
bind_pw "haslo";
attr_addr "homePhone";
attr_mask "homePostalAddress";
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate; }
./configure script looks like:
./configure \
--enable-adminport \
--enable-natt \
--enable-dpd \
--enable-hybrid \
--enable-frag \
--enable-stats \
--enable-fastquit \
--disable-ipv6 \
--enable-broken-natt \
--with-libldap=/usr/local/openldap-2.3.32 \
--enable-security-context=no
In log i have:
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: respond new phase 1
negotiation: 111.111.111.1[500]<=>77.115.20.16[500]
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: begin Aggressive mode.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: RFC 3947
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received broken Microsoft
ID: FRAGMENTATION
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: DPD
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 14 12:43:19 ipsecgw-node1 racoon: WARNING: No ID match.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_generate(MODP1024): 0.008084
Dec 14 12:43:19 ipsecgw-node1 racoon: oakley_dh_compute(MODP1024): 0.008051
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=128): 0.000008
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=145): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=161): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=161): 0.000007
Dec 14 12:43:19 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=477): 0.000008
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding remote and local
NAT-D payloads.
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[500]
with algo #1
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[500]
with algo #1
Dec 14 12:43:19 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
Dec 14 12:43:19 ipsecgw-node1 racoon: phase1(agg R msg1): 0.021371
Dec 14 12:43:22 ipsecgw-node1 racoon: NOTIFY: the packet is
retransmitted by 77.115.20.16[500].
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to:
77.115.20.16[4500]<->111.111.111.1[4500]
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=64): 0.000010
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 111.111.111.1[4500]
with algo #1
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Hashing 77.115.20.16[4500]
with algo #1
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: NAT not detected
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: No SIG was passed, but
hybrid auth is enabled
Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(???): 0.000145
Dec 14 12:43:25 ipsecgw-node1 racoon: phase1(Aggressive): 6.084209
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Sending Xauth request
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=24): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=48): 0.000004
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ISAKMP-SA established
111.111.111.1[4500]-77.115.20.16[4500] spi:65d60ff876bebfa8:1548b2078e590e4a
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=48): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=32): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=64): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=40): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: Using port 0
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg
address 10.10.52.2
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: ldap returned modecfg
netmask 255.255.255.0
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: attempting ldap bind for dn
'uid=boka,ou=Users,dc=SITE,dc=PL'
Dec 14 12:43:25 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=16): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=48): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=32): 0.000006
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=16): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=64): 0.000005
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=44): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=76): 0.000007
Dec 14 12:43:25 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=96): 0.000006
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: respond new phase 2
negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=272): 0.000011
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=248): 0.000008
Dec 14 12:43:32 ipsecgw-node1 racoon: INFO: Update the generated policy
: 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: encmode mismatched:
my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:32 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=16): 0.000006
Dec 14 12:43:32 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=48): 0.000005
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=64): 0.000007
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=36): 0.000007
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=36): 0.000006
Dec 14 12:43:35 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=64): 0.000005
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: respond new phase 2
negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=272): 0.000009
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=248): 0.000008
Dec 14 12:43:36 ipsecgw-node1 racoon: INFO: Update the generated policy
: 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: encmode mismatched:
my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:36 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=16): 0.000007
Dec 14 12:43:36 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=48): 0.000005
Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: respond new phase 2
negotiation: 111.111.111.1[0]<=>77.115.20.16[0]
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_decrypt(aes
klen=128 size=272): 0.000014
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=248): 0.000008
Dec 14 12:43:42 ipsecgw-node1 racoon: INFO: Update the generated policy
: 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: encmode mismatched:
my:Tunnel peer:UDP-Tunnel
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_hmacdef_one(hmac_md5
size=16): 0.000006
Dec 14 12:43:42 ipsecgw-node1 racoon: alg_oakley_encdef_encrypt(aes
klen=128 size=48): 0.000006
The most interesting part is:
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: not matched
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: no suitable policy found.
Dec 14 12:43:42 ipsecgw-node1 racoon: ERROR: failed to pre-process packet.
Sometimes i can see also:
racoon: ERROR: pfkey X_SPDDELETE failed: No such file or directory
Any idea ?
Best Regards,
Daniel
|