Menu
▾
▴
Re: [Ipsec-tools-devel] ipsec-tools 0.7 and FreeBSD 6.3
|
From: Stephen C. <scl...@ea...> - 2008-07-24 12:43:27
|
VANHULLEBUS Yvan wrote:
> On Tue, Jul 22, 2008 at 04:46:14PM -0400, Stephen Clark wrote:
>> Hello List,
>
> Hi.
>
>> I just upgraded from ipsec-tool-0.6.6 ro 0.7
>
> Good :-)
>
>
>> The Debug messages are far more informative. I am getting some messages
>> that I don't quite understand though:
>>
>>
>> 2008-07-22 16:39:23: DEBUG: Cannot record event: event queue overflowed
>> 2008-07-22 16:39:23: DEBUG: Cannot record event: event queue overflowed
>
> Looks like your event list queue is full.... probably because you
> didn't read it with racoonctl ?
>
>
>
>> and :
>> 2008-07-22 16:41:23: DEBUG: configuration found for x.x.x.133.
>> 2008-07-22 16:41:23: DEBUG: getsainfo params: loc='10.255.1.180',
>> rmt='10.255.254.0/24', peer='x.x.x.133', id=0
>> 2008-07-22 16:41:23: DEBUG: getsainfo pass #1
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.253.0/24',
>> rmt='10.255.4.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.4.10',
>> rmt='10.255.253.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.254.0/24',
>> rmt='10.255.3.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.3.10',
>> rmt='10.255.254.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: getsainfo pass #2
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.253.0/24',
>> rmt='10.255.4.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.253.0/24'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.4.10',
>> rmt='10.255.253.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_address)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.4.10'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.254.0/24',
>> rmt='10.255.3.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.254.0/24'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.3.10',
>> rmt='10.255.254.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_address)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
Hi,
So this is saying that I am getting something from 10.255.1.180 and it
doesn't match anything on this side? The other end is CISCO vpn
concentrator with over 200 vpns coming in and I am trying to determine
if it is misconfigured.
this is my racoon.conf file:
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;
# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
#if no listen directive is specified, racoon will listen to all
#available interface addresses.
listen
{
#isakmp ::1 [7000];
#strict_address; # required all addresses must be bound
isakmp x.x.149.209 [500];
}
remote x.x.x.133
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
nonce_size 16;
lifetime time 6000 sec;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 10.255.3.10/32 any address 10.255.254.0/24 any
{
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.255.254.0/24 any address 10.255.3.10/32 any
{
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
remote x.x.12.3
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
nonce_size 16;
lifetime time 6000 sec;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 10.255.4.10/32 any address 10.255.253.0/24 any
{
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.255.253.0/24 any address 10.255.4.10/32 any
{
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
I have two vpn tunnels going to two different cisco vpn concentrators one is
working fine. The other one seems to be working with 0.7 tools with the noted
information above - with 0.6.6 the vpn itself kept being renegotiated every
couple of minutes.
This the security policy:
10.255.4.10[any] 10.254.150.1[any] any
in none
spid=6 seq=7 pid=75172
refcnt=1
10.255.253.0/24[any] 10.255.4.10[any] any
in ipsec
esp/tunnel/x.x.12.3-x.x.149.209/require
spid=8 seq=6 pid=75172
refcnt=1
10.255.3.10[any] 10.254.150.1[any] any
in none
spid=10 seq=5 pid=75172
refcnt=1
10.255.254.0/24[any] 10.255.3.10[any] any
in ipsec
esp/tunnel/x.x.42.133-x.x.149.209/require
spid=12 seq=4 pid=75172
refcnt=1
10.254.150.1[any] 10.255.4.10[any] any
out none
spid=5 seq=3 pid=75172
refcnt=1
10.255.4.10[any] 10.255.253.0/24[any] any
out ipsec
esp/tunnel/x.x.149.209-x.x.12.3/require
spid=7 seq=2 pid=75172
refcnt=1
10.254.150.1[any] 10.255.3.10[any] any
out none
spid=9 seq=1 pid=75172
refcnt=1
10.255.3.10[any] 10.255.254.0/24[any] any
out ipsec
esp/tunnel/x.x.149.209-x.x.42.133/require
spid=11 seq=0 pid=75172
refcnt=1
Thanks so much for your response and keep up the great work.
Steve
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.3.10'
>> 2008-07-22 16:41:23: ERROR: failed to get sainfo.
>> 2008-07-22 16:41:23: ERROR: failed to get sainfo.
>> 2008-07-22 16:41:23: ERROR: failed to pre-process packet.
>> 2008-07-22 16:41:23: DEBUG: IV freed
>>
>> Is the above telling me I am getting a packet from 10.255.1.180 from
>> the remote side?
>
> That's just because we added some debug in get_sainfo() function to
> help understanding things when negociation fails due to network
> proposals mismatch....
>
>
> Yvan.
>
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
|