From: Stephen C. <scl...@ea...> - 2008-07-24 12:43:27

VANHULLEBUS Yvan wrote:
> On Tue, Jul 22, 2008 at 04:46:14PM -0400, Stephen Clark wrote:
>> Hello List,
>
> Hi.
>
>> I just upgraded from ipsec-tool-0.6.6 to 0.7
>
> Good :-)
>
>
>> The Debug messages are far more informative. I am getting some messages
>> that I don't quite understand though:
>>
>>
>> 2008-07-22 16:39:23: DEBUG: Cannot record event: event queue overflowed
>> 2008-07-22 16:39:23: DEBUG: Cannot record event: event queue overflowed
>
> Looks like your event list queue is full.... probably because you
> didn't read it with racoonctl ?
>
>
>
>> and :
>> 2008-07-22 16:41:23: DEBUG: configuration found for x.x.x.133.
>> 2008-07-22 16:41:23: DEBUG: getsainfo params: loc='10.255.1.180', rmt='10.255.254.0/24', peer='x.x.x.133', id=0
>> 2008-07-22 16:41:23: DEBUG: getsainfo pass #1
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.253.0/24', rmt='10.255.4.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.4.10', rmt='10.255.253.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.254.0/24', rmt='10.255.3.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.3.10', rmt='10.255.254.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: getsainfo pass #2
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.253.0/24', rmt='10.255.4.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.253.0/24'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.4.10', rmt='10.255.253.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_address)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.4.10'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.254.0/24', rmt='10.255.3.10', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'
>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.254.0/24'
>> 2008-07-22 16:41:23: DEBUG: evaluating sainfo: loc='10.255.3.10', rmt='10.255.254.0/24', peer='ANY', id=0
>> 2008-07-22 16:41:23: DEBUG: check and compare ids : value mismatch (IPv4_address)
>> 2008-07-22 16:41:23: DEBUG: cmpid target: '10.255.1.180'

Hi,

So this is saying that I am getting something from 10.255.1.180 and it
doesn't match anything on this side? The other end is a CISCO vpn
concentrator with over 200 vpns coming in and I am trying to determine
if it is misconfigured.

This is my racoon.conf file:

path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# Specification of default various timer.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

#if no listen directive is specified, racoon will listen to all
#available interface addresses.
listen {
	#isakmp ::1 [7000];
	#strict_address; # required all addresses must be bound
	isakmp x.x.149.209 [500];
}

remote x.x.x.133 {
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;
	my_identifier address;
	peers_identifier address;
	nonce_size 16;
	lifetime time 6000 sec;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 10.255.3.10/32 any address 10.255.254.0/24 any {
	lifetime time 3600 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 10.255.254.0/24 any address 10.255.3.10/32 any {
	lifetime time 3600 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

remote x.x.12.3 {
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;
	my_identifier address;
	peers_identifier address;
	nonce_size 16;
	lifetime time 6000 sec;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 10.255.4.10/32 any address 10.255.253.0/24 any {
	lifetime time 3600 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 10.255.253.0/24 any address 10.255.4.10/32 any {
	lifetime time 3600 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

I have two vpn tunnels going to two different cisco vpn concentrators;
one is working fine. The other one seems to be working with the 0.7
tools, with the noted information above; with 0.6.6 the vpn itself kept
being renegotiated every couple of minutes.

This is the security policy:

10.255.4.10[any] 10.254.150.1[any] any
	in none
	spid=6 seq=7 pid=75172
	refcnt=1
10.255.253.0/24[any] 10.255.4.10[any] any
	in ipsec
	esp/tunnel/x.x.12.3-x.x.149.209/require
	spid=8 seq=6 pid=75172
	refcnt=1
10.255.3.10[any] 10.254.150.1[any] any
	in none
	spid=10 seq=5 pid=75172
	refcnt=1
10.255.254.0/24[any] 10.255.3.10[any] any
	in ipsec
	esp/tunnel/x.x.42.133-x.x.149.209/require
	spid=12 seq=4 pid=75172
	refcnt=1
10.254.150.1[any] 10.255.4.10[any] any
	out none
	spid=5 seq=3 pid=75172
	refcnt=1
10.255.4.10[any] 10.255.253.0/24[any] any
	out ipsec
	esp/tunnel/x.x.149.209-x.x.12.3/require
	spid=7 seq=2 pid=75172
	refcnt=1
10.254.150.1[any] 10.255.3.10[any] any
	out none
	spid=9 seq=1 pid=75172
	refcnt=1
10.255.3.10[any] 10.255.254.0/24[any] any
	out ipsec
	esp/tunnel/x.x.149.209-x.x.42.133/require
	spid=11 seq=0 pid=75172
	refcnt=1

Thanks so much for your response and keep up the great work.

Steve

>> 2008-07-22 16:41:23: DEBUG: cmpid source: '10.255.3.10'
>> 2008-07-22 16:41:23: ERROR: failed to get sainfo.
>> 2008-07-22 16:41:23: ERROR: failed to get sainfo.
>> 2008-07-22 16:41:23: ERROR: failed to pre-process packet.
>> 2008-07-22 16:41:23: DEBUG: IV freed
>>
>> Is the above telling me I am getting a packet from 10.255.1.180 from
>> the remote side?
>
> That's just because we added some debug in get_sainfo() function to
> help understanding things when negotiation fails due to network
> proposals mismatch....
>
>
> Yvan.
>

-- 
"They that give up essential liberty to obtain temporary safety, deserve
neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
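As an added illustration of the lookup that the quoted "getsainfo pass #1" / "pass #2" debug lines trace (example code written for this page, not racoon's own source and not part of the mail above): a small Python model of racoon's two-pass sainfo selection, run against the four sainfo blocks from the posted racoon.conf and the IDs from the quoted "getsainfo params" line. The comparison rules used here (a proposed host ID matches a host entry only if equal, matches a subnet entry if it lies inside it, and a proposed subnet matches a subnet entry only if identical) are a simplifying assumption, not racoon's exact `ipsecdoi_chkcmpids` semantics; the protocol/port part of each `sainfo address ... any` line is ignored, which is also an assumption.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class Sainfo(NamedTuple):
    """One 'sainfo address LOC any address RMT any' block; peer None means ANY."""
    loc: str
    rmt: str
    peer: Optional[str] = None


# The four sainfo blocks from the racoon.conf posted above. None of them names a
# peer, which is why racoon prints each of them with peer='ANY'.
SAINFOS: List[Sainfo] = [
    Sainfo("10.255.3.10/32", "10.255.254.0/24"),
    Sainfo("10.255.254.0/24", "10.255.3.10/32"),
    Sainfo("10.255.4.10/32", "10.255.253.0/24"),
    Sainfo("10.255.253.0/24", "10.255.4.10/32"),
]

# The 'getsainfo params' debug line quoted in the post (copied, not constructed).
LOG_LINE = ("2008-07-22 16:41:23: DEBUG: getsainfo params: loc='10.255.1.180', "
            "rmt='10.255.254.0/24', peer='x.x.x.133', id=0")

_PARAMS_RE = re.compile(r"getsainfo params: loc='([^']+)', rmt='([^']+)', peer='([^']+)'")


def parse_getsainfo_params(line: str) -> Optional[Tuple[str, str, str]]:
    """Pull (loc, rmt, peer) out of a racoon 'getsainfo params' debug line."""
    m = _PARAMS_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def id_matches(proposed: str, configured: str) -> bool:
    """Simplified ID comparison (an assumption, not racoon's ipsecdoi_chkcmpids):
    host vs host must be equal, host vs subnet must be contained,
    subnet vs subnet must be identical."""
    p = ipaddress.ip_network(proposed, strict=False)
    c = ipaddress.ip_network(configured, strict=False)
    if p.version != c.version:
        return False
    if c.prefixlen == c.max_prefixlen:      # configured side is a single host
        return p == c
    if p.prefixlen == p.max_prefixlen:      # proposed host against a configured subnet
        return p.network_address in c
    return p == c                           # subnet against subnet


def getsainfo(loc: str, rmt: str, peer: str,
              sainfos: List[Sainfo]) -> Tuple[Optional[Sainfo], List[str]]:
    """Two-pass lookup as the debug output traces it: pass 1 only accepts entries
    bound to this specific peer, pass 2 falls back to the peer-ANY entries.
    Returns the first matching entry (or None) plus one trace line per rejection."""
    trace: List[str] = []
    for pass_no in (1, 2):
        for s in sainfos:
            if s.peer is not None:
                if pass_no == 2 or s.peer != peer:
                    continue
            elif pass_no == 1:
                continue
            if not id_matches(loc, s.loc):
                trace.append(f"pass {pass_no}: loc {loc} does not match {s.loc}")
                continue
            if not id_matches(rmt, s.rmt):
                trace.append(f"pass {pass_no}: rmt {rmt} does not match {s.rmt}")
                continue
            return s, trace
    return None, trace


def main() -> None:
    parsed = parse_getsainfo_params(LOG_LINE)
    if parsed is None:
        raise SystemExit("no getsainfo params line found")
    loc, rmt, peer = parsed
    match, trace = getsainfo(loc, rmt, peer, SAINFOS)
    for line in trace:
        print(line)
    print("matched:", match)


if __name__ == "__main__":
    main()
```

Run as-is, the model rejects all four entries on pass 2 because the proposed local ID 10.255.1.180 is neither one of the configured hosts nor inside 10.255.253.0/24 or 10.255.254.0/24, which is the same outcome as the quoted "failed to get sainfo" errors; feeding it loc=10.255.3.10 instead selects the first sainfo block, and a sainfo that names a peer would be picked up on pass 1 only for that peer.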