From: SourceForge.net <no...@so...> - 2009-01-16 11:05:33
Support Requests item #1515248, was opened at 2006-06-30 20:09
Message generated for change (Comment added) made by fabled80
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1515248&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: None
Group: None
>Status: Closed
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: bsd to bsd connect problem

Initial Comment:
two FreeBSD 5.4 connected through a switch, can't get a working secure connection.
seems one of the servers can't get an SA to the other.....

LAN1(192.168.3.0)-server1(LAN192.168.3.1,real10.1.0.1) - switch - server2(LAN192.168.75.1,real10.1.0.2)-LAN2(192.168.75.0)
(tunnel interface 192.168.77.1 - 192.168.77.2)

(time not synchronized, ping comes from left server's LAN to right server's LAN,
so 17:13:17 on left comes earlier than 17:13:11 on right)

left server's racoon generates
<INFO: ISAKMP-SA established 10.1.0.1[500]-10.1.0.2[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534>
then
<ERROR: pfkey UPDATE failed: No such file or directory>
then
<INFO: IPsec-SA established: ESP 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)>

right server's racoon generates
<INFO: ISAKMP-SA established 10.1.0.2[500]-10.1.0.1[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534>
then
<INFO: IPsec-SA established: ESP/Tunnel 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)>
then
<INFO: IPsec-SA established: ESP/Tunnel 10.1.0.2[0]->10.1.0.1[0] spi=37127331(0x23684a3)>

left server's racoon generates
<ERROR: 10.1.0.2 give up to get IPsec-SA due to time up to wait.>

in 10min timeout the servers' SAs expire

<log> left server
Jun 30 17:09:43 tika racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 30 17:09:43 tika racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 30 17:09:43 tika racoon: INFO: 10.1.0.1[500] used as isakmp port (fd=6)
Jun 30 17:13:17 tika racoon: INFO: IPsec-SA request for 10.1.0.2 queued due to no phase1 found.
Jun 30 17:13:17 tika racoon: INFO: initiate new phase 1 negotiation: 10.1.0.1[500]<=>10.1.0.2[500]
Jun 30 17:13:17 tika racoon: INFO: begin Aggressive mode.
Jun 30 17:13:17 tika racoon: oakley_dh_generate(MODP1024): 0.010355
Jun 30 17:13:17 tika racoon: phase1(agg I msg1): 0.033098
Jun 30 17:13:17 tika racoon: INFO: received Vendor ID: DPD
Jun 30 17:13:17 tika racoon: oakley_dh_compute(MODP1024): 0.011844
Jun 30 17:13:17 tika racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000036
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000012
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000013
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000012
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000011
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000012
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000014
Jun 30 17:13:17 tika racoon: oakley_validate_auth(pre-shared key): 0.000037
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000014
Jun 30 17:13:17 tika racoon: phase1(agg I msg2): 0.028888
Jun 30 17:13:17 tika racoon: phase1(Aggressive): 0.164386
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000011
Jun 30 17:13:17 tika racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000048
Jun 30 17:13:17 tika racoon: INFO: ISAKMP-SA established 10.1.0.1[500]-10.1.0.2[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:13:17 tika racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000011
Jun 30 17:13:17 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000012
Jun 30 17:13:18 tika racoon: INFO: initiate new phase 2 negotiation: 10.1.0.1[0]<=>10.1.0.2[0]
Jun 30 17:13:18 tika racoon: oakley_dh_generate(MODP1024): 0.010265
Jun 30 17:13:18 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=240): 0.000016
Jun 30 17:13:18 tika racoon: alg_oakley_encdef_encrypt(3des klen=192 size=264): 0.000021
Jun 30 17:13:18 tika racoon: phase2(quick I msg1): 0.010455
Jun 30 17:13:19 tika racoon: alg_oakley_encdef_decrypt(3des klen=192 size=264): 0.000019
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=256): 0.000014
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000010
Jun 30 17:13:19 tika racoon: alg_oakley_encdef_encrypt(3des klen=192 size=32): 0.000009
Jun 30 17:13:19 tika racoon: oakley_dh_compute(MODP1024): 0.011977
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000014
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000013
Jun 30 17:13:19 tika last message repeated 2 times
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000011
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000013
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000012
Jun 30 17:13:19 tika racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000013
Jun 30 17:13:19 tika racoon: phase2(quick I msg2): 0.012571
Jun 30 17:13:19 tika racoon: ERROR: pfkey UPDATE failed: No such file or directory
Jun 30 17:13:19 tika racoon: INFO: IPsec-SA established: ESP 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)
Jun 30 17:14:18 tika racoon: ERROR: 10.1.0.2 give up to get IPsec-SA due to time up to wait.
Jun 30 17:23:17 tika racoon: INFO: ISAKMP-SA expired 10.1.0.1[500]-10.1.0.2[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:23:18 tika racoon: INFO: ISAKMP-SA deleted 10.1.0.1[500]-10.1.0.2[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534

<log> right server
Jun 30 17:12:46 first racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 30 17:12:46 first racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 30 17:12:46 first racoon: INFO: 10.1.0.2[500] used as isakmp port (fd=6)
Jun 30 17:13:11 first racoon: INFO: respond new phase 1 negotiation: 10.1.0.2[500]<=>10.1.0.1[500]
Jun 30 17:13:11 first racoon: INFO: begin Aggressive mode.
Jun 30 17:13:11 first racoon: INFO: received Vendor ID: DPD
Jun 30 17:13:11 first racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 30 17:13:11 first racoon: INFO: ISAKMP-SA established 10.1.0.2[500]-10.1.0.1[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:13:12 first racoon: INFO: respond new phase 2 negotiation: 10.1.0.2[0]<=>10.1.0.1[0]
Jun 30 17:13:13 first racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)
Jun 30 17:13:13 first racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.0.2[0]->10.1.0.1[0] spi=37127331(0x23684a3)
Jun 30 17:23:11 first racoon: INFO: ISAKMP-SA expired 10.1.0.2[500]-10.1.0.1[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:23:12 first racoon: INFO: ISAKMP-SA deleted 10.1.0.2[500]-10.1.0.1[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534

configure options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for ipsec-tools-0.6.6
_OPTIONS_READ=ipsec-tools-0.6.6
WITH_DEBUG=true
WITH_IPV6=true
WITHOUT_ADMINPORT=true
WITH_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_FRAG=true
WITHOUT_HYBRID=true
WITHOUT_PAM=true
WITHOUT_GSSAPI=true
WITHOUT_RADIUS=true
WITHOUT_SAUNSPEC=true
WITHOUT_RC5=true
WITHOUT_IDEA=true

-------------------------------left server configs---------------------------

rc.conf
hostname="tika"
gateway_enable="YES"
ifconfig_fxp0="192.168.3.1/24"
ifconfig_fxp1="10.1.0.1/24"
defaultrouter="10.1.0.2"
gif_interfaces="gif0"
gifconfig_gif0="10.1.0.1 10.1.0.2"
ifconfig_gif0="192.168.77.1 192.168.77.2"
static_routes="gif_route"
gif_route="192.168.75.0/24 192.168.77.2"
racoon_enable="YES"
ipsec_enable="YES"

psk.txt
10.1.0.2 rambo

ipsec.conf
flush;
spdflush;
spdadd 192.168.3.0/24 192.168.75.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.1.0.2/require;
spdadd 192.168.75.0/24 192.168.3.0/24 any -P in ipsec esp/tunnel/10.1.0.2-10.1.0.1/require;

racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
listen {
        isakmp 10.1.0.1 [500];
}
timer {
        counter 10;             # maximum trying count to send.
        interval 50 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
        # maximum time to wait for completing each phase.
        phase1 60 sec;
        phase2 60 sec;
}
remote 10.1.0.2 {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

-------------------------------right server configs---------------------------

rc.conf
hostname="first"
gateway_enable="YES"
ifconfig_fxp0="192.168.75.1/24"
ifconfig_fxp1="10.1.0.2/24"
defaultrouter="10.1.0.1"
gif_interfaces="gif0"
gifconfig_gif0="10.1.0.2 10.1.0.1"
ifconfig_gif0="192.168.77.2 192.168.77.1"
static_routes="gif_route"
gif_route="192.168.3.0/24 192.168.77.1"
racoon_enable="YES"
ipsec_enable="YES"

psk.txt
10.1.0.1 rambo

ipsec.conf
flush;
spdflush;
spdadd 192.168.75.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/10.1.0.2-10.1.0.1/require;
spdadd 192.168.3.0/24 192.168.75.0/24 any -P in ipsec esp/tunnel/10.1.0.1-10.1.0.2/require;

racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
listen {
        isakmp 10.1.0.2 [500];
}
timer {
        counter 10;             # maximum trying count to send.
        interval 50 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
        # maximum time to wait for completing each phase.
        phase1 60 sec;
        phase2 60 sec;
}
remote 10.1.0.1 {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

--------------------------end of configs-----------------------------------

any suggestions what can cause such a problem are appreciated.
with ipsec&racoon disabled, the tunnel pings all the ways; firewall disabled.
servers are default routers for their LANs.
different netcards & switches didn't help....

----------------------------------------------------------------------

Comment By: Timo Teräs (fabled80)
Date: 2009-01-16 13:05

Message:
Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-07-16 02:06

Message:
Logged In: NO

possibly something with a gigabit ethernet interface(?)
just the same configuration made on the other hardware resulted in success.

p.s. thanks to everybody

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1515248&group_id=74601
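Added here as an illustration, not part of the tracker thread: a small Python checker that parses the racoon log lines quoted in the report from both hosts and reports child SAs one peer installed that the other did not, together with the pfkey and phase 2 errors. Run on the report's own lines it shows the left host holds only the outbound SA (0x785d5fb) and never installed the inbound one (0x23684a3), which is what the pfkey UPDATE failure on that side would leave behind; the function and variable names are mine.

```python
import re

# Log lines quoted from the report above (left host "tika", right host "first"),
# trimmed to the SA events that matter for the comparison.
LEFT_LOG = """\
Jun 30 17:13:17 tika racoon: INFO: ISAKMP-SA established 10.1.0.1[500]-10.1.0.2[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:13:19 tika racoon: ERROR: pfkey UPDATE failed: No such file or directory
Jun 30 17:13:19 tika racoon: INFO: IPsec-SA established: ESP 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)
Jun 30 17:14:18 tika racoon: ERROR: 10.1.0.2 give up to get IPsec-SA due to time up to wait.
"""
RIGHT_LOG = """\
Jun 30 17:13:11 first racoon: INFO: ISAKMP-SA established 10.1.0.2[500]-10.1.0.1[500] spi:e09cf4c49045c8f5:6bfa85c2ab99c534
Jun 30 17:13:13 first racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.0.1[0]->10.1.0.2[0] spi=126211579(0x785d5fb)
Jun 30 17:13:13 first racoon: INFO: IPsec-SA established: ESP/Tunnel 10.1.0.2[0]->10.1.0.1[0] spi=37127331(0x23684a3)
"""

# One child SA per direction; racoon prints the SPI as decimal(hex).
IPSEC_SA = re.compile(r"IPsec-SA established: (?P<proto>\S+) (?P<src>[\d.]+)\[\d+\]"
                      r"->(?P<dst>[\d.]+)\[\d+\] spi=\d+\((?P<spi>0x[0-9a-f]+)\)")
# Kernel SADB (PF_KEY) failures and the phase 2 give-up message.
PFKEY_ERR = re.compile(r"ERROR: pfkey (?P<op>\w+) failed: (?P<reason>.*)")
GIVEUP = re.compile(r"ERROR: (?P<peer>[\d.]+) give up to get IPsec-SA")


def parse_racoon(text):
    """Return ({(src, dst): spi}, [error strings]) for one host's racoon log."""
    sas, errors = {}, []
    for line in text.splitlines():
        m = IPSEC_SA.search(line)
        if m:
            sas[(m["src"], m["dst"])] = m["spi"]
            continue
        m = PFKEY_ERR.search(line) or GIVEUP.search(line)
        if m:
            errors.append(m.group(0))
    return sas, errors


def compare_peers(left_text, right_text):
    """Pair the two logs: a direction whose SPI exists on only one side is broken."""
    left, left_errors = parse_racoon(left_text)
    right, right_errors = parse_racoon(right_text)
    missing_on_left = {d: spi for d, spi in right.items() if left.get(d) != spi}
    missing_on_right = {d: spi for d, spi in left.items() if right.get(d) != spi}
    return {"missing_on_left": missing_on_left,
            "missing_on_right": missing_on_right,
            "left_errors": left_errors,
            "right_errors": right_errors}
```

On a live host the same check can be made against `setkey -D` output, which is the kernel's view that the pfkey UPDATE was trying to change.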