From: Anh K. <kq...@ya...> - 2009-02-18 17:54:05
Hi all,
I've met a problem with an invalid DOI value when setting up IPsec in transport mode between 2 machines (10.38.7.238 <--> 10.38.7.239).
Here is my configuration:
------------------------ Machine 10.38.7.238----------
----- setkey.conf-------
flush;
spdflush;
spdadd 10.38.7.239 10.38.7.238 any -P in ipsec ah/transport//require;
spdadd 10.38.7.238 10.38.7.239 any -P out ipsec ah/transport//require;
---- racoon.conf---------
path pre_shared_key "/home/khuong/data/psk.txt" ;
listen {
adminsock disabled;
isakmp 10.38.7.238;
}
remote anonymous
{
exchange_mode main ;
my_identifier address ;
doi ipsec_doi;
lifetime time 24 hour ;
esp_frag 552;
ike_frag on;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
--------------------------- Machine 10.38.7.239------------------------
------ setkey.conf-------------
flush;
spdflush;
spdadd 10.38.7.239 10.38.7.238 any -P out ipsec ah/transport//require;
spdadd 10.38.7.238 10.38.7.239 any -P in ipsec ah/transport//require;
------ racoon.conf ------------
path pre_shared_key "/home/khuong/data/psk.txt" ;
listen {
adminsock disabled;
isakmp 10.38.7.239;
}
remote anonymous
{
exchange_mode main ;
my_identifier address ;
doi ipsec_doi;
lifetime time 24 hour ;
esp_frag 552;
ike_frag on;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
After running the setkey and racoon commands, I tried to ping from machine 238 to machine 239 and hit the problem with the DOI value. Below is the log:
-------- On machine 238 --------------------
1970-01-01 01:12:21: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
1970-01-01 01:12:21: INFO: @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
1970-01-01 01:12:21: DEBUG: call pfkey_send_register for AH
1970-01-01 01:12:21: DEBUG: call pfkey_send_register for ESP
1970-01-01 01:12:21: DEBUG: call pfkey_send_register for IPCOMP
1970-01-01 01:12:21: DEBUG: reading config file racoon.conf
1970-01-01 01:12:21: WARNING: racoon.conf:4: "disabled" admin port support not compiled in
1970-01-01 01:12:21: WARNING: racoon.conf:14: "552" Your kernel does not support esp_frag
1970-01-01 01:12:21: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
1970-01-01 01:12:21: INFO: 10.38.7.238[500] used as isakmp port (fd=5)
1970-01-01 01:12:21: INFO: 10.38.7.238[500] used for NAT-T
1970-01-01 01:12:21: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:12:21: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:12:21: DEBUG: sub:0xbfba95c8: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=fwd
1970-01-01 01:12:21: DEBUG: db :0x1008a160: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=in
1970-01-01 01:12:21: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:12:21: DEBUG: sub:0xbfba95c8: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=out
1970-01-01 01:12:21: DEBUG: db :0x1008a160: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=in
1970-01-01 01:12:21: DEBUG: sub:0xbfba95c8: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=out
1970-01-01 01:12:21: DEBUG: db :0x1008a3a0: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=fwd
1970-01-01 01:12:38: DEBUG: get pfkey ACQUIRE message
1970-01-01 01:12:38: DEBUG: suitable outbound SP found: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=out.
1970-01-01 01:12:38: DEBUG: sub:0xbfba959c: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=in
1970-01-01 01:12:38: DEBUG: db :0x1008a160: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=in
1970-01-01 01:12:38: DEBUG: suitable inbound SP found: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=in.
1970-01-01 01:12:38: DEBUG: new acquire 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=out
1970-01-01 01:12:38: DEBUG: anonymous sainfo selected.
1970-01-01 01:12:38: DEBUG: (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
1970-01-01 01:12:38: DEBUG: (trns_id=MD5 authtype=hmac-md5)
1970-01-01 01:12:38: DEBUG: anonymous configuration selected for 10.38.7.239.
1970-01-01 01:12:38: INFO: IPsec-SA request for 10.38.7.239 queued due to no phase1 found.
1970-01-01 01:12:38: DEBUG: ===
1970-01-01 01:12:38: INFO: initiate new phase 1 negotiation: 10.38.7.238[500]<=>10.38.7.239[500]
1970-01-01 01:12:38: INFO: begin Identity Protection mode.
1970-01-01 01:12:38: DEBUG: new cookie:
d4cf2492bc097ba2
1970-01-01 01:12:38: DEBUG: add payload of len 52, next type 13
1970-01-01 01:12:38: DEBUG: add payload of len 16, next type 0
1970-01-01 01:12:38: DEBUG: 104 bytes from 10.38.7.238[500] to 10.38.7.239[500]
1970-01-01 01:12:38: DEBUG: sockname 10.38.7.238[500]
1970-01-01 01:12:38: DEBUG: send packet from 10.38.7.238[500]
1970-01-01 01:12:38: DEBUG: send packet to 10.38.7.239[500]
1970-01-01 01:12:38: DEBUG: src4 10.38.7.238[500]
1970-01-01 01:12:38: DEBUG: dst4 10.38.7.239[500]
1970-01-01 01:12:38: DEBUG: 1 times of 104 bytes message will be sent to 10.38.7.239[500]
1970-01-01 01:12:38: DEBUG:
d4cf2492 bc097ba2 00000000 00000000 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100
1970-01-01 01:12:38: DEBUG: resend phase1 packet d4cf2492bc097ba2:0000000000000000
1970-01-01 01:12:38: DEBUG: ===
1970-01-01 01:12:38: DEBUG: 104 bytes message received from 10.38.7.239[500] to 10.38.7.238[500]
1970-01-01 01:12:38: DEBUG:
d4cf2492 bc097ba2 48b361df 992759d7 01100200 00000000 00000068 0d000038
00000034 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100
1970-01-01 01:12:38: DEBUG: begin.
1970-01-01 01:12:38: DEBUG: seen nptype=1(sa)
1970-01-01 01:12:38: DEBUG: seen nptype=13(vid)
1970-01-01 01:12:38: DEBUG: succeed.
1970-01-01 01:12:38: INFO: received Vendor ID: DPD
1970-01-01 01:12:38: DEBUG: total SA len=52
1970-01-01 01:12:38: DEBUG:
00000034 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002
1970-01-01 01:12:38: ERROR: invalid value of DOI 0x00000034.
1970-01-01 01:12:38: ERROR: failed to get valid proposal.
------------------- On machine 239 -----------------------
1970-01-01 01:04:51: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
1970-01-01 01:04:51: INFO: @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
1970-01-01 01:04:51: DEBUG: call pfkey_send_register for AH
1970-01-01 01:04:51: DEBUG: call pfkey_send_register for ESP
1970-01-01 01:04:51: DEBUG: call pfkey_send_register for IPCOMP
1970-01-01 01:04:51: DEBUG: reading config file racoon.conf
1970-01-01 01:04:51: WARNING: racoon.conf:4: "disabled" admin port support not compiled in
1970-01-01 01:04:51: WARNING: racoon.conf:14: "552" Your kernel does not support esp_frag
1970-01-01 01:04:51: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
1970-01-01 01:04:51: INFO: 10.38.7.239[500] used as isakmp port (fd=5)
1970-01-01 01:04:51: INFO: 10.38.7.239[500] used for NAT-T
1970-01-01 01:04:52: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:04:52: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:04:52: DEBUG: sub:0xbfc235d8: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=in
1970-01-01 01:04:52: DEBUG: db :0x1008a160: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=out
1970-01-01 01:04:52: DEBUG: get pfkey X_SPDDUMP message
1970-01-01 01:04:52: DEBUG: sub:0xbfc235d8: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=fwd
1970-01-01 01:04:52: DEBUG: db :0x1008a160: 10.38.7.239/32[0] 10.38.7.238/32[0] proto=any dir=out
1970-01-01 01:04:52: DEBUG: sub:0xbfc235d8: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=fwd
1970-01-01 01:04:52: DEBUG: db :0x1008a3a0: 10.38.7.238/32[0] 10.38.7.239/32[0] proto=any dir=in
1970-01-01 01:04:56: DEBUG: ===
1970-01-01 01:04:56: DEBUG: 104 bytes message received from 10.38.7.238[500] to 10.38.7.239[500]
1970-01-01 01:04:56: DEBUG:
d4cf2492 bc097ba2 00000000 00000000 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100
1970-01-01 01:04:56: DEBUG: anonymous configuration selected for 10.38.7.238.
1970-01-01 01:04:56: DEBUG: ===
1970-01-01 01:04:56: INFO: respond new phase 1 negotiation: 10.38.7.239[500]<=>10.38.7.238[500]
1970-01-01 01:04:56: INFO: begin Identity Protection mode.
1970-01-01 01:04:56: DEBUG: begin.
1970-01-01 01:04:56: DEBUG: seen nptype=1(sa)
1970-01-01 01:04:56: DEBUG: seen nptype=13(vid)
1970-01-01 01:04:56: DEBUG: succeed.
1970-01-01 01:04:56: INFO: received Vendor ID: DPD
1970-01-01 01:04:56: DEBUG: total SA len=52
1970-01-01 01:04:56: DEBUG:
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002
1970-01-01 01:04:56: DEBUG: begin.
1970-01-01 01:04:56: DEBUG: seen nptype=2(prop)
1970-01-01 01:04:56: DEBUG: succeed.
1970-01-01 01:04:56: DEBUG: proposal #1 len=44
1970-01-01 01:04:56: DEBUG: begin.
1970-01-01 01:04:56: DEBUG: seen nptype=3(trns)
1970-01-01 01:04:56: DEBUG: succeed.
1970-01-01 01:04:56: DEBUG: transform #1 len=36
1970-01-01 01:04:56: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
1970-01-01 01:04:56: DEBUG: type=Life Duration, flag=0x0000, lorv=4
1970-01-01 01:04:56: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
1970-01-01 01:04:56: DEBUG: encryption(des)
1970-01-01 01:04:56: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
1970-01-01 01:04:56: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
1970-01-01 01:04:56: DEBUG: hash(md5)
1970-01-01 01:04:56: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
1970-01-01 01:04:56: DEBUG: hmac(modp1024)
1970-01-01 01:04:56: DEBUG: pair 1:
1970-01-01 01:04:56: DEBUG: 0x1008ad50: next=(nil) tnext=(nil)
1970-01-01 01:04:56: DEBUG: proposal #1: 1 transform
1970-01-01 01:04:56: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
1970-01-01 01:04:56: DEBUG: trns#=1, trns-id=IKE
1970-01-01 01:04:56: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
1970-01-01 01:04:56: DEBUG: type=Life Duration, flag=0x0000, lorv=4
1970-01-01 01:04:56: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
1970-01-01 01:04:56: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
1970-01-01 01:04:56: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
1970-01-01 01:04:56: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
1970-01-01 01:04:56: DEBUG: Compared: DB:Peer
1970-01-01 01:04:56: DEBUG: (lifetime = 86400:86400)
1970-01-01 01:04:56: DEBUG: (lifebyte = 0:0)
1970-01-01 01:04:56: DEBUG: enctype = DES-CBC:DES-CBC
1970-01-01 01:04:56: DEBUG: (encklen = 0:0)
1970-01-01 01:04:56: DEBUG: hashtype = MD5:MD5
1970-01-01 01:04:56: DEBUG: authmethod = pre-shared key:pre-shared key
1970-01-01 01:04:56: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
1970-01-01 01:04:56: DEBUG: an acceptable proposal found.
1970-01-01 01:04:56: DEBUG: hmac(modp1024)
1970-01-01 01:04:56: DEBUG: new cookie:
48b361df992759d7
1970-01-01 01:04:56: DEBUG: add payload of len 52, next type 13
1970-01-01 01:04:56: DEBUG: add payload of len 16, next type 0
1970-01-01 01:04:56: DEBUG: 104 bytes from 10.38.7.239[500] to 10.38.7.238[500]
1970-01-01 01:04:56: DEBUG: sockname 10.38.7.239[500]
1970-01-01 01:04:56: DEBUG: send packet from 10.38.7.239[500]
1970-01-01 01:04:56: DEBUG: send packet to 10.38.7.238[500]
1970-01-01 01:04:56: DEBUG: src4 10.38.7.239[500]
1970-01-01 01:04:56: DEBUG: dst4 10.38.7.238[500]
1970-01-01 01:04:56: DEBUG: 1 times of 104 bytes message will be sent to 10.38.7.238[500]
1970-01-01 01:04:56: DEBUG:
d4cf2492 bc097ba2 48b361df 992759d7 01100200 00000000 00000068 0d000038
00000034 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100
1970-01-01 01:04:56: DEBUG: resend phase1 packet d4cf2492bc097ba2:48b361df992759d7
Has anyone met this problem before? Thanks for any help troubleshooting it.
-- Anh Khuong--
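Decoding the two 104-byte hex dumps from the log above, as an added example that is not part of the original post or of ipsec-tools: the script is mine and follows the RFC 2408 ISAKMP header, SA payload and proposal header layout, so it shows exactly which field racoon is rejecting (the DOI word right after the SA payload header) in the responder's reply versus the initiator's message.

```python
import struct

IPSEC_DOI = 1  # RFC 2407 IPsec DOI; the only value racoon accepts in an SA payload

# Constructed from the two hex dumps in the post above (initiator's first
# main-mode message and the responder's reply); whitespace is stripped.
INITIATOR_MSG = bytes.fromhex("".join("""
d4cf2492 bc097ba2 00000000 00000000 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100""".split()))
RESPONDER_MSG = bytes.fromhex("".join("""
d4cf2492 bc097ba2 48b361df 992759d7 01100200 00000000 00000068 0d000038
00000034 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100""".split()))


def parse_isakmp_sa(raw: bytes) -> dict:
    """Decode the ISAKMP header, the SA payload header/DOI/SIT and the
    first proposal header; raises ValueError on malformed input."""
    if len(raw) < 48:
        raise ValueError("message too short for header + SA + proposal")
    i_ck, r_ck, np, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != {len(raw)} bytes received")
    if np != 1:
        raise ValueError(f"first payload type {np}, expected 1 (SA)")
    # Generic payload header: next payload, reserved, total payload length.
    sa_np, _, sa_len = struct.unpack("!BBH", raw[28:32])
    if sa_len < 20 or 28 + sa_len > length:
        raise ValueError(f"bad SA payload length {sa_len}")
    doi, sit = struct.unpack("!II", raw[32:40])
    # Proposal header: next, reserved, length, prop#, protocol id, SPI size, #transforms.
    _, _, prop_len, prop_no, proto_id, spi_size, n_trans = struct.unpack(
        "!BBHBBBB", raw[40:48])
    return {
        "initiator_cookie": i_ck.hex(), "responder_cookie": r_ck.hex(),
        "version": ver, "exchange_type": xchg, "next_payload_after_sa": sa_np,
        "sa_payload_len": sa_len, "sa_body_len": sa_len - 4,
        "doi": doi, "situation": sit, "doi_valid": doi == IPSEC_DOI,
        "proposal_len": prop_len, "proposal_no": prop_no,
        "proto_id": proto_id, "spi_size": spi_size, "n_transforms": n_trans,
    }


if __name__ == "__main__":
    for name, msg in (("initiator", INITIATOR_MSG), ("responder", RESPONDER_MSG)):
        p = parse_isakmp_sa(msg)
        print(f"{name}: DOI=0x{p['doi']:08x} valid={p['doi_valid']} "
              f"SA body len={p['sa_body_len']}")
```

Both messages decode identically except for the responder cookie and the DOI word, which is 0x00000001 in the initiator's message and 0x00000034 (decimal 52, the same number racoon prints as "total SA len=52") in the reply; that coincidence is an observation from the dumps, not a diagnosis of the cause.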