From: Brad R. <Brad@BradRubenstein.com> - 2004-09-16 06:25:26
When I started setting up ipsec, I was remotely (ssh) connected to the host on which I ran setkey, and it looked like the remote computer was frozen, but in fact it was just that the remote internet connection was locked up because it was no longer accepting unencrypted packets from me due to the policies I'd added (and the rest of the setup was broken anyway). Of course, rebooting is certainly an effective way to flush the SPD table.

I was being dimwitted, but I thought I'd mention it, in case you were accidentally encrypting the communication channel you were debugging on.

Brad

----- Original Message -----
From: Boris
To: ips...@li...
Sent: Thursday, September 16, 2004 1:02 AM
Subject: [Ipsec-tools-devel] [Critical] Systems FREEZE when initiating IPSEC connection.

Hello,

I am having troubles connecting two sides. I am running Linux 2.6.9-rc2-bk2 with ipsec-tools 0.4rc1. (all the latest) Here is the network layout:

172.16.1.0/24 => 142.161.x.x <=======================> 69.196.x.x => 172.16.2.0/24

On the 142.161.x.x, I have eth0:1 aliased as 172.16.1.1. (eth0 is 142.161.x.x)
On the 69.196.x.x, I have eth0:1 aliased as 172.16.2.1. (eth0 is 69.196.x.x)

*** 142.161.x.x machine ***

/etc/ipsec.conf

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/142.161.x.x-69.196.x.x/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/69.196.x.x-142.161.x.x/require;

/etc/racoon/psk.txt

69.196.x.x mekmitasdigoat

/etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

remote 69.196.x.x {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

*** 142.161.x.x machine ***

/etc/ipsec.conf

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
    esp/tunnel/142.161.x.x-69.196.x.x/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
    esp/tunnel/69.196.x.x-142.161.x.x/require;

/etc/racoon/psk.txt

142.161.x.x mekmitasdigoat

/etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

remote 142.161.x.x {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

******************

When running racoon on the 142.161.x.x, this is what I get:

root@www:/etc# racoon -Fvf /etc/racoon/racoon.conf
Foreground mode.
2004-09-15 23:29:53: INFO: @(#)ipsec-tools 0.5pre (http://ipsec-tools.sourceforge.net)
2004-09-15 23:29:53: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-09-15 23:29:53: INFO: 142.161.x.x[500] used as isakmp port (fd=6)
2004-09-15 23:29:53: INFO: 172.16.1.1[500] used as isakmp port (fd=7)
2004-09-15 23:29:53: INFO: 10.0.0.1[500] used as isakmp port (fd=8)
2004-09-15 23:29:53: INFO: 192.168.0.1[500] used as isakmp port (fd=9)
2004-09-15 23:29:53: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2004-09-15 23:30:16: INFO: respond new phase 1 negotiation: 142.161.x.x[500]<=>69.196.x.x[500]
2004-09-15 23:30:16: INFO: begin Identity Protection mode.
2004-09-15 23:30:16: INFO: ISAKMP-SA established 142.161.x.x[500]-69.196.x.x[500] spi:90135c910af98258:874e08f71a62dac9

On the 69.196.x.x side, this is what I get:

racoon -Fvf /etc/racoon/racoon.conf
Foreground mode.
2004-09-16 00:25:44: INFO: @(#)ipsec-tools 0.5pre (http://ipsec-tools.sourceforge.net)
2004-09-16 00:25:44: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2004-09-16 00:25:44: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2004-09-16 00:25:44: INFO: 172.16.2.1[500] used as isakmp port (fd=7)
2004-09-16 00:25:44: INFO: 69.196.x.x[500] used as isakmp port (fd=8)
2004-09-16 00:26:03: INFO: IPsec-SA request for 142.161.x.x queued due to no phase1 found.
2004-09-16 00:26:03: INFO: initiate new phase 1 negotiation: 69.196.x.x[500]<=>142.161.x.x[500]
2004-09-16 00:26:03: INFO: begin Identity Protection mode.
2004-09-16 00:26:03: INFO: ISAKMP-SA established 69.196.x.x[500]-142.161.x.x[500] spi:90135c910af98258:874e08f71a62dac9
2004-09-16 00:26:04: INFO: initiate new phase 2 negotiation: 69.196.x.x[0]<=>142.161.x.x[0]

This is an example if I try to ping the 172.16.1.1 from the 69.196.x.x side. It looks like it is starting to connect, but then the 69.196.x.x side *COMPLETELY* freezes. The only thing you can do is manually reboot the computer. If I try to ping the 172.16.2.1 from the 142.161.x.x side, the 142.161.x.x side *completely* freezes.

What the hell am I doing wrong?

Also, I don't think this has anything to do with it, but on the 142.161.x.x side I compiled ipsec-tools with gcc 3.4.2 and ipsec-tools has this problem:

make[3]: Entering directory `/tmp/zz/src/racoon'
gcc -g -O2 -I./../include-glibc -include ./../include-glibc/glibc-bugs.h -DINET6 -I./missing -DHAVE_CONFIG_H -I./../include-glibc -include ./../include-glibc/glibc-bugs.h -DINET6 -I./missing -Wall -Werror -Wno-unused -DYIPS_DEBUG -DIPSEC -I. -I. -DSYSCONFDIR=\"/usr/etc\" -Wno-sign-compare -DYY_NO_UNPUT -I./../libipsec -c sockmisc.c
sockmisc.c: In function `saddrwop2str':
sockmisc.c:841: warning: null argument where non-null required (arg 1)
make[3]: *** [sockmisc.o] Error 1

If I edit the src/racoon/Makefile and remove the -Werror, it compiles fine, but I don't think this has anything to do with it? Or does it?

Any help would be GREATLY appreciated!
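The lockout Brad describes at the top of the thread, a `require` policy that silently covers the SSH session used to apply it, can be caught before running `setkey -f`. The following is an added example, not code from the thread or from ipsec-tools: a small Python checker that parses `spdadd` statements in the form posted above and reports which `require` (or `unique`) policies would capture the administrator's own session to the gateway. The sample policy text is constructed for the example, with the masked `x.x` octets replaced by RFC 5737 documentation addresses and a third, transport-mode policy added to show a rule that does catch the admin session.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's /etc/ipsec.conf. The masked
# "x.x" octets of the original are replaced with RFC 5737 documentation
# addresses; the third policy is an added transport-mode rule of the kind that
# catches an administrator's own SSH session.
SAMPLE_POLICY = """\
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/198.51.100.10-203.0.113.20/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/203.0.113.20-198.51.100.10/require;
spdadd 0.0.0.0/0 198.51.100.10 any -P in ipsec
    esp/transport//require;
"""

# One spdadd statement: src dst upper -P direction policy [rule];
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(\S+)(?:\s+(\S+))?\s*;"
)


def parse_spd(text):
    """Parse spdadd statements from setkey input into a list of dicts."""
    # Drop comment lines, then fold the file so multi-line statements match.
    body = " ".join(line for line in text.splitlines()
                    if not line.lstrip().startswith("#"))
    policies = []
    for m in SPDADD_RE.finditer(body):
        src, dst, upper, direction, policy, rule = m.groups()
        policies.append({"src": src, "dst": dst, "upper": upper,
                         "dir": direction, "policy": policy, "rule": rule})
    return policies


def _covers(selector, addr):
    """True if a setkey address selector (host or prefix, optional [port]) covers addr."""
    net = ipaddress.ip_network(selector.split("[")[0], strict=False)
    return ipaddress.ip_address(addr) in net


def lockout_risks(text, admin_host, gateway):
    """Return the require/unique policies that would capture the admin<->gateway session.

    Inbound SSH packets are admin->gateway (-P in); replies are gateway->admin
    (-P out). At level require or unique the kernel drops such packets until an
    SA exists, which is the lockout described in the thread.
    """
    flows = {"in": (admin_host, gateway), "out": (gateway, admin_host)}
    risks = []
    for p in parse_spd(text):
        if p["policy"] != "ipsec" or p["upper"] not in ("any", "tcp"):
            continue
        level = p["rule"].rsplit("/", 1)[-1].split(":")[0]
        if level not in ("require", "unique") or p["dir"] not in flows:
            continue
        src, dst = flows[p["dir"]]
        if _covers(p["src"], src) and _covers(p["dst"], dst):
            risks.append(p)
    return risks


if __name__ == "__main__":
    # Admin host and gateway address are constructed placeholders.
    for p in lockout_risks(SAMPLE_POLICY, "192.0.2.5", "198.51.100.10"):
        print("would cut off admin session:", p["src"], "->", p["dst"],
              "-P", p["dir"], p["rule"])
```

Run the check against the real policy file with the address you are connecting from and the address you are connected to before applying it. As a second safety net that does not depend on getting the selectors right, arm a rollback from the shell first (for example start `sleep 120 && setkey -FP` in the background, and kill it once the session is confirmed to survive), so that a bad policy flushes itself instead of needing the reboot mentioned above.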