Menu
▾
▴
Re: [Ipsec-tools-devel] [Critical] Systems FREE when initiating IPSEC connection.
|
From: Brad R. <Brad@BradRubenstein.com> - 2004-09-16 06:25:26
|
When I started setting up ipsec, i was remotely (ssh) connected to the =
host on which I ran setkey, and it looked like the remote computer was =
frozen, but in fact it was just that the remote internet connection was =
locked up because it was no longer accepting unencrypted packets from me =
due to the policies I'd added (and the rest of the setup was broken =
anyway). Of course, rebooting is certainly an effective way to flush =
the SPD table.
I was being dimwitted, but I thought I'd mention it, in case you were =
accidentally encrypting the communication channel you were debugging on.
Brad
----- Original Message -----=20
From: Boris=20
To: ips...@li...=20
Sent: Thursday, September 16, 2004 1:02 AM
Subject: [Ipsec-tools-devel] [Critical] Systems FREE when initiating =
IPSEC connection.
Hello, I am having troubles connecting two sides. I am running Linux =
2.6.9-rc2-bk2 with ipsec-tools 0.4rc1. (all the latest) Here is the =
network layout
172.16.1.0/24 =3D> 142.161.x.x =
<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D> 69.196.x.x =3D> 172.16.2.0/24
On the 142,161.x.x, I have eth0:1 aliased as 172.16.1.1. (eth0 is =
142.161.x.x)
On the 69.196.x.x, I have eth0:1 aliased as 172.16.2.1. (eth0 is =
69.196.x.x)
*** 142.161.x.x machine ***
/etc/ipsec.conf
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
esp/tunnel/142.161.x.x-69.196.x.x/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
esp/tunnel/69.196.x.x-142.161.x.x/require;
/etc/racoon/psk.txt
69.196.x.x mekmitasdigoat
/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote 69.196.x.x {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
*** 142.161.x.x machine ***
/etc/ipsec.conf
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
esp/tunnel/142.161.x.x-69.196.x.x/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
esp/tunnel/69.196.x.x-142.161.x.x/require;
/etc/racoon/psk.txt
142.161.x.x mekmitasdigoat
/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote 142.161.x.x {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
******************
when running racoon on the 142.161.x.x, this is what I get
root@www:/etc# racoon -Fvf /etc/racoon/racoon.conf
Foreground mode.
2004-09-15 23:29:53: INFO: @(#)ipsec-tools 0.5pre =
(http://ipsec-tools.sourceforge.net)
2004-09-15 23:29:53: INFO: @(#)This product linked OpenSSL 0.9.7d 17 =
Mar 2004 (http://www.openssl.org/)
2004-09-15 23:29:53: INFO: 142.161.x.x[500] used as isakmp port =
(fd=3D6)
2004-09-15 23:29:53: INFO: 172.16.1.1[500] used as isakmp port =
(fd=3D7)
2004-09-15 23:29:53: INFO: 10.0.0.1[500] used as isakmp port (fd=3D8)
2004-09-15 23:29:53: INFO: 192.168.0.1[500] used as isakmp port =
(fd=3D9)
2004-09-15 23:29:53: INFO: 127.0.0.1[500] used as isakmp port =
(fd=3D10)
2004-09-15 23:30:16: INFO: respond new phase 1 negotiation: =
142.161.x.x[500]<=3D>69.196.x.x[500]
2004-09-15 23:30:16: INFO: begin Identity Protection mode.
2004-09-15 23:30:16: INFO: ISAKMP-SA established =
142.161.x.x[500]-69.196.x.x[500] spi:90135c910af98258:874e08f71a62dac9
on the 69.196.x.x side, this is what I get
racoon -Fvf /etc/racoon/racoon.conf
Foreground mode.
2004-09-16 00:25:44: INFO: @(#)ipsec-tools 0.5pre =
(http://ipsec-tools.sourceforge.net)
2004-09-16 00:25:44: INFO: @(#)This product linked OpenSSL 0.9.7a Feb =
19 2003 (http://www.openssl.org/)
2004-09-16 00:25:44: INFO: 127.0.0.1[500] used as isakmp port (fd=3D6)
2004-09-16 00:25:44: INFO: 172.16.2.1[500] used as isakmp port =
(fd=3D7)
2004-09-16 00:25:44: INFO: 69.196.x.x[500] used as isakmp port =
(fd=3D8)
2004-09-16 00:26:03: INFO: IPsec-SA request for 142.161.x.x queued due =
to no phase1 found.
2004-09-16 00:26:03: INFO: initiate new phase 1 negotiation: =
69.196.x.x[500]<=3D>142.161.x.x[500]
2004-09-16 00:26:03: INFO: begin Identity Protection mode.
2004-09-16 00:26:03: INFO: ISAKMP-SA established =
69.196.x.x[500]-142.161.x.x[500] spi:90135c910af98258:874e08f71a62dac9
2004-09-16 00:26:04: INFO: initiate new phase 2 negotiation: =
69.196.x.x[0]<=3D>142.161.x.x[0]
This is an example if I try to ping the 172.16.1.1 from the 69.196.x.x =
side. It looks like it starting to connect but then the 69.196.x.x side =
*COMPLETELY* freezes. The only thing you can do is manually reboot the =
computer. If I try to ping the 172.16.2.1 from the 142.161.x.x side, the =
142.161.x.x side *completely* freezes. What the hell am I doing wrong? =
Also, I dont think this has anything to do with it but on the =
142.161.x.x side, i compiled ipsec-tools with gcc 3.4.2 and ipsec-tools =
has this problem
make[3]: Entering directory `/tmp/zz/src/racoon'
gcc -g -O2 -I./../include-glibc -include =
./../include-glibc/glibc-bugs.h -DINET6 -I./missing -DHAVE_CONFIG_H =
-I./../include-glibc -include ./../include-glibc/glibc-bugs.h -DINET6 =
-I./missing -Wall -Werror -Wno-unused -DYIPS_DEBUG -DIPSEC -I. -I. =
-DSYSCONFDIR=3D\"/usr/etc\" -Wno-sign-compare -DYY_NO_UNPUT =
-I./../libipsec -c sockmisc.c
sockmisc.c: In function `saddrwop2str':
sockmisc.c:841: warning: null argument where non-null required (arg 1)
make[3]: *** [sockmisc.o] Error 1
if I edit the src/racoon/Makefile and remove the -Werror, it compiles =
fine but I dont think this has anything to do with it? Or does it?
Any help would be GREATLY appreciated!
|