From: Rivan B. <rb...@fm...> - 2005-03-02 13:59:39
I got the following error message while testing racoon under Slackware Linux. I tested ipsec-tools-0.4 and ipsec-tools-0.5 with Linux kernel 2.6.8, Linux-2.6.9 and Linux-2.6.10 and got the same error:

"ERROR: pfkey ADD failed: File exists"

The message surfaced when racoon attempted a phase 2 SA rekey. It only occurs with endpoint addresses on the same subnet, where the last octet of the addresses differs by a value of 1.

For example:

Box A has endpoint address 10.85.124.6, and Box B has endpoint address 10.85.124.7. If Box A initiates a connection with Box B, phase 1 and phase 2 are established normally. Phase 2 rekeying is also normal.

However, if Box B initiates the connection to Box A, again phase 1 and phase 2 are established normally. However, phase 2 rekeying fails with the error message described.

This problem occurs when Box A and Box B have endpoint addresses in which the last octet differs by a value of 1. To be most specific, addresses in the range 10.85.124.6 to 10.85.124.254 exhibit the problem. In fact "anything.85.124.6" to "anything.85.124.254" has the problem, and there may be more subnets as well.

Here is a sample of Box A's racoon.conf file; Box B's is just the reverse.

path include "/etc/racoondir";
path pre_shared_key "/etc/racoondir/psk.txt";
path certificate "/etc/racoondir/cert";

log notify;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    isakmp 10.85.124.6 [500];
}

timer {
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 10.85.124.7 {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 24 hour;  # sec,min,hour
    proposal_check obey;    # obey, strict, exact or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.1.0/24 any address 172.24.1.0/24 any {
    lifetime time 15 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 172.24.1.0/24 any address 192.168.1.0/24 any {
    lifetime time 15 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Rivan