[Ipsec-tools-devel] Phase 2 rekey error with racoon

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I got the following error message while testing racoon under Slackware
Linux:

I tested ipsec-tools-0.4, ipsec-tools-0.5 with Linux kernel 2.6.8,
Linux-2.6.9,

And Linux-2.6.10 and got the same error.=20

=20

"ERROR: pfkey ADD failed: File exists".=20

=20

The message surfaced when racoon attempted a phase 2 sa rekey.

And it only occurs with endpoint addresses on the same subnet. And

The last octet of the addresses differ by a value of 1.=20

=20

For example :

=20

Box A has endpoint address 10.85.124.6, and Box B has endpoint address
10.85.124.7.

If  Box A  initiates a connection  with Box B, phase 1  and phase 2 are
established normally.

Phase 2 rekeying is also normal.

=20

However if Box B initiates the connection to Box A,  again phase 1 and
phase 2 are=20

Established normally. However  phase 2 rekeying fails with the error
message described.

=20

This problem occurs when Box A and Box B has endpoint addresses in which
the last octet

Differ by a value of 1. To be most specific addresses in the range
10.85.124.6 to 10.85.124.254

Exhibit the problem.  In fact "anything.85.124.6 " to
"anything.85.124.254" has the problem.

And there may be more subnets as well.

=20

Here is a sample of Box A  racoon.conf file,  Box B is just the reverse.

=20

path include "/etc/racoondir" ;

path pre_shared_key "/etc/racoondir/psk.txt" ;

path certificate "/etc/racoondir/cert" ;

log notify;

padding

{

      maximum_length 20;      # maximum padding length.

      randomize off;          # enable randomize length.

      strict_check off; # enable strict check.

      exclusive_tail off;     # extract last one octet.

}

listen

{

      isakmp 10.85.124.6 [500];

}

=20

timer

{

      counter 5;        # maximum trying count to send.

      interval 20 sec;  # maximum interval to resend.

      persend 1;        # the number of packets per a send.

      phase1 30 sec;

      phase2 15 sec;

}

remote 10.85.124.7

{

      exchange_mode main,aggressive;

      doi ipsec_doi;

      situation identity_only;

=20

      nonce_size 16;

      lifetime time 24 hour;  # sec,min,hour

      proposal_check obey;    # obey, strict, exact or claim

      proposal {

            encryption_algorithm 3des;

            hash_algorithm md5;

            authentication_method pre_shared_key ;

            dh_group 2;

      }

}

=20

sainfo address 192.168.1.0/24 any address 172.24.1.0/24 any

{

      lifetime time 15 min;

      encryption_algorithm 3des ;

      authentication_algorithm hmac_md5;

      compression_algorithm deflate ;

}=20

sainfo address 172.24.1.0/24 any address 192.168.1.0/24 any

{

      lifetime time 15 min;

      encryption_algorithm 3des ;

      authentication_algorithm hmac_md5;

      compression_algorithm deflate ;

}

=20

=20

Rivan=20

=20

=20

=20

=20