#34 Racoon cannot establish connection

Status: closed
Owner: nobody
Priority: 5
Updated: 2015-01-06
Created: 2006-07-22
Creator: Anonymous
Private: No

Hello guys! I need your help.
Racoon can't establish a connection. I have 2 hosts belonging to one network, 10.75.99.166 and 10.75.99.167, with FreeBSD 4.10 and ipsec-tools 0.6.6 (installed from the source code, not from the ports collection) on both of them. The firewall is not set up (allow all traffic in and out).

racoon.log on host 1 (10.75.99.167):

2006-07-20 09:45:00: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:45:00: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:45:00: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:45:00: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:45:00: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:45:00: INFO: 10.75.99.167[500] used as isakmp port (fd=8)
2006-07-20 09:45:00: INFO: fe80::230:84ff:fe0f:e5dd%rl0[500] used as isakmp port (fd=9)

The next line appears after setting security policies (with setkey spdadd), and the following ones after trying to ping host 2 (10.75.99.166):

2006-07-20 09:52:47: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:54:27: INFO: IPsec-SA request for 10.75.99.166 queued due to no phase1 found.
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:54:58: INFO: delete phase 2 handler.
2006-07-20 09:55:00: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
2006-07-20 09:55:32: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:55:32: INFO: delete phase 2 handler.

racoon.log on host 2 (10.75.99.166):

2006-07-20 09:52:01: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:52:01: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:52:01: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:52:01: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:52:01: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:52:01: INFO: 192.168.0.1[500] used as isakmp port (fd=8)
2006-07-20 09:52:01: INFO: fe80::230:4fff:fe08:4f85%rl1[500] used as isakmp port (fd=9)
2006-07-20 09:52:01: INFO: 10.75.99.166[500] used as isakmp port (fd=10)
2006-07-20 09:52:01: INFO: fe80::202:44ff:fe8b:4ed3%rl0[500] used as isakmp port (fd=11)
2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER

2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:22: INFO: begin Identity Protection mode.
2006-07-20 09:56:22: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:56:53: INFO: delete phase 2 handler.
2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:57:43: INFO: delete phase 2 handler.

I use racoon.conf from the samples in the ipsec-tools package:

# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ; # sec,min,hour

	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

On both machines I run racoon with the following parameters:

/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

And then the scripts setting security policies. On host 1:

#!/bin/sh
skeycmd="/usr/sbin/setkey"

$skeycmd -FP
$skeycmd -F

$skeycmd -c << EOF
spdadd 10.75.99.167/32 10.75.99.166/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.166/32 10.75.99.167/32 any -P in ipsec esp/transport//require;
EOF

On host 2:

#!/bin/sh
skeycmd="/usr/sbin/setkey"

$skeycmd -FP
$skeycmd -F

$skeycmd -c << EOF
spdadd 10.75.99.166/32 10.75.99.167/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.167/32 10.75.99.166/32 any -P in ipsec esp/transport//require;
EOF

Thanks everyone for help. Maxim maksymk@ukr.net
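An added example, not part of the bug report or of ipsec-tools: a small Python script that reads racoon.log lines of the kind quoted above (re-typed here as constructed sample input, with the wrapped lines rejoined) and summarises the phase 1 attempt on each host: which role the host took, how many retransmissions it logged from the peer, and whether the responder half of the cookie pair in the "phase1 negotiation failed" line is still all zeros. The regexes, the summary fields and the diagnosis labels are my own and assume the 0.6.x log wording shown in the report; my reading that racoon prints the pair as initiator cookie:responder cookie is noted in the code.

```python
"""Summarise an IKE phase 1 failure from racoon.log lines.

Added example (not from the bug report or from ipsec-tools).  It pulls out the
facts a defender wants first when phase 1 times out: which role this host took,
how often it logged retransmissions from the peer, and whether the responder
cookie in the failure line is still all zeros.
"""
import re

# Constructed sample input, modelled on the two racoon.log excerpts in the report
# with the wrapped lines rejoined.  Host 10.75.99.167 initiates, 10.75.99.166 responds.
INITIATOR_LOG = """\
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
"""

RESPONDER_LOG = """\
2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:22: INFO: begin Identity Protection mode.
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
# racoon logs the address pair as local[port]<=>remote[port]
RE_START = re.compile(TS + r"INFO: (initiate|respond) new phase 1 negotiation: "
                      r"([^\s\[]+)\[(\d+)\]<=>([^\s\[]+)\[(\d+)\]")
RE_RETRANS = re.compile(TS + r"NOTIFY: the packet is retransmitted by ([^\s\[]+)\[(\d+)\]\.")
# Assumption: the trailing hex pair is the ISAKMP initiator cookie : responder cookie
RE_FAIL = re.compile(TS + r"ERROR: phase1 negotiation failed due to time up\. "
                     r"([0-9a-f]{16}):([0-9a-f]{16})")

ZERO_COOKIE = "0" * 16


def parse_phase1(log_text):
    """Return a summary dict for the (last) phase 1 attempt found in log_text."""
    summary = {
        "role": None, "local": None, "peer": None,
        "retransmits_from_peer": 0, "failed": False,
        "initiator_cookie": None, "responder_cookie": None,
    }
    for line in log_text.splitlines():
        m = RE_START.match(line)
        if m:
            summary["role"] = "initiator" if m.group(2) == "initiate" else "responder"
            summary["local"], summary["peer"] = m.group(3), m.group(5)
            summary["retransmits_from_peer"] = 0   # a new attempt starts a new count
            continue
        if RE_RETRANS.match(line):
            summary["retransmits_from_peer"] += 1
            continue
        m = RE_FAIL.match(line)
        if m:
            summary["failed"] = True
            summary["initiator_cookie"], summary["responder_cookie"] = m.group(2), m.group(3)
    return summary


def diagnose(summary):
    """Map the summary to a coarse label that says where to look next."""
    if not summary["failed"]:
        return "phase1-ok-or-still-running"
    if summary["responder_cookie"] == ZERO_COOKIE:
        # The responder cookie is only filled in once this host has processed the
        # peer's first reply; all zeros means no reply was ever accepted here.
        return "no-reply-received"
    if summary["role"] == "responder" and summary["retransmits_from_peer"] > 0:
        # We answered, but the peer kept resending its first message, so our
        # reply did not reach it or was dropped on its side.
        return "reply-not-reaching-peer"
    return "stalled-mid-exchange"


if __name__ == "__main__":
    for name, text in (("host 1", INITIATOR_LOG), ("host 2", RESPONDER_LOG)):
        s = parse_phase1(text)
        print(f"{name}: role={s['role']} peer={s['peer']} "
              f"retransmits={s['retransmits_from_peer']} -> {diagnose(s)}")
```

Run against both hosts' logs it gives "no-reply-received" for host 1 and "reply-not-reaching-peer" for host 2, which together say that host 1's first main-mode message arrives but host 2's answer never makes it back; the sensible next step is a packet capture of UDP port 500 on both sides to see where that answer goes.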

Discussion

  • Timo Teras - 2009-01-16
    status: open --> closed

  • Timo Teras - 2009-01-16
    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.
