5.2 IPSec problems & crash

From: Branko F. <bfg_at_noviforum.si>
Date: Sun, 18 Jan 2004 22:16:47 +0100
Hi.

I'm having big troubles with IPSec after upgrading from 5.1 to 5.2.
IPSec tunnels stoped working after upgrade of the base system (i didn't
change racoon or setkey configuration) I'm using the latest racoon.

# pkg_info | grep racoon
racoon-20040114a    KAME racoon IKE daemon

============================================

# cat /etc/ipsec.conf
# flush old stuff first
flush;
spdflush;

# VPN tunnel
spdadd 192.168.200.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/a.b.c.d-e.f.g.h/require;

spdadd 192.168.2.0/24 192.168.200.0/24 any -P out ipsec
esp/tunnel/e.f.g.h-a.b.c.d/require;

============================================

a.b.c.d is my internet address, e.f.g.h is remote router internet
address (it's linux 2.4 with freeswan 1.9.x)


============================================

# cat /usr/local/etc/racoon/racoon.conf
#
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/racoon/cert" ;

log notify;
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
        isakmp a.b.c.d [500];
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# vpn tunnel
remote e.f.g.h {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        lifetime time 6 hour;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 6 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

============================================

racoon debug output

# racoon -F -d
Foreground mode.
2004-01-18 22:12:45: INFO: main.c:172:main(): _at_(#)package version
freebsd-20040114a
2004-01-18 22:12:45: INFO: main.c:174:main(): _at_(#)internal version
20001216 sakane_at_kame.net
2004-01-18 22:12:45: INFO: main.c:175:main(): _at_(#)This product linked
OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call
pfkey_send_register for AH
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call
pfkey_send_register for ESP
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call
pfkey_send_register for IPCOMP
2004-01-18 22:12:45: DEBUG: cftoken.l:578:yycf_set_buffer(): reading
config file /usr/local/etc/racoon/racoon.conf
2004-01-18 22:12:45: DEBUG: pfkey.c:2379:pk_checkalg(): compression
algorithm can not be checked because sadb message doesn't support it.
2004-01-18 22:12:45: INFO: isakmp.c:1356:isakmp_open(): a.b.c.d[500]
used as isakmp port (fd=5)
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey
X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey
X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbfbfe9d0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:45: DEBUG: policy.c:185:cmpspidxstrict(): db
:0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey
ACQUIRE message
2004-01-18 22:12:57: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable
outbound SP found: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any
dir=out.
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db
:0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db
:0x80ac008: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:57: NOTIFY: pfkey.c:1640:pk_recvacquire(): no in-bound
policy found: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire
192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo
selected.
2004-01-18 22:12:57: DEBUG: proposal.c:828:printsaproto(): 
(proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel
reqid=0:0)
2004-01-18 22:12:57: DEBUG: proposal.c:862:printsatrns():  
(trns_id=3DES encklen=0 authtype=hmac-sha)
2004-01-18 22:12:57: DEBUG: remoteconf.c:118:getrmconf(): configuration
found for e.f.g.h.
2004-01-18 22:12:57: INFO: isakmp.c:1682:isakmp_post_acquire(): IPsec-SA
request for e.f.g.h queued due to no phase1 found.
2004-01-18 22:12:57: DEBUG: isakmp.c:791:isakmp_ph1begin_i(): ===
2004-01-18 22:12:57: INFO: isakmp.c:796:isakmp_ph1begin_i(): initiate
new phase 1 negotiation: a.b.c.d[500]<=>e.f.g.h[500]
2004-01-18 22:12:57: INFO: isakmp.c:801:isakmp_ph1begin_i(): begin
Identity Protection mode.
2004-01-18 22:12:57: DEBUG: isakmp.c:1994:isakmp_newcookie(): new
cookie:
074dda08a6707937
2004-01-18 22:12:57: DEBUG: isakmp.c:2111:set_isakmp_payload(): add
payload of len 48, next type 0
2004-01-18 22:12:57: DEBUG: isakmp.c:2246:isakmp_printpacket(): begin.
12:57.271958 a.b.c.d:500 -> e.f.g.h:500: isakmp 1.0 msgid 00000000:
phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=5460)(type=enc value=3des)(type=auth value=preshared)(type=hash
value=sha1)(type=group desc value=modp1024))))
2004-01-18 22:12:57: DEBUG: sockmisc.c:421:sendfromto(): sockname
a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:423:sendfromto(): send packet
from a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:425:sendfromto(): send packet to
e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80
bytes message will be sent to e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:12:57: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend
phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:13:17: DEBUG: sockmisc.c:421:sendfromto(): sockname
a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:423:sendfromto(): send packet
from a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:425:sendfromto(): send packet to
e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80
bytes message will be sent to e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:13:17: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend
phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:14:57: ERROR: isakmp.c:1435:isakmp_ph1resend(): phase1
negotiation failed due to time up. 074dda08a6707937:0000000000000000


============================================

My kernel config includes:

options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG


Ideas?

Brane

Received on Sun Jan 18 2004 - 12:16:59 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:38 UTC