Hi. I'm having big trouble with IPSec after upgrading from 5.1 to 5.2. IPSec tunnels stopped working after the upgrade of the base system (I didn't change racoon or setkey configuration). I'm using the latest racoon.

# pkg_info | grep racoon
racoon-20040114a    KAME racoon IKE daemon

============================================
# cat /etc/ipsec.conf
# flush old stuff first
flush;
spdflush;

# VPN tunnel
spdadd 192.168.200.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/a.b.c.d-e.f.g.h/require;
spdadd 192.168.2.0/24 192.168.200.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/require;
============================================

a.b.c.d is my internet address, e.f.g.h is the remote router's internet address (it's linux 2.4 with freeswan 1.9.x).

============================================
# cat /usr/local/etc/racoon/racoon.conf
#
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/racoon/cert" ;

log notify;

padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	isakmp a.b.c.d [500];
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

# vpn tunnel
remote e.f.g.h
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;
	my_identifier address;
	lifetime time 6 hour;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous
{
	pfs_group 2;
	lifetime time 6 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
============================================

racoon debug output

# racoon -F -d
Foreground mode.
2004-01-18 22:12:45: INFO: main.c:172:main(): _at_(#)package version freebsd-20040114a
2004-01-18 22:12:45: INFO: main.c:174:main(): _at_(#)internal version 20001216 sakane_at_kame.net
2004-01-18 22:12:45: INFO: main.c:175:main(): _at_(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for AH
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for ESP
2004-01-18 22:12:45: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for IPCOMP
2004-01-18 22:12:45: DEBUG: cftoken.l:578:yycf_set_buffer(): reading config file /usr/local/etc/racoon/racoon.conf
2004-01-18 22:12:45: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2004-01-18 22:12:45: INFO: isakmp.c:1356:isakmp_open(): a.b.c.d[500] used as isakmp port (fd=5)
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-01-18 22:12:45: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9d0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:45: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-01-18 22:12:57: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out.
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9b0: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80ac008: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=out
2004-01-18 22:12:57: NOTIFY: pfkey.c:1640:pk_recvacquire(): no in-bound policy found: 192.168.2.0/24[0] 192.168.200.0/24[0] proto=any dir=in
2004-01-18 22:12:57: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.200.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2004-01-18 22:12:57: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2004-01-18 22:12:57: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2004-01-18 22:12:57: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha)
2004-01-18 22:12:57: DEBUG: remoteconf.c:118:getrmconf(): configuration found for e.f.g.h.
2004-01-18 22:12:57: INFO: isakmp.c:1682:isakmp_post_acquire(): IPsec-SA request for e.f.g.h queued due to no phase1 found.
2004-01-18 22:12:57: DEBUG: isakmp.c:791:isakmp_ph1begin_i(): ===
2004-01-18 22:12:57: INFO: isakmp.c:796:isakmp_ph1begin_i(): initiate new phase 1 negotiation: a.b.c.d[500]<=>e.f.g.h[500]
2004-01-18 22:12:57: INFO: isakmp.c:801:isakmp_ph1begin_i(): begin Identity Protection mode.
2004-01-18 22:12:57: DEBUG: isakmp.c:1994:isakmp_newcookie(): new cookie: 074dda08a6707937
2004-01-18 22:12:57: DEBUG: isakmp.c:2111:set_isakmp_payload(): add payload of len 48, next type 0
2004-01-18 22:12:57: DEBUG: isakmp.c:2246:isakmp_printpacket(): begin.
12:57.271958 a.b.c.d:500 -> e.f.g.h:500: isakmp 1.0 msgid 00000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=5460)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
2004-01-18 22:12:57: DEBUG: sockmisc.c:421:sendfromto(): sockname a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80 bytes message will be sent to e.f.g.h[500]
2004-01-18 22:12:57: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:12:57: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:13:17: DEBUG: sockmisc.c:421:sendfromto(): sockname a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 80 bytes message will be sent to e.f.g.h[500]
2004-01-18 22:13:17: DEBUG: plog.c:193:plogdump():
074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c5460
80010005 80030001 80020002 80040002
2004-01-18 22:13:17: DEBUG: isakmp.c:1447:isakmp_ph1resend(): resend phase1 packet 074dda08a6707937:0000000000000000
2004-01-18 22:14:57: ERROR: isakmp.c:1435:isakmp_ph1resend(): phase1 negotiation failed due to time up. 074dda08a6707937:0000000000000000
============================================

My kernel config includes:

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

Ideas?

Brane
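The 80-byte hex dump that racoon prints above is the phase 1 proposal exactly as it leaves a.b.c.d, and decoding it by hand is the quickest way to confirm what was actually offered to the peer. The following Python decoder is an added example, not code from the post or from racoon: it parses that dump according to the ISAKMP/IKEv1 layouts (RFC 2408 header and SA/proposal/transform payloads, RFC 2409 attribute classes) and recovers the same fields as racoon's isakmp_printpacket line, including that the lifeduration value 5460 racoon prints is hex for 21600 seconds, i.e. the configured "lifetime time 6 hour".

```python
import struct

# ISAKMP phase 1 packet, copied from racoon's plogdump output in the post above
HEXDUMP = ("074dda08 a6707937 00000000 00000000 01100200 00000000 00000050 "
           "00000034 00000001 00000001 00000028 01010001 00000020 01010000 "
           "800b0001 800c5460 80010005 80030001 80020002 80040002")

# IKEv1 phase 1 attribute classes (RFC 2409 appendix A) and the values this packet uses
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group desc",
              11: "lifetype", 12: "lifeduration"}
ATTR_VALUES = {1: {5: "3des"}, 2: {2: "sha1"}, 3: {1: "preshared"},
               4: {2: "modp1024"}, 11: {1: "sec"}}


def parse_isakmp(hexdump):
    """Decode a main-mode first message: ISAKMP header + one SA/proposal/transform."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    # fixed 28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msgid, length
    icookie, rcookie, nextp, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != packet length {len(raw)}")
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": nextp,
           "version": f"{ver >> 4}.{ver & 0xf}", "exchange_type": exch, "flags": flags,
           "msgid": msgid, "length": length}
    # SA payload: generic payload header, then DOI and situation
    _, _, sa_len, doi, sit = struct.unpack("!BBHII", raw[28:40])
    # proposal payload: number, protocol id, SPI size, transform count
    _, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", raw[40:48])
    # transform payload header; the attributes fill the rest of its length
    _, _, t_len, t_num, t_id, _ = struct.unpack("!BBHBBH", raw[48:56])
    attrs, off, end = {}, 56, 48 + t_len
    while off < end:
        atype, aval = struct.unpack("!HH", raw[off:off + 4])
        if atype & 0x8000:      # TV form: high bit set, 16-bit value inline
            atype, value, off = atype & 0x7fff, aval, off + 4
        else:                   # TLV form: aval is the byte length of the value
            value = int.from_bytes(raw[off + 4:off + 4 + aval], "big")
            off += 4 + aval
        attrs[ATTR_NAMES.get(atype, atype)] = ATTR_VALUES.get(atype, {}).get(value, value)
    return {"header": hdr, "doi": doi, "situation": sit, "proposal": p_num, "protoid": proto,
            "spi_size": spi_size, "transforms": n_trans, "transform": t_num,
            "transform_id": t_id, "attrs": attrs}


if __name__ == "__main__":
    for key, val in parse_isakmp(HEXDUMP).items():
        print(f"{key}: {val}")
```

Exchange type 2 is Identity Protection (main mode) and a zero responder cookie marks this as the initiator's first message; the peer never answered it, which is why the dump and the resend lines repeat until the timer expires.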