IPSec troubles

From: Cyrill Rüttimann (ruettimac_at_mac.com)
Date: 03/29/04

    To: freebsd-net@freebsd.org
    Date: Mon, 29 Mar 2004 00:06:21 +0200
    
    

    Hello,

    I am having trouble setting up an IPSec host-to-host connection between
    FreeBSD 5.2.1 and MacOS X 10.3.3:

    Network Setup:

    Cable-Modem-->FreeBSD Box, 192.168.0.1-->Apple Airport Station running
    in Bridge Mode-->MacOS X Box, 192.168.0.10

    /etc/ipsec.conf (FreeBSD)

    spdadd 192.168.0.1/24 192.168.0.10/24 any -P out ipsec
    esp/transport/192.168.0.1-192.168.0.10/require;
    spdadd 192.168.0.10/24 192.168.0.1/24 any -P in ipsec
    esp/transport/192.168.0.10-192.168.0.1/require;

    /etc/ipsec.conf (MacOS X)

    spdadd 192.168.0.10/24 192.168.0.1/24 any -P out ipsec
    esp/transport/192.168.0.10-192.168.0.1/require;
    spdadd 192.168.0.1/24 192.168.0.10/24 any -P in ipsec
    esp/transport/192.168.0.1-192.168.0.10/require;

    /usr/local/etc/racoon/racoon.conf (FreeBSD)

    remote anonymous
    {
             #exchange_mode main,aggressive;
             exchange_mode aggressive,main;
             doi ipsec_doi;
             situation identity_only;

             #my_identifier address;
             my_identifier user_fqdn "root@ruettimac.ch";
             peers_identifier user_fqdn "root@ruettimac.ch";
             #certificate_type x509 "mycert" "mypriv";

             nonce_size 16;
             lifetime time 1 min; # sec,min,hour
             initial_contact on;
             support_mip6 on;
             proposal_check obey; # obey, strict or claim

             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key ;
                     dh_group 2 ;
             }
    }

    sainfo anonymous
    {
             pfs_group 1;
             lifetime time 30 sec;
             encryption_algorithm 3des ;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate ;
    }

    /etc/racoon/remote/anonymous.conf (MacOS X)

    remote anonymous
    {
             #exchange_mode main,aggressive;
             exchange_mode aggressive,main;
             doi ipsec_doi;
             situation identity_only;

             #my_identifier address;
             my_identifier user_fqdn "root@ruettimac.ch";
             peers_identifier user_fqdn "root@ruettimac.ch";
             #certificate_type x509 "mycert" "mypriv";

             nonce_size 16;
             lifetime time 1 min; # sec,min,hour
             initial_contact on;
             support_mip6 on;
             proposal_check obey; # obey, strict or claim

             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key ;
                     dh_group 2 ;
             }
    }

    sainfo anonymous
    {
             pfs_group 1;
             lifetime time 30 sec;
             encryption_algorithm 3des ;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate ;
    }

    /usr/local/etc/racoon/psk.txt (FreeBSD)

    192.168.0.1 7HdopoY72bNmewP
    192.168.0.10 7HdopoY72bNmewP

    /etc/racoon/psk.txt (MacOS X)

    192.168.0.1 7HdopoY72bNmewP
    192.168.0.10 7HdopoY72bNmewP

    Debug output (FreeBSD)

    Mar 28 22:55:54 protos racoon: DEBUG:
    algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:2379:pk_checkalg():
    compression algorithm can not be checked because sadb message doesn't
    support it.
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get
    pfkey X_SPDDUMP message
    Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get
    pfkey X_SPDDUMP message
    Mar 28 22:55:54 protos racoon: DEBUG: policy.c:184:cmpspidxstrict():
    sub:0xbfbfec40: 192.168.0.1/24[0] 192.168.0.10/24[0] proto=any dir=out
    Mar 28 22:55:54 protos racoon: DEBUG: policy.c:185:cmpspidxstrict(): db
    :0x80a2c08: 192.168.0.10/24[0] 192.168.0.1/24[0] proto=any dir=in
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:222:isakmp_handler():
    277 bytes message received from 192.168.0.10[500]
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
    Mar 28 22:57:11 protos racoon: DEBUG:
    isakmp.c:2246:isakmp_printpacket(): begin.
    Mar 28 22:57:11 protos racoon: DEBUG: remoteconf.c:129:getrmconf():
    anonymous configuration selected for 192.168.0.10[500].
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:887:isakmp_ph1begin_r():
    ===
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
    begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=1(sa)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=4(ke)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=10(nonce)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=5(id)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=13(vid)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
    succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
    received payload of type ke
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
    received payload of type nonce
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
    received payload of type id
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
    received payload of type vid
    Mar 28 22:57:11 protos racoon: DEBUG: vendorid.c:137:check_vendorid():
    received unknown Vendor ID
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1117:get_proppair():
    total SA len=48
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): 00000001
    00000001 00000028 01010001 00000020 01010000 800b0001 800c003c 80010005
    80030001 80020002 80040002
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
    begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=2(prop)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
    succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1170:get_proppair():
    proposal #1 len=40
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
    begin.
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
    seen nptype=3(trns)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
    succeed.
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1311:get_transform():
    transform #1 len=32
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Life Type, flag=0x8000,
    lorv=seconds
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Life Duration, flag=0x8000,
    lorv=60
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm,
    flag=0x8000, lorv=3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG:
    algorithm.c:386:alg_oakley_encdef(): encription(3des)
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Authentication Method,
    flag=0x8000, lorv=pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000,
    lorv=SHA
    Mar 28 22:57:11 protos racoon: DEBUG:
    algorithm.c:256:alg_oakley_hashdef(): hash(sha1)
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description,
    flag=0x8000, lorv=1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG:
    algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1213:get_proppair():
    pair 1:
    Mar 28 22:57:11 protos racoon: DEBUG: proposal.c:895:print_proppair0():
      0x80a8dc0: next=0x0 tnext=0x0
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1248:get_proppair():
    proposal #1: 1 transform
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:322:get_ph1approvalx(): prop#=1, prot-id=ISAKMP,
    spi-size=0, #trns=1
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Life Type, flag=0x8000, lorv=seconds
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Life Duration, flag=0x8000, lorv=60
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Authentication Method, flag=0x8000, lorv=pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Hash Algorithm, flag=0x8000, lorv=SHA
    Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
    type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 60:60)
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0)
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0)
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:SHA
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared
    key:pre-shared key
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP
    group:1024-bit MODP group
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:248:get_ph1approval(): an acceptable proposal found.
    Mar 28 22:57:11 protos racoon: DEBUG:
    algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
    Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1994:isakmp_newcookie():
    new cookie: 0ad0e291b31fe9c0
    Mar 28 22:57:11 protos racoon: DEBUG:
    ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of User_FQDN
    Mar 28 22:57:11 protos racoon: DEBUG:
    oakley.c:300:oakley_dh_generate(): compute DH's private.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
    Mar 28 22:57:11 protos racoon: DEBUG:
    oakley.c:302:oakley_dh_generate(): compute DH's public.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
    Mar 28 22:57:11 protos racoon: DEBUG: oakley.c:250:oakley_dh_compute():
    compute DH's shared.
    Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
    Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
    Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:222:isakmp_handler():
    277 bytes message received from 192.168.0.10[500]
    Mar 28 22:57:21 protos racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]

    Debug output (MacOS X)

    Mar 28 23:05:24 localhost racoon: INFO:
    isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.
    Mar 28 23:05:53 localhost racoon: ERROR:
    isakmp.c:1694:isakmp_ph1resend(): phase1 negotiation failed due to time
    up. 4445e17f3009917d:0000000000000000
    Mar 28 23:06:13 localhost racoon: INFO:
    isakmp.c:1941:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1
    queued due to no phase1 found.
    Mar 28 23:06:13 localhost racoon: INFO:
    isakmp.c:994:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
    192.168.0.10[500]<=>192.168.0.1[500]
    Mar 28 23:06:13 localhost racoon: INFO:
    isakmp.c:999:isakmp_ph1begin_i(): begin Aggressive mode.
    Mar 28 23:06:44 localhost racoon: ERROR:
    isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to
    time up waiting for phase1. ESP 192.168.0.1->192.168.0.10
    Mar 28 23:06:44 localhost racoon: INFO:
    isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.

    Something wrong with the setup?
    Maybe incompatible versions of racoon (tip found in a FreeBSD
    mailing list)?
    racoon-20040116a <-----> racoon-20040114 (Big Endian)

    Thanks for any help!

    Cyrill

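Added example, not part of the original post: a small decoder for the ISAKMP message that the FreeBSD log reports as "277 bytes message received" and then walks as "seen nptype=1(sa) ... 13(vid)". It parses the RFC 2408 header and the payload chain the same way racoon's isakmp_parsewoh() does, and extracts the USER_FQDN identity from the ID payload. The message bytes below are constructed to match the layout of that packet (SA, KE, NONCE, ID, VID; aggressive mode; 277 bytes) with zero-filled key and nonce material; the cookie value is made up.

```python
import struct

# ISAKMP fixed header (28 bytes) and generic payload header (4 bytes), per RFC 2408.
HDR = struct.Struct("!8s8sBBBBII")   # i-cookie, r-cookie, next, version, exchange, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")  # next payload, reserved, payload length (incl. this header)

PAYLOAD_NAMES = {1: "sa", 2: "prop", 3: "trns", 4: "ke", 5: "id", 10: "nonce", 13: "vid"}
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN"}

def parse_isakmp(msg: bytes) -> dict:
    """Decode the header and walk the payload chain, as racoon's isakmp_parsewoh() does."""
    icky, rcky, nxt, ver, exch, flags, msgid, length = HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError(f"header length {length} != message length {len(msg)}")
    payloads = []
    off = HDR.size
    while nxt != 0:
        ptype = nxt
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = msg[off + PAYLOAD_HDR.size:off + plen]
        entry = {"type": PAYLOAD_NAMES.get(ptype, str(ptype)), "len": plen}
        if ptype == 5:  # ID payload: id-type, protocol id, port, then identification data
            entry["id_type"] = ID_TYPES.get(body[0], str(body[0]))
            entry["id"] = body[4:].decode("ascii", "replace")
        payloads.append(entry)
        off += plen
    return {"exchange": EXCHANGE_NAMES.get(exch, str(exch)), "version": ver,
            "responder_cookie": rcky.hex(), "msgid": msgid, "length": length,
            "payloads": payloads}

def build_payload(next_type: int, body: bytes) -> bytes:
    return PAYLOAD_HDR.pack(next_type, 0, PAYLOAD_HDR.size + len(body)) + body

# Constructed sample: first aggressive-mode message with the same payload order and
# sizes as the one in the log; key/nonce bytes are zeros, not real crypto material.
SAMPLE_BODY = (build_payload(4, b"\x00" * 48)        # SA    (next = KE),    52 bytes
               + build_payload(10, b"\x00" * 128)    # KE    (next = NONCE), 132 bytes
               + build_payload(5, b"\x00" * 16)      # NONCE (next = ID),    20 bytes
               + build_payload(13, b"\x03\x00\x00\x00" + b"root@ruettimac.ch")  # ID, 25 bytes
               + build_payload(0, b"\x00" * 16))     # VID   (last),         20 bytes
SAMPLE_MSG = HDR.pack(bytes(range(8)), b"\x00" * 8, 1, 0x10, 4, 0, 0,
                      HDR.size + len(SAMPLE_BODY)) + SAMPLE_BODY  # 277 bytes

if __name__ == "__main__":
    print(parse_isakmp(SAMPLE_MSG))
```

Two things worth reading off such a decode: in aggressive mode the ID payload (here the user_fqdn) travels in the clear in the very first message, and an identical first message arriving again with an all-zero responder cookie, as at 22:57:21 in the log, is the initiator retransmitting because it never received a reply.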

