Racoon(8) Deleting SPD Entries

From: emilio mastriani (emilio.mastriani_at_comunicando.biz)
Date: 03/29/05

    To: <freebsd-net@freebsd.org>
    Date: Tue, 29 Mar 2005 16:08:28 +0200
    
    

    Hi,
    I have a similar problem.
    I'm using native kernel 2.6.9-1.667 in Fedora Core 3 and ipsec-tools-0.3.3-5.6.
    My peer (84.222.18.181) is a ZyXEL series 600 and I'm NATed behind a router of the same kind.
    The network is:

    Ipsec-server (fc3)     zyxel/NAT                      internet     zyxel ipsec                       ipsec client
    192.168.0.71 --------- 192.168.0.1/80.19.213.28 ----- ........ --- 84.222.18.181/192.168.254.254 --- 192.168.254.123
     
    The dialog starts and the connection is established, but I can't ping,
    and after 360 sec it goes down.
     
    The ipsec.conf:
    #!/usr/bin/setkey -f
     
    # configuration for 192.168.0.71
     
    # flush the SAD and the SPD
    flush;
    spdflush;
     
    #security policy
    spdadd 192.168.0.71 192.168.254.123 any -P out ipsec
    esp/tunnel/80.19.213.28-84.222.18.181/require;
    spdadd 192.168.254.123 192.168.0.71 any -P in ipsec
    esp/tunnel/84.222.18.181-80.19.213.28/require;
     
    The racoon.conf
     
    # Racoon IKE daemon configuration file.
    # See 'man racoon.conf' for a description of the format and entries.
     
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
     
    log debug3;
     
    padding
    {
            maximum_length 20; # maximum padding length.
            randomize off; # enable randomize length.
            strict_check off; # enable strict check.
            exclusive_tail off; # extract last one octet.
    }
     
    listen
    {
            #isakmp ::1 [7000];
            isakmp 192.168.0.71 [500];
            isakmp_natt 192.168.0.71 [4500];
            #admin [7002]; #administrative's port by kmpstat
            strict_address; #required all addresses must be found
    }
     
    #specification of default various timer
    timer
    {
            #these values can be changed per remote node
            counter 5; #maximum trying count to send
            interval 20 sec; #maximum interval to resend
            persend 1; #the number of packets per a send
     
            #timer for a waiting to complete each phase
            phase1 180 sec;
            phase2 360 sec;
    }
     
    remote anonymous
    {
            exchange_mode main;
            lifetime time 28800 sec; #sec,min,hour
            nat_traversal on;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 1;
            }
    }
     
    sainfo anonymous
    {
                    lifetime time 28800 sec;
                    encryption_algorithm 3des;
                    authentication_algorithm hmac_md5;
                    compression_algorithm deflate;
    }
     
     
    psk.txt is correctly set ;-)
     
     
    The racoon_start.sh
    #!/bin/sh
    /sbin/setkey -FP                    # flush the SPD
    sleep 1
    /sbin/setkey -F                     # flush the SAD
    sleep 1
    /sbin/setkey -f /etc/ipsec.conf     # load the policies from ipsec.conf above
    sleep 1
    /sbin/setkey -DP                    # dump the SPD to check what was loaded
    sleep 1
    killall racoon
    sleep 1
    /usr/sbin/racoon -d -f /etc/racoon/racoon.conf   # restart racoon with debugging raised
     
    The short trace :
    Mar 29 15:36:12 laptopemy kernel: device eth0 left promiscuous mode
    Mar 29 15:36:14 laptopemy kernel: eth0: Promiscuous mode enabled.
    Mar 29 15:36:14 laptopemy kernel: device eth0 entered promiscuous mode
    Mar 29 15:36:47 laptopemy kernel: device eth0 left promiscuous mode
    Mar 29 15:36:52 laptopemy kernel: eth0: Promiscuous mode enabled.
    Mar 29 15:36:52 laptopemy kernel: device eth0 entered promiscuous mode
    Mar 29 15:37:58 laptopemy kernel: device eth0 left promiscuous mode
    Mar 29 15:38:08 laptopemy kernel: eth0: Promiscuous mode enabled.
    Mar 29 15:38:08 laptopemy kernel: device eth0 entered promiscuous mode
    Mar 29 15:48:07 laptopemy racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
    Mar 29 15:48:07 laptopemy racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
    Mar 29 15:48:08 laptopemy racoon: WARNING: /etc/racoon/racoon.conf:9: "debug3" it is osboleted. use "debug2"
    Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used as isakmp port (fd=8)
    Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used for NAT-T
    Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[500] used as isakmp port (fd=9)
    Mar 29 15:48:24 laptopemy racoon: INFO: IPsec-SA request for 84.222.18.181 queued due to no phase1 found.
    Mar 29 15:48:24 laptopemy racoon: INFO: initiate new phase 1 negotiation: 80.19.213.28[500]<=>84.222.18.181[500]
    Mar 29 15:48:24 laptopemy racoon: INFO: begin Identity Protection mode.
    Mar 29 15:48:48 laptopemy racoon: INFO: ISAKMP-SA established 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
    Mar 29 15:48:48 laptopemy racoon: INFO: initiate new phase 2 negotiation: 80.19.213.28[0]<=>84.222.18.181[0]
    Mar 29 15:48:51 laptopemy racoon: WARNING: attribute has been modified.
    Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
    Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
    Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
    Mar 29 15:50:28 laptopemy racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=5751c3384413cdd1:32fa62bc06fe123c.
    Mar 29 15:50:29 laptopemy racoon: INFO: ISAKMP-SA deleted 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
     
    Any idea?
    I don’t know how to continue.
     
    Thanks for all.
     
     
    Dott. Emilio Mastriani
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
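One way to read a trace like the one in the post from the operator's side: correlate racoon's "IPsec-SA established" and "purged IPsec-SA" lines by SPI and compare how long each ESP SA actually lived against the 28800 sec lifetime configured in sainfo. This is an added example, not code from the post or from ipsec-tools; the log lines are copied from the trace above, and the year (syslog omits it) is an assumption.

```python
import re
from datetime import datetime

# Racoon syslog lines copied from the trace in the post above (syslog omits the year; 2005 assumed).
TRACE = """\
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: INFO: "
ESTABLISHED = re.compile(STAMP + r"IPsec-SA established: (\S+) ([\d.]+)->([\d.]+) spi=(\d+)")
PURGED = re.compile(STAMP + r"purged IPsec-SA proto_id=(\w+) spi=(\d+)\.")

def _stamp(text, year=2005):
    # syslog does not record the year, so it has to be supplied (assumption: 2005).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def sa_lifetimes(trace, configured_lifetime=28800):
    """Correlate 'established' and 'purged' lines by SPI. Returns {spi: record}, where
    record["seconds"] is how long the SA lived (None if never purged in the trace) and
    record["premature"] is True when it died before the lifetime configured in sainfo."""
    sas = {}
    for line in trace.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            ts, mode, src, dst, spi = m.groups()
            sas[int(spi)] = {"mode": mode, "src": src, "dst": dst, "up": _stamp(ts),
                             "down": None, "seconds": None, "premature": False}
            continue
        m = PURGED.match(line)
        if m:
            ts, _proto, spi = m.groups()
            rec = sas.get(int(spi))
            if rec is None:
                continue  # purge for an SA whose establishment is outside the trace
            rec["down"] = _stamp(ts)
            rec["seconds"] = int((rec["down"] - rec["up"]).total_seconds())
            rec["premature"] = rec["seconds"] < configured_lifetime
    return sas

def premature_sas(trace, configured_lifetime=28800):
    # SPIs torn down early: the ones to investigate (rekey, DPD, delete from the peer).
    return sorted(spi for spi, r in sa_lifetimes(trace, configured_lifetime).items() if r["premature"])

if __name__ == "__main__":
    for spi, r in sa_lifetimes(TRACE).items():
        print(f"spi={spi} {r['src']}->{r['dst']} lived {r['seconds']} s, premature={r['premature']}")
```

On the post's trace this reports the outbound SA (spi 3612357826) living 95 seconds against a 28800 sec lifetime, while the inbound SA (spi 113195563) is never purged at all, which narrows the question to why the outbound SA is dropped.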

