ipsec-tools 0.6.6 problem



Hello list & Yvan.

This is my second post regarding the one from:
http://osdir.com/ml/freebsd-net@xxxxxxxxxxx/msg20572.html

Sorry for not replying, but my email provider simply sucks.

Here's more info.

--------------------------------- racoon.conf
path include "/usr/local/etc/racoon";

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

path certificate "/usr/local/etc/racoon/cert";

log debug;

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
#isakmp ::1 [7000];
isakmp 89.217.11.250 [500];
isakmp 10.0.5.1 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}

timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 2 sec; # maximum interval to resend.
persend 1; # the number of packets per send.

# maximum time to wait for completing each phase.
phase1 60 sec;
phase2 15 sec;
}
remote anonymous {
exchange_mode aggressive,main,base;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous {
lifetime time 12 hour ;
encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc,
rijndael, blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate ;
}

-----

kernel config:
machine i386
cpu I686_CPU
ident TUNED
maxusers 512

makeoptions COPTFLAGS="-O2 -pipe"

# FIREWALL and TrafficShaper
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFW2
options IPDIVERT
options DUMMYNET

options DEVICE_POLLING
options HZ=2000

options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options MFS #Memory Filesystem
#options MD_ROOT #MD is a potential root device
#options NFS #Network Filesystem
#options NFS_ROOT #NFS usable as root device, NFS required
#options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
...skipping...
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
#pseudo-device ppp 1 # Kernel PPP
#pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
pseudo-device gif # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter

# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device usb # USB Bus (required)
#device ugen # Generic
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device uscanner # Scanners
#device urio # Diamond Rio MP3 Player
## USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernet
#
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)

#options DISABLE_PSE

# Quota
options QUOTA #enable disk quotas


options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)

----------------------------------------------------------------------------------------


----uname -a
FreeBSD wall.s93l.pl 4.11-STABLE FreeBSD 4.11-STABLE #5: Sat Nov 18
09:14:30 CET 2006 root@xxxxxxxxxxxx:/usr/obj/usr/src/sys/TUNED
i386

--- /var/log/racoon.log
2006-12-28 17:30:49: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
2006-12-28 17:30:49: INFO: @(#)This product linked OpenSSL 0.9.7d-p1
17 Mar 2004 (http://www.openssl.org/)
2006-12-28 17:30:49: DEBUG: hmac(modp1024)
2006-12-28 17:30:49: DEBUG: compression algorithm can not be checked
because sadb message doesn't support it.
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0]
0.0.0.0/0[0] proto=any dir=in
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
and so on... infinite loop with 'caught rtm:2, need update interface
address list'.
---------------------------------------

I was trying to establish a VPN connection with a Win XP host; now I'm trying
with an asmax br-604G.

There are 2 setkey commands now (/usr/sbin/ & /usr/local/sbin);
can I use both?

Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
after running setkey.

Let me know if you need more info,

--
Robert
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
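Added example (not part of Robert's post and not ipsec-tools code): a small Python checker that parses the `remote` and `sainfo` blocks of the racoon.conf quoted above and reports the proposal settings a reviewer would flag. The copy of the config embedded in the script is taken from the post; the parser is a simplified one that understands only `name { key values ; }` blocks and `#` comments, which is enough for this file but not for every racoon.conf construct.

```python
import re

# Constructed sample: the "remote" and "sainfo" sections copied from the
# racoon.conf in the post above. The other sections are omitted.
SAMPLE_CONF = """
remote anonymous {
exchange_mode aggressive,main,base;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous {
lifetime time 12 hour ;
encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc,
rijndael, blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate ;
}
"""

# Phase 2 algorithms that should not be offered at all: the peer may pick
# any entry in the list, so one weak entry weakens the whole offer.
WEAK_ENCRYPTION = {"des", "des_iv64", "des_iv32", "null_enc"}
WEAK_AUTH = {"hmac_md5"}


def strip_comments(text):
    """Drop '# ...' comments, which racoon.conf allows anywhere on a line."""
    return re.sub(r"#.*", "", text)


def parse_blocks(text):
    """Parse 'name ... { key values ; }' blocks into {name: {key: [values]}}.

    Nested blocks ('proposal { ... }' inside 'remote') are flattened into
    the enclosing top-level block, and comma-separated values are split.
    Top-level statements outside any block (e.g. 'path ...;') are ignored.
    """
    blocks = {}
    stack = []   # names of the blocks currently open, outermost first
    buf = ""     # characters seen since the last '{', '}' or ';'
    for ch in strip_comments(text):
        if ch == "{":
            header = buf.split()
            stack.append(header[0] if header else "?")
            blocks.setdefault(stack[0], {})
            buf = ""
        elif ch == "}":
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            words = buf.replace(",", " ").split()
            if words and stack:
                blocks[stack[0]].setdefault(words[0], []).extend(words[1:])
            buf = ""
        else:
            buf += ch
    return blocks


def audit(blocks):
    """Return a list of findings about the parsed remote/sainfo blocks."""
    findings = []
    remote = blocks.get("remote", {})
    sainfo = blocks.get("sainfo", {})
    # In aggressive mode the PSK-derived authentication hash is exchanged
    # before any encryption is in place, so it can be captured and guessed
    # offline; main mode protects it.
    if ("aggressive" in remote.get("exchange_mode", [])
            and "pre_shared_key" in remote.get("authentication_method", [])):
        findings.append("remote: aggressive mode with pre_shared_key sends the "
                        "PSK-derived hash unencrypted (offline guessing risk)")
    for alg in sainfo.get("encryption_algorithm", []):
        if alg in WEAK_ENCRYPTION:
            findings.append(f"sainfo: weak encryption_algorithm offered: {alg}")
    for alg in sainfo.get("authentication_algorithm", []):
        if alg in WEAK_AUTH:
            findings.append(f"sainfo: weak authentication_algorithm offered: {alg}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_blocks(SAMPLE_CONF)):
        print(finding)
```

Run against the quoted config it reports six findings: the aggressive-mode/PSK combination in `remote`, the four single-DES and null-encryption entries in the `sainfo` offer, and `hmac_md5`. Dropping those entries from the lists (and `aggressive` from `exchange_mode`) makes the report empty without changing what the peer in the post would negotiate if it supports 3des/sha1.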


