Re: ipsec-tools 0.6.6 problem
- From: VANHULLEBUS Yvan <vanhu_bsd@xxxxxxxxxx>
- Date: Sat, 30 Dec 2006 16:28:59 +0100
On Thu, Dec 28, 2006 at 05:51:42PM +0100, Robert Usle wrote:
Hello list & Yvan.
Hi.
[...]
listen
{
#isakmp ::1 [7000];
isakmp 89.217.11.250 [500];
isakmp 10.0.5.1 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
Those addresses don't match the ifconfig output you sent in your
previous mail, is that normal?
[....]
remote anonymous {
exchange_mode aggressive,main,base;
This is quite an ugly config (I fear it comes from ipsec-tools
examples....), but it is not related to your problem.
[....]
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0] 192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0] 0.0.0.0/0[0] proto=any dir=in
Could you also give us the output of "setkey -D -P"?
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
and so on..... infinite loop with 'caught rtm:2, need update interface
address list'
Strange. The most common reason for an interface update is
entering/leaving promiscuous mode, or changing IP configuration, but I
guess you don't do that many times per second....
Just to be sure: do you have strange messages on console related to IP
configuration?
[...]
There are 2 setkey commands now, (/usr/sbin/ & /usr/local/sbin)
can I use both ?
For very basic usage, yes, but as you are using ipsec-tools' racoon,
it is better to also use ipsec-tools' setkey, which is the
/usr/local/sbin one.
Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
after running setkey
?
Are you sure your kernel has been correctly compiled/installed ???
Yvan.
--
NETASQ
http://www.netasq.com