RE: Racoon IPSEC issues

From: Colin Legendre (sudz@ns3g.com)
Date: 10/19/01


From: "Colin Legendre" <sudz@ns3g.com>
To: <sudz@ns3g.com>, <anderson@centtech.com>, <freebsd-security@FreeBSD.ORG>
Date: Fri, 19 Oct 2001 14:15:40 -0400


What version of racoon are you running?

Colin Legendre CCNA, MCP
sudz@ns3g.com
http://www.ns3g.com

-----Original Message-----
From: Colin Legendre [mailto:sudz@ns3g.com]
Sent: Friday, October 19, 2001 1:49 PM
To: anderson@centtech.com; freebsd-security@FreeBSD.ORG
Subject: RE: Racoon IPSEC issues

I started having this problem with a win2k-freebsd4.4 setup. It was working
fine until I upgraded racoon from 20010831a to 20011016a; then this problem
started.

BTW any idea how to roll back to racoon 20010831a?

Colin Legendre CCNA, MCP
sudz@ns3g.com
http://www.ns3g.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Eric Anderson
Sent: Thursday, September 06, 2001 10:03 AM
To: freebsd-security@FreeBSD.ORG
Subject: Racoon IPSEC issues

Ok, I have been setting up VPNs using IPSEC tunnel mode (ESP) with
Racoon on FreeBSD 4.2 for some time now. I have 4 currently running
just fine, and the 3 newest VPNs don't work. It appears as though the
Racoons aren't talking to each other correctly. I have 1 VPN "server"
that all the clients connect to, and the clients are small machines
running from compact flash cards (a stripped down 30Mb freebsd 4.2
setup). I use the GIF interfaces to connect the VPNs together.
gif0, 1, 3 and 4 are connected to VPNs that are up and running. Not that the
gifs have anything to do with it, just extra info. Is there something
I'm missing? I have tried configuring the non-working boxes just like
the working ones, etc. I'm out of ideas!

Here are some blurbs from my logs on the vpn "server" box:

2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy():
not supported nested SA. Ignore.
2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy():
There is a difference between the in/out bound policies.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed
to create saprop.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed
to get proposal for responder.
2001-09-06 08:51:55: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to
pre-process packet.
2001-09-06 08:52:00: INFO: isakmp.c:1618:isakmp_post_acquire(): request
for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:19: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde
new phase 1 negotiation: xx.yy.zz.60[500]<=>xx.yy.zz.128[500]
2001-09-06 08:52:19: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin
Aggressive mode.
2001-09-06 08:52:20: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA
established xx.yy.zz.60[500]-xx.yy.zz.128[500] spi:9c0e0730a89724fc:3
4e869a34c12cf49
2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy():
not supported nested SA. Ignore.
2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy():
There is a difference between the in/out bound policies.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed
to create saprop.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed
to get proposal for responder.
2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to
pre-process packet.
2001-09-06 08:52:32: INFO: isakmp.c:1618:isakmp_post_acquire(): request
for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:32: ERROR: isakmp.c:1676:isakmp_chkph1there(): phase1
negotiation failed due to time up.
2001-09-06 08:52:32: INFO: isakmp.c:1678:isakmp_chkph1there(): delete
phase 2 handler.

Help please!

--
-------------------------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
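A small triage helper for the racoon log excerpt above, added here as an example (it is not code from the thread or from racoon itself): it re-joins the lines the mail client wrapped, groups records by phase-2 negotiation, and attaches a "what to check" hint to the two proposal.c errors. The hint text is my reading of racoon's policy handling (it builds the phase-2 proposal from the kernel SPD and expects a matching in/out policy pair), which the thread does not state; treat it as an assumption.

```python
import re

# Constructed sample: racoon records copied from the post above, rewrapped as the mail client did.
SAMPLE_LOG = """\
2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy():
not supported nested SA. Ignore.
2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy():
There is a difference between the in/out bound policies.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed
to create saprop.
2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to
pre-process packet.
"""

# Record layout: "timestamp: LEVEL: file.c:line:function(): message"
RECORD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): ([\w.]+):(\d+):(\w+)\(\):\s?(.*)$")
PEERS_RE = re.compile(r"([^\s\[]+)\[\d+\]<=>([^\s\[]+)\[\d+\]")

# Hints for the two proposal.c errors in the post. Assumption (my reading of racoon): it derives
# the phase-2 proposal from the SPD and wants one 'in' and one 'out' policy that mirror each other.
HINTS = {
    "not supported nested SA": "policy has more than one ipsec request; racoon negotiates one SA per policy",
    "difference between the in/out bound policies": "in/out SPD entries do not mirror; compare them with 'setkey -DP'",
}

def unwrap(text):
    """Re-join continuation lines (no leading timestamp) onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def triage(text):
    """Group records into phase-2 negotiations; return those that logged errors."""
    negotiations, current = [], None
    for rec in unwrap(text):
        ts, level, _src, _line, func, msg = RECORD_RE.match(rec).groups()
        if level == "INFO" and func == "isakmp_ph2begin_r":
            peers = PEERS_RE.search(msg)
            current = {"time": ts, "peers": peers.groups() if peers else None,
                       "errors": [], "causes": []}
            negotiations.append(current)
        elif level == "ERROR" and current is not None:
            current["errors"].append(msg.strip())
            current["causes"] += [h for k, h in HINTS.items() if k in msg]
    return [n for n in negotiations if n["errors"]]
```

Run it against a real racoon log and each failed phase-2 negotiation comes back with the peer pair, the raw errors and, where the error is one of the two from the post, the hint.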