racoon and weirdness....
From: Trish Lynch (trish@egobsd.org)
Date: 07/29/02
- Next message: Matthew Grooms: "Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ..."
- Previous message: Joel Ray Holveck: "Re: SSH issue"
- Next in thread: Duncan Patton a Campbell is Dhu: "Re: racoon and weirdness...."
- Reply: Duncan Patton a Campbell is Dhu: "Re: racoon and weirdness...."
- Reply: Shoichi Sakane: "Re: racoon and weirdness...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Jul 2002 10:46:30 -0400 (EDT)
From: Trish Lynch <trish@egobsd.org>
To: <freebsd-security@freebsd.org>
I'm working on setting up IPSEC tunnels between a
KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
What is happening with the one tunnel is this:
after a couple of days, it times out, and neither side can reestablish
traffic between them; the log in /var/log/daemon for racoon tells me the tunnel
*is* established, but I can't ping through it. If I restart racoon, it all
starts working fine again.
The second issue is a second machine, with a cut/pasted config into
racoon.conf, with simply the endpoints changed, does not work at all.
I can ping the external interface of the Ravlin, but it doesn't even
*begin* phase 1.
Here is the racoon.conf:

remote ravlin-ext-ip [500]
{
        exchange_mode main,aggressive;
        my_identifier address my-ext-ip;
        peers_identifier address ravlin-ext-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

remote ravlin-int-ip [500]
{
        exchange_mode main,aggressive;
        my_identifier address my-int-ip;
        peers_identifier address ravlin-int-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address my-ext-ip/32[0] any address ravlin-ext-ip/32[0] any
{
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
}

sainfo address my-int-net/23[0] any address ravlin-int-net/24[0] any
{
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
}
The gif interface is set up as such (BSD2 == my machine, BSD5 == Ravlin):

$IFCONFIG $GIF3 plumb
$IFCONFIG $GIF3 mtu 1500
$IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK

/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
        esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
        esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
EOF
Anyone wanna hit me with a cluebat?
-Trish
--
Trish Lynch                                    trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C  7730 4606 3618 B74A 2493
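Added example (not part of the post above, and not racoon's own tooling): a small parser that reads the "remote" blocks of a racoon.conf, flattens each block's settings and nested "proposal", and reports every setting that differs between two peers apart from the endpoint identifiers. It is the check to run when a config was "cut/pasted with simply the endpoints changed" and phase 1 never starts, because it shows exactly which phase-1 parameters actually drifted. The embedded configuration is a constructed copy of the two remote blocks from the post, with its placeholder names (ravlin-ext-ip, my-int-ip, and so on) kept as written.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two "remote" blocks quoted in the post, placeholders kept as-is.
RACOON_CONF = """
remote ravlin-ext-ip [500]
{
        exchange_mode main,aggressive;
        my_identifier address my-ext-ip;
        peers_identifier address ravlin-ext-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}
remote ravlin-int-ip [500]
{
        exchange_mode main,aggressive;
        my_identifier address my-int-ip;
        peers_identifier address ravlin-int-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
"""

# Settings that are expected to differ between peers and so are excluded from the drift report.
ENDPOINT_KEYS = {"my_identifier", "peers_identifier"}


def _block_body(text: str, start: int) -> Tuple[str, int]:
    """Given the index of an opening '{', return (inner text, index just past the matching '}')."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces in racoon.conf")


def _settings(body: str, prefix: str = "") -> Dict[str, str]:
    """Split 'key value ;' statements into a dict, normalising stray whitespace."""
    out: Dict[str, str] = {}
    for stmt in body.split(";"):
        parts = stmt.split(None, 1)
        if not parts:
            continue
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        out[prefix + parts[0]] = value
    return out


def parse_remote_blocks(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {peer: {setting: value}}; proposal settings are prefixed with 'proposal.'."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before tokenising
    blocks: Dict[str, Dict[str, str]] = {}
    for m in re.finditer(r"\bremote\s+(\S+)\s*(\[\d+\])?\s*\{", conf):
        peer = m.group(1)
        body, _ = _block_body(conf, m.end() - 1)
        settings: Dict[str, str] = {}
        # Pull nested proposal blocks out first so the flat ';' split below stays safe.
        while True:
            p = re.search(r"\bproposal\s*\{", body)
            if not p:
                break
            pbody, end = _block_body(body, p.end() - 1)
            settings.update(_settings(pbody, "proposal."))
            body = body[:p.start()] + body[end:]
        settings.update(_settings(body))
        blocks[peer] = settings
    return blocks


def config_drift(blocks: Dict[str, Dict[str, str]], a: str, b: str) -> List[Tuple[str, str, str]]:
    """Settings whose values differ between peers a and b, ignoring endpoint identifiers."""
    sa, sb = blocks[a], blocks[b]
    drift = []
    for key in sorted(set(sa) | set(sb)):
        if key in ENDPOINT_KEYS:
            continue
        if sa.get(key) != sb.get(key):
            drift.append((key, sa.get(key, "<missing>"), sb.get(key, "<missing>")))
    return drift


if __name__ == "__main__":
    parsed = parse_remote_blocks(RACOON_CONF)
    for key, left, right in config_drift(parsed, "ravlin-ext-ip", "ravlin-int-ip"):
        print(f"{key}: ravlin-ext-ip={left!r} ravlin-int-ip={right!r}")
```

Run it against a real racoon.conf by reading the file into RACOON_CONF; the report for the blocks above lists the hash algorithm and DH group as the two settings that differ, which is what a phase-1 proposal on the other side has to match before the exchange can begin.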