Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...

From: Matthew Grooms (mgrooms@seton.org)
Date: 07/29/02


Date: Mon, 29 Jul 2002 14:49:22 -0500
From: "Matthew Grooms" <mgrooms@seton.org>
To: <dlavigne6@cogeco.ca>, <freebsd-questions@FreeBSD.org>, <freebsd-security@FreeBSD.org>

Ok, I'm a moron. I was trying to use the gif driver when I shouldn't
have. As soon as I changed the setkey parameters to a non-tunnel device
config it started negotiating.

i.e.:

# delete all existing SPD and SAD entries
setkey -FP
setkey -F
setkey -c << EOF

spdadd 10.22.200.0/24 10.20.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.21.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.23.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;

spdadd 10.20.0.0/16 10.22.200.0/24 any -P in ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.21.0.0/16 10.22.200.0/24 any -P in ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.23.0.0/16 10.22.200.0/24 any -P in ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;

EOF

When the connection is initiated from the bsd side, traffic passes
through the vpn1 box, encrypted and routed to the remote host without
a problem. Unfortunately, the response from the remote host gets caught
up on the return trip. I am guessing this is because the bsd and vpn1
box agree on an outbound (from the bsd box's perspective) proposal but
cannot agree on an inbound proposal. The checkpoint error logs say
'encryption failure : no response from peer'. However, here is some
tcpdump output that shows bi-directional communications. I'm not sure how
to interpret this. Any ideas anyone?

tcpdump: listening on eth0
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 1 R agg: [|sa]
14:36:17.284486 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.387671 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.487667 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:21.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:21.939733 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:23.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:23.902725 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:25.817695 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:25.887740 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:27.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:27.893544 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:29.817750 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:29.904151 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:33.817767 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:33.891523 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:37.817766 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:37.897711 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:41.817772 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:41.894646 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:45.817771 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:45.891121 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:49.817775 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:49.883577 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]

-Matthew
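As an added illustration (not part of the original message, and not code from racoon, setkey or tcpdump), the Python script below re-joins the mailer-wrapped tcpdump lines from the message above and classifies the IKE exchange: phase 1 aggressive mode completes (initiator and responder both seen), but every phase 2 Quick Mode attempt from 65.118.63.252 is answered only by an encrypted Informational exchange from 66.90.146.202 and then retransmitted, which is the pattern of a responder rejecting the phase 2 proposal or its identities. The sample is constructed from the first packets of that capture; the field and verdict names are my own.

```python
import re
from collections import Counter

# Constructed sample: the first packets of the tcpdump output quoted above, with the mailer's wrapping kept.
SAMPLE = """\
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 1 R agg: [|sa]
14:36:17.284486 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
REC = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)\.isakmp > (?P<dst>[\d.]+)\.isakmp: "
                 r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[a-z-]+)")

def parse(text):
    """Re-join wrapped packets, then extract peer, phase, role and exchange type."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line.rstrip())
        elif records:  # continuation of the previous packet
            records[-1] += " " + line.strip()
    return [m.groupdict() for m in map(REC.match, records) if m]

def diagnose(text):
    pk = parse(text)
    p1_resp = any(p["phase"] == "1" and p["role"] == "R" for p in pk)
    qm = Counter(p["role"] for p in pk if p["exch"] == "oakley-quick")
    inf = sum(1 for p in pk if p["exch"] == "inf")
    if not p1_resp:
        verdict = "phase1_no_response"
    elif qm["I"] and not qm["R"] and inf:
        # Only Informational replies to Quick Mode, then retransmits: the responder rejects phase 2.
        verdict = "phase2_rejected"
    else:
        verdict = "negotiated" if qm["R"] else "no_phase2_seen"
    return {"phase1_responded": p1_resp, "qm_initiations": qm["I"],
            "qm_responses": qm["R"], "informational": inf, "verdict": verdict}
```

Because the Informational payload is encrypted ([E]), tcpdump cannot show which notification was sent; racoon's own log on the responder side (66.90.146.202 here) records why it rejected the proposal.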
