IPsec tunnel between XP and FreeBSD
From: Y S (sunny_mcl@yahoo.com)
Date: 08/27/02
- Next message: Peter C. Lai: "Re: List administrivia, was: Re: I Finally got It 2096"
- Previous message: Pat Lashley: "Re: Administrivia: Discussion - Making this list subscriber-only"
- In reply to: Jeremy Suo-Anttila: "Linux_Base marked as forbidden. Anyone know when this will be resolved?"
- Next in thread: Bill Fumerola: "Re: IPsec tunnel between XP and FreeBSD"
- Reply: Bill Fumerola: "Re: IPsec tunnel between XP and FreeBSD"
Date: Tue, 27 Aug 2002 11:58:16 -0700 (PDT) From: Y S <sunny_mcl@yahoo.com> To: freebsd-security@FreeBSD.ORG
I am trying to set up an IPsec tunnel between an XP client and a FreeBSD box.
Seems the Phase 2 Exchange doesn't work.
My setup:
Windows XP (10.10.10.6):
ipseccmd -f 10.10.10.6=* -t 10.10.10.20 -n esp[3des,md5] -a preshare:"xxx" -1s 3des-md5-2 -1p
FreeBSD (10.10.10.20):
SPD:
10.10.10.6[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/10.10.10.6-10.10.10.20/require
spid=7 seq=1 pid=565
refcnt=1
0.0.0.0/0[any] 10.10.10.6[any] any
out ipsec
esp/tunnel/10.10.10.20-10.10.10.6/require
spid=8 seq=0 pid=565
refcnt=1
racoon conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
timer
{
# These values can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 90 sec;
phase2 60 sec;
}
remote anonymous
{
exchange_mode main;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
lifetime time 4 hour; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
The racoon dump file (60K) may be too big for the email. Looks like the only ERROR lines are:
---------------------------------------------------------------------
.......
2002-08-26 19:10:26: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump():
......
2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
2002-08-26 19:11:26: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.
.......
------------------------------------------------------------------------------------
I don't know why Windows sends an INVALID-ID-INFORMATION.
Looks like that causes the Quick Mode SA establishment to fail?
Any suggestion?
Thanks a lot!
(btw, transparent mode XP <-> FreeBSD and tunnel mode FreeBSD -> FreeBSD go pretty well)
Sunny
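The racoon debug output quoted in the post is the usual place to work out why Quick Mode fails, so here is an added example (not part of the original message) that parses lines in that format, pulls out ISAKMP notification payloads and pfkey "give up" events, and ties each give-up to the last notify seen before it. The sample log is a constructed, trimmed copy of the lines quoted above; the PROTO_IDS table follows the IPsec DOI protocol identifiers from RFC 2407.

```python
import re
from datetime import datetime

# racoon log line: "<timestamp>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z0-9]+): "
    r"(?P<where>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$")
# ISAKMP notification as printed by isakmp_info_recv_n()
NOTIFY_RE = re.compile(
    r"notification message (?P<code>\d+):(?P<name>[A-Z0-9-]+), "
    r"doi=(?P<doi>\d+) proto_id=(?P<proto>\d+) spi=(?P<spi>[0-9a-fA-F]+)")
# pfkey_timeover(): "<peer> give up to get IPsec-SA due to time up to wait."
GIVEUP_RE = re.compile(r"^(?P<peer>\d+(?:\.\d+){3}) give up to get IPsec-SA")

# IPsec DOI protocol identifiers (RFC 2407): what protocol the notify refers to.
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Constructed sample: the relevant lines from the post, other debug noise dropped.
SAMPLE_LOG = """\
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
"""

def parse_racoon_log(text):
    """Return (notifies, giveups) found in racoon log text.

    notifies: list of {ts, name, code, proto, spi} for each notification payload.
    giveups:  list of {ts, peer, preceded_by}, where preceded_by is the name of
              the last notify seen before the give-up (None if there was none).
    """
    notifies, giveups = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hexdump / continuation lines do not carry the prefix
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        n = NOTIFY_RE.search(msg)
        if n:
            notifies.append({"ts": ts, "name": n["name"], "code": int(n["code"]),
                             "proto": PROTO_IDS.get(int(n["proto"]), "unknown"),
                             "spi": n["spi"]})
            continue
        g = GIVEUP_RE.match(msg)
        if g:
            last = notifies[-1]["name"] if notifies else None
            giveups.append({"ts": ts, "peer": g["peer"], "preceded_by": last})
    return notifies, giveups
```

Run over the sample, the give-up for 10.10.10.6 is reported as preceded by an INVALID-ID-INFORMATION notify about ESP with a zero SPI, sixty seconds earlier, which matches the phase2 timer in the posted racoon.conf.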
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message