IPsec tunnel between XP and FreeBSD

From: Y S (sunny_mcl@yahoo.com)
Date: 08/27/02


Date: Tue, 27 Aug 2002 11:58:16 -0700 (PDT)
From: Y S <sunny_mcl@yahoo.com>
To: freebsd-security@FreeBSD.ORG

I am trying to setup an IPsec tunnel between XP client and FreeBSD box.
Seems the Phase 2 Exchange doesn't work.

My setup:

Windows XP (10.10.10.6):

ipseccmd -f 10.10.10.6=* -t 10.10.10.20 -n esp[3des,md5] -a preshare:"xxx" -1s 3des-md5-2 -1p

Freebsd (10.10.10.20):

SPD:

10.10.10.6[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.10.10.6-10.10.10.20/require
        spid=7 seq=1 pid=565
        refcnt=1
0.0.0.0/0[any] 10.10.10.6[any] any
        out ipsec
        esp/tunnel/10.10.10.20-10.10.10.6/require
        spid=8 seq=0 pid=565
        refcnt=1

racoon conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
 maximum_length 20; # maximum padding length.
 randomize off; # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

timer
{
 # These value can be changed per remote node.
 counter 5; # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1; # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 90 sec;
 phase2 60 sec;
}

remote anonymous
{
 exchange_mode main;
 doi ipsec_doi;
 situation identity_only;

 nonce_size 16;
 lifetime time 4 hour; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

and the racoon dump file (60K) may be too big for the email. looks like the only ERROR lines are:

 

---------------------------------------------------------------------

.......

2002-08-26 19:10:26: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump():

......

2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
2002-08-26 19:11:26: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.

.......

------------------------------------------------------------------------------------

I don't know why windows send an INVALID-ID-INFORMATION.

Looks like that causes the Quick mode SA establishing fails?

Any suggestion?

Thanks a lot!

(btw, transparent mode XP <-> freebsd and tunnel mode freebsd -> freebsd go pretty well)

 

Sunny

 

---------------------------------
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message