
IPSec troubles


ruet...@mac.com

Mar 28, 2004, 5:13:48 PM
Hello,

I have troubles setting up an IPSec Host-to-Host connection between
FreeBSD 5.2.1 and MacOS X 10.3.3:


Network Setup:

Cable-Modem-->FreeBSD Box, 192.168.0.1-->Apple Airport Station running
in Bridge Mode-->MacOS X Box, 192.168.0.10


/etc/ipsec.conf (FreeBSD)

spdadd 192.168.0.1/24 192.168.0.10/24 any -P out ipsec
esp/transport/192.168.0.1-192.168.0.10/require;
spdadd 192.168.0.10/24 192.168.0.1/24 any -P in ipsec
esp/transport/192.168.0.10-192.168.0.1/require;

/etc/ipsec.conf (MacOS X)

spdadd 192.168.0.10/24 192.168.0.1/24 any -P out ipsec
esp/transport/192.168.0.10-192.168.0.1/require;
spdadd 192.168.0.1/24 192.168.0.10/24 any -P in ipsec
esp/transport/192.168.0.1-192.168.0.10/require;

/usr/local/etc/racoon/racoon.conf (FreeBSD)

remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;

#my_identifier address;
my_identifier user_fqdn "ro...@ruettimac.ch";
peers_identifier user_fqdn "ro...@ruettimac.ch";
#certificate_type x509 "mycert" "mypriv";

nonce_size 16;
lifetime time 1 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

/etc/racoon/remote/anonymous.conf (MacOS X)

remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;

#my_identifier address;
my_identifier user_fqdn "ro...@ruettimac.ch";
peers_identifier user_fqdn "ro...@ruettimac.ch";
#certificate_type x509 "mycert" "mypriv";

nonce_size 16;
lifetime time 1 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

/usr/local/etc/racoon/psk.txt (FreeBSD)

192.168.0.1 7HdopoY72bNmewP
192.168.0.10 7HdopoY72bNmewP

/etc/racoon/psk.txt (MacOS X)

192.168.0.1 7HdopoY72bNmewP
192.168.0.10 7HdopoY72bNmewP

Debug output (FreeBSD)

Mar 28 22:55:54 protos racoon: DEBUG:
algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:2379:pk_checkalg():
compression algorithm can not be checked because sadb message doesn't
support it.
Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get
pfkey X_SPDDUMP message
Mar 28 22:55:54 protos racoon: DEBUG: pfkey.c:197:pfkey_handler(): get
pfkey X_SPDDUMP message
Mar 28 22:55:54 protos racoon: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbfbfec40: 192.168.0.1/24[0] 192.168.0.10/24[0] proto=any dir=out
Mar 28 22:55:54 protos racoon: DEBUG: policy.c:185:cmpspidxstrict(): db
:0x80a2c08: 192.168.0.10/24[0] 192.168.0.1/24[0] proto=any dir=in
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:222:isakmp_handler():
277 bytes message received from 192.168.0.10[500]
Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): a8d6f8dc
8b9041c1 00000000 00000000 01100400 00000000 00000115 04000034 00000001
00000001 00000028 01010
001 00000020 01010000 800b0001 800c003c 80010005 80030001 80020002
80040002 0a000084 f23e0504 edb10453 8212421a f817e04d 148782fb 81436b89
f73240d1 a69d3662 5cbb7e5a
cb234c8a 764c6357 87b6c7ee 6606ad2b daf088dc 27dfbac8 5c8ca5f5 20b7c274
4e6f22d7 a85e4237 36291558 2cc68a6e fc9f449c 9d9463e3 ebb1536b 068063f7
ac6f290e 6160f975 b059
aa6c dcccf25d ee5361aa d18ba202 b567ff46 05000014 d2b5d6de f4860836
93be994d 10fb9d3a 0d000019 03000000 726f6f74 40727565 7474696d 61632e63
68000000 144df379 28e9fc4f
d1b32621 70d515c6 62
Mar 28 22:57:11 protos racoon: DEBUG:
isakmp.c:2246:isakmp_printpacket(): begin.
Mar 28 22:57:11 protos racoon: DEBUG: remoteconf.c:129:getrmconf():
anonymous configuration selected for 192.168.0.10[500].
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:887:isakmp_ph1begin_r():
===
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
begin.
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=1(sa)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=4(ke)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=10(nonce)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=5(id)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=13(vid)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
succeed.
Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
received payload of type ke
Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
received payload of type nonce
Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
received payload of type id
Mar 28 22:57:11 protos racoon: DEBUG: isakmp_agg.c:646:agg_r1recv():
received payload of type vid
Mar 28 22:57:11 protos racoon: DEBUG: vendorid.c:137:check_vendorid():
received unknown Vendor ID
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1117:get_proppair():
total SA len=48
Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): 00000001
00000001 00000028 01010001 00000020 01010000 800b0001 800c003c 80010005
80030001 80020002 80040
002
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
begin.
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=2(prop)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
succeed.
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1170:get_proppair():
proposal #1 len=40
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1110:isakmp_parsewoh():
begin.
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1137:isakmp_parsewoh():
seen nptype=3(trns)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1176:isakmp_parsewoh():
succeed.
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1311:get_transform():
transform #1 len=32
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Life Type, flag=0x8000,
lorv=seconds
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Life Duration, flag=0x8000,
lorv=60
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm,
flag=0x8000, lorv=3DES-CBC
Mar 28 22:57:11 protos racoon: DEBUG:
algorithm.c:386:alg_oakley_encdef(): encription(3des)
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Authentication Method,
flag=0x8000, lorv=pre-shared key
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000,
lorv=SHA
Mar 28 22:57:11 protos racoon: DEBUG:
algorithm.c:256:alg_oakley_hashdef(): hash(sha1)
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description,
flag=0x8000, lorv=1024-bit MODP group
Mar 28 22:57:11 protos racoon: DEBUG:
algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1213:get_proppair():
pair 1:
Mar 28 22:57:11 protos racoon: DEBUG: proposal.c:895:print_proppair0():
0x80a8dc0: next=0x0 tnext=0x0
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:1248:get_proppair():
proposal #1: 1 transform
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:322:get_ph1approvalx(): prop#=1, prot-id=ISAKMP,
spi-size=0, #trns=1
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Life Type, flag=0x8000, lorv=seconds
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Life Duration, flag=0x8000, lorv=60
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Authentication Method, flag=0x8000, lorv=pre-shared key
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Hash Algorithm, flag=0x8000, lorv=SHA
Mar 28 22:57:11 protos racoon: DEBUG: ipsec_doi.c:491:t2isakmpsa():
type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 60:60)
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0)
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0)
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:SHA
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared
key:pre-shared key
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP
group:1024-bit MODP group
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:248:get_ph1approval(): an acceptable proposal found.
Mar 28 22:57:11 protos racoon: DEBUG:
algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
Mar 28 22:57:11 protos racoon: DEBUG: isakmp.c:1994:isakmp_newcookie():
new cookie: 0ad0e291b31fe9c0
Mar 28 22:57:11 protos racoon: DEBUG:
ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of User_FQDN
Mar 28 22:57:11 protos racoon: DEBUG:
oakley.c:300:oakley_dh_generate(): compute DH's private.
Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): 6753fee8
60c3a0f2 ae75b8f8 b01a3ebb 077d1c3d 32079cb0 a85027bc ce546f9a ba3f7f1d
3621cdc7 846570e1 5f9ea
ef5 ece52b65 8c704ae1 01ae7444 7490a9bd 72d9c58c 0366a656 38261e4e
fa4b56ce 10d8544a 8e86344d 32b78168 909a5847 c118c017 a17cd78a cbb543b7
98e1cb8e 5e8faed4 f28ddb5b
1783717e 244b075f
Mar 28 22:57:11 protos racoon: DEBUG:
oakley.c:302:oakley_dh_generate(): compute DH's public.
Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): 188b2e30
9cf45135 c1dc28fb 44f75b0b 0d6511c2 2d615c1c 032790c7 3a154392 582a65cf
3535dabc cd858f07 11b1d
229 e9a49744 aa3a1935 c9bff6cc 2a060706 6af1b688 0ca5f0e4 c8085d7d
de7a24db 7e70369f c913691a b4de01fe b98f3218 35480394 ac9ec110 33431e8c
a6098b94 0d29ad67 7be9cd11
059569db 7523ea0d
Mar 28 22:57:11 protos racoon: DEBUG: oakley.c:250:oakley_dh_compute():
compute DH's shared.
Mar 28 22:57:11 protos racoon: DEBUG: plog.c:193:plogdump(): 3a7b7282
97f70a35 423f1b4b cd893507 23188260 bb366f00 02bd5d60 1f85d97f ab60ce35
e4d1a4e8 975daf7a 34ba3
393 4282dba6 e30885e8 c8459602 f0d9f8dc 72048742 295d0035 5611342c
e51c20c0 17d2a64b 7c985bd4 c5424535 e9cb8e05 900484a4 2838807a b2656122
be5e1bb6 5b0e1003 e1087aa2
ab448b19 fb5bdf3b
Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
Mar 28 22:57:21 protos racoon: DEBUG: isakmp.c:222:isakmp_handler():
277 bytes message received from 192.168.0.10[500]
Mar 28 22:57:21 protos racoon: DEBUG: plog.c:193:plogdump(): a8d6f8dc
8b9041c1 00000000 00000000 01100400 00000000 00000115 04000034 00000001
00000001 00000028 01010
001 00000020 01010000 800b0001 800c003c 80010005 80030001 80020002
80040002 0a000084 f23e0504 edb10453 8212421a f817e04d 148782fb 81436b89
f73240d1 a69d3662 5cbb7e5a
cb234c8a 764c6357 87b6c7ee 6606ad2b daf088dc 27dfbac8 5c8ca5f5 20b7c274
4e6f22d7 a85e4237 36291558 2cc68a6e fc9f449c 9d9463e3 ebb1536b 068063f7
ac6f290e 6160f975 b059
aa6c dcccf25d ee5361aa d18ba202 b567ff46 05000014 d2b5d6de f4860836
93be994d 10fb9d3a 0d000019 03000000 726f6f74 40727565 7474696d 61632e63
68000000 144df379 28e9fc4f
d1b32621 70d515c6 62


Debug output (MacOS X)

Mar 28 23:05:24 localhost racoon: INFO:
isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.
Mar 28 23:05:53 localhost racoon: ERROR:
isakmp.c:1694:isakmp_ph1resend(): phase1 negotiation failed due to time
up. 4445e17f3009917d:0000000000000000
Mar 28 23:06:13 localhost racoon: INFO:
isakmp.c:1941:isakmp_post_acquire(): IPsec-SA request for 192.168.0.1
queued due to no phase1 found.
Mar 28 23:06:13 localhost racoon: INFO:
isakmp.c:994:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
192.168.0.10[500]<=>192.168.0.1[500]
Mar 28 23:06:13 localhost racoon: INFO:
isakmp.c:999:isakmp_ph1begin_i(): begin Aggressive mode.
Mar 28 23:06:44 localhost racoon: ERROR:
isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to
time up waiting for phase1. ESP 192.168.0.1->192.168.0.10
Mar 28 23:06:44 localhost racoon: INFO:
isakmp.c:2038:isakmp_chkph1there(): delete phase 2 handler.

Something wrong with the setup?
Maybe incompatible versions of racoon (tip found in a FreeBSD
Mailinglist)?
racoon-20040116a <-----> racoon-20040114 (Big Endian)


Thanks for any help!

Cyrill

_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net...@freebsd.org"

cri...@comcast.net

Mar 29, 2004, 4:42:54 PM
On Mon, Mar 29, 2004 at 12:06:21AM +0200, Cyrill Rüttimann wrote:
> Hello,
>
> I have troubles setting up an IPSec Host-to-Host connection between
> FreeBSD 5.2.1 and MacOS X 10.3.3:

Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
tries to apply the IPsec policy to the IKE traffic giving us a chicken
and egg problem. The Mac end timing out waiting to hear from the
FreeBSD system is consistent with this. Run 'tcpdump -n port 500' on
the FreeBSD system and watch for outgoing traffic, and have a look at
'netstat -sp ipsec' and see if the 'outbound packets with no SA
available' count is increasing.

The workaround was to not use IPSEC in the kernel, but FAST_IPSEC.
--
Crist J. Clark | cjc...@alum.mit.edu
| cjc...@jhu.edu
http://people.freebsd.org/~cjc/ | c...@freebsd.org
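The check Crist suggests above is to watch whether the "outbound packets with no SA available" counter in 'netstat -sp ipsec' keeps growing while IKE is stuck. The script below is an added example (not from the thread, not FreeBSD code) that diffs two snapshots of that output and flags growing counters. The only counter wording taken from the post is "outbound packets with no SA available"; the other counter names and all numbers are constructed, and the script assumes the usual netstat layout of one "<count> <description>" line per counter under an "ipsec:" header.

```python
"""Diff two snapshots of `netstat -sp ipsec` and flag counters that grew.

Added example, not from the thread. The only line wording taken from the
post is 'outbound packets with no SA available'; the other counter names
and all numbers are constructed sample data. Assumes the netstat layout
'<count> <description>' under an 'ipsec:' header.
"""
import re
from typing import Dict

# Constructed snapshot taken before racoon starts the IKE exchange.
SNAPSHOT_BEFORE = """\
ipsec:
\t12 inbound packets processed successfully
\t0 inbound packets violated process security policy
\t0 inbound packets with no SA available
\t3 outbound packets with no SA available
\t0 outbound packets violated process security policy
"""

# Constructed snapshot taken after the phase 1 negotiation timed out.
SNAPSHOT_AFTER = """\
ipsec:
\t12 inbound packets processed successfully
\t0 inbound packets violated process security policy
\t0 inbound packets with no SA available
\t9 outbound packets with no SA available
\t0 outbound packets violated process security policy
"""

NO_SA_OUT = "outbound packets with no SA available"

# One counter per line: leading number, then the description.
_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_ipsec_stats(text: str) -> Dict[str, int]:
    """Map each counter description to its value; the 'ipsec:' header is skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Return only the counters that increased between the two snapshots."""
    b, a = parse_ipsec_stats(before), parse_ipsec_stats(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] - b.get(k, 0) > 0}


def ike_stuck_behind_policy(before: str, after: str) -> bool:
    """True when outbound packets are being dropped for lack of an SA,
    the symptom the thread attributes to 5.2.1 applying policy to IKE."""
    return counter_deltas(before, after).get(NO_SA_OUT, 0) > 0


if __name__ == "__main__":
    for name, delta in counter_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"+{delta}  {name}")
    print("IKE blocked by SPD?", ike_stuck_behind_policy(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On a live system, capture the two snapshots with 'netstat -sp ipsec' before and after triggering traffic that should bring up the SA, and feed them to counter_deltas; a growing "no SA available" count alongside silence in 'tcpdump -n port 500' is the pattern Crist describes.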

bzeeb...@lists.zabbadoz.net

Mar 30, 2004, 6:32:44 AM
On Mon, 29 Mar 2004, Crist J. Clark wrote:

> > I have troubles setting up an IPSec Host-to-Host connection between
> > FreeBSD 5.2.1 and MacOS X 10.3.3:
>
> Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> tries to apply the IPsec policy to the IKE traffic giving us a chicken
> and egg problem.

you can "exclude" IKE traffic in the SPD manually. I am still unsure
if this IS a bug. Would need to go through RFCs in detail.

Just skipped through 2401 and what I have found is:


In host systems, applications MAY be allowed to select what security
processing is to be applied to the traffic they generate and consume.


and


The SPD is used to control the flow of ALL traffic through an IPsec
system, including security and key management traffic (e.g., ISAKMP)
from/to entities behind a security gateway. This means that ISAKMP
traffic must be explicitly accounted for in the SPD, else it will be
discarded.

So if I get the problem right racoon is unable to tell the kernel
that its traffic should 'bypass' IPSec processing ?

If this is the remaining problem apart from the yet known (where KAME
people cannot find the time to review at the moment) I may look into
this; have setup my wireless connection on a 5.2.1 notebook (being
updated to HEAD soon) to use IPSec lately so I have a 'testbed' now.


--
Greetings

Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

ruet...@mac.com

Mar 30, 2004, 7:01:49 AM
Hello,


> If this is the remaining problem apart from the yet known (where KAME
> people cannot find the time to review at the moment) I may look into
> this; have setup my wireless connection on a 5.2.1 notebook (being
> updated to HEAD soon) to use IPSec lately so I have a 'testbed' now.

Please can you report if IPSec is working with current or the latest
stable?

With 5.2.1, you are lost completely. IPSec with kernel options do not
work and if you enable FAST_IPSEC (which should work), you end up not
able to compile the kernel. There was a patch mentioned to solve this,
but for me it did not work.

<http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/in6_pcb.c.diff?r1=1.47&r2=1.48>


Regards,

Cyrill

bzeeb...@lists.zabbadoz.net

Mar 30, 2004, 7:36:39 AM
On Tue, 30 Mar 2004, Cyrill Rüttimann wrote:

Hi,

> > If this is the remaining problem apart from the yet known (where KAME
> > people cannot find the time to review at the moment) I may look into
> > this; have setup my wireless connection on a 5.2.1 notebook (being
> > updated to HEAD soon) to use IPSec lately so I have a 'testbed' now.
>
> Please can you report if IPSec is working with current or the latest
> stable?
>
> With 5.2.1, you are lost completely. IPSec with kernel options do not
> work and if you enable FAST_IPSEC (which should work), you end up not
> able to compile the kernel. There was a patch mentioned to solve this,
> but for me it did not work.

I have been able to use IPSEC (do not know about FAST_IPSEC) with
5.2.1R miniinst installation on following setup:

notebook(wi0) <---> AP(bridge) <----> (fxp2)router

I am now on a 5.2.1R with a private kernel incorporating some of my
IPSEC related patches from HEAD (not all) and it also works.

What I had to do had been "excluding IKE traffic" by doing s.th.
like this (router side config):

spdadd ROUTER[500] NOTEBOOK[500] udp
-P out none ;

spdadd NOTEBOOK[500] ROUTER[500] udp
-P in none ;

This for sure is not the most nifty way to do but it works.

--
Greetings

Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

cri...@comcast.net

Mar 30, 2004, 6:48:49 PM
On Tue, Mar 30, 2004 at 11:22:08AM +0000, Bjoern A. Zeeb wrote:
> On Mon, 29 Mar 2004, Crist J. Clark wrote:
>
> > > I have troubles setting up an IPSec Host-to-Host connection between
> > > FreeBSD 5.2.1 and MacOS X 10.3.3:
> >
> > Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> > tries to apply the IPsec policy to the IKE traffic giving us a chicken
> > and egg problem.
>
> you can "exclude" IKE traffic in the SPD manually. I am still unsure
> if this IS a bug. Would need to go through RFCs in detail.

[snip RFC2401 quotes]

I don't think we do. I misspoke... er, typed. IPsec _policy_ must be
applied to every packet (or socket). However, IKE traffic should skip
IPsec _processing,_ i.e. the IPsec policy should dictate the IKE
traffic skip IPsec processing.

> So if I get the problem right racoon is unable to tell the kernel
> that it's traffic should 'bypass' IPSec processing ?

Yes. Racoon can _no longer_ tell the kernel to bypass using KAME
IPsec. This used to work. A working racoon binary stopped working as
of a kernel upgrade between 5.<mumble-mumble> and 5.<mumble-mumble>.
Racoon will still work fine with FAST_IPSEC.

Racoon tells the kernel that the IKE socket should be 'bypassed' in
IPsec processing in the racoon/sockmisc.c:setsockopt_bypass function.

richard_...@yahoo.com

Apr 2, 2004, 6:25:19 PM
Hello,

This thread has been very helpful. I'm using FreeBSD
5.2.1 REL with kernels recompiled to support IPSEC.
I've found the "trick" to exclude port 500 UDP packets
allows ISAKMP traffic to be exchanged, e.g:

spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out
none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in
none;

Unfortunately, I cannot follow this ipsec.conf entry
with something like this for 'any' protocol:

spdadd 192.168.20.1 192.168.21.1 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 any -P in ipsec
esp/tunnel/192.168.21.1-192.168.20.1/require;

If I try to ping 192.168.20.1 from 192.168.21.1, I get
this error on 192.168.20.1 from racoon:

2004-04-02 18:10:43: ERROR:
isakmp_quick.c:2064:get_proposal_r(): policy found,
but no IPsec required: 192.168.20.1/32[0]
192.168.21.1/32[0] proto=any dir=out
2004-04-02 18:10:43: ERROR:
isakmp_quick.c:1071:quick_r1recv(): failed to get
proposal for responder.
2004-04-02 18:10:43: ERROR:
isakmp.c:1061:isakmp_ph2begin_r(): failed to
pre-process packet.

No traffic is exchanged.

I've found that replacing the 'any' entry in the
ipsec.conf with new entries for 'icmp' and 'tcp' allow
those protocols to be protected by IPSec, e.g. for
tcp:

spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec
esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec
esp/tunnel/192.168.21.1-192.168.20.1/require;

Unfortunately, I can't add an entry for 'udp' as that
appears to conflict with the udp entry for port 500.

I tried 'ip' in place of 'any', but that didn't seem
to encrypt any traffic at all.

Is my only alternative to upgrade from 5.2.1 to
CURRENT if I want everything to be protected by IPSec
(besides ISAKMP)?

Thank you,

Richard
http://www.taosecurity.com

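Both Bjoern's "exclude IKE traffic" workaround and Richard's posted ipsec.conf rely on the SPD classifying UDP/500 as "none" while everything else hits the ESP "require" entry. The script below is an added example (not from the thread, not KAME or racoon code) that parses setkey-style spdadd statements and simulates the lookup, using Richard's 192.168.20.1 / 192.168.21.1 entries as posted. It models the SPD as an ordered list evaluated first-match in the listed order; that ordering is an assumption of the model, not something the thread states. The variant without the bypass entries shows the case Crist describes, where IKE itself falls under the "require" policy. The simulator only shows how the kernel would classify packets; it does not model racoon's get_proposal_r check, so it cannot explain the "policy found, but no IPsec required" error Richard reports.

```python
"""Simulate SPD lookups for setkey(8) 'spdadd' statements.

Added example, not code from the thread or from KAME/racoon. The SPD is
modelled as an ordered list evaluated first-match in listed order (an
assumption of this model). Addresses come from Richard's post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str                  # 'any', 'udp', 'tcp', 'icmp', ...
    direction: str              # 'in' or 'out'
    policy: str                 # 'none', 'ipsec' or 'discard'
    rule: str                   # e.g. 'esp/tunnel/a-b/require'; '' for none


def _parse_endpoint(tok: str):
    """'192.168.20.1[500]' -> (network, 500); no brackets or [any] -> port None."""
    port = None
    if "[" in tok:
        tok, p = tok[:-1].split("[")
        port = None if p == "any" else int(p)
    # strict=False: a host address written with a /24 mask parses as its
    # subnet, which is the selector the kernel would actually match on.
    return ipaddress.ip_network(tok, strict=False), port


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse 'spdadd SRC DST PROTO -P DIR POLICY [RULE];' statements."""
    entries = []
    for stmt in text.split(";"):
        toks = stmt.split()
        if not toks or toks[0] != "spdadd":
            continue
        src, sport = _parse_endpoint(toks[1])
        dst, dport = _parse_endpoint(toks[2])
        if toks[4] != "-P":
            raise ValueError(f"unexpected policy syntax: {stmt.strip()}")
        entries.append(SpdEntry(src, sport, dst, dport, toks[3],
                                toks[5], toks[6], " ".join(toks[7:])))
    return entries


def lookup(spd, src, dst, proto, direction, sport=None, dport=None):
    """Return the first entry matching the packet, or None if no policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if e.direction != direction or s not in e.src or d not in e.dst:
            continue
        if e.proto != "any" and e.proto != proto:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


def ike_bypassed(spd, local, peer) -> bool:
    """True when UDP/500 in both directions hits a 'none' entry, i.e. the
    IKE exchange is excluded from IPsec processing as the thread suggests."""
    out = lookup(spd, local, peer, "udp", "out", 500, 500)
    inn = lookup(spd, peer, local, "udp", "in", 500, 500)
    return bool(out and inn and out.policy == "none" and inn.policy == "none")


# Richard's policies as posted: IKE bypass first, then 'any' under ESP.
RICHARD_SPD = """
spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;
spdadd 192.168.20.1 192.168.21.1 any -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 any -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;
"""
_LINES = RICHARD_SPD.strip().splitlines()
# Constructed variants: the same entries with 'any' listed first, and with
# no bypass entries at all (IKE then falls under the 'require' policy).
ANY_FIRST_SPD = "\n".join(_LINES[2:] + _LINES[:2])
NO_BYPASS_SPD = "\n".join(_LINES[2:])

if __name__ == "__main__":
    spd = parse_spd(RICHARD_SPD)
    print("IKE bypassed (as posted):", ike_bypassed(spd, "192.168.20.1", "192.168.21.1"))
    e = lookup(spd, "192.168.20.1", "192.168.21.1", "icmp", "out")
    print("ping classified as:", e.policy, e.rule)
    print("IKE bypassed ('any' first):",
          ike_bypassed(parse_spd(ANY_FIRST_SPD), "192.168.20.1", "192.168.21.1"))
    print("IKE bypassed (no bypass entries):",
          ike_bypassed(parse_spd(NO_BYPASS_SPD), "192.168.20.1", "192.168.21.1"))
```

Under this first-match model the order of the spdadd lines decides the outcome: with the UDP/500 "none" entries listed before the "any ... require" entries, IKE is exempt while ping and other UDP traffic still require ESP; with them listed after, or absent, IKE itself would need an SA before one can be negotiated.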
