ipsec-tools 0.6.6 problem
Robert Usle
robertus.n at gmail.com
Thu Dec 28 09:20:26 PST 2006
Hello list & Yvan.
This is my second post regarding the one from:
http://osdir.com/ml/freebsd-net@freebsd.org/msg20572.html
Sorry for not replying, but my email provider simply sucks.
Here's more info.
--------------------------------- racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/cert";
log debug;
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}
listen
{
    #isakmp ::1 [7000];
    isakmp 89.217.11.250 [500];
    isakmp 10.0.5.1 [500];
    #admin [7002];        # administrative port for racoonctl.
    #strict_address;      # requires that all addresses must be bound.
}
timer
{
    # These values can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 2 sec;       # maximum interval to resend.
    persend 1;            # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 60 sec;
    phase2 15 sec;
}
remote anonymous {
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc,
        rijndael, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
-----
kernel config:
machine i386
cpu I686_CPU
ident TUNED
maxusers 512
makeoptions COPTFLAGS="-O2 -pipe"
# FIREWALL and TrafficShaper
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFW2
options IPDIVERT
options DUMMYNET
options DEVICE_POLLING
options HZ=2000
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options MFS #Memory Filesystem
#options MD_ROOT #MD is a potential root device
#options NFS #Network Filesystem
#options NFS_ROOT #NFS usable as root device, NFS required
#options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
...skipping...
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
#pseudo-device ppp 1 # Kernel PPP
#pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
pseudo-device gif # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device usb # USB Bus (required)
#device ugen # Generic
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device uscanner # Scanners
#device urio # Diamond Rio MP3 Player
## USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernet
#
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
#options DISABLE_PSE
# Quota
options QUOTA #enable disk quotas
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
----------------------------------------------------------------------------------------
----uname -a
FreeBSD wall.s93l.pl 4.11-STABLE FreeBSD 4.11-STABLE #5: Sat Nov 18
09:14:30 CET 2006 root at wall.s93l.pl:/usr/obj/usr/src/sys/TUNED
i386
--- /var/log/racoon.log
2006-12-28 17:30:49: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
2006-12-28 17:30:49: INFO: @(#)This product linked OpenSSL 0.9.7d-p1
17 Mar 2004 (http://www.openssl.org/)
2006-12-28 17:30:49: DEBUG: hmac(modp1024)
2006-12-28 17:30:49: DEBUG: compression algorithm can not be checked
because sadb message doesn't support it.
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
192.168.2.0/24[0] proto=any dir=out
2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0]
0.0.0.0/0[0] proto=any dir=in
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
and so on... an infinite loop with 'caught rtm:2, need update interface
address list'.
---------------------------------------
I was trying to establish a VPN connection with a Win XP host; now I'm trying
with an asmax br-604G.
There are 2 setkey commands now (/usr/sbin/ & /usr/local/sbin);
can I use both?
Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
after running setkey.
Let me know if you need more info,
--
Robert
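Added example (editor's code, not the poster's and not part of ipsec-tools): a small Python audit that parses the remote and sainfo blocks quoted from the racoon.conf above and flags the offers a defender would not want on the wire (the DES variants and null_enc in the ESP proposal, hmac_md5, and aggressive mode with a pre-shared key). The parser only understands the `key value, value;` and `{ }` syntax shown in the post; the sets of algorithms it flags and the hardened sainfo block it is compared against are my assumptions, not anything ipsec-tools ships or the poster wrote.

```python
import re

# Constructed excerpt of the racoon.conf quoted in the post (remote + sainfo only).
RACOON_CONF = """
remote anonymous {
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 12 hour ;
    encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc,
        rijndael, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate ;
}
"""

# Constructed hardened sainfo for comparison (assumption, not from the post):
# AES (rijndael) or 3DES for ESP, SHA1 integrity, no DES / null / MD5 offers.
HARDENED_SAINFO = """
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm rijndael, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

# Editor's choice of what to flag (assumption, not an ipsec-tools list).
WEAK_ENC = {"des", "des_iv64", "des_iv32", "null_enc"}   # 56-bit DES variants, no encryption
WEAK_AUTH = {"hmac_md5"}


def parse_statements(text):
    """Return [(block_path, key, [values])] for every 'key v1, v2;' statement.

    block_path joins the enclosing block headers with '/', e.g.
    'remote anonymous/proposal'. '#' comments are stripped, and a statement
    may span several lines, as the encryption_algorithm list in the post does.
    """
    stack, buf, out = [], "", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf += " " + line
        while buf:
            buf = buf.strip()
            m = re.match(r"([^{};]*)\{", buf)          # block header: 'remote anonymous {'
            if m:
                stack.append(m.group(1).strip())
                buf = buf[m.end():]
                continue
            if buf.startswith("}"):                    # block end
                stack.pop()
                buf = buf[1:]
                continue
            m = re.match(r"([^{};]*);", buf)           # one complete statement
            if m:
                key, _, rest = m.group(1).strip().partition(" ")
                values = [v.strip() for v in rest.split(",") if v.strip()]
                out.append(("/".join(stack), key, values))
                buf = buf[m.end():]
                continue
            break                                      # statement continues on the next line
    return out


def audit(text):
    """Return human-readable findings for weak offers in a racoon.conf fragment."""
    findings = []
    for block, key, values in parse_statements(text):
        if key == "encryption_algorithm":
            findings += [f"{block}: offers weak or null encryption '{v}'"
                         for v in values if v in WEAK_ENC]
        elif key == "authentication_algorithm":
            findings += [f"{block}: offers weak integrity '{v}'"
                         for v in values if v in WEAK_AUTH]
        elif key == "exchange_mode" and "aggressive" in values:
            findings.append(f"{block}: aggressive mode allowed; with a PSK the peer "
                            "identity and authentication hash travel unencrypted")
    return findings


if __name__ == "__main__":
    for f in audit(RACOON_CONF):
        print("WARN", f)
    print("hardened sainfo findings:", audit(HARDENED_SAINFO))
```

Run against the excerpt it reports six findings (one for aggressive mode, four for the DES/null ESP offers, one for hmac_md5) and none for the hardened sainfo; racoon accepts whichever offer the peer picks, so an unused weak entry is still a downgrade path worth removing rather than leaving in the list.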