ipsec-tools 0.6.6 problem

Robert Usle robertus.n at gmail.com
Sat Dec 30 09:52:22 PST 2006


On 12/30/06, VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:
> On Thu, Dec 28, 2006 at 05:51:42PM +0100, Robert Usle wrote:
> > Hello list & Yvan.
>
> Hi.
>
>
>
> [...]
> > listen
> > {
> >        #isakmp ::1 [7000];
> >        isakmp 89.217.11.250 [500];
> >        isakmp 10.0.5.1 [500];
> >        #admin [7002];          # administrative port for racoonctl.
> >        #strict_address;        # requires that all addresses must be bound.
> > }
>
> Those addresses don't match the ifconfig output you sent in your
> previous mail, is that normal ?

Yes, sorry. I was trying to mask a real IP: that's not the one I have
attached to my interface. For security reasons.

> [....]
> > remote anonymous {
> >  exchange_mode aggressive,main,base;
>
> This is a quite ugly config (I fear it comes from the ipsec-tools
> examples....), but it is not related to your problem.

Tried many others.

> [....]
> > 2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
> > 2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
> > 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> > 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> > 2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
> > 192.168.2.0/24[0] proto=any dir=out
> > 2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0]
> > 0.0.0.0/0[0] proto=any dir=in
>
> Could you also give us the output of "setkey -D -P"

Sure.
192.168.2.0/24[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.5.40-10.0.5.1/require
        spid=53 seq=1 pid=7738
        refcnt=1
0.0.0.0/0[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/10.0.5.1-10.0.5.40/require
        spid=54 seq=0 pid=7738
        refcnt=1


> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:50: DEBUG: msg 5 not interesting
> > 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> > 2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
> > 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> > and so on..... infinite loop with 'caught rtm;2, need update interface
> > address list
>
> Strange. The most common reason for an interface update is
> entering/leaving promiscuous mode, or changing IP configuration, but I
> guess you don't do that many times per second....

I am not aware of any changes made. I am running snort, but even if I
shut it down, racoon still makes the loop.

here's my ifconfig output:


fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=40<POLLING>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:03:47:c6:af:e6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1<RXCSUM>
        inet  89.217.11.250 netmask 0xfffffff8 broadcast 89.217.11.255
        ether 00:04:75:c1:d7:76
        media: Ethernet autoselect (10baseT/UTP)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1<RXCSUM>
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:01:02:e2:40:78
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=40<POLLING>
        inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
        ether 00:e0:4c:e9:ec:83
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=40<POLLING>
        inet 10.0.6.1 netmask 0xffffff00 broadcast 10.0.6.255
        ether 00:0a:cd:08:61:7d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=40<POLLING>
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        ether 00:0a:cd:08:61:6d
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
        inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff

tun0 (is an openvpn interface)
As you can see, POLLING is enabled on some of them.

> Just to be sure: do you have strange messages on the console related to IP
> configuration?
>
>
> [...]
> > There are 2 setkey commands now (/usr/sbin/ & /usr/local/sbin);
> > can I use both?
>
> For very basic usage, yes, but as you are using ipsec-tools' racoon,
> it is better to also use ipsec-tools' setkey, which is the
> /usr/local/sbin one.
>
>
> > Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
> > after running setkey
>
> ?
>
> Are you sure your kernel has been correctly compiled/installed ???

I compiled it twice. No errors;
standard make buildkernel/installkernel KERNCONF=TUNED.

Actually, I've managed to create an IPsec connection between this box
and another FreeBSD box. The problem appears when I'm trying to connect
it with an asmax br-604g router, which in fact is a piece of sh... I've
already trashed it.

The main problem is that racoon dies from time to time, and that
it puts out so many interface-related messages.

Maybe I should re-establish the VPN connection between these 2 BSD
boxes and check if the problems occur.

Thanks and Happy New Year!
-- 
Robert
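
An added consistency check, not part of Robert's or Yvan's mails and not ipsec-tools code. It parses the three things quoted in this thread, the `setkey -D -P` dump, the `listen { isakmp ... }` block of racoon.conf and the `inet` lines of `ifconfig`, and reports the kind of mismatch Yvan was asking about: a listen address that no interface carries (as happens when an address is masked or mistyped), a tunnel whose local gateway racoon is not bound on, a "remote" gateway that is actually a local address, and an out policy with no mirrored in policy. The sample texts are constructed from the values quoted above, not captured output, and all function and variable names are the example's own.

```python
"""Cross-check an ipsec-tools/racoon gateway: the SPD from `setkey -D -P`
against racoon.conf's `listen { isakmp ... }` block and `ifconfig`.
Added example, not ipsec-tools code; the samples are constructed from the
values quoted in this thread, not captured output."""
import re

SETKEY_SPD = """\
192.168.2.0/24[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.5.40-10.0.5.1/require
        spid=53 seq=1 pid=7738
        refcnt=1
0.0.0.0/0[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/10.0.5.1-10.0.5.40/require
        spid=54 seq=0 pid=7738
        refcnt=1
"""
RACOON_CONF = """\
listen
{
        #isakmp ::1 [7000];
        isakmp 89.217.11.250 [500];
        isakmp 10.0.5.1 [500];
}
"""
IFCONFIG = """\
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet  89.217.11.250 netmask 0xfffffff8 broadcast 89.217.11.255
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
"""

# "src[port] dst[port] upper"  /  "esp/tunnel/<outer src>-<outer dst>/<level>"
SELECTOR_RE = re.compile(r"^([^\[\s]+)\[([^\]]+)\]\s+([^\[\s]+)\[([^\]]+)\]\s+(\S+)$")
TUNNEL_RE = re.compile(r"^(ah|esp|ipcomp)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)$")
LISTEN_RE = re.compile(r"^\s*isakmp\s+(\S+)\s*\[(\d+)\]\s*;")   # "#isakmp" lines do not match
INET_RE = re.compile(r"^\s+inet\s+(\S+)")                       # first token only; skips inet6

def parse_spd(text):
    """One dict per policy: selector, direction, and its tunnel (outer) addresses."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # an unindented line starts a new policy
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError("unrecognised selector line: %r" % line)
            cur = {"src": m.group(1), "dst": m.group(3), "upper": m.group(5),
                   "dir": None, "tunnels": []}
            policies.append(cur)
        elif cur and line.split()[0] in ("in", "out", "fwd"):
            cur["dir"] = line.split()[0]
        elif cur and TUNNEL_RE.match(line):
            t = TUNNEL_RE.match(line)
            cur["tunnels"].append((t.group(1), t.group(2), t.group(3), t.group(4)))
    return policies

def tunnel_endpoints(policy, tunnel):
    """(local gateway, remote gateway). setkey prints the outer addresses in
    packet direction, so for an inbound policy the local gateway is the outer dst."""
    _proto, osrc, odst, _level = tunnel
    return (osrc, odst) if policy["dir"] == "out" else (odst, osrc)

def parse_listen(conf):
    """Addresses racoon binds for ISAKMP."""
    return {m.group(1) for m in map(LISTEN_RE.match, conf.splitlines()) if m}

def parse_ifconfig(text):
    """IPv4 addresses actually configured on an interface."""
    return {m.group(1) for m in map(INET_RE.match, text.splitlines()) if m}

def check(spd_text, racoon_conf, ifconfig_text):
    """List of problems found; an empty list means the three views agree."""
    listen, bound = parse_listen(racoon_conf), parse_ifconfig(ifconfig_text)
    problems, seen = [], set()
    # 1. racoon can only bind addresses the host actually has
    problems += ["listen address %s is not on any interface" % a for a in sorted(listen - bound)]
    for p in parse_spd(spd_text):
        for t in p["tunnels"]:
            local, remote = tunnel_endpoints(p, t)
            where = "%s policy %s -> %s" % (p["dir"], p["src"], p["dst"])
            # 2. local gateway must be bound and listened on; remote gateway must not be local
            if local not in listen:
                problems.append("%s: local endpoint %s not in racoon listen block" % (where, local))
            if local not in bound:
                problems.append("%s: local endpoint %s not on any interface" % (where, local))
            if remote in bound:
                problems.append("%s: remote endpoint %s is a local address" % (where, remote))
            seen.add((p["dir"], p["src"], p["dst"], local, remote))
    # 3. every out policy needs its mirror: selectors swapped, same gateways, direction in
    for d, src, dst, local, remote in sorted(seen):
        if d == "out" and ("in", dst, src, local, remote) not in seen:
            problems.append("out policy %s -> %s via %s-%s has no mirrored in policy"
                            % (src, dst, local, remote))
    return problems

if __name__ == "__main__":
    print("\n".join(check(SETKEY_SPD, RACOON_CONF, IFCONFIG)
                    or ["SPD, listen block and interfaces agree"]))
```

On a live box, feed `check()` the real `setkey -D -P`, racoon.conf and `ifconfig` text instead of the embedded samples. With the values quoted in this thread it reports nothing; it fires when a listen address has been masked or mistyped, when racoon is not bound on the tunnel's local gateway, or when only one direction of the policy pair was loaded.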


More information about the freebsd-net mailing list