Windows 2000 <-> FreeBSD IPsec problem

haesu at towardex.com haesu at towardex.com
Fri Jan 9 12:23:50 PST 2004


Hi,

I am trying to set up an IPSEC transport between a Windows 2000 box
and a FreeBSD server for a customer... Both systems are on live
public IPs, and packets are not filtered by any intermediate systems
or firewalls/routers in between.

I have the following setup:

  Windows 2000 box: 1.1.1.2
  FreeBSD Server: 2.2.2.3
(The actual IPs have been changed to the above to protect the innocent..)

I have racoon set up on the FreeBSD server with the following configuration [1].

And I have Windows configured correctly (verified many times after Googling
and looking at various howto docs...) as well. I will provide more info about
how it's set up on Windows if anyone wants specific detail. But basically it's set
up using the howto from http://asherah.dyndns.org/~josh/ipsec-howto.txt

But when I try to have the Windows box ping 2.2.2.3 (going over IPsec, that is),
I get the following error on the FreeBSD server running racoon [2].

If anyone can assist with this, I would really appreciate it. I've been scratching
my head for a day trying to figure out what's going on... Thanks!

-J

!<-------- [1] Racoon Configuration below --------->
path include "/usr/local/etc/racoon" ;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        isakmp 1.1.1.2 [500];
}

# Specification of the various default timers.
timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum number of send attempts.
        interval 20 sec;        # maximum interval between resends.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 15 sec;
        phase2 30 sec;
}

remote anonymous
{
        #exchange_mode aggressive,main;
        doi ipsec_doi;
        exchange_mode main,aggressive;
        nonce_size 32;
        situation identity_only;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        passive on;
        proposal_check claim;   # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 36000 sec;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}

!<--- End of [1]--->

!<-------- [2] Racoon Debug/Error msgs below --------->
# racoon -v -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2004-01-08 15:26:03: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
2004-01-08 15:26:03: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame.net
2004-01-08 15:26:03: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-08 15:26:03: WARNING: cftoken.l:514:yywarn(): racoon.conf:49: "support_mip6" it is obsoleted.  use "support_proxy".
2004-01-08 15:26:03: INFO: isakmp.c:1358:isakmp_open(): 1.1.1.2[500] used as isakmp port (fd=5)
2004-01-08 15:26:17: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.1.1.2[500]<=>2.2.2.3[500]
2004-01-08 15:26:17: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-01-08 15:26:17: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
2004-01-08 15:26:17: ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
2004-01-08 15:26:18: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:20: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:24: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
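As an added triage aid (not part of the original post or of racoon itself), the following Python script parses the racoon log format shown in [2] and reduces it to a summary of the phase 1 attempt: peer, exchange mode, the peer's Vendor ID, configuration warnings, errors and the retransmit count. The sample lines are copied from the log above.

```python
import re

# Racoon log line layout as seen in the post:
#   2004-01-08 15:26:17: ERROR: ipsec_doi.c:1318:get_transform(): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<level>[A-Z0-9]+): "
    r"(?P<src>[\w.]+:\d+:\w+\(\)): "
    r"(?P<msg>.*)$"
)
PH1_RE = re.compile(r"respond new phase 1 negotiation: (?P<local>[^<\s]+)<=>(?P<peer>\S+)")
RETRANS_RE = re.compile(r"the packet is retransmitted by (?P<peer>\S+)")

# Sample input: the log lines quoted in the post (prompt and banner included).
SAMPLE_LOG = """\
# racoon -v -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2004-01-08 15:26:03: WARNING: cftoken.l:514:yywarn(): racoon.conf:49: "support_mip6" it is obsoleted.  use "support_proxy".
2004-01-08 15:26:03: INFO: isakmp.c:1358:isakmp_open(): 1.1.1.2[500] used as isakmp port (fd=5)
2004-01-08 15:26:17: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.1.1.2[500]<=>2.2.2.3[500]
2004-01-08 15:26:17: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-01-08 15:26:17: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
2004-01-08 15:26:17: ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
2004-01-08 15:26:18: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:20: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:24: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
"""

def parse_line(line):
    """Return the fields of one racoon log line, or None for non-log text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_phase1(text):
    """Reduce a racoon log to a summary of the IKE phase 1 exchange it records."""
    s = {"peer": None, "mode": None, "vendor_id": None,
         "warnings": [], "errors": [], "retransmits": 0}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # shell prompt, "Foreground mode." banner, blank lines
        msg = rec["msg"]
        if rec["level"] == "WARNING":
            s["warnings"].append(msg)
        elif rec["level"] == "ERROR":
            s["errors"].append(msg)
        elif PH1_RE.search(msg):
            s["peer"] = PH1_RE.search(msg).group("peer")
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            s["mode"] = msg[len("begin "):-len(" mode.")]
        elif msg.startswith("received Vendor ID: "):
            s["vendor_id"] = msg[len("received Vendor ID: "):]
        elif RETRANS_RE.search(msg):
            s["retransmits"] += 1  # peer never got a usable reply
    s["outcome"] = "failed" if s["errors"] else ("incomplete" if s["peer"] else "no attempt")
    return s

if __name__ == "__main__":
    for k, v in summarize_phase1(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Repeated retransmits after an ERROR line with no later "phase 1" completion is the pattern to look for when the peer keeps retrying the same rejected proposal.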


More information about the freebsd-questions mailing list