[Bug 203308] wildcard patch in ipsec-tools breaks aggressive tunnels
bugzilla-noreply at freebsd.org
Thu Sep 24 12:19:05 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203308
Bug ID: 203308
Summary: wildcard patch in ipsec-tools breaks aggressive tunnels
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: andywhite at gmail.com
See Bug 196930.
The wildcard patch (required for L2TP etc.) breaks aggressive mode tunnels.
Changing the tunnels to main mode resolves the problem.
With the patch applied but no wildcard in the PSK file:
racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)
Adding a wildcard to the PSK, with no other configuration change:
racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
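The report ends at "HASH mismatched" without saying which key racoon picked. The following Python model is an added illustration, not code from ipsec-tools, racoon or this bug report, of why the order in which pre-shared keys are selected shows up as exactly that symptom: in IKEv1 with pre-shared keys, SKEYID is prf(PSK, Ni_b | Nr_b) (RFC 2409, section 5.4) and the peer's HASH payload is keyed from it, so choosing any key other than the one the peer holds makes the HASH fail. The psk.txt layout ("identifier key" per line, '#' comments), the '*' wildcard identifier, the addresses and the keys are all constructed here; how the actual wildcard patch orders its lookup is not stated in the report and is modelled as a parameter.

```python
"""Model of pre-shared-key selection and HASH verification for IKEv1 PSK auth.

Added example; not racoon code. It shows that if a wildcard entry is consulted
ahead of the exact peer entry, the derived SKEYID differs and the peer's HASH
payload fails verification, which is what "HASH mismatched" reports.
"""
import hashlib
import hmac

# Constructed psk.txt: addresses and keys are invented for this example.
PSK_FILE = """
# identifier        key
192.0.2.179         correct-key-for-peer
*                   roadwarrior-shared-key
"""


def parse_psk(text):
    """Parse 'identifier key' lines; '#' starts a comment. Returns (id, key) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ident, key = line.split(None, 1)
        entries.append((ident, key.strip()))
    return entries


def lookup_psk(entries, peer_id, wildcard_first=False):
    """Select the key for peer_id.

    Exact identifier matches win by default. wildcard_first=True models a lookup
    (an assumption, not racoon's documented behaviour) in which a '*' entry
    shadows the exact entry.
    """
    exact = [k for i, k in entries if i == peer_id]
    wild = [k for i, k in entries if i == "*"]
    order = wild + exact if wildcard_first else exact + wild
    return order[0] if order else None


def skeyid_psk(psk, nonce_i, nonce_r):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk.encode(), nonce_i + nonce_r, hashlib.sha1).digest()


def hash_payload(skeyid, body):
    """HASH_I/HASH_R = prf(SKEYID, ...); body stands in for the concatenated fields."""
    return hmac.new(skeyid, body, hashlib.sha1).digest()


def verify_peer_hash(entries, peer_id, peer_key, nonce_i, nonce_r, body,
                     wildcard_first=False):
    """Return True if the HASH the peer computed with peer_key verifies under
    the key our PSK file selects for peer_id."""
    received = hash_payload(skeyid_psk(peer_key, nonce_i, nonce_r), body)
    ours = lookup_psk(entries, peer_id, wildcard_first)
    if ours is None:
        return False
    expected = hash_payload(skeyid_psk(ours, nonce_i, nonce_r), body)
    return hmac.compare_digest(received, expected)


# Constructed nonces and message body for a stand-alone run.
NI, NR = b"\x01" * 16, b"\x02" * 16
BODY = b"g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b"
ENTRIES = parse_psk(PSK_FILE)

if __name__ == "__main__":
    for mode in (False, True):
        ok = verify_peer_hash(ENTRIES, "192.0.2.179", "correct-key-for-peer",
                              NI, NR, BODY, wildcard_first=mode)
        print("wildcard_first=%s -> %s" % (mode, "HASH ok" if ok else "HASH mismatched"))
```

Run stand-alone, the first line reports "HASH ok" and the second "HASH mismatched": the only thing that changed between the two is which psk.txt entry supplied the key, which is the same kind of change the report describes between its two traces.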