racoon problem with transport mode

Tobias Roth roth at iam.unibe.ch
Sun Jun 8 11:59:13 PDT 2003


Hi

I want to set up an ipsec transport connection between two freebsd
hosts, 192.168.0.1 (host A) and 192.168.0.66 (host B). It seems like
the connection is set up correctly in only one direction:

B# ping -c 1 192.168.0.1

A# setkey -lD
No SAD entries. [a couple of those]
0300 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0301 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0302 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0303 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0304 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
No SAD entries. [from now on, only those]

B# setkey -lD
No SAD entries. [again a couple of those]
0255 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0256 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0257 esp M 09d18b19   0/big #255 192.168.0.66 -> #255 192.168.0.1
0257 esp M 051798e8   0/big #255 192.168.0.1 -> #255 192.168.0.66
[from now on, the last two lines get repeated]

A# cat racoon.log [only interesting parts]
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.1[500] used as isakmp
      port (fd=5)
INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1
      negotiation: 192.168.0.1[500]<=>192.168.0.66[500]
INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper
        pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established
      192.168.0.1[500]-192.168.0.66[500] spi:591b8a7c82d7c22f:
      2146f0ef2fc89438
INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2
      negotiation: 192.168.0.1[0]<=>192.168.0.66[0]
ERROR: pfkey.c:210:pfkey_handler(): pfkey UPDATE failed:
       Invalid argument
ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed:
       Invalid argument
ERROR: pfkey.c:741:pfkey_timeover(): 192.168.0.66 give up to get
       IPsec-SA due to time up to wait.

B# cat racoon.log
INFO: isakmp.c:1358:isakmp_open(): 192.168.0.66[500] used as isakmp
      port (fd=5)
INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for
      192.168.0.1 queued due to no phase1 found.
INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1
      negotiation: 192.168.0.66[500]<=>192.168.0.1[500]
INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
INFO: vendorid.c:128:check_vendorid(): received Vendor ID:KAME/racoon
NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper
        pskey, try to get one by the peer's address.
INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established
      192.168.0.66[500]-192.168.0.1[500] spi:591b8a7c82d7c22f:
      2146f0ef2fc89438
INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2
      negotiation: 192.168.0.66[0]<=>192.168.0.1[0]
INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established:
      ESP/Transport 192.168.0.1->192.168.0.66 spi=85432552(0x51798e8)
INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established:
      ESP/Transport 192.168.0.66->192.168.0.1 spi=164727577(0x9d18b19)


When I flush the SPD, pinging from both sides works. Though when I ping
from A to B instead of from B to A as above (with the SPs set), I get a
"ping: sendto: No such file or directory".

My racoon.conf files look correct to me:

A# cat racoon.conf [heavily snipped]
path pre_shared_key "/usr/local/etc/psk.txt"
listen
{
        isakmp 192.168.0.1 [500];
}
remote anonymous
{
[snip]
}
sainfo anonymous
{
[snip]
}

and on B the same except the listen part. The stuff I snipped is also
identical on both hosts; it has been taken from Dru Lavigne's onlamp
tutorial (great work, btw!).

psk.txt has correct privileges and looks like this on both hosts:

192.168.0.66 secretkey
192.168.0.1  secretkey

A# setkey -DP [snipped a bit]
192.168.0.66[any] 192.168.0.1[any] any
        in ipsec
        esp/transport/192.168.0.66-192.168.0.1/require
192.168.0.1[any] 192.168.0.66[any] any
        out ipsec
        esp/transport/192.168.0.1-192.168.0.66/require


Ok, I think that's all information that is important. I don't really
know where to look for the problem, is it a problem at phase 2, or is
phase 1 briefly established and then somehow collapses, and therefore
the problem is at phase 1? Can I rule out a routing problem, due to
the fact that with a flushed SPD, pinging works? The firewall is set
to let everything pass, btw. Is it a problem that both hosts are on
the same subnet?

Any help is appreciated, and please tell me if you need more information.

thx in advance, t.
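An added diagnostic helper, not part of the original post and not one of the racoon/KAME tools: it parses the compact SAD dump lines and the racoon.log excerpts quoted above and reports, per traffic direction on each host, whether an IPsec SA ever reached the mature state and which pfkey operations the kernel rejected. It assumes the third column of the dump is a state letter (L read as larval, M as mature) and that the endpoints follow the `#N src -> #N dst` layout shown; the sample text embedded below is constructed from the post, so the script runs offline.

```python
"""Summarize SA state per direction from setkey dump lines and racoon.log text.

Assumptions (not confirmed by the post): the third token of a dump line is a
state letter, L = larval and M = mature; the SPI is the fourth token; the
endpoints are given as '#N src -> #N dst'.  Wrapped racoon.log lines are
joined before matching so the error reason is not lost on the next line.
"""
import re
from collections import defaultdict

SAD_LINE = re.compile(
    r"^\s*\S+\s+(?P<proto>\w+)\s+(?P<state>[A-Za-z])\s+(?P<spi>[0-9a-fA-F]+)"
    r"\s+\S+\s+#\d+\s+(?P<src>[0-9.]+)\s+->\s+#\d+\s+(?P<dst>[0-9.]+)"
)
STATE_NAMES = {"L": "larval", "M": "mature", "D": "dying", "d": "dead"}  # assumed mapping
PFKEY_ERROR = re.compile(r"pfkey (?P<op>UPDATE|ADD) failed:\s*(?P<why>.*)")


def parse_sad(text):
    """Return {(src, dst): {state_name: {spi, ...}}} from compact dump lines."""
    sas = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = SAD_LINE.match(line)
        if not m:
            continue  # skips 'No SAD entries.' and bracketed commentary
        state = STATE_NAMES.get(m["state"], m["state"])
        sas[(m["src"], m["dst"])][state].add(m["spi"].lower())
    return sas


def pfkey_failures(log_text):
    """List of (operation, reason) for 'pfkey ... failed' lines in a racoon log."""
    joined = re.sub(r"\n[ \t]+", " ", log_text)  # re-join wrapped continuation lines
    return [(m["op"], m["why"].strip()) for m in PFKEY_ERROR.finditer(joined)]


def diagnose(sad_by_host, log_by_host):
    """Per host: directions with a mature SA, directions stuck larval, pfkey errors."""
    report = {}
    for host, sad_text in sad_by_host.items():
        sas = parse_sad(sad_text)
        mature = {k for k, s in sas.items() if s.get("mature")}
        larval_only = {k for k, s in sas.items() if s.get("larval") and not s.get("mature")}
        report[host] = {
            "mature": mature,
            "larval_only": larval_only,
            "pfkey_errors": pfkey_failures(log_by_host.get(host, "")),
        }
    return report


# Constructed sample input, shaped like the dumps and logs quoted in the post.
SAD_A = """No SAD entries.
0300 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
0301 esp L 09d18b19 ???/??? #255 192.168.0.66 -> #255 192.168.0.1
No SAD entries.
"""
SAD_B = """0255 esp L 051798e8 ???/??? #255 192.168.0.1 -> #255 192.168.0.66
0257 esp M 09d18b19   0/big #255 192.168.0.66 -> #255 192.168.0.1
0257 esp M 051798e8   0/big #255 192.168.0.1 -> #255 192.168.0.66
"""
LOG_A = """INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established
      192.168.0.1[500]-192.168.0.66[500]
ERROR: pfkey.c:210:pfkey_handler(): pfkey UPDATE failed:
       Invalid argument
ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed:
       Invalid argument
"""
LOG_B = """INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established:
      ESP/Transport 192.168.0.1->192.168.0.66 spi=85432552(0x51798e8)
"""

if __name__ == "__main__":
    for host, info in diagnose({"A": SAD_A, "B": SAD_B}, {"A": LOG_A, "B": LOG_B}).items():
        print(host, "mature:", sorted(info["mature"]))
        print(host, "larval only:", sorted(info["larval_only"]))
        for op, why in info["pfkey_errors"]:
            print(host, "pfkey", op, "failed:", why)
```

On the sample, host B shows mature SAs in both directions while host A never gets past larval and logs the kernel refusing both the UPDATE and the ADD, which is the comparison worth making before looking at phase 1 or routing: phase 1 and the phase 2 negotiation completed on both ends, and the break is at SA installation on A.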


More information about the freebsd-questions mailing list