ipsec changes in 5.2

Andrew Thomson andrewjt at applecomm.net
Tue Jan 20 21:04:57 PST 2004


Can't quite access my laptop from work so I've replicated the scenario
here at work on my 5.2 desktop.

My host: 192.168.13.202
Firewall: 192.168.13.1

Just recompiled kernel with IPSEC options and installed racoon.

Install the following as per previous setup:

spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec
   esp/tunnel/192.168.13.202-192.168.13.1/require;
spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec
   esp/tunnel/192.168.13.1-192.168.13.202/require;

Have an all.log tail and a tcpdump on xl0 listening for my ip or the
firewall ip.

I then try a single ping to the firewall.

ping -c 1 192.168.13.1
PING 192.168.13.1 (192.168.13.1): 56 data bytes
64 bytes from 192.168.13.1: icmp_seq=0 ttl=64 time=0.373 ms

--- 192.168.13.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms
 ajt at itouch-1011:~ > ping -c 1 192.168.13.1
PING 192.168.13.1 (192.168.13.1): 56 data bytes

--- 192.168.13.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

all.log

Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:1682:isakmp_post_acquire():
IPsec-SA request for 192.168.13.1 queued due to no phase1 found. 
Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:796:isakmp_ph1begin_i():
initiate new phase 1 negotiation:
192.168.13.202[500]<=>192.168.13.1[500] 
Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:801:isakmp_ph1begin_i():
begin Aggressive mode.  
Jan 21 15:56:51 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
phase2 negotiation failed due to time up waiting for phase1. ESP
192.168.13.1->192.168.13.202  
Jan 21 15:56:51 1011 racoon: INFO: isakmp.c:1779:isakmp_chkph1there():
delete phase 2 handler. 
Jan 21 15:57:00 1011 racoon: INFO: isakmp.c:1701:isakmp_post_acquire():
request for establishing IPsec-SA was queued due to no phase1 found. 
Jan 21 15:57:32 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
phase2 negotiation failed due to time up waiting for phase1. ESP
192.168.13.1->192.168.13.202  

However as soon as I setkey -FP and try the ping again...

It works.. and it's only once SPD entries are cleared that I see
anything on xl0 - previously with the SPD in place there was nothing.
Especially the udp 500 communication that is obviously essential to
setting up the VPN appears..!

Any tips appreciated... Again this worked between a 5.0 <-> 4.9p1 host
setup.

thanks,

ajt.

On Wed, 2004-01-21 at 14:38, Kris Kennaway wrote:
> On Tue, Jan 20, 2004 at 10:29:51AM +1100, Andrew Thomson wrote:
> > I'm really more interested in changes wrt ipsec since 5.0! ;)
> > 
> > I just upgraded my laptop from 5.0 to 5.2 the other day and now my IPSEC
> > VPN doesn't work.
> > 
> > I run a VPN over my wireless adhoc network at home.
> > 
> > There are just two hosts on the network, the firewall and the laptop.
> > 
> > The firewall is running Freebsd 4.8.
> > 
> > When my laptop was on 5.0 the following setup worked a treat. However
> > since the upgrade, the VPN has stopped working.
> 
> Is anything logged by the kernel?  What does tcpdump show happening on
> the wire?
> 
> Kris
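Added example, not from the thread: a small Python checker that parses spdadd statements like the ones above and reports any outbound "require" policy whose selector also covers the IKE (UDP/500) exchange between its own tunnel endpoints. With `any` and `0.0.0.0/0` the policy asks for ESP on the very packets that have to negotiate the ESP SA, which is consistent with seeing no UDP/500 on the wire until `setkey -FP`; the SPD_TEXT sample is constructed from the post, and it only handles the tunnel-mode ESP form used there.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two policies from the post above, verbatim.
SPD_TEXT = """
spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec
   esp/tunnel/192.168.13.202-192.168.13.1/require;
spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec
   esp/tunnel/192.168.13.1-192.168.13.202/require;
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network   # selector source
    dst: ipaddress.IPv4Network   # selector destination
    upperspec: str               # "any", "udp", "tcp", "icmp", ...
    direction: str               # "in" or "out"
    level: str                   # "require", "use", "default"
    tunnel_src: str              # outer (tunnel) source address
    tunnel_dst: str              # outer (tunnel) destination address

# Only the "esp/tunnel/SRC-DST/LEVEL" form is recognised (assumption).
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """Parse tunnel-mode ESP spdadd statements into Policy records."""
    pols = []
    for m in SPDADD_RE.finditer(text):
        src, dst, upper, direction, tsrc, tdst, level = m.groups()
        pols.append(Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                           upper, direction, level, tsrc, tdst))
    return pols

def ike_covered_by_require(policies, proto="udp"):
    """Return outbound 'require' policies whose selector also matches the IKE
    packets (UDP/500) sent from their own tunnel source to their tunnel
    destination. Such a policy demands ESP for the negotiation traffic
    itself, so phase 1 cannot leave the host unless the IKE daemon's
    socket bypasses the SPD."""
    hits = []
    for p in policies:
        if p.direction != "out" or p.level != "require":
            continue
        ike_src = ipaddress.ip_address(p.tunnel_src)
        ike_dst = ipaddress.ip_address(p.tunnel_dst)
        if p.upperspec in ("any", proto) and ike_src in p.src and ike_dst in p.dst:
            hits.append(p)
    return hits

if __name__ == "__main__":
    for p in ike_covered_by_require(parse_spd(SPD_TEXT)):
        print(f"outbound require policy {p.src} -> {p.dst} ({p.upperspec}) also "
              f"matches IKE {p.tunnel_src}:500 -> {p.tunnel_dst}:500")
```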
