
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] what is wrong with my conf ?
From:       Daniel Chojecki <daniel.chojecki () gmail ! com>
Date:       2008-02-11 11:11:25
Message-ID: 47B02D5D.6090200 () gmail ! com

VANHULLEBUS Yvan writes:

> Can you test again, with ipsec-tools-0.7-beta2+new kernel and/or with
> ipsec-tools-0.7+old kernel ?

I have checked with the old kernel and ipsec-tools - the same.
Meanwhile I have installed the latest 2.6.24.2 kernel.

I have found something strange in logs:

Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: Reading configuration from "/usr/local/etc/racoon.conf"
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: Resize address pool from 0 to 255
Feb 11 12:02:12 ipsecgw-node1 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=9)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[4500] used as isakmp port (fd=10)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: xxx.xxx.xxx.xxx[4500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[500] used as isakmp port (fd=11)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[500] used for NAT-T
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[4500] used as isakmp port (fd=12)
Feb 11 12:02:12 ipsecgw-node1 racoon: INFO: 10.10.51.31[4500] used for NAT-T
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>77.112.75.7[500]
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: begin Identity Protection mode.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: RFC 3947
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: DPD
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Selected NAT-T version: RFC 3947
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Adding xauth VID payload.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-D payload #0 verified
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing 77.112.75.7[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-D payload #1 verified
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT not detected
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing 77.112.75.7[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #1
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: NAT-T: ports changed to: 77.112.75.7[4500]<->xxx.xxx.xxx.xxx[4500]
Feb 11 12:02:20 ipsecgw-node1 racoon: WARNING: No ID match.
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: No SIG was passed, but hybrid auth is enabled
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: Sending Xauth request
Feb 11 12:02:20 ipsecgw-node1 racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-77.112.75.7[4500] spi:efde654ae2b59094:204399046e28df30
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: Using port 0
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: ldap returned modecfg address 10.10.52.2
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: ldap returned modecfg netmask 255.255.255.0
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: attempting ldap bind for dn 'uid=boka,ou=Users,dc=DOM,dc=PL'
Feb 11 12:02:21 ipsecgw-node1 racoon: INFO: login succeeded for user "boka"
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>77.112.75.7[4500]
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: no policy found, try to generate the policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: IPsec-SA established: ESP/Tunnel 77.112.75.7[0]->xxx.xxx.xxx.xxx[0] spi=143322318(0x88aecce)
Feb 11 12:02:31 ipsecgw-node1 racoon: INFO: IPsec-SA established: ESP/Tunnel xxx.xxx.xxx.xxx[4500]->77.112.75.7[4500] spi=3103342626(0xb8f94022)

Feb 11 12:02:31 ipsecgw-node1 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
Feb 11 12:02:31 ipsecgw-node1 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument

Is it right?

Best Regards
Daniel
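The log above is easier to triage if the per-peer sequence (phase 1, xauth login, phase 2, generated policy, and any ERROR lines that follow) is pulled out mechanically. Below is an added example, not code from the post or from ipsec-tools, that does that over constructed racoon lines modelled on the ones quoted; the addresses, user name and SPI values in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the racoon log in the post (addresses/user invented).
SAMPLE_LOG = """\
Feb 11 12:02:20 gw racoon: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Feb 11 12:02:20 gw racoon: INFO: NAT not detected
Feb 11 12:02:20 gw racoon: INFO: NAT-T: ports changed to: 198.51.100.7[4500]<->192.0.2.10[4500]
Feb 11 12:02:20 gw racoon: WARNING: No ID match.
Feb 11 12:02:20 gw racoon: INFO: ISAKMP-SA established 192.0.2.10[4500]-198.51.100.7[4500] spi:00:11
Feb 11 12:02:21 gw racoon: INFO: login succeeded for user "alice"
Feb 11 12:02:31 gw racoon: INFO: respond new phase 2 negotiation: 192.0.2.10[4500]<=>198.51.100.7[4500]
Feb 11 12:02:31 gw racoon: INFO: no policy found, try to generate the policy : 10.10.52.2/32[0] 10.10.0.0/16[0] proto=any dir=in
Feb 11 12:02:31 gw racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.7[0]->192.0.2.10[0] spi=1(0x1)
Feb 11 12:02:31 gw racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
"""

# syslog prefix, racoon tag, severity, free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
                     r"(?P<level>[A-Z]+): (?P<msg>.*)$")
# "respond new phase N negotiation: local[port]<=>peer[port]" opens a per-peer context
PEER_RE = re.compile(r"phase (?P<phase>[12]) negotiation: \S+<=>(?P<peer>[^\[]+)\[")


def summarize_racoon(log_text):
    """Group racoon messages by the remote peer of the most recent negotiation and
    record which phases were reached, NAT-T port float, xauth user, the policy racoon
    had to generate itself, and every WARNING/ERROR seen under that peer."""
    peers = defaultdict(lambda: {"phase1": False, "phase2": False, "user": None,
                                 "nat_t_ports_changed": False, "generated_policy": None,
                                 "warnings": [], "errors": []})
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a racoon line; ignore
        level, msg = m.group("level"), m.group("msg")
        pm = PEER_RE.search(msg)
        if pm:                            # new negotiation: switch peer context
            current = pm.group("peer")
            peers[current]["phase" + pm.group("phase")] = True
            continue
        if current is None:
            continue                      # startup chatter before any negotiation
        rec = peers[current]
        if msg.startswith("NAT-T: ports changed to:"):
            rec["nat_t_ports_changed"] = True
        elif msg.startswith("login succeeded for user"):
            rec["user"] = msg.split('"')[1]
        elif msg.startswith("no policy found, try to generate the policy"):
            rec["generated_policy"] = msg.split(" : ", 1)[1]
        elif level == "WARNING":
            rec["warnings"].append(msg)
        elif level == "ERROR":
            rec["errors"].append(msg)
    return dict(peers)
```

A non-empty `errors` list on a peer whose `generated_policy` is set is exactly the situation in the post: the SPD update for a racoon-generated policy was rejected by the kernel after the SAs were already installed.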

