
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] [Ipsec-tools-users] Failure matching sainfo when PFS is not configured
From:       Stephen Clark <sclark46 () earthlink ! net>
Date:       2014-02-13 16:46:11
Message-ID: 52FCF6D3.9020407 () earthlink ! net

On 02/12/2014 07:18 PM, Melissa Jenkins wrote:
> > Fair enough.  From what you shared there is a "remoteid mismatch: 0 != 1"
> > reported, which says that the remote end is not sending the id requested from
> > your local peer.  Have you tried increasing the verbosity of the log and also
> > have a look at the remote peer's logs?
> > > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', \
> > >                 rmt='ANONYMOUS', peer='ANY', id=0
> > > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
> > > 
> Yup - that’s because the ANONYMOUS sainfo doesn’t match because of the peer id.  As \
> I don’t want it to match this isn’t actually a problem :) 
> > > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: \
> > >                 loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
> > > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id \
> > > mismatch 0 != 47
> This is the one that should match that isn’t :(
> 
> Unfortunately I am unable to get access to the remote log - I am currently logging \
> at DEBUG and I don’t really want to increase this as it has a negative impact on a \
> lot of other IPsecs! 
> I shall see if I can reproduce with a ipsec-tools to ipsec-tools configuration.
> 
> 
> On 13 Feb 2014, at 12:57, Mick<michaelkint
> > Alternatively, you may want to try posting at the ipsec-tools-devel list in
> > case you have come across a bug.
> Attached original mail below and copied
> 
> Thanks!
> Mel
> 
> Begin forwarded message:
> 
> > From: Melissa Jenkins<melissa-freebsd@littlebluecar.co.uk>
> > Subject: [Ipsec-tools-users] Failure matching sainfo when PFS is not configured
> > Date: 11 February 2014 20:27:35 GMT+13
> > To: "ipsec-tools-users@lists.sourceforge.net"<ipsec-tools-users@lists.sourceforge.net>
> >  
> > I’ve been trying to configure ipsec-tools to talk to a peer that prefers not to \
> > use PFS.  Our default configuration uses 3DES, but this specific VPN needs to be \
> > configured using AES256. 
> > I have confirmed that AES256 works correctly and when configured as the default \
> > the IPsec will establish. 
> > If the AES256 setting is configured using a ‘sainfo’ specific for that IPSec it \
> > will only work if pfs_group is configured. 
> > Without configuring pfs_group I always get the following logging.  It then \
> > proceeds to fail to match the PH2 proposed as it is using 3DES rather than the \
> > sainfo specified AES256. 
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: getsainfo params: loc='192.168.0.0/24' \
> >                 rmt='192.168.1.0/24' peer='xxx.yyy.zzz.aaa' client='NULL' id=1
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: \
> >                 loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id \
> > mismatch 0 != 47
It appears the remote is set up to only encrypt GRE traffic (proto 47).

> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', \
> >                 rmt='ANONYMOUS', peer='ANY', id=0
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
> > 
> > I am using 8.0 rev 2 on FreeBSD 8.3.  I can’t see anything in the change log to \
> > suggest this would be different in later versions. I’ve had a peek in the code \
> > but I can’t see why setting PFS would change this situation. 
> > Thanks,
> > Mel
> > 
> > remote xxx.yyy.zzz.aaa
> > {
> > exchange_mode main;
> > doi ipsec_doi;
> > situation identity_only;
> > nonce_size 16;
> > initial_contact on;
> > proposal_check obey;
> > dpd_delay 120;
> > ph1id 1;
> > 
> > proposal {
> > encryption_algorithm aes 256;
> > hash_algorithm sha1;
> > authentication_method pre_shared_key;
> > dh_group modp1024;
> > lifetime time 7200 seconds;
> > }
> > }
> > 
> > sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any
> > {
> > remoteid 1;
> > encryption_algorithm aes 256;
> > authentication_algorithm hmac_sha1;
> > compression_algorithm deflate;
> > lifetime time 3600 seconds;
> > }
> > ------------------------------------------------------------------------------
> > Android apps run on BlackBerry 10
> > Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
> > Now with support for Jelly Bean, Bluetooth, Mapview and more.
> > Get your Android app in front of a whole new audience.  Start now.
> > http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Ipsec-tools-users mailing list
> > Ipsec-tools-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users
> 
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
> 
> 


-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
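To make the selection walk visible in the DEBUG lines quoted above, here is a small model of how racoon picks a sainfo for a Phase 2 exchange: the remoteid gate first, then the local selectors compared field by field against the peer's quick-mode ID payloads. This is an added example written for this page, not racoon's source; the function names (`getsainfo`, `compare_ids`), the treatment of sainfo `any` as protocol 0, and the operand order in the mismatch message (local sainfo value first, peer value second, as Stephen reads "0 != 47") are assumptions inferred from the quoted log and from the ID payload layout in RFC 2407 section 4.6.2. The peer's ID payloads are constructed inline as a GRE-only (protocol 47) peer would send them; PFS is not modelled.

```python
"""Model of racoon's sainfo selection for one quick-mode exchange (not racoon's code)."""
import struct
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPsec DOI identification types (RFC 2407, 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ANY_PROTO = 0   # assumption: sainfo "any" modelled as protocol 0 (matches the "0 != 47" log)
ANY_PORT = 0


@dataclass(frozen=True)
class Phase2Id:
    id_type: int
    proto_id: int
    port: int
    network: ipaddress.IPv4Network


def build_id_payload(id_type: int, proto_id: int, port: int,
                     network: ipaddress.IPv4Network) -> bytes:
    """Encode an Identification payload body: type(1) proto(1) port(2) data."""
    head = struct.pack("!BBH", id_type, proto_id, port)
    if id_type == ID_IPV4_ADDR:
        return head + network.network_address.packed
    if id_type == ID_IPV4_ADDR_SUBNET:
        return head + network.network_address.packed + network.netmask.packed
    raise ValueError(f"unsupported ID type {id_type}")


def parse_id_payload(body: bytes) -> Phase2Id:
    """Decode an Identification payload body into its selector fields."""
    id_type, proto_id, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network(data)                      # host /32
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        mask = str(ipaddress.IPv4Address(data[4:8]))
        net = ipaddress.IPv4Network((data[:4], mask), strict=False)
    else:
        raise ValueError(f"unsupported or truncated ID type {id_type}")
    return Phase2Id(id_type, proto_id, port, net)


@dataclass(frozen=True)
class Sainfo:
    name: str
    remoteid: int
    idsrc: Optional[Phase2Id]   # None models "sainfo anonymous"
    iddst: Optional[Phase2Id]


def describe(ident: Optional[Phase2Id]) -> str:
    return "ANONYMOUS" if ident is None else str(ident.network)


def compare_ids(local: Phase2Id, peer: Phase2Id, log: List[str]) -> bool:
    """Literal field compare; "any" is not a wildcard here, which reproduces the log."""
    checks = (("id type", local.id_type, peer.id_type),
              ("proto_id", local.proto_id, peer.proto_id),
              ("port", local.port, peer.port),
              ("address", local.network, peer.network))
    for field, mine, theirs in checks:
        if mine != theirs:
            log.append(f"check and compare ids : {field} mismatch {mine} != {theirs}")
            return False
    return True


def getsainfo(loc: Phase2Id, rmt: Phase2Id, remoteid: int,
              table: List[Sainfo], log: List[str]) -> Optional[Sainfo]:
    """Walk the sainfo table in order: remoteid gate first, then both selectors."""
    for s in table:
        log.append(f"evaluating sainfo: loc='{describe(s.idsrc)}', "
                   f"rmt='{describe(s.iddst)}', peer='ANY', id={s.remoteid}")
        if s.remoteid != remoteid:
            log.append(f"remoteid mismatch: {s.remoteid} != {remoteid}")
            continue
        if s.idsrc is None or s.iddst is None:
            return s                          # anonymous entry matches any selectors
        if compare_ids(s.idsrc, loc, log) and compare_ids(s.iddst, rmt, log):
            return s
    return None


def run_scenario(sainfo_ul_proto: int) -> Tuple[Optional[str], List[str]]:
    """Constructed scenario from the thread: the peer proposes GRE-only (47) selectors
    for 192.168.0.0/24 <-> 192.168.1.0/24; our sainfo carries `sainfo_ul_proto`."""
    src_net = ipaddress.IPv4Network("192.168.0.0/24")
    dst_net = ipaddress.IPv4Network("192.168.1.0/24")
    loc = parse_id_payload(build_id_payload(ID_IPV4_ADDR_SUBNET, 47, ANY_PORT, src_net))
    rmt = parse_id_payload(build_id_payload(ID_IPV4_ADDR_SUBNET, 47, ANY_PORT, dst_net))
    table = [
        Sainfo("aes-vpn", 1,
               Phase2Id(ID_IPV4_ADDR_SUBNET, sainfo_ul_proto, ANY_PORT, src_net),
               Phase2Id(ID_IPV4_ADDR_SUBNET, sainfo_ul_proto, ANY_PORT, dst_net)),
        Sainfo("default", 0, None, None),     # the ANONYMOUS 3DES entry, no remoteid
    ]
    log: List[str] = []
    match = getsainfo(loc, rmt, remoteid=1, table=table, log=log)
    return (match.name if match else None), log


if __name__ == "__main__":
    for proto in (ANY_PROTO, 47):
        matched, lines = run_scenario(proto)
        print(f"sainfo ul_proto={proto}: matched={matched}")
        for line in lines:
            print("  DEBUG:", line)
```

With the sainfo carrying `any` the walk produces the same four DEBUG lines as the thread (proto_id mismatch 0 != 47 on the remoteid-1 entry, then remoteid mismatch 0 != 1 on the anonymous one) and no sainfo is selected; with the upper-layer protocol set to 47 on both selectors the first entry matches. Which end should change (narrowing the local selectors to GRE, or having the peer propose `any`) is a policy decision for the two administrators, and the model says nothing about why PFS alters the outcome in the original report.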





