
List:       openikev2-users
Subject:    [openikev2-users] Fwd: message exchange not happening..log attached
From:       "Pedro J. Fernández Ruiz" <pedroj.fernandez () dif ! um ! es>
Date:       2007-03-13 10:05:57
Message-ID: eee6cb920703130305q5e758d46r49c26ee9d1fa875e () mail ! gmail ! com

---------- Forwarded message ----------
From: Pedro J. Fernández Ruiz <pedroj.fernandez@gmail.com>
Date: 12-mar-2007 16:23
Subject: Re: message exchange not happening..log attached
To: Mahendra Prajapat <mahendra.p@samsung.com>


Hi! I think this is what is happening:

The policies aren't set properly. You need to create the policies that
allow IKEv2 messages to go without encryption. OpenIKEv2 can help you
do this easily: just set generate_allow_policies to true in the
policies statement. See the example below. I hope it is useful for you.

Regards!


    policies{
        # Indicates that the SPD will be flushed before adding the new ones
        flush_before = true

        # Indicate if the allow policies must be automatically generated.
        # These policies allow IPv4 and IPv6 IKE traffic and ICMPv6 Neighbor
        # Solicitation and Neighbor Advertisement
        generate_allow_policies = true

        # Define a policy to be added in the SPD
        policy{
            # Source address range of the traffic matching this policy
            src_selector = 192.168.1.0/24

            # Source port of the traffic matching this policy (0 = any port)
            src_port = 0

            # Destination address range of the traffic matching this policy
            dst_selector = 192.168.2.15/32

            # Destination port of the traffic matching this policy (0 = any port)
            dst_port = 0

            # IP protocol of the traffic matching this policy (tcp, udp, icmp,
            # icmpv6 or any number)
            ip_proto = tcp

            # Direction of the policy (in, out, fwd, all). If all is selected,
            # the policy is assumed as out and the symmetric in and fwd
            # directions are automatically generated
            dir = all

            # IPsec protocol to be used (esp, ah, none). If none is used, then
            # ipsec will not be used for such traffic.
            ipsec_proto = esp

            # IPsec mode to be applied (transport, tunnel)
            mode = transport

            # Source tunnel address (only needed when tunnel mode is selected)
            src_tunnel = 192.168.1.1

            # Destination tunnel address (only needed when tunnel mode is selected)
            dst_tunnel = 192.168.2.15

            # Policy priority
            priority = 1000
        }

        # Inbound mirror of the policy above (same /24 network as src_selector there)
        policy{
            src_selector = 192.168.2.15/32
            dst_selector = 192.168.1.0/24
            ip_proto = tcp
            dir = in
            ipsec_proto = esp
        }
    }


2007/3/12, Mahendra Prajapat <mahendra.p@samsung.com>:
>
> Dear Mr. Pedro,
>
> Thanks a lot for your earliest reply.
>
> I am still facing one issue: message exchange is not starting.
>
> I am using PFKEY instead of XFRM as IPsec interface.
>
> From the log I can see everything is running fine but message exchange
> is not starting. From the debugger I can see it is waiting for some
> notification.
>
> It is stopping in openikev2.cpp at waitForExitNotify():
>
>     void waitForExitNotify(){
>         this->exit_semaphore->wait();
>     }
>
> If you can tell how message exchange can be started, then I shall be
> highly thankful to you.
>
> For your information the log is attached with this mail.
>
> Looking for your positive response.
>
> Thanks and Regards,
> Mahendra Kumar Prajapat
>
> LOG:
>
> [2007/03/12 19:07:11.781] [INFOR] OpenIKEv2: Running version 0.93: Mode=[BACKGROUND] PID=[7155]
> [2007/03/12 19:07:11.782] [INFOR] OpenIKEv2: Executable MD5 Checksum:
> MD5SUM=[4B:00:1C:87:7C:3F:D0:82:EE:CC:7C:0B:0F:F1:A4:32]
> [2007/03/12 19:07:11.782] [THRDS] OpenIKEv2: Starting: Thread ID=[-1209062816] (Main thread)
> [2007/03/12 19:07:11.783] [INFOR] UDPSocket: Listening from interface: Name=[eth0] Address=[107.108.82.133#500]
> [2007/03/12 19:07:11.783] [INFOR] UDPSocket: Listening from interface: Name=[eth0] Address=[fe80::218:8bff:fe06:70ba%eth0#500]
> [2007/03/12 19:07:11.793] [THRDS] NetworkController: Start: Thread ID=[20] Cookie Threshold=[5 half-opened IKE SAs] Max. Cookie Time=[20 seconds]
> [2007/03/12 19:07:12.180] [IPSEC] IPSecController: PF_KEY: Updating policies: Found Policies=[2]
>     <IPSEC_POLICY> {
>         id = 8
>         direction = DIR_IN
>         SRC SELECTOR ADDRESS = 107.108.72.28/32
>         DST SELECTOR ADDRESS = 107.108.82.133/32
>         ip protocol = UDP
>         src port = 500
>         dst port = 500
>         <SA_REQUEST> {
>             mode = TUNNEL_MODE
>             ipsec protocol = PROTO_ESP
>             level = LEVEL_REQUIRE
>             request id = 0
>             SRC TUNNEL ADDRESS = 107.108.72.28
>             DST TUNNEL ADDRESS = 107.108.82.133
>         }
>     }
>     <IPSEC_POLICY> {
>         id = 1
>         direction = DIR_OUT
>         SRC SELECTOR ADDRESS = 107.108.82.133/32
>         DST SELECTOR ADDRESS = 107.108.72.28/32
>         ip protocol = UDP
>         src port = 500
>         dst port = 500
>         <SA_REQUEST> {
>             mode = TUNNEL_MODE
>             ipsec protocol = PROTO_ESP
>             level = LEVEL_REQUIRE
>             request id = 0
>             SRC TUNNEL ADDRESS = 107.108.82.133
>             DST TUNNEL ADDRESS = 107.108.72.28
>         }
>     }
> [2007/03/12 19:07:27.931] [THRDS] IPSecController: Start: Thread ID=[21] Implementation=[PFKEYv2]
> [2007/03/12 19:07:27.936] [CONFG] OpenIKEv2: Reading data from file: Path=[/etc/openikev2/openikev2.conf]
>     <CONFIGURATION> {
>         <GENERAL_CONFIGURATION> {
>             cookie threshold = 5
>             cookie lifetime = 20
>             ike max halfopen time = 30
>             vendor id = openikev2-0.93
>             <ATTRIBUTE_MAP> {
>                 eap_users_filename = /etc/openikev2/eap_users.txt [STR]
>             }
>         }
>         <PEERS> {
>             <PEER_CONFIGURATION> {
>                 role = ROLE_INITIATOR
>                 <PEER_IDs> {
>                     <ID> {
>                         id type = ID_IPV4_ADDR
>                         identification data = 107.108.72.28
>                     }
>                 }
>                 <IKE_CONFIGURATION> {
>                     <PROPOSAL> {
>                         proposal # = 0
>                         <PROTOCOL> {
>                             id = PROTO_IKE
>                             spi size = 8
>                             spi value = [00:00:00:00:00:00:00:00]
>                             <TRANSFORM> {
>                                 type = ENCR
>                                 id = ENCR_AES_CBC
>                                 <ATTRIBUTE> {
>                                     format = ATTR_FORMAT_TV
>                                     type = ATTR_KEY_LEN
>                                     TVvalue = 256
>                                 }
>                             }
>                             <TRANSFORM> {
>                                 type = INTEG
>                                 id = AUTH_HMAC_SHA1_96
>                             }
>                             <TRANSFORM> {
>                                 type = PRF
>                                 id = PRF_HMAC_SHA1
>                             }
>                             <TRANSFORM> {
>                                 type = DH
>                                 id = 2
>                             }
>                         }
>                     }
>                     <ID> {
>                         id type = ID_IPV4_ADDR
>                         identification data = 107.108.82.133
>                     }
>                     auth method = AUTH_METHOD_PSK
>                     peer auth method = AUTH_METHOD_PSK
>                     preshared key =
> [74:68:69:73:20:66:69:6C:65:20:63:61:6E:20:62:65:20:77:68:61:74:65:76:65:72:20:6B:69:6E:64:20:6F:
> 66:20:66:69:6C:65:3A:20:54:58:54:2C:20:4A:50:47:2C:20:47:5A:49:50:2C:20:2E:2E:2E]
>                     peer preshared key =
> [74:68:69:73:20:66:69:6C:65:20:63:61:6E:20:62:65:20:77:68:61:74:65:76:65:72:20:6B:69:6E:64:20:6F:
> 66:20:66:69:6C:65:3A:20:54:58:54:2C:20:4A:50:47:2C:20:47:5A:49:50:2C:20:2E:2E:2E]
>                     request configuration = NO
>                     retransmition time = 5
>                     retransmition factor = 2
>                     rekey time = 120
>                     ike max exchange retransmitions = 3
>                     use eap = NO
>                     hash & url support = NO
>                     send CERT payload = YES
>                     send CERTREQ payload = YES
>                     <CERTIFICATE_CONTROLLER> {
>                         <CA_CERTIFICATES> {
>                         }
>                         <MY_CERTIFICATES> {
>                         }
>                         <MY_HASH_URL_CERTIFICATES> {
>                         }
>                         <BLACK_LIST> {
>                         }
>                         <WHITE_LIST> {
>                         }
>                     }
>                     <ATTRIBUTE_MAP> {
>                         configuration_method = none [STR]
>                         use_uname = NO [BOOL]
>                     }
>                 }
>                 <IPSEC_CONFIGURATION> {
>                     <PROPOSAL> {
>                         proposal # = 0
>                         <PROTOCOL> {
>                             id = PROTO_ESP
>                             spi size = 4
>                             spi value = [00:00:00:00]
>                             <TRANSFORM> {
>                                 type = ENCR
>                                 id = ENCR_3DES
>                             }
>                             <TRANSFORM> {
>                                 type = INTEG
>                                 id = AUTH_HMAC_SHA1_96
>                             }
>                         }
>                     }
>                     <PROPOSAL> {
>                         proposal # = 0
>                         <PROTOCOL> {
>                             id = PROTO_AH
>                             spi size = 4
>                             spi value = [00:00:00:00]
>                             <TRANSFORM> {
>                                 type = INTEG
>                                 id = AUTH_HMAC_SHA1_96
>                             }
>                         }
>                     }
>                     max_allocations_soft = 268435455
>                     max_allocations_hard = 268435455
>                     max_bytes_soft = 268435455
>                     max_bytes_hard = 268435455
>                     lifetime_soft = 500
>                     lifetime_hard = 268435455
>                     <ATTRIBUTE_MAP> {
>                     }
>                 }
>             }
>         }
>     }
> [2007/03/12 19:07:27.936] [THRDS] AlarmController: Start: Thread ID=[22]
>


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pedro Javier Fernández Ruiz
Faculty of Computer Science - University of Murcia
Murcia - Spain
Phone: +34 968 364644 (Dibulibu)  -  Mobile: +34 657112324
e-mails:
       pedroj.fernandez@dif.um.es
       pedroj.fernandez@gmail.com
       pedrojavier.fernandez@alu.um.es
       pedroj@um.es
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


_______________________________________________
openikev2-users mailing list
openikev2-users@dif.um.es
https://correo.dif.um.es/cgi-bin/mailman/listinfo/openikev2-users
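The diagnosis in the reply can be read straight off the quoted log: the only two SPD entries PF_KEY reports are for UDP port 500 between 107.108.82.133 and 107.108.72.28, both with level = LEVEL_REQUIRE and PROTO_ESP. The IKE_SA_INIT packet that would negotiate that ESP SA is therefore itself subject to a policy demanding the SA, so nothing ever leaves the socket and the daemon sits in waitForExitNotify(). The script below is an added check written for this page; it is not code from the thread or from OpenIKEv2. It parses the <IPSEC_POLICY> dump format as it appears in the log, flags any policy that would require IPsec for IKE's own UDP/500 or UDP/4500 traffic, and renders the missing bypass policy in the openikev2.conf policy{} syntax shown in the reply (ipsec_proto = none). Assumptions, marked in the code: a port of 0 in the dump means "any" as it does in the config file, the spelling "ANY" for a protocol wildcard, and that generate_allow_policies = true has the same effect as the rendered stanza rather than producing exactly that text. The sample input is abridged from the log quoted above.

```python
import re
from dataclasses import dataclass

IKE_PORTS = {500, 4500}  # UDP ports carrying IKE itself (4500 = NAT traversal)

# Abridged from the PF_KEY policy dump in the log quoted above ("> " quoting,
# colour codes and the tunnel/request-id lines removed).
SAMPLE_DUMP = """\
<IPSEC_POLICY> {
    id = 8
    direction = DIR_IN
    SRC SELECTOR ADDRESS = 107.108.72.28/32
    DST SELECTOR ADDRESS = 107.108.82.133/32
    ip protocol = UDP
    src port = 500
    dst port = 500
    <SA_REQUEST> {
        ipsec protocol = PROTO_ESP
        level = LEVEL_REQUIRE
    }
}
<IPSEC_POLICY> {
    id = 1
    direction = DIR_OUT
    SRC SELECTOR ADDRESS = 107.108.82.133/32
    DST SELECTOR ADDRESS = 107.108.72.28/32
    ip protocol = UDP
    src port = 500
    dst port = 500
    <SA_REQUEST> {
        ipsec protocol = PROTO_ESP
        level = LEVEL_REQUIRE
    }
}
"""

@dataclass
class SpdPolicy:
    policy_id: int
    direction: str
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int
    level: str = "NONE"  # no <SA_REQUEST>: traffic is not forced into IPsec

# "key = value" lines; keys may contain spaces ("SRC SELECTOR ADDRESS").
_KV = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(\S+)\s*$", re.M)

def parse_policy_dump(text: str) -> list:
    """Parse every <IPSEC_POLICY> block of an IPSecController log dump."""
    policies = []
    for chunk in text.split("<IPSEC_POLICY>")[1:]:
        kv = {k.strip(): v for k, v in _KV.findall(chunk)}
        policies.append(SpdPolicy(
            policy_id=int(kv["id"]),
            direction=kv["direction"],
            src=kv["SRC SELECTOR ADDRESS"],
            dst=kv["DST SELECTOR ADDRESS"],
            proto=kv["ip protocol"].upper(),
            src_port=int(kv["src port"]),
            dst_port=int(kv["dst port"]),
            level=kv.get("level", "NONE"),
        ))
    return policies

def traps_ike(p: SpdPolicy) -> bool:
    """True if the policy requires IPsec for IKE's own UDP packets, i.e. the
    IKE_SA_INIT that would create the SA is itself held waiting for that SA."""
    def covers(port):  # assumption: 0 means "any port", as in openikev2.conf
        return port == 0 or port in IKE_PORTS
    return (p.proto in ("UDP", "ANY")  # "ANY" spelling is an assumption
            and covers(p.src_port) and covers(p.dst_port)
            and p.level == "LEVEL_REQUIRE")

def allow_policy_stanza(local: str, peer: str, port: int = 500) -> str:
    """Bypass policy for IKE between two hosts, in the openikev2.conf syntax
    from the reply: ipsec_proto = none means no IPsec for this traffic and
    dir = all makes OpenIKEv2 derive the in/fwd mirrors. Assumed to have the
    same effect that generate_allow_policies = true achieves automatically."""
    return (
        "policy{\n"
        f"    src_selector = {local}/32\n"
        f"    src_port = {port}\n"
        f"    dst_selector = {peer}/32\n"
        f"    dst_port = {port}\n"
        "    ip_proto = udp\n"
        "    dir = all\n"
        "    ipsec_proto = none\n"
        "}\n"
    )

if __name__ == "__main__":
    for p in parse_policy_dump(SAMPLE_DUMP):
        if traps_ike(p):
            print(f"policy {p.policy_id} ({p.direction}) {p.src} -> {p.dst} udp "
                  f"{p.src_port}->{p.dst_port} requires IPsec: IKE cannot start")
    print(allow_policy_stanza("107.108.82.133", "107.108.72.28"))
```

Run it against your own daemon log after the "Updating policies" line; if any entry is reported, the IKE control channel is caught by its own protection policy and the fix is either the bypass stanza above for both peers or, as the reply says, generate_allow_policies = true so OpenIKEv2 installs the allow policies itself.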
