List:       snap-users
Subject:    (KAME-snap 4356) setup error? (WAS: IPsec policy based on protocol)
From:       "Koster, R.P." <R.P.Koster () kpn ! com>
Date:       2001-03-30 9:41:34
I hope someone can point out what's wrong with my setup. I have tried many things
and can't find out what's going wrong here.

PROBLEM:
Racoon crashes (core dump) while negotiating Phase 1. This happens on the
initiator side.
The only thing that works fine is a policy in which ALL traffic between two
machines is encrypted using ESP in either transport or tunnel mode. With all
other SPD configurations Racoon crashes.
(Racoon does not crash, however, after lots of debugging plog() lines were
added (in several Racoon source files) to localise the problem. The
receiving side, however, does not get an acceptable offer; the SA payload
might be invalid?)

SYSTEM:
FreeBSD 4.2-RELEASE
KAME SNAP (different versions tried, current of Mon 26 March)
(Also tried old pre-compiled downloaded version of Racoon, but with the same
result.)

It even happens on machines that are set up separately from each other, but
they have FreeBSD 4.2-RELEASE in common as OS.

STEPS TO INSTALL KAME (kernel + userland):
-steps from kame/INSTALL executed (openssl is in a different location
however)
-steps from kame/freebsd4/INSTALL executed

Could this be an OpenSSL topic? As far as I know the one supplied with
FreeBSD 4.2-RELEASE is used and compilation of KAME goes fine.

Paul
(I leave parts of my previous post here, because someone might see something
odd in the config files.)

-----Original Message-----
From: Koster, R.P. [mailto:R.P.Koster@kpn.com]
Sent: Wednesday 28 March 2001 10:24
To: snap-users@kame.net
Subject: (KAME-snap 4344) RE: IPsec policy based on protocol 

>It seems that IPsec policies can only be specified for the UDP and TCP
>protocol or ANY protocol. Why is there no support for other IP protocols
>(like Windows 2000 does for example) like ICMP (#1) or RSVP (#46)?
>
>It is possible to add such filters to the SPD but behaviour is not as
>expected: core dump in case of ICMP, RSVP is left unprotected.
>
>Will there be any support in the future for other IP protocols in Kame? It
>does not seem a big step if support for TCP and UDP is already there and
>there are no such things as source and destination port numbers.

	could you throw us the *exact* configuration on your side, not just
	the description?  (you can inhibit secret keys if you want to)

machine 1 "hand"
spdadd 10.0.0.2/32 10.0.1.2/32 46 -P out ipsec esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.2/32 46 -P in ipsec  esp/transport//require;

machine 2 "foot"
spdadd 10.0.1.2/32 10.0.0.2/32 46 -P out ipsec esp/transport//require;
spdadd 10.0.0.2/32 10.0.1.2/32 46 -P in ipsec  esp/transport//require;

racoon.conf "hand" :
path certificate "/usr/openssl/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode aggressive,main,base;

	#If my_identifier is omitted then the default
	#my_identifier address is assumed
	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
	certificate_type x509 "hand.pem" "kosterr@hand.arm.net.priv" ;
	my_identifier asn1dn;

	lifetime time 24 hour ;	# sec,min,hour

	#initial_contact off

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;
	}

	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	lifetime byte 50 MB ;
	encryption_algorithm 3des, cast128, blowfish, des, twofish, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

racoon.conf "foot":
identical to "hand" except that a different certificate is used:
certificate_type x509 "foot.pem" "kosterr@foot.leg.net.priv" ;

The (outdated?) man page also states that other protocols than UDP, TCP and
ANY are not possible.

Regards,
Paul
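
A check a practitioner could run on the two SPDs quoted above, as an added Python example (not code from KAME or from the original post): it parses the spdadd lines, verifies that each outbound policy on one host is mirrored by an inbound policy on the peer, and flags protocol selectors other than tcp, udp and any, which this report says were the only ones that negotiated cleanly. The protocol-name map is an assumption covering only the protocols this thread mentions.

```python
import re
from typing import NamedTuple

# Protocol names this thread mentions, mapped to numbers (setkey itself accepts any /etc/protocols name).
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1", "rsvp": "46"}
KNOWN_GOOD = {"any", "6", "17"}  # the selectors the report says negotiate cleanly

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+"
    r"(?P<dir>in|out)\s+ipsec\s+(?P<rule>\S+?)\s*;$"
)

class Policy(NamedTuple):
    src: str
    dst: str
    proto: str       # protocol number as a string, or "any"
    direction: str   # "in" or "out"
    rule: str        # e.g. "esp/transport//require"

def parse_spd(text):
    """Parse spdadd lines; blank lines and '#' comments are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed spdadd line: {line!r}")
        proto = PROTO_NUMBERS.get(m["proto"].lower(), m["proto"].lower())
        policies.append(Policy(m["src"], m["dst"], proto, m["dir"], m["rule"]))
    return policies

def check_peers(spd_a, spd_b):
    """Return a list of problems found between two hosts' SPDs."""
    problems = []
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    for mine, peers in ((a, b), (b, a)):
        for p in (q for q in mine if q.direction == "out"):
            # A packet A->B is "out" on A and "in" on B with the same src/dst.
            if p._replace(direction="in") not in peers:
                problems.append(f"no inbound mirror on peer for {p}")
            if p.proto not in KNOWN_GOOD:
                problems.append(f"protocol {p.proto} selector is not tcp/udp/any: {p}")
    return problems

# Constructed input: the "hand"/"foot" policies quoted in this thread.
HAND_SPD = """spdadd 10.0.0.2/32 10.0.1.2/32 46 -P out ipsec esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.2/32 46 -P in ipsec  esp/transport//require;"""
FOOT_SPD = """spdadd 10.0.1.2/32 10.0.0.2/32 46 -P out ipsec esp/transport//require;
spdadd 10.0.0.2/32 10.0.1.2/32 46 -P in ipsec  esp/transport//require;"""
```

Run against the two SPDs above it reports no mirroring problem, only the protocol 46 selector on each side; dropping one host's inbound entry produces a "no inbound mirror" finding.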
