[Openswan dev] interop failure openswan-2.0.0 klips with freebsd 4.8 racoon
Michael Richardson
mcr at sandelman.ottawa.on.ca
Mon Mar 8 12:45:31 CET 2004
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> Interop between freebsd-4.8 with racoon and openswan-2.0.0 cvs
Paul> with klips using PSK is failing. IP compression was not
Paul> compiled into klips.
Paul> The odd thing is, we both seem to have an IPsec SA that the
Paul> other side doesn't recognise. This might be due to the
Paul> negotiation. When openswan initiates, it triggers initiation
Paul> on the other end. It seems racoon doesn't have a udp 500
What revision of racoon?
Mar 1 13:09:36 bofh pluto[4775]: "fedoratest" #3: IPsec SA established {ESP=>0x09a85c7f <0xe96e67e0 AH=>0x08a80d14 <0xe96e67df}
Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: AH/Transport 193.110.157.17->62.16.0.39 spi=145231124(0x8a80d14)
Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Transport 193.110.157.17->62.16.0.39 spi=162028671(0x9a85c7f)
Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: AH/Transport 62.16.0.39->193.110.157.17 spi=3916326879(0xe96e67df)
Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Transport 62.16.0.39->193.110.157.17 spi=3916326880(0xe96e67e0)
What are these AH xforms there? What is all this stuff in transport?
I think you misconfigured the racoon side to use ESP+AH. Did you
intend to do this? If so, WHY?
In transport mode, the AH or the ESP could be applied first. (believe
it or not!) Maybe the order is wrong. The SPIs all look fine.
Paul> "hole" to prevent this. So freebsd/racoon is always the
Paul> initiator and we end up initiating two connections
Paul> concurrently.
racoon does put a hole in via IPsec policy for port-500.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
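As an added example (not from this thread or from either project): a small Python check that pairs the SPIs in the pluto line with the SAs in the racoon lines quoted above, i.e. the comparison done by eye when the SPIs are said to look fine. The log lines are copied from the thread; which address is the racoon host is inferred from the SPI directions rather than assumed, and a mismatch on either side is reported.

```python
import re

# Log lines constructed from the two hosts' reports quoted in this thread.
PLUTO_LINE = ('Mar 1 13:09:36 bofh pluto[4775]: "fedoratest" #3: IPsec SA established '
              '{ESP=>0x09a85c7f <0xe96e67e0 AH=>0x08a80d14 <0xe96e67df}')
RACOON_LINES = [
    'Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: AH/Transport 193.110.157.17->62.16.0.39 spi=145231124(0x8a80d14)',
    'Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Transport 193.110.157.17->62.16.0.39 spi=162028671(0x9a85c7f)',
    'Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: AH/Transport 62.16.0.39->193.110.157.17 spi=3916326879(0xe96e67df)',
    'Mar 1 14:10:35 ar racoon: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Transport 62.16.0.39->193.110.157.17 spi=3916326880(0xe96e67e0)',
]
# pluto prints "{ESP=>0xOUT <0xIN ...}": "=>" is the SPI it sends with, "<" the one it expects.
PLUTO_SA = re.compile(r'(ESP|AH)=>0x([0-9a-f]+) <0x([0-9a-f]+)')
# racoon prints "PROTO/Mode SRC->DST spi=DECIMAL(0xHEX)" for each kernel SA.
RACOON_SA = re.compile(r'(ESP|AH)/\w+ (\S+)->(\S+) spi=(\d+)\(0x([0-9a-f]+)\)')

def parse_pluto(line):
    """{proto: (outbound_spi, inbound_spi)} as integers."""
    return {p: (int(o, 16), int(i, 16)) for p, o, i in PLUTO_SA.findall(line)}

def parse_racoon(lines):
    """{(proto, src, dst): spi}; rejects a line whose decimal and hex disagree."""
    sas = {}
    for line in lines:
        m = RACOON_SA.search(line)
        if m:
            proto, src, dst, dec, hx = m.groups()
            if int(dec) != int(hx, 16):
                raise ValueError('decimal/hex SPI disagree: ' + line)
            sas[(proto, src, dst)] = int(hx, 16)
    return sas

def cross_check(pluto_line, racoon_lines):
    """Pair each SPI pluto reports with the racoon SA carrying it. Returns (racoon_host,
    problems): the address every pairing agrees is the racoon end (None if they disagree)
    and the SPIs known to only one side."""
    racoon = {(p, spi): (src, dst) for (p, src, dst), spi in parse_racoon(racoon_lines).items()}
    problems, hosts = [], set()
    for proto, (out_spi, in_spi) in parse_pluto(pluto_line).items():
        # pluto's outbound SA is racoon's inbound one, so racoon is its dst;
        # pluto's inbound SA is racoon's outbound one, so racoon is its src.
        for spi, idx in ((out_spi, 1), (in_spi, 0)):
            flow = racoon.pop((proto, spi), None)
            if flow is None:
                problems.append(f'{proto} spi=0x{spi:08x} known to pluto only')
            else:
                hosts.add(flow[idx])
    for (proto, spi), (src, dst) in racoon.items():
        problems.append(f'{proto} {src}->{dst} spi=0x{spi:08x} known to racoon only')
    if len(hosts) != 1:
        problems.append('sides do not agree on which host is racoon: %s' % sorted(hosts))
    return (hosts.pop() if len(hosts) == 1 else None), problems
```

Run `cross_check(PLUTO_LINE, RACOON_LINES)` to get `('62.16.0.39', [])`, confirming all four SPIs pair up in the right direction; an SPI that only one kernel holds shows up in the problem list.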