[Openswan Users] [IPv6]Interoperability issue between openswan and Racoon2
Yatong Cui
yacui at redhat.com
Fri Oct 15 05:19:13 EDT 2010
Hi all,
I am running the TAHI IKEv2 interoperability test on RHEL6 and have encountered a problem. I hope more experienced users can help me solve it.
1 General Description of the Problem:
==============================
I can set up secure communication between two RHEL6 hosts running Openswan, and between two FreeBSD 8.1 hosts running Racoon2, yet when I try to make RHEL6 interoperate with FreeBSD 8.1, the phase 1 SAs do not exactly match.
2 Description of the Test Environment:
=====================================
Openswan on RHEL6--------------------Router-------------------Racoon2 on freebsd 8.1
(Initiator) (Responder)
Openswan: openswan-2.6.24-9.el6.x86_64
Racoon2: “PORTVERSION= 20090327c”
3 Configurations on RHEL6:
======================================
[root at TAR-EN1 ~]# cat /etc/ipsec.conf
config setup
crlcheckinterval="180"
strictcrlpolicy=no
protostack=netkey
plutodebug=all
nat_traversal=yes
conn %default
ikelifetime="60m"
keylife="20m"
rekeymargin="3m"
keyingtries=1
ike=3des-sha1;modp1024
phase2alg=3des-sha1
authby=secret
ikev2=yes
rekey=yes
conn TAHI
connaddrfamily=ipv6
left=2001:db8:1:1:20c:29ff:fe0c:3ed1
right=2001:db8:1:2:20c:29ff:fe4d:489
leftid=2001:db8:1:1:20c:29ff:fe0c:3ed1
rightid=2001:db8:1:2:20c:29ff:fe4d:489
type=transport
compress=no
auto=add
[root at TAR-EN1 ~]# cat /etc/ipsec.secrets
: PSK "IKETEST123!"
4 Configuration on FREEBSD8.1
============================
TAR-EN2# cd /usr/local/etc/racoon2/
TAR-EN2# cat racoon2.conf
include "/usr/local/etc/racoon2/vals.conf";
interface
{
ike {
2001:db8:1:2:20c:29ff:fe4d:489 port 500;
};
spmd {
unix "/var/run/racoon2/spmif";
};
spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};
resolver
{
resolver off;
};
include "/usr/local/etc/racoon2/default.conf";
include "/usr/local/etc/racoon2/transport_ike.conf";
TAR-EN2# cat vals.conf
setval {
### Directory Settings ###
# Preshared key file directory : specify if you want to use preshared keys
PSKDIR "/usr/local/etc/racoon2/psk";
### Preshared Key Setting ###
# Preshared Key file name
# You can generate it by pskgen.
PRESHRD_KEY "tahi.psk";
### Transport Mode Settings ###
# Your IP Address
MY_IPADDRESS 2001:db8:1:2:20c:29ff:fe4d:489;
# Peer's IP Address
PEERS_IPADDRESS 2001:db8:1:1:20c:29ff:fe0c:3ed1;
### Scripts
## IKEv2
IKESAUP_SCR "/usr/local/etc/racoon2/hook/ikesa-up";
IKESADOWN_SCR "/usr/local/etc/racoon2/hook/ikesa-down";
CHILDUP_SCR "/usr/local/etc/racoon2/hook/child-up";
CHILDOWN_SCR "/usr/local/etc/racoon2/hook/child-down";
IKESAREKEY_SCR "/usr/local/etc/racoon2/hook/ikesa-rekey";
CHILDREKEY_SCR "/usr/local/etc/racoon2/hook/child-rekey";
MIGRATION_SCR "/usr/local/etc/racoon2/hook/migration";
## IKEv1
PH1UP_SCR "/usr/local/etc/racoon2/hook/ph1-up";
PH1DOWN_SCR "/usr/local/etc/racoon2/hook/ph1-down";
};
TAR-EN2# cat default.conf
default
{
remote {
acceptable_kmp { ikev2; };
ikev2 {
logmode normal;
kmp_sa_lifetime_time infinite;
kmp_sa_lifetime_byte infinite;
max_retry_to_send 3;
interval_to_send 10 sec;
times_per_send 1;
kmp_enc_alg { 3des_cbc; };
kmp_hash_alg { hmac_sha1; };
kmp_prf_alg { hmac_sha1;};
kmp_dh_group { modp1024; };
kmp_auth_method { psk; };
random_pad_content on;
random_padlen on;
max_padlen 50 bytes;
};
};
policy {
ipsec_mode transport;
ipsec_level require;
};
ipsec {
ipsec_sa_lifetime_time infinite;
ipsec_sa_lifetime_byte infinite;
};
sa {
esp_enc_alg { 3des_cbc; };
esp_auth_alg { hmac_sha1; };
};
};
ipsec ipsec_esp {
ipsec_sa_lifetime_time 28800 sec;
sa_index esp_01;
};
sa esp_01 {
sa_protocol esp;
esp_enc_alg { 3des_cbc; };
esp_auth_alg { hmac_sha1; };
};
TAR-EN2# cat transport_ike.conf
remote ike_trans_remote {
acceptable_kmp { ikev2; };
ikev2 {
my_id ipaddr 2001:db8:1:2:20c:29ff:fe4d:489;
peers_id ipaddr 2001:db8:1:1:20c:29ff:fe0c:3ed1;
peers_ipaddr 2001:db8:1:1:20c:29ff:fe0c:3ed1 port 500;
kmp_auth_method { psk; };
pre_shared_key "/usr/local/etc/racoon2/psk/tahi.psk";
};
selector_index ike_trans_sel_in;
};
selector ike_trans_sel_out {
direction outbound;
src 2001:db8:1:2:20c:29ff:fe4d:489;
dst 2001:db8:1:1:20c:29ff:fe0c:3ed1;
upper_layer_protocol "any";
policy_index ike_trans_policy;
};
selector ike_trans_sel_in {
direction inbound;
dst 2001:db8:1:2:20c:29ff:fe4d:489;
src 2001:db8:1:1:20c:29ff:fe0c:3ed1;
upper_layer_protocol "any";
policy_index ike_trans_policy;
};
policy ike_trans_policy {
action auto_ipsec;
remote_index ike_trans_remote;
ipsec_mode transport;
ipsec_index { ipsec_esp; };
ipsec_level require;
};
5. Logging and Detailed Message on FREEBSD
===================================
First I start the daemons (in the foreground, with debugging enabled) with
#spmd -ddd -F
#iked -ddd -F
Then, after RHEL initiates the connection, the following message can be seen
(the other normal DEBUG messages are omitted for simplicity):
[PROTO_WARN]:ikev2.c:1003:ikev2_check_new_request(): 0:2001:db8:1:2:20c:29ff:fe4d:489[500] - 2001:db8:1:1:20c:29ff:fe0c:3ed1[500]:0x284022f0:message to a nonexistent ike_sa
6. Logging and Detailed Messages on RHEL6.0
======================================
[root at TAR-EN1 ~]# ipsec auto --up TAHI
no default routes detected
133 "TAHI" #1: STATE_PARENT_I1: initiate
133 "TAHI" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "TAHI" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp1024}
218 "TAHI" #2: STATE_PARENT_I2: INVALID_ID_INFORMATION
010 "TAHI" #2: STATE_PARENT_I2: retransmission; will wait 20s for response
010 "TAHI" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
So from the above log information, I think the problem is that the IKE SAs on the two sides do not exactly match, yet from the configuration perspective I have set the same encryption and authentication algorithms on both sides. (Note that the RHEL log shows the proposal already agreed at STATE_PARENT_I2 — 3des_cbc, sha1, modp1024 — and the failure is an INVALID_ID_INFORMATION notification, which is reported during the authentication exchange rather than during algorithm negotiation.) What do you think I need to change so that their secure communication can be set up?
Many thanks for your help in advance.