
Re: IPSec between OpenBSD and FreeBSD



On Thu, Jan 09, 2003 at 08:20:20PM +0100, Hakan Olsson wrote:
> On Thu, 9 Jan 2003, Matthias Teege wrote:
> ...
> > 191947.597497 Default exchange_setup_p1: expected exchange type ID_PROT
> > got AGGRESSIVE
> 
> Racoon tries to negotiate an Aggressive Mode phase 1 negotiation, isakmpd
> expected a Main Mode (or Identity Protection, i.e. ID_PROT).
> 
> Either change racoon to do main mode, or change
> 
> [your-main-mode-definition]
> EXCHANGE_TYPE=       AGGRESSIVE
> ...
> 
> (instead of EXCHANGE_TYPE= ID_PROT).
> 
> My recommendation is to do main mode, but the change above is an easy way

Ok, I've changed my setting and now the tunnel works. But isakmpd and
racoon still talk to me and after a while the tunnel goes down and the
traffic is unencrypted. Then the tunnel resyncs and works again. I
didn't set the »require« parameter on the racoon side for testing.

Is it correct that if I use the require parameter the link goes
completely down if the tunnel gets out of sync?

Here is a snapshot from the logs:
racoon
2003-01-10 11:10:30: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 377ce1659d6feb98:842c27e7f0bbb1d3:0000bd66
2003-01-10 11:10:30: ERROR: isakmp.c:466:isakmp_main(): unknown Informational exchange received.
2003-01-10 11:10:39: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=3872608019(0xe6d34f13)
2003-01-10 11:10:39: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.9.11[0]<=>192.168.9.9[0]
2003-01-10 11:10:39: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=105615754(0x64b918a)
2003-01-10 11:10:39: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.9.9->192.168.9.11 spi=221412988(0xd327e7c)
2003-01-10 11:10:39: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=1972190009(0x758d3b39)
2003-01-10 11:10:41: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 377ce1659d6feb98:842c27e7f0bbb1d3:0000bd66
2003-01-10 11:10:41: ERROR: isakmp.c:466:isakmp_main(): unknown Informational exchange received.
2003-01-10 11:10:54: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 377ce1659d6feb98:842c27e7f0bbb1d3:0000bd66
2003-01-10 11:10:54: ERROR: isakmp.c:466:isakmp_main(): unknown Informational exchange received.

isakmpd
111109.542122 Default transport_send_messages: giving up on message 0x16c700
111109.550065 Default message_recv: invalid cookie(s) 377ce1659d6feb98 f14c7914fa39f6f0
111109.550169 Default dropped message from 192.168.9.11 port 500 due to notification type INVALID_COOKIE
111220.496952 Default message_recv: invalid cookie(s) 13cbfae5d89d4c6d a1d28ca436a8b04d
111220.497162 Default dropped message from 192.168.9.11 port 500 due to notification type INVALID_COOKIE

Thanks for the helping hand.

Matthias

-- 
Matthias Teege -- matthias_(_at_)_mteege_(_dot_)_de -- http://www.mteege.de
make world not war
PGP-Key auf Anfrage
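The two log excerpts above can be correlated mechanically: racoon reports the ISAKMP cookie pair it has no SA for, and isakmpd reports the cookie pair it refuses. When the initiator cookie matches but the responder cookies differ, the two daemons each hold a different phase 1 SA and neither can start quick mode, which is the window in which this setup passed traffic unencrypted. The following is an added example, not code from the thread, racoon or isakmpd; the sample lines are constructed from the excerpts above and the regexes assume those two message formats.

```python
import re
from collections import defaultdict

# Constructed sample log lines, shaped like the racoon and isakmpd excerpts
# in the mail above (cookie values are the ones quoted there).
RACOON_LOG = """\
2003-01-10 11:10:30: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 377ce1659d6feb98:842c27e7f0bbb1d3:0000bd66
2003-01-10 11:10:39: INFO: pfkey.c:1368:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.168.9.11->192.168.9.9 spi=3872608019(0xe6d34f13)
2003-01-10 11:10:41: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 377ce1659d6feb98:842c27e7f0bbb1d3:0000bd66
"""
ISAKMPD_LOG = """\
111109.550065 Default message_recv: invalid cookie(s) 377ce1659d6feb98 f14c7914fa39f6f0
111109.550169 Default dropped message from 192.168.9.11 port 500 due to notification type INVALID_COOKIE
111220.496952 Default message_recv: invalid cookie(s) 13cbfae5d89d4c6d a1d28ca436a8b04d
"""

# ISAKMP cookies are 8 bytes, printed as 16 hex digits by both daemons.
RACOON_NO_SA = re.compile(r"there is no ISAKMP-SA, ([0-9a-f]{16}):([0-9a-f]{16})")
ISAKMPD_BAD_COOKIE = re.compile(r"invalid cookie\(s\) ([0-9a-f]{16}) ([0-9a-f]{16})")


def cookie_pairs(log, pattern):
    """Return the set of (initiator, responder) cookie pairs a pattern finds in a log."""
    return {m.groups() for line in log.splitlines() if (m := pattern.search(line))}


def phase1_desync(racoon_log, isakmpd_log):
    """Map each initiator cookie on which the peers disagree to the responder
    cookies each side rejected.

    Racoon rejecting (i, r1) while isakmpd rejects (i, r2) with r1 != r2 is the
    signature of a stale phase 1 SA on one side: every message is dropped with
    INVALID_COOKIE, so phase 2 cannot be renegotiated until phase 1 is redone.
    Cookies isakmpd rejects but racoon never mentions are reported as-is too.
    """
    racoon, isakmpd = defaultdict(set), defaultdict(set)
    for i, r in cookie_pairs(racoon_log, RACOON_NO_SA):
        racoon[i].add(r)
    for i, r in cookie_pairs(isakmpd_log, ISAKMPD_BAD_COOKIE):
        isakmpd[i].add(r)
    return {
        i: {"racoon_rejected": sorted(racoon[i]),
            "isakmpd_rejected": sorted(isakmpd[i])}
        for i in racoon.keys() | isakmpd.keys()
        if racoon[i] != isakmpd[i]
    }
```

Run over the excerpts above this reports initiator cookie 377ce1659d6feb98 with responder 842c27e7f0bbb1d3 on the racoon side and f14c7914fa39f6f0 on the isakmpd side, i.e. the two peers disagree on which phase 1 SA is current.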


