Subject: IPsec/racoon problems with VAX?
To: None <port-vax@netbsd.org, current-users@netbsd.org>
From: Olaf Seibert <rhialto@polderland.nl>
List: current-users
Date: 04/21/2001 14:11:16
I am trying to get IPsec working between my VAX (10.0.0.7) and my Alpha
(10.0.0.5).  For this I am using NetBSD 1.5 (release version, with IPSEC
and IPSEC_ESP), and the latest racoon from pkgsrc, racoon-20010418a.  I
am trying to follow the procedure as outlined in the Daemonnews article
at http://www.daemonnews.org/200101/ipsec-howto.html . I increased the
timeouts significantly, because the VAX is fairly slow, especially when
printing all the debugging output.

I am asking here before I report to KAME's send-pr system.

There seems to be a problem that occurs on the VAX side and not on the
Alpha side, despite identical configuration on both sides. I copied the
configuration files from one machine to the other (and I am using
swapped IP addresses in them of course).

To start with, I don't know much about the details of what I am doing, I
am simply seeing asymmetry in INFO output of racoon, with an ERROR
message on the VAX side only:

ERROR: pfkey.c:217:pfkey_handler(): pfkey UPDATE failed: Invalid argument

I was naughty, and patched racoon to ignore the condition, which results
in the output shown at the end. (Once, I saw the same message on the
Alpha side, but I could not reproduce it)

The output of setkey -D looks nicely symmetrical on both machines after
this: entries for both directions are shown. Well, sometimes. In more
recent attempts, the VAX only shows one entry (10.0.0.7 10.0.0.5, the
info for outgoing data I presume). Tcpdump while doing a ping shows ESP
packets flowing from the VAX, and back, but ping itself reports 100%
packet loss.

Also, interrupting racoon seems to give a crash and core dump most of
the time, just on the VAX, not on the Alpha.

Foreground mode.
2001-04-21 13:35:09: INFO: main.c:153:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-04-21 13:35:09: INFO: main.c:154:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2001-04-21 13:35:09: WARNING: pfkey.c:2055:pk_checkalg(): compression algorithm can not be checked.
2001-04-21 13:35:09: INFO: isakmp.c:1278:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2001-04-21 13:35:09: INFO: isakmp.c:1278:isakmp_open(): ::1[500] used as isakmp port (fd=7)
2001-04-21 13:35:09: INFO: isakmp.c:1278:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=8)
2001-04-21 13:35:09: INFO: isakmp.c:1278:isakmp_open(): fe80::a00:2bff:fe1b:4b9e%le0[500] used as isakmp port (fd=9)
2001-04-21 13:35:09: INFO: isakmp.c:1278:isakmp_open(): 10.0.0.7[500] used as isakmp port (fd=10)
2001-04-21 13:35:12: INFO: isakmp.c:1610:isakmp_post_acquire(): IPsec-SA request for 10.0.0.5 queued due to no phase1 found.
2001-04-21 13:35:12: INFO: isakmp.c:782:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.0.0.7[500]<=>10.0.0.5[500]
2001-04-21 13:35:12: INFO: isakmp.c:787:isakmp_ph1begin_i(): begin Aggressive mode.
2001-04-21 13:35:33: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
2001-04-21 13:35:53: INFO: isakmp.c:2326:log_ph1established(): ISAKMP-SA established 10.0.0.7[500]-10.0.0.5[500] spi:26668c166fcaf76f:b8ada6d133ac1c7e
2001-04-21 13:36:35: ERROR: pfkey.c:217:pfkey_handler(): pfkey UPDATE failed: Invalid argument
2001-04-21 13:36:35: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport 10.0.0.5->10.0.0.7 spi=188906975(0xb427ddf)
2001-04-21 13:36:35: INFO: pfkey.c:1313:pk_recvadd(): IPsec-SA established: ESP/Transport 10.0.0.7->10.0.0.5 spi=31570581(0x1e1ba95)
^C2001-04-21 13:40:21: INFO: session.c:276:check_sigreq(): caught signal 2
Segmentation fault (core dumped)

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert - rhialto@polder --Soup of the day, what will that be
\X/ land.nl     --what can it be, better to fear the worst -Boy Bensdorp
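Added example, not part of the original post or of racoon: a small Python audit over racoon's log lines that flags PF_KEY errors and any ESP SA whose reverse direction never appeared, which is the asymmetry described above (setkey -D showing only the 10.0.0.7 -> 10.0.0.5 entry). It takes the four relevant lines quoted in the post as sample input, plus a constructed variant with the inbound SA missing, and assumes only the log line layout shown there.

```python
import re

# Shape of a racoon log line: "date time: LEVEL: file.c:NNN:func(): message".
LINE_RE = re.compile(r"^(\S+ \S+): (\w+): ([\w.]+):(\d+):(\w+)\(\): (.*)$")
SA_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)\((0x[0-9a-f]+)\)")
PH1_RE = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:")

# Sample input: the four lines from the post that matter to the check.
VAX_LOG = [
    "2001-04-21 13:35:53: INFO: isakmp.c:2326:log_ph1established(): ISAKMP-SA established 10.0.0.7[500]-10.0.0.5[500] spi:26668c166fcaf76f:b8ada6d133ac1c7e",
    "2001-04-21 13:36:35: ERROR: pfkey.c:217:pfkey_handler(): pfkey UPDATE failed: Invalid argument",
    "2001-04-21 13:36:35: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport 10.0.0.5->10.0.0.7 spi=188906975(0xb427ddf)",
    "2001-04-21 13:36:35: INFO: pfkey.c:1313:pk_recvadd(): IPsec-SA established: ESP/Transport 10.0.0.7->10.0.0.5 spi=31570581(0x1e1ba95)",
]
# Constructed variant of the "only one entry" case: the inbound SA never appears.
ONE_WAY_LOG = VAX_LOG[:2] + VAX_LOG[3:]

def parse_line(line):
    """Split one racoon log line into fields; return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, src_file, lineno, func, msg = m.groups()
    return {"ts": ts, "level": level, "file": src_file, "line": int(lineno),
            "func": func, "msg": msg}

def audit(lines):
    """Return phase-1 peers, per-direction ESP SAs, PF_KEY errors, SAs with
    no reverse direction, and SA lines whose decimal/hex SPI disagree."""
    r = {"phase1": None, "sas": [], "pfkey_errors": [], "one_way": [], "spi_mismatch": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR" and rec["file"] == "pfkey.c":
            r["pfkey_errors"].append(rec["msg"])
        if m := PH1_RE.search(rec["msg"]):
            r["phase1"] = (m.group(1), m.group(2))
        if m := SA_RE.search(rec["msg"]):
            proto, src, dst, spi_dec, spi_hex = m.groups()
            if int(spi_dec) != int(spi_hex, 16):
                r["spi_mismatch"].append(raw)
            r["sas"].append((proto, src, dst, int(spi_dec)))
    seen = {(s, d) for _, s, d, _ in r["sas"]}
    r["one_way"] = sorted((s, d) for s, d in seen if (d, s) not in seen)
    return r

if __name__ == "__main__":
    for name, log in (("post", VAX_LOG), ("one-way", ONE_WAY_LOG)):
        print(name, audit(log))
```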