Subject: IPSEC and racoon-20010831a
To: None <netbsd-users@netbsd.org>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 09/26/2001 13:36:32
I've been experimenting with IPSEC in transport (host-to-host) mode on a
couple of 1.5.1 systems.  Manual keying seems to work fine - no errors
in the syslogs and 'tcpdump' seems to indicate that packets between the
two hosts are being encrypted and authentication headers attached.  But
I haven't been successful implementing IKE with 'racoon' (20010831a).
I've followed the instructions at 
http://www.netbsd.org/Documentation/network/ipsec/#config_ike and the
example in the 'racoon.conf' man page pretty closely, but I get errors
like

	Sep 26 12:55:25 malign racoon: ERROR: pfkey.c:738:pfkey_timeover(): 128.95.48.163 give up to get IPsec-SA due to time up to wait.

	Sep 26 12:55:32 malign racoon: ERROR: isakmp.c:1086:isakmp_ph2begin_r(): failed to pre-process packet.

in the syslogs at both ends of the connection, and 'tcpdump' seems to
indicate that neither ESP nor AH is being used for the traffic between
the two hosts.  Also, 'setkey -D' produces quite different results.
The 'racoon.conf' man page states that "IKE negotiation can fail due to 
timing constraint changes" if the log level is too high, so I tried 
setting that level to 'notify'.  That didn't help.  As I'm under the 
(perhaps mistaken) impression that 'blowfish' is faster than some of 
the other algorithms, I tried specifying that as the encryption
algorithm in the "phase 1" and "phase 2" proposal sections of the 
configuration file.  That also didn't help.

Anybody have any suggestions?  There are some timer settings available
in the 'racoon' configuration, but I'm not sure which ones to tweak.
I'm also using two creaky old SPARC machines for these experiments.
Maybe they're just too slow for IKE?  There's lots of other 
information I could report to help sort this problem out - my actual
'racoon.conf' file, my 'ipsec.conf', 'setkey -D' output, 'tcpdump'
output, ...  If any of that might be useful, I'd be happy to send
it along.

Thanks in advance for any help.

David Simas
davids@idiom.com
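For reference, this is what a matched host-to-host (transport mode) setup looks like with this generation of racoon and setkey, added here as an example; it is not the poster's own configuration, which is not on the page. The addresses 192.0.2.10 and 192.0.2.20, the pre-shared-key path and the algorithm choices are assumptions, and both hosts must carry mirror-image copies, since a phase 1 or phase 2 proposal that the peer does not also offer is rejected.

```conf
# /etc/racoon/racoon.conf on host A (192.0.2.10); host B mirrors it
# with the addresses swapped.  Added example with assumed values,
# not the original poster's file.

# psk.txt holds one line per peer: "192.0.2.20 <secret>".
# racoon refuses the file unless it is mode 0600.
path pre_shared_key "/etc/racoon/psk.txt";

# Keep logging low; the man page warns that high log levels can
# upset IKE timing.
log notify;

# Phase 1 (ISAKMP SA) with the peer.
remote 192.0.2.20 {
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA).  The peer's sainfo must offer an identical set,
# otherwise the responder rejects the phase 2 exchange.
sainfo address 192.0.2.10 any address 192.0.2.20 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/ipsec.conf on host A, loaded with "setkey -f /etc/ipsec.conf".
# Policy entries only, no manual "add" lines: with no SA installed by
# hand, the kernel sends an ACQUIRE to racoon, which runs IKE.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;
```

After racoon has negotiated, 'setkey -D' should list one ESP SA in each direction between the two addresses, and 'setkey -DP' shows the policies above.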