NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



On Mar 5,  4:32pm, frank%phoenix.owl.de@localhost (Frank Wille) wrote:
-- Subject: Re: Simple IPSEC client with certificate - phase 1 time out

| Christos Zoulas wrote:
| 
| > If your server is behind NAT, I think that got broken at some point.
| 
| Oh no! :(

Yes, it is almost working... The tunnel is up, and 3 out of 4 SADs are
present; the 4th one comes up as larval and then times out...

| > I meant to debug this... I guess I should just do it...
| 
| That would be so great! I can provide you with any information you need
| and can do all sorts of tests. Also with big endian hardware.
| 
| BTW, there is a strange problem with adding SAs in the 7.0 kernel.
| Maybe it doesn't work on big endian?

I don't know. Make sure you have IPSEC_DEBUG in your kernel and you'll
get a lot of useful info.

| 1. NetBSD/macppc 7.0 (PowerBook G4):
| # setkey -c
| add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
| Invalid argument.
| # setkey -D
| No SAD entries.
| 
| 2. NetBSD/amd64 7.0 (Asus i3):
| # setkey -c
| add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
| # setkey -D
| 10.0.0.1 10.0.0.2 
|     esp mode=any spi=1234(0x000004d2) reqid=0(0x00000000)
|     E: aes-cbc  74657374 74657374 74657374 74657374
|     seq=0x00000000 replay=0 flags=0x00000040 state=mature 
|     created: Mar  5 15:53:31 2016   current: Mar  5 16:20:54 2016
|     diff: 1643(s)   hard: 0(s)  soft: 0(s)
|     last: Mar  5 11:41:33 2016  hard: 0(s)  soft: 0(s)
|     current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
|     allocated: 0    hard: 0 soft: 0
|     sadb_seq=0 pid=2037 refcnt=1
| 
| 
| So the "pfkey ADD failed" is not present on x86, but the "pfkey UPDATED
| failed" is still there. I was able to see the SA to be updated for a short
| time in "larval" state when phase 2 was established:

The "update failed" is fine ("No such file or directory" means it was not
present), and then it succeeds in adding it.

| # setkey -D
| 192.168.0.21[4500] 78.48.238.147[4500] 
|     esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x00000000)
|     E: aes-cbc  d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299
|     A: hmac-md5  3bd33ccd cd06e211 b5b7b926 399089e7
|     seq=0x00000002 replay=4 flags=0x00000000 state=mature 
|     created: Mar  5 14:57:06 2016   current: Mar  5 14:57:14 2016
|     diff: 8(s)  hard: 28800(s)  soft: 23040(s)
|     last: Mar  5 14:57:07 2016  hard: 0(s)  soft: 0(s)
|     current: 320(bytes) hard: 0(bytes)  soft: 0(bytes)
|     allocated: 2    hard: 0 soft: 0
|     sadb_seq=1 pid=660 refcnt=2
| 78.48.238.147 192.168.0.21 
|     esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x00000000)
|     seq=0x00000000 replay=0 flags=0x00000000 state=larval 
|     sadb_seq=0 pid=660 refcnt=1

I hope to fix the problem soon... It has been broken forever.

christos
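A small checker for the situation discussed in this thread, added here as an example and not part of the original mail or of NetBSD's own tooling: it parses the `setkey -D` SAD dump format shown above, flags every SA that is not in state "mature" (the larval entry that later times out), and reports a tunnel direction that has no mature counterpart. The sample dump is constructed from the excerpt quoted in the mail; the regular expressions, the function names and the "one mature SA per direction" expectation are this example's own assumptions, not something setkey(8) or racoon guarantees.

```python
"""Parse `setkey -D` output and flag SAs stuck in the larval state.

Added example, not from the original thread.  Feed real output with
`setkey -D | python3 sadcheck.py`; without stdin it runs on SAMPLE_SAD,
a constructed excerpt laid out like the dump quoted in the mail.
"""
import re
import sys

# Constructed sample in the layout of the NetBSD setkey(8) -D dump.
SAMPLE_SAD = """\
192.168.0.21[4500] 78.48.238.147[4500] 
    esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x00000000)
    E: aes-cbc  d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299
    A: hmac-md5  3bd33ccd cd06e211 b5b7b926 399089e7
    seq=0x00000002 replay=4 flags=0x00000000 state=mature 
    created: Mar  5 14:57:06 2016   current: Mar  5 14:57:14 2016
    diff: 8(s)  hard: 28800(s)  soft: 23040(s)
    sadb_seq=1 pid=660 refcnt=2
78.48.238.147 192.168.0.21 
    esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=larval 
    sadb_seq=0 pid=660 refcnt=1
"""

# Assumed line shapes (this example's regexes, derived from the dump above).
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" line, no indent
PROTO_RE = re.compile(
    r"^\s+(?P<proto>esp-udp|esp|ah|ipcomp)\s+mode=(?P<mode>\S+)"
    r"\s+spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")
STATE_RE = re.compile(
    r"^\s+seq=\S+\s+replay=(?P<replay>\d+)\s+flags=\S+\s+state=(?P<state>\w+)")
ALGO_RE = re.compile(r"^\s+(?P<kind>[EA]):\s+(?P<alg>\S+)")   # E: enc, A: auth


def strip_port(addr):
    """'192.168.0.21[4500]' -> '192.168.0.21' (NAT-T entries carry a port)."""
    return addr.split("[", 1)[0]


def parse_sad(text):
    """Return one dict per SA found in setkey -D output."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("No SAD entries"):
            continue
        m = HEADER_RE.match(line)
        if m and not line[0].isspace():          # new SA block starts
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "mode": None, "spi": 0, "enc": None, "auth": None,
                   "state": None, "replay": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur.update(proto=m.group("proto"), mode=m.group("mode"),
                       spi=int(m.group("spi")))
            continue
        m = STATE_RE.match(line)
        if m:
            cur.update(state=m.group("state"), replay=int(m.group("replay")))
            continue
        m = ALGO_RE.match(line)
        if m:
            cur["enc" if m.group("kind") == "E" else "auth"] = m.group("alg")
    return entries


def find_problems(entries):
    """List SAs that are not mature and directions lacking a mature SA."""
    problems = []
    for e in entries:
        if e["state"] != "mature":
            problems.append("%s -> %s spi=0x%08x is %s"
                            % (e["src"], e["dst"], e["spi"], e["state"]))
    # Assumption: a working tunnel has a mature SA in both directions.
    mature = {(strip_port(e["src"]), strip_port(e["dst"]))
              for e in entries if e["state"] == "mature"}
    for src, dst in sorted(mature):
        if (dst, src) not in mature:
            problems.append("no mature SA for reverse direction %s -> %s"
                            % (dst, src))
    return problems


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD
    for p in find_problems(parse_sad(text)):
        print(p)
```

Run against the quoted dump it reports the larval inbound SA and the missing mature 78.48.238.147 -> 192.168.0.21 entry; run periodically it distinguishes a larval SA that is merely in progress from one that, as in the mail, never matures before it times out.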

