racoon for host to host IPSEC
Hi folks,
I am using Debian unstable with kernel 2.6.4.1 SMP and racoon 2.4.3, and am trying to do host-to-host IPsec, but I always get the error:
isakmp_parsewoh(): invalid length of payload
though manually keyed IPsec works fine using the sample from http://www.ipsec-howto.org/t1.html.
Does anyone have any clue?
thanks.
min
/////log file
Apr 4 19:24:28 mailsrv racoon: DEBUG: oakley.c:2713:oakley_do_decrypt(): decrypted payload by IV:
Apr 4 19:24:28 mailsrv racoon: DEBUG: plog.c:196:plogdump(): 9f004601 b8d3e6b0
Apr 4 19:24:28 mailsrv racoon: DEBUG: oakley.c:2716:oakley_do_decrypt(): decrypted payload, but not trimed.
Apr 4 19:24:28 mailsrv racoon: DEBUG: plog.c:196:plogdump(): 95d71d17 e6a945af 4fb1e501 0c6dde24 03040067 a920cf08 fe047cce 8938adaf a864efb2 60ab96b8
Apr 4 19:24:28 mailsrv racoon: DEBUG: oakley.c:2725:oakley_do_decrypt(): padding len=185
Apr 4 19:24:28 mailsrv racoon: DEBUG: oakley.c:2739:oakley_do_decrypt(): skip to trim padding.
Apr 4 19:24:28 mailsrv racoon: DEBUG: oakley.c:2754:oakley_do_decrypt(): decrypted.
Apr 4 19:24:28 mailsrv racoon: DEBUG: plog.c:196:plogdump(): 1df68693 b5ab4638 ec24219f 2ee98677 05100201 00000000 00000044 95d71d17 e6a945af 4fb1e501 0c6dde24 03040067 a920cf08 fe047cce 8938adaf a864efb2 60ab96b8
Apr 4 19:24:28 mailsrv racoon: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
Apr 4 19:24:28 mailsrv racoon: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=5(id)
Apr 4 19:24:28 mailsrv racoon: DEBUG: isakmp.c:1142:isakmp_parsewoh(): invalid length of payload
Apr 4 19:24:38 mailsrv racoon: ERROR: isakmp.c:1454:isakmp_ph1resend(): phase1 negotiation failed due to time up. 1df68693b5ab4638:ec24219f2ee98677
/// config file
@mailsrv:/etc/racoon$ more racoon.conf
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# the example that comes with the source.
#
# Please read racoon.conf(5) for details, and also
# read setkey(8).
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
# Log level. debug4 dumps raw and decrypted ISAKMP payloads into syslog
# (see the plogdump lines in the log above), so lower this once the
# negotiation problem is solved.
log debug4;
# Pre-shared keys, one "<peer identifier> <secret>" per line (file shown
# further down). NOTE(review): keep it root-only (mode 0600) - racoon
# presumably refuses a key file readable by group/other; verify.
path pre_shared_key "/etc/racoon/psk.txt";
# Certificate directory; unused by this configuration, because the only
# proposal below authenticates with pre_shared_key.
path certificate "/etc/racoon/certs";
#remote 172.31.1.1 {
# exchange_mode main,aggressive;
# proposal {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy off;
#}
#
#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
# pfs_group modp768;
# encryption_algorithm 3des;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}
# ISAKMP padding handling.
padding
{
maximum_length 120; # maximum padding length.
randomize off; # do not randomize the length of the padding we send.
strict_check off; # strict checking of the padding length is disabled.
# exclusive_tail off; # extract last one octet.
# NOTE(review): the log above reports "padding len=185", well beyond
# 120; racoon then skipped trimming and the next payload parsed with an
# impossible length. A pad byte that large usually means the decrypted
# bytes are not what the peer sent (e.g. both sides derived different
# keys from mismatched pre-shared keys), not a padding-setting problem;
# confirm that before tuning these values.
}
# Phase 1 (IKE) settings for any peer address.
remote anonymous {
# Exchange modes offered. Per racoon.conf(5) the first one is used when
# this host initiates; the others are additionally accepted when
# responding. NOTE(review): aggressive mode with pre_shared_key sends the
# PSK-based authentication hash unencrypted, so a captured exchange can be
# used for offline guessing of the secret. Prefer "main" alone unless the
# peer cannot do it.
exchange_mode main,aggressive,base;
# Phase 1 SA lifetime.
lifetime time 24 hour;
# Identity sent to the peer in the ID payload; it is the local address
# used by the setkey policies below.
my_identifier address 192.168.1.30;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
# Diffie-Hellman group 2 = modp1024 (the name form used in the
# commented-out example above).
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters, applied to any selector because the
# sainfo is anonymous.
sainfo anonymous {
# Perfect forward secrecy with DH group 2 (modp1024).
pfs_group 2;
# Phase 2 SA lifetime.
lifetime time 12 hour;
encryption_algorithm 3des;
# Offered in this order; hmac_md5 is only a fallback - drop it once the
# peer is confirmed to negotiate hmac_sha1.
authentication_algorithm hmac_sha1, hmac_md5;
# IPComp. NOTE(review): presumably needs ipcomp support in both hosts'
# kernels - verify.
compression_algorithm deflate;
}
mailsrv:~# more ipsec2.conf
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD (this also drops any SAs currently in use on the host).
flush;
spdflush;
# Create policies for racoon.
# Host-to-host transport mode between 192.168.1.105 (peer) and
# 192.168.1.30 (this host). "require" means packets in either direction
# that are not ESP-protected are dropped, so traffic to the peer stays
# blocked until the phase 1 failure logged above is fixed. No manual SAs
# are added here; the keys come from racoon.
spdadd 192.168.1.105 192.168.1.30 any -P in ipsec
esp/transport//require;
# ah/transport//require;
spdadd 192.168.1.30 192.168.1.105 any -P out ipsec
esp/transport//require;
# ah/transport//require;
mailsrv:/etc/racoon# more psk.txt
# IPv4/v6 addresses
# Key for peer 192.168.1.105; the peer's psk.txt must hold exactly the
# same secret for 192.168.1.30. NOTE(review): a mismatch here makes each
# side derive different IKE keys, so the peer's encrypted main-mode
# message decrypts to garbage - which is what the "invalid length of
# payload" in the log above looks like. Verify on the peer first.
# The secret appears to be the one from the shipped example file (the
# commented-out sample lines below use it too); use a unique one in
# production.
192.168.1.105 mekmitasdigoat
# 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#sakane@kame.net mekmitasdigoat
# FQDN
#kame hoge