Re: Problems with IPSec
On Tue, Oct 01, 2002 at 02:41:24PM +, Scott Penno wrote: I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) Tried rebuilding racoon? i had just upgraded a machine that was following -STABLE and blowfish suddenly wasn't supported, and if i used aes or 3des it complained like you've got. I did a portupgrade -f racoon suddenly all worked fine again.. YMMV (: [not subscribed to -questions either] -- Ben. ben @ mumble . org . uk To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with IPSec
Thanks for the information Ben. I have upgraded racoon and everything is working fine. Regards, Scott. - Original Message - From: Ben [EMAIL PROTECTED] To: Scott Penno [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, January 30, 2003 9:25 AM Subject: Re: Problems with IPSec On Tue, Oct 01, 2002 at 02:41:24PM +, Scott Penno wrote: I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) Tried rebuilding racoon? i had just upgraded a machine that was following -STABLE and blowfish suddenly wasn't supported, and if i used aes or 3des it complained like you've got. I did a portupgrade -f racoon suddenly all worked fine again.. YMMV (: [not subscribed to -questions either] -- Ben. ben @ mumble . org . uk To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Problems with IPSec
Hi all, Wasn't sure where I should ask for help with this problem, so I'm starting here. If there's a more appropriate place, please let me know. I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) The relevant section of racoon.conf which is identical on both boxes is: sainfo anonymous { pfs_group 1; lifetime time 86400 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; } The box running -STABLE has been working fine with this configuration so I'm assuming the problem is with the box running 5.0-RC1. Interestingly, I've also tried using des as the encryption algorithm and hmac_md5 as the authentication algorithm and I receive the following error message: racoon: failed to parse configuration file. If anyone has any suggestions for a fix, or how I go about further diagnosing this problem, I'd love to hear from you. Regards, Scott. PS: Please CC replies as I'm not subscribed to the list. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with IPSec
I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) The relevant section of racoon.conf which is identical on both boxes is: sainfo anonymous { pfs_group 1; lifetime time 86400 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; } The box running -STABLE has been working fine with this configuration so I'm assuming the problem is with the box running 5.0-RC1. Interestingly, I've also tried using des as the encryption algorithm and hmac_md5 as the authentication algorithm and I receive the following error message: racoon: failed to parse configuration file. If anyone has any suggestions for a fix, or how I go about further diagnosing this problem, I'd love to hear from you. Regards, Scott. It looks like the AH key length needs to be forced to 128 bits??? From: http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/racoon.conf.html For algorithms that can take variable-length keys, algorithm names can be followed by a key length, like blowfish 448. Have you tried something along the lines of '3des 128' ? Just a guess. -Daxbert To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with IPSec
On Fri, 3 Jan 2003, Scott Penno wrote: Hi all, Wasn't sure where I should ask for help with this problem, so I'm starting here. If there's a more appropriate place, please let me know. I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) The relevant section of racoon.conf which is identical on both boxes is: sainfo anonymous { pfs_group 1; lifetime time 86400 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; } The box running -STABLE has been working fine with this configuration so I'm assuming the problem is with the box running 5.0-RC1. Interestingly, I've also tried using des as the encryption algorithm and hmac_md5 as the authentication algorithm and I receive the following error message: racoon: failed to parse configuration file. If anyone has any suggestions for a fix, or how I go about further diagnosing this problem, I'd love to hear from you. What's the result of setkey -PD on both boxes? Sanitize the addresses of the public IPs, but leave the private IPs as is. Dru To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with IPSec
Thanks for the suggestion. I'm fairly sure that in the cases of DES, 3DES, MD5 and SHA1, the keylength is fixed. In any case, when I tried this, racoon failed while parsing the configuration complaining that a key length was not allowed. Scott. - Original Message - From: Daxbert [EMAIL PROTECTED] To: Scott Penno [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, January 23, 2003 11:12 AM Subject: Re: Problems with IPSec I have a FreeBSD box running -STABLE which has had IPSec working with other hosts for quite some time without a problem. I've just setup another FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am not getting too far. I'm using racoon and when attempting the negotiation with debugging enabled, the following message appears: 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed: Invalid argument and the following message is logged via syslog: Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128 allowed) The relevant section of racoon.conf which is identical on both boxes is: sainfo anonymous { pfs_group 1; lifetime time 86400 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; } The box running -STABLE has been working fine with this configuration so I'm assuming the problem is with the box running 5.0-RC1. Interestingly, I've also tried using des as the encryption algorithm and hmac_md5 as the authentication algorithm and I receive the following error message: racoon: failed to parse configuration file. If anyone has any suggestions for a fix, or how I go about further diagnosing this problem, I'd love to hear from you. Regards, Scott. It looks like the AH key length needs to be forced to 128 bits??? From: http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/rac oon.conf.html For algorithms that can take variable-length keys, algorithm names can be followed by a key length, like blowfish 448. Have you tried something along the lines of '3des 128' ? Just a guess. -Daxbert To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message