Re: Problems with IPSec

2003-01-29 Thread Ben
On Tue, Oct 01, 2002 at 02:41:24PM +, Scott Penno wrote:

 I have a FreeBSD box running -STABLE which has had IPSec working with other
 hosts for quite some time without a problem.  I've just set up another
 FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
 not getting too far.  I'm using racoon and when attempting the negotiation
 with debugging enabled, the following message appears:
 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
 Invalid argument
 and the following message is logged via syslog:
 Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
 allowed)

Tried rebuilding racoon? I had just upgraded a machine that was following
-STABLE and blowfish suddenly wasn't supported, and if I used aes or 3des
it complained like you've got. I did a portupgrade -f racoon and suddenly all
worked fine again. YMMV (:

[not subscribed to -questions either]

-- 
Ben. ben @ mumble . org . uk

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: Problems with IPSec

2003-01-29 Thread Scott Penno
Thanks for the information Ben.  I have upgraded racoon and everything is
working fine.

Regards,

Scott.






Problems with IPSec

2003-01-22 Thread Scott Penno
Hi all,

Wasn't sure where I should ask for help with this problem, so I'm starting
here.  If there's a more appropriate place, please let me know.

I have a FreeBSD box running -STABLE which has had IPSec working with other
hosts for quite some time without a problem.  I've just set up another
FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
not getting too far.  I'm using racoon and when attempting the negotiation
with debugging enabled, the following message appears:
2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
Invalid argument
and the following message is logged via syslog:
Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
allowed)

The relevant section of racoon.conf which is identical on both boxes is:
sainfo anonymous
{
pfs_group 1;
lifetime time 86400 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}

The box running -STABLE has been working fine with this configuration so I'm
assuming the problem is with the box running 5.0-RC1.  Interestingly, I've
also tried using des as the encryption algorithm and hmac_md5 as the
authentication algorithm and I receive the following error message:
racoon: failed to parse configuration file.

If anyone has any suggestions for a fix, or how I go about further
diagnosing this problem, I'd love to hear from you.

Regards,

Scott.

PS: Please CC replies as I'm not subscribed to the list.








Re: Problems with IPSec

2003-01-22 Thread Daxbert
 I have a FreeBSD box running -STABLE which has had IPSec working with other
 hosts for quite some time without a problem.  I've just set up another
 FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
 not getting too far.  I'm using racoon and when attempting the negotiation
 with debugging enabled, the following message appears:
 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
 Invalid argument
 and the following message is logged via syslog:
 Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
 allowed)
 
 The relevant section of racoon.conf which is identical on both boxes is:
 sainfo anonymous
 {
 pfs_group 1;
 lifetime time 86400 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
 }
 
 The box running -STABLE has been working fine with this configuration so I'm
 assuming the problem is with the box running 5.0-RC1.  Interestingly, I've
 also tried using des as the encryption algorithm and hmac_md5 as the
 authentication algorithm and I receive the following error message:
 racoon: failed to parse configuration file.
 
 If anyone has any suggestions for a fix, or how I go about further
 diagnosing this problem, I'd love to hear from you.
 
 Regards,
 
 Scott.
 

It looks like the AH key length needs to be forced to 128 bits???

From: 
http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/racoon.conf.html

For algorithms that can take variable-length keys, algorithm names can be followed by 
a key length, like blowfish 448. 

Have you tried something along the lines of '3des 128' ?

Just a guess.

-Daxbert





Re: Problems with IPSec

2003-01-22 Thread Dru


On Fri, 3 Jan 2003, Scott Penno wrote:

 Hi all,

 Wasn't sure where I should ask for help with this problem, so I'm starting
 here.  If there's a more appropriate place, please let me know.

 I have a FreeBSD box running -STABLE which has had IPSec working with other
 hosts for quite some time without a problem.  I've just set up another
 FreeBSD box running 5.0-RC1 and am trying to establish a VPN tunnel but am
 not getting too far.  I'm using racoon and when attempting the negotiation
 with debugging enabled, the following message appears:
 2003-01-20 12:00:23: ERROR: pfkey.c:207:pfkey_handler(): pfkey ADD failed:
 Invalid argument
 and the following message is logged via syslog:
 Jan 20 12:00:23 atlas kernel: key_mature: invalid AH key length 160 (128-128
 allowed)

 The relevant section of racoon.conf which is identical on both boxes is:
 sainfo anonymous
 {
 pfs_group 1;
 lifetime time 86400 sec;
 encryption_algorithm 3des ;
 authentication_algorithm hmac_sha1 ;
 compression_algorithm deflate ;
 }

 The box running -STABLE has been working fine with this configuration so I'm
 assuming the problem is with the box running 5.0-RC1.  Interestingly, I've
 also tried using des as the encryption algorithm and hmac_md5 as the
 authentication algorithm and I receive the following error message:
 racoon: failed to parse configuration file.

 If anyone has any suggestions for a fix, or how I go about further
 diagnosing this problem, I'd love to hear from you.


What's the result of setkey -PD on both boxes?

Sanitize the addresses of the public IPs, but leave the private IPs as is.

Dru




Re: Problems with IPSec

2003-01-22 Thread Scott Penno
Thanks for the suggestion.  I'm fairly sure that in the cases of DES, 3DES,
MD5 and SHA1, the key length is fixed.  In any case, when I tried this,
racoon failed while parsing the configuration complaining that a key length
was not allowed.

Scott.



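Scott's remark that DES, 3DES, MD5 and SHA1 use fixed key sizes can be checked against the kernel's complaint directly; the Python below is an added example, not code from the thread or from racoon, with the sainfo block and the key_mature line constructed from the messages above. It looks up the key size the IPsec RFCs fix for each algorithm and reports whether the rejected key was the wrong size for the configured algorithm or, as here, exactly the 160 bits hmac_sha1 requires while the kernel's 128-128 range belongs to some other algorithm, which fits Ben's report that rebuilding racoon cleared it.

```python
import re

# Key sizes in bits that the IPsec RFCs fix for these algorithms
# (RFC 2403 HMAC-MD5-96, RFC 2404 HMAC-SHA-1-96, RFC 2405 DES-CBC, RFC 2451 3DES-CBC).
FIXED_KEY_BITS = {"hmac_md5": 128, "hmac_sha1": 160, "des": 64, "3des": 192}

# Constructed samples taken from the thread: the sainfo block and the kernel complaint.
SAINFO = """sainfo anonymous
{
    pfs_group 1;
    lifetime time 86400 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
}
"""
KERNEL_LINE = ("Jan 20 12:00:23 atlas kernel: key_mature: "
               "invalid AH key length 160 (128-128 allowed)")

def parse_sainfo(text):
    """Return {directive: algorithm} for the *_algorithm lines of one sainfo block."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(\w+_algorithm)\s+(\S+)\s*;", text, re.M)}

def parse_key_mature(line):
    """Return (protocol, key_bits, min_bits, max_bits) from a key_mature error, or None."""
    m = re.search(r"key_mature: invalid (\w+) key length (\d+) \((\d+)-(\d+) allowed\)", line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))

def diagnose(sainfo_text, kernel_line):
    """Decide whether the key is the wrong size for the configured algorithm, or the
    kernel's allowed range is wrong for it (racoon and kernel disagree on the algorithm)."""
    err = parse_key_mature(kernel_line)
    if err is None:
        return {"verdict": "no-key-mature-error"}
    proto, got, lo, hi = err
    algs = parse_sainfo(sainfo_text)
    # An AH SA carries the authentication algorithm; an ESP SA carries the encryption one.
    directive = "authentication_algorithm" if proto == "AH" else "encryption_algorithm"
    alg = algs.get(directive)
    want = FIXED_KEY_BITS.get(alg)
    if lo <= got <= hi:
        verdict = "ok"
    elif want == got:
        verdict = "algorithm-mismatch"   # key fits alg; kernel checked it against another range
    else:
        verdict = "key-size-mismatch"    # key is not the size alg requires
    return {"proto": proto, "algorithm": alg, "key_bits": got,
            "expected_bits": want, "allowed": (lo, hi), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAINFO, KERNEL_LINE))
```

A verdict of algorithm-mismatch points at the racoon binary and the running kernel disagreeing about algorithm identifiers, not at the configuration itself.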