After 3 years of FreeS/WAN usage I'm still discovering fantastic (in the true sense of the term) behaviours ...

Look at the following, guys. These 2 logs come from 2 machines between which I'm desperately attempting to establish an X.509 tunnel. The receiving end is correctly configured, since other machines have already established a similar tunnel with it. Each of these machines is running FreeS/WAN 1.99.6.1 with kernel 2.4.20 (and kernel module 1.99_kb3). Fine. When I copy the ipsec.conf / ipsec.secrets from one of these machines onto an old machine (kernel 2.4.5, kernel module 1.91, but FreeS/WAN 1.99.6.1) that I want to bring into the group, here is the magnificent behaviour: this machine sends the correct IKE proposal, that is to say 3DES_CBC-MD5-MODP1536, as the others do. At this step the whole proposal packet sent by the old machine is the same as those sent by the newer machines. BUT, CONTRARY to the proposals received by the VPN head from the new machines, the proposal received from the old machine LACKS THE MODP1536 PART! So, could someone EXPLAIN TO ME HOW such a magical thing can occur: a PART OF THE PROPOSAL VANISHED DURING THE EXCHANGE? As you see below, the first proposal sent is 3DES_CBC-MD5-MODP1536. Check the whole proposal packet at the end. On the receiving end, you can see the packet received is identical to the one sent. OK? But DESPITE this OBVIOUS observation, MODP1536 is NOT decoded!!!! BTW, I daresay the tunnel between this old machine and the VPN head can reliably be established using a shared key. That is the way it has been working for 2 years. I just wanted to switch to X.509 on this particular link ... as I did everywhere else.
I think I'm going to pray for my soul in a monastery as soon as tomorrow,

db

SENT ====
Jul 11 00:43:04 svin-switch1 pluto[30656]: | transform number: 0
Jul 11 00:43:04 svin-switch1 pluto[30656]: | transform ID: KEY_IKE
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_LIFE_TYPE
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 1
Jul 11 00:43:04 svin-switch1 pluto[30656]: | [1 is OAKLEY_LIFE_SECONDS]
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_LIFE_DURATION
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 3600
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 5
Jul 11 00:43:04 svin-switch1 pluto[30656]: | [5 is OAKLEY_3DES_CBC]
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_HASH_ALGORITHM
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 1
Jul 11 00:43:04 svin-switch1 pluto[30656]: | [1 is OAKLEY_MD5]
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 3
Jul 11 00:43:04 svin-switch1 pluto[30656]: | [3 is OAKLEY_RSA_SIG]
Jul 11 00:43:04 svin-switch1 pluto[30656]: | ******emit ISAKMP Oakley attribute:
Jul 11 00:43:04 svin-switch1 pluto[30656]: | af+type: OAKLEY_GROUP_DESCRIPTION
Jul 11 00:43:04 svin-switch1 pluto[30656]: | length/value: 5
Jul 11 00:43:04 svin-switch1 pluto[30656]: | [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jul 11 00:43:04 svin-switch1 pluto[30656]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
...
Jul 11 00:43:04 svin-switch1 pluto[30656]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Jul 11 00:43:04 svin-switch1 pluto[30656]: | emitting length of ISAKMP Proposal Payload: 200
Jul 11 00:43:04 svin-switch1 pluto[30656]: | emitting length of ISAKMP Security Association Payload: 212
Jul 11 00:43:04 svin-switch1 pluto[30656]: | emitting length of ISAKMP Message: 240
Jul 11 00:43:04 svin-switch1 pluto[30656]: | sending 240 bytes for main_outI1 through wp1 to RX.RX.RX.RX:500:
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   9c 90 ab 56  f4 e1 cd b6  00 00 00 00  00 00 00 00
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   01 10 02 00  00 00 00 00  00 00 00 f0  00 00 00 d4
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   00 00 00 01  00 00 00 01  00 00 00 c8  00 01 00 06
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   03 00 00 20  00 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 05
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   03 00 00 20  01 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 05
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   03 00 00 20  02 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 02
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   03 00 00 20  03 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 02
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   03 00 00 20  04 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 01
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   00 00 00 20  05 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 svin-switch1 pluto[30656]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 01
Jul 11 00:43:04 svin-switch1 pluto[30656]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1

RECEIVED ========
Jul 11 00:43:04 sbru-gateway pluto[5503]: | *received 240 bytes from TX.TX.TX.TX:500 on eth1
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   9c 90 ab 56  f4 e1 cd b6  00 00 00 00  00 00 00 00
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   01 10 02 00  00 00 00 00  00 00 00 f0  00 00 00 d4
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   00 00 00 01  00 00 00 01  00 00 00 c8  00 01 00 06
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   03 00 00 20  00 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 05
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   03 00 00 20  01 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 05
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   03 00 00 20  02 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 02
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   03 00 00 20  03 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 02
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   03 00 00 20  04 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 01  80 03 00 03  80 04 00 01
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   00 00 00 20  05 01 00 00  80 0b 00 01  80 0c 0e 10
Jul 11 00:43:04 sbru-gateway pluto[5503]: |   80 01 00 05  80 02 00 02  80 03 00 03  80 04 00 01
Jul 11 00:43:04 sbru-gateway pluto[5503]: | number of transforms: 6
Jul 11 00:43:04 sbru-gateway pluto[5503]: | *****parse ISAKMP Transform Payload (ISAKMP):
Jul 11 00:43:04 sbru-gateway pluto[5503]: | next payload type: ISAKMP_NEXT_T
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length: 32
Jul 11 00:43:04 sbru-gateway pluto[5503]: | transform number: 0
Jul 11 00:43:04 sbru-gateway pluto[5503]: | transform ID: KEY_IKE
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ******parse ISAKMP Oakley attribute:
Jul 11 00:43:04 sbru-gateway pluto[5503]: | af+type: OAKLEY_LIFE_TYPE
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length/value: 1
Jul 11 00:43:04 sbru-gateway pluto[5503]: | [1 is OAKLEY_LIFE_SECONDS]
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ******parse ISAKMP Oakley attribute:
Jul 11 00:43:04 sbru-gateway pluto[5503]: | af+type: OAKLEY_LIFE_DURATION
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length/value: 3600
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ******parse ISAKMP Oakley attribute:
Jul 11 00:43:04 sbru-gateway pluto[5503]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length/value: 5
Jul 11 00:43:04 sbru-gateway pluto[5503]: | [5 is OAKLEY_3DES_CBC]
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ******parse ISAKMP Oakley attribute:
Jul 11 00:43:04 sbru-gateway pluto[5503]: | af+type: OAKLEY_HASH_ALGORITHM
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length/value: 1
Jul 11 00:43:04 sbru-gateway pluto[5503]: | [1 is OAKLEY_MD5]
Jul 11 00:43:04 sbru-gateway pluto[5503]: | ******parse ISAKMP Oakley attribute:
Jul 11 00:43:04 sbru-gateway pluto[5503]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Jul 11 00:43:04 sbru-gateway pluto[5503]: | length/value: 3
Jul 11 00:43:04 sbru-gateway pluto[5503]: | [3 is OAKLEY_RSA_SIG]
Jul 11 00:43:04 sbru-gateway pluto[5503]: | *****parse ISAKMP Transform Payload (ISAKMP):
Jul 11 00:43:04 sbru-gateway pluto[5503]: | next payload type: ISAKMP_NEXT_T
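As an added example (not part of the original post, and not FreeS/WAN's own code): a small decoder for the 240-byte main_outI1 message quoted above, walking the ISAKMP header, the SA payload, the proposal, its six transforms and their Oakley attributes the way an RFC 2408/2409 parser must. The hex dump is transcribed from the post; the attribute and value names are the RFC 2409 appendix A numbers for the ones the dump uses. Running it over the bytes lists what each transform carries, including the OAKLEY_GROUP_DESCRIPTION attribute (80 04 00 05, MODP1536) in transform 0. It decodes only what the bytes contain and makes no claim about why a particular decoder's log stops after the authentication-method attribute.

```python
import struct

# Oakley attribute classes and the values that appear in the dump (RFC 2409, appendix A).
OAKLEY_ATTR = {1: "OAKLEY_ENCRYPTION_ALGORITHM", 2: "OAKLEY_HASH_ALGORITHM",
               3: "OAKLEY_AUTHENTICATION_METHOD", 4: "OAKLEY_GROUP_DESCRIPTION",
               11: "OAKLEY_LIFE_TYPE", 12: "OAKLEY_LIFE_DURATION"}
OAKLEY_VALUE = {1: {5: "3DES_CBC"}, 2: {1: "MD5", 2: "SHA1"}, 3: {3: "RSA_SIG"},
                4: {1: "MODP768", 2: "MODP1024", 5: "MODP1536"}, 11: {1: "SECONDS"}}

# The 240-byte main_outI1 message, transcribed from the "sending 240 bytes" dump in the post.
MAIN_OUTI1_HEX = """
9c 90 ab 56 f4 e1 cd b6 00 00 00 00 00 00 00 00
01 10 02 00 00 00 00 00 00 00 00 f0 00 00 00 d4
00 00 00 01 00 00 00 01 00 00 00 c8 00 01 00 06
03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 05
03 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05
03 00 00 20 02 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02
03 00 00 20 03 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 02
03 00 00 20 04 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 01
00 00 00 20 05 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 01
"""
MAIN_OUTI1 = bytes.fromhex("".join(MAIN_OUTI1_HEX.split()))


def parse_attributes(data):
    """ISAKMP data attributes (RFC 2408 3.3): TV when the high bit of the type is set, else TLV."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, lv = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:          # TV: 2-byte value in place, e.g. 80 0c 0e 10 = lifetime 3600
            value = lv
        else:                         # TLV: lv is the length of the value that follows
            value = int.from_bytes(data[off:off + lv], "big")
            off += lv
        attrs.append((af_type & 0x7FFF, value))
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def parse_isakmp_sa(pkt):
    """Header -> SA payload -> proposals -> transforms; returns one dict per transform."""
    _ic, _rc, np, _ver, _xchg, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(pkt)))
    if np != 1:                       # ISAKMP_NEXT_SA
        raise ValueError("first payload is not SA")
    off = 28
    _np, _res, plen = struct.unpack_from("!BBH", pkt, off)        # generic payload header
    sa_end = off + plen
    doi, sit = struct.unpack_from("!II", pkt, off + 4)
    if (doi, sit) != (1, 1):          # IPsec DOI, SIT_IDENTITY_ONLY
        raise ValueError("unexpected DOI/situation %r" % ((doi, sit),))
    off += 12
    transforms = []
    while off < sa_end:               # one or more proposal payloads
        _pnp, _res, plen, pnum, proto, spisz, ntrans = struct.unpack_from("!BBHBBBB", pkt, off)
        p_end, toff, seen = off + plen, off + 8 + spisz, 0
        while toff < p_end:           # transform payloads chained by ISAKMP_NEXT_T (3)
            tnp, _res, tlen, tnum, tid, _res2 = struct.unpack_from("!BBHBBH", pkt, toff)
            transforms.append({"proposal": pnum, "protocol": proto, "number": tnum,
                               "id": tid, "attrs": parse_attributes(pkt[toff + 8:toff + tlen])})
            toff, seen = toff + tlen, seen + 1
            if tnp != 3 and toff < p_end:
                raise ValueError("transform chain broken at transform %d" % tnum)
        if seen != ntrans:
            raise ValueError("proposal advertises %d transforms, found %d" % (ntrans, seen))
        off = p_end
    return transforms


def describe(t):
    """Render a transform the way pluto summarises it, e.g. 3DES_CBC-MD5-MODP1536."""
    a, parts = dict(t["attrs"]), []
    for atype in (1, 2, 4):
        if atype not in a:
            parts.append("NO_" + OAKLEY_ATTR[atype])
        else:
            parts.append(OAKLEY_VALUE[atype].get(a[atype], str(a[atype])))
    return "-".join(parts)


def groups_offered(transforms):
    """OAKLEY_GROUP_DESCRIPTION value per transform, None where the attribute is absent."""
    return [dict(t["attrs"]).get(4) for t in transforms]


if __name__ == "__main__":
    for t in parse_isakmp_sa(MAIN_OUTI1):
        names = ["%s=%d" % (OAKLEY_ATTR.get(k, k), v) for k, v in t["attrs"]]
        print("transform %d (%s): %s" % (t["number"], describe(t), ", ".join(names)))
```

Feeding it the received dump instead of the sent one gives the same result, since the two byte strings in the post are identical; `describe()` prints `NO_OAKLEY_GROUP_DESCRIPTION` for any transform whose attribute list really does stop before the group attribute, which makes a truncated parse visible at a glance.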