Re: IpSec (racoon) and WinXP

From
Andrew Lutov (2:5000/26)
To
Alexey Popov (2:5054/37.63)
Date
2005-12-23T13:39:46Z
Area
RU.UNIX.BSD
From: "Andrew Lutov" <andrew_l @ newmail.ru>

Hello, Alexey!

 ??>>>> to new keys, one of the old keys (on the FreeBSD side, from WinXP)
 ??>>>> "gets stuck" and the channel stops working until the next key
 ??>>>> exchange (in this case it is set to the minimum - 300 seconds).
 ??>>
 AP>>> echo net.key.preferred_oldsa=0 >> /etc/sysctl.conf
 ??>>
 ??>> Actually it is net.key.prefered_oldsa  :)
 AP> gateway# sysctl -a | grep prefer
 AP> net.key.preferred_oldsa: 0
 AP> gateway#

%sysctl -a | grep key
...
net.key.prefered_oldsa: 0


This is on 4.11R.


 ??>> Didn't help  :(
 AP> And what does racoon say?

Immediately before and at the moment of the switch to the new key (after which
everything ends):


2005-12-23 13:36:39: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDEXPIRE message
2005-12-23 13:36:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff928: 8.1.5.181/32[0] 8.1.5.201/32[0] proto=icmp dir=in
2005-12-23 13:36:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809ce08: 8.1.5.181/32[0] 8.1.5.201/32[0] proto=icmp dir=in
2005-12-23 13:36:39: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDEXPIRE message
2005-12-23 13:36:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff928: 8.1.5.201/32[0] 8.1.5.181/32[0] proto=icmp dir=out
2005-12-23 13:36:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a5208: 8.1.5.201/32[0] 8.1.5.181/32[0] proto=icmp dir=out
2005-12-23 13:36:40: DEBUG: isakmp.c:233:isakmp_handler(): ===
2005-12-23 13:36:40: DEBUG: isakmp.c:234:isakmp_handler(): 84 bytes message received from 8.1.5.181[500]
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
111fa4ca 23e681ec 4abb6a60 9e2c1ae9 08100501 fb2c86c4 00000054 baf14905
2488d376 3c037401 dac17132 708fba6f b495906b a4a8760f 82cc9372 8235c98b
a5997eae f4d0cf28 51305a24 f2d5b89d 9b7f282d
2005-12-23 13:36:40: DEBUG: isakmp_inf.c:115:isakmp_info_recv(): receive Information.
2005-12-23 13:36:40: DEBUG: oakley.c:2608:oakley_newiv2(): compute IV for phase2
2005-12-23 13:36:40: DEBUG: oakley.c:2609:oakley_newiv2(): phase1 last IV:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
19f3ae6f 644b8577 fb2c86c4
2005-12-23 13:36:40: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1)
2005-12-23 13:36:40: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2005-12-23 13:36:40: DEBUG: oakley.c:2641:oakley_newiv2(): phase2 IV computed:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
1950f6e9 e2845642
2005-12-23 13:36:40: DEBUG: oakley.c:2684:oakley_do_decrypt(): begin decryption.
2005-12-23 13:36:40: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2005-12-23 13:36:40: DEBUG: oakley.c:2698:oakley_do_decrypt(): IV was saved for next processing:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
2005-12-23 13:36:39: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDEXPIRE message
2005-12-23 13:36:40: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
2005-12-23 13:36:40: DEBUG: oakley.c:2723:oakley_do_decrypt(): with key:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
8db98dc3 866e4e0c e69934a6 56102a8a 0d639fc6 b37aa36b
2005-12-23 13:36:40: DEBUG: oakley.c:2731:oakley_do_decrypt(): decrypted payload by IV:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
f2d5b89d 9b7f282d
2005-12-23 13:36:40: DEBUG: oakley.c:2734:oakley_do_decrypt(): decrypted payload, but not trimed.
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
0c000018 43b4fda2 73d5ab0f 99faff56 5c55780f 86cc60ea 0000001c 00000001
01100001 111fa4ca 23e681ec 4abb6a60 9e2c1ae9 00000000
2005-12-23 13:36:40: DEBUG: oakley.c:2743:oakley_do_decrypt(): padding len=0
2005-12-23 13:36:40: DEBUG: oakley.c:2757:oakley_do_decrypt(): skip to trim padding.
2005-12-23 13:36:40: DEBUG: oakley.c:2772:oakley_do_decrypt(): decrypted.
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
111fa4ca 23e681ec 4abb6a60 9e2c1ae9 08100501 fb2c86c4 00000054 0c000018
43b4fda2 73d5ab0f 99faff56 5c55780f 86cc60ea 0000001c 00000001 01100001
111fa4ca 23e681ec 4abb6a60 9e2c1ae9 00000000
2005-12-23 13:36:40: DEBUG: oakley.c:806:oakley_compute_hash1(): HASH with:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
fb2c86c4 0000001c 00000001 01100001 111fa4ca 23e681ec 4abb6a60 9e2c1ae9
2005-12-23 13:36:40: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1)
2005-12-23 13:36:40: DEBUG: oakley.c:816:oakley_compute_hash1(): HASH computed:
2005-12-23 13:36:40: DEBUG: plog.c:193:plogdump():
43b4fda2 73d5ab0f 99faff56 5c55780f 86cc60ea
2005-12-23 13:36:40: DEBUG: isakmp_inf.c:207:isakmp_info_recv(): hash validated.
2005-12-23 13:36:40: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
2005-12-23 13:36:40: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=8(hash)
2005-12-23 13:36:40: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=12(delete)
2005-12-23 13:36:40: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed.
2005-12-23 13:36:40: INFO: isakmp_inf.c:890:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=111fa4ca23e681ec:4abb6a609e2c1ae9.
2005-12-23 13:36:40: DEBUG: isakmp_inf.c:1316:isakmp_info_recv_d(): purged SAs.
2005-12-23 13:36:41: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted 8.1.5.201[500]-8.1.5.181[500] spi:111fa4ca23e681ec:4abb6a609e2c1ae9

-- 
We'll hardly see each other again


--- ifmail v.2.14.os-p7
 * Origin: Garant-Siberia fidonet station (2:5000/26@fidonet)
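
Added example, not part of the original message: a small Python parser that re-joins hard-wrapped racoon debug records and reports every ISAKMP-SA that racoon purged after the peer sent a Delete payload, which is the sequence the log in this message ends with. The function names `unwrap` and `peer_deletes` are made up for this illustration; the sample records are taken from the log above.

```python
import re

# Sample input: records taken from the racoon log in the post, with the
# same kind of hard line wrapping the mail software introduced.
SAMPLE = """\
2005-12-23 13:36:40: DEBUG: isakmp.c:234:isakmp_handler(): 84 bytes message
received from 8.1.5.181[500]
2005-12-23 13:36:40: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen
nptype=8(hash)
2005-12-23 13:36:40: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen
nptype=12(delete)
2005-12-23 13:36:40: INFO: isakmp_inf.c:890:purge_isakmp_spi(): purged
ISAKMP-SA proto_id=ISAKMP spi
=111fa4ca23e681ec:4abb6a609e2c1ae9.
"""

TS = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: ")
RECV = re.compile(r"bytes message received from (\S+)\[\d+\]")
NPTYPE = re.compile(r"seen nptype=\d+\((\w+)\)")
PURGED = re.compile(r"purged ISAKMP-SA proto_id=\S+ spi=([0-9a-f]+:[0-9a-f]+)")

def unwrap(text):
    """Re-join wrapped records; a new record always starts with a timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            # The wrap can fall right before '=', so glue that case without a space.
            records[-1] += ("" if line.startswith("=") else " ") + line
    return records

def peer_deletes(text):
    """List ISAKMP-SAs purged after the peer sent a Delete payload."""
    events, sender, saw_delete = [], None, False
    for rec in unwrap(text):
        if m := RECV.search(rec):
            sender, saw_delete = m.group(1), False   # a new inbound message starts
        elif (m := NPTYPE.search(rec)) and m.group(1) == "delete":
            saw_delete = True                        # payload type 12 seen in it
        elif (m := PURGED.search(rec)) and saw_delete:
            events.append({"time": rec[:19], "peer": sender, "spi": m.group(1)})
            saw_delete = False
    return events
```
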