Created attachment 322883
My configuration files. Prefixed with gw: gateway configuration; prefixed with client: client configuration.

Description:
ipsec-tools 0.7.1 no longer establishes SAs. I have a gateway with an interface connected to a wireless router. My wireless laptop (with Kubuntu 8.10 and ipsec-tools 0.7) is connected to the gateway through an IPsec tunnel. After upgrading to ipsec-tools 0.7.1 no connection is made. I downgraded to ipsec-tools 0.7 and it works fine.

Version-Release number of selected component (if applicable):
0.7.1

How reproducible:
always

Steps to Reproduce:
1. upgrade to ipsec-tools 0.7.1
2. start setkey
3. start racoon

Actual results:
no tunnel established

Expected results:
tunnel established

Additional info:
Output (/var/log/messages) on the gateway:

Nov 7 16:20:00 tango racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov 7 16:20:00 tango racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Nov 7 16:20:00 tango racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 7 16:20:00 tango racoon: INFO: Resize address pool from 0 to 255
Nov 7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Nov 7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
Nov 7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used for NAT-T
Nov 7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used as isakmp port (fd=18)
Nov 7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used for NAT-T
Nov 7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used as isakmp port (fd=19)
Nov 7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used for NAT-T
Nov 7 16:20:00 tango racoon: INFO: ::1[500] used as isakmp port (fd=20)
Nov 7 16:20:00 tango racoon: INFO: fe80::2e0:7dff:fe89:544a%eth3[500] used as isakmp port (fd=21)
Nov 7 16:20:00 tango racoon: INFO: fe80::208:54ff:feb0:a674%eth0[500] used as isakmp port (fd=22)
Nov 7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov 7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov 7 16:25:00 tango racoon: INFO: unsupported PF_KEY message REGISTER

On the client side it's all OK (/var/log/syslog):

Nov 7 16:25:58 valsa racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov 7 16:25:58 valsa racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Nov 7 16:25:58 valsa racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 7 16:25:58 valsa racoon: INFO: Resize address pool from 0 to 255
Nov 7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov 7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used as isakmp port (fd=13)
Nov 7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used for NAT-T
Nov 7 16:25:58 valsa racoon: INFO: ::1[500] used as isakmp port (fd=23)
Nov 7 16:25:58 valsa racoon: INFO: fe80::20d:f0ff:fe17:1ced%wlan0[500] used as isakmp port (fd=24)
Nov 7 16:26:03 valsa racoon: INFO: IPsec-SA request for 192.168.2.254 queued due to no phase1 found.
Nov 7 16:26:03 valsa racoon: INFO: initiate new phase 1 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov 7 16:26:03 valsa racoon: INFO: begin Identity Protection mode.
Nov 7 16:26:03 valsa racoon: INFO: received Vendor ID: DPD
Nov 7 16:26:03 valsa racoon: INFO: ISAKMP-SA established 192.168.2.100[500]-192.168.2.254[500] spi:176a0c583d87bbc5:9a4ee8736fd28ee7
Nov 7 16:26:04 valsa racoon: INFO: initiate new phase 2 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov 7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.254[0]->192.168.2.100[0] spi=260814603(0xf8bb70b)
Nov 7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.100[500]->192.168.2.254[500] spi=25536301(0x185a72d)

PS: Excuse my poor English!!!
Is the client side in the second log running version 0.7.1 or 0.7? Can you please try to run the gateway with log level debug2 and attach or paste the output?
The client side runs ipsec-tools version 0.7.
Created attachment 322901
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)
Created attachment 322904
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)
The racoon.log is racoon.tgz, excuse me!
If the client is ipsec-tools version 0.7.1, it also does not work!
I downloaded ipsec-tools version 0.7.1 from SourceForge, recompiled it without patches, and racoon works fine!!!
Ditto here folks. An IPsec tunnel that worked with the old ipsec-tools doesn't come up any more:

------------------------------------
Nov 8 15:29:57 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov 8 15:29:57 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov 8 15:29:57 beauty racoon: WARNING: attribute has been modified.
Nov 8 15:29:57 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov 8 15:29:57 beauty racoon: ERROR: pfkey add failed.
Nov 8 15:29:57 beauty racoon: ERROR: failed to process packet.
Nov 8 15:29:57 beauty racoon: ERROR: phase2 negotiation failed.
Nov 8 15:30:26 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov 8 15:30:26 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov 8 15:30:26 beauty racoon: WARNING: attribute has been modified.
Nov 8 15:30:26 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov 8 15:30:26 beauty racoon: ERROR: pfkey add failed.
Nov 8 15:30:26 beauty racoon: ERROR: failed to process packet.
Nov 8 15:30:26 beauty racoon: ERROR: phase2 negotiation failed.
------------------------------------

Reverting back to the old version of the ipsec-tools RPM immediately fixes the problem.
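As an added example (not from this bug, from the reporters, or from the ipsec-tools project), a small Python script that classifies racoon syslog lines of the kind quoted in the original report and in the comment above: per host it counts established phase 1 (ISAKMP-SA) and phase 2 (IPsec-SA) entries and separates the gateway-side "libipsec failed pfkey check" failure, where no negotiation is attempted at all, from the phase 2 "authtype mismatched" / "pfkey add failed" sequence, where the ISAKMP side runs but the kernel SA is never installed. The sample log is constructed from the lines quoted in this bug; the <to_IP>/<from_IP> placeholders are replaced with 192.0.2.x documentation addresses, and the verdict labels are my own naming, not racoon's.

```python
"""Summarise racoon (ipsec-tools) syslog output per host.

Added example: counts phase 1 / phase 2 SAs and classifies the failure mode
seen in the log. The regexes match the racoon log format shown in the bug;
the verdict strings are this script's own labels.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY|DEBUG\d*): (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"authtype mismatched: my:(?P<mine>\S+) peer:(?P<peer>\S+)")


@dataclass
class HostStatus:
    phase1_up: int = 0          # "ISAKMP-SA established" lines
    phase2_up: int = 0          # "IPsec-SA established" lines
    phase2_failed: int = 0      # "phase2 negotiation failed" lines
    pfkey_errors: list = field(default_factory=list)   # ERROR lines mentioning pfkey/PF_KEY
    auth_mismatch: list = field(default_factory=list)  # (mine, peer) authtype pairs

    def verdict(self) -> str:
        # Order matters: a proposal mismatch explains a following "pfkey add failed",
        # so report it first; a bare pfkey error with no phase 2 at all points at the
        # daemon/kernel PF_KEY interface rather than at the peer.
        if self.auth_mismatch:
            mine, peer = self.auth_mismatch[-1]
            return f"phase2 proposal mismatch: my {mine} vs peer {peer}"
        if self.pfkey_errors and self.phase2_up == 0:
            return "pfkey/kernel interface problem"
        if self.phase2_up and not self.phase2_failed:
            return "tunnel up"
        if self.phase2_failed:
            return "phase2 failed"
        return "no negotiation seen"


def parse_line(line: str):
    """Return the timestamp/host/level/msg fields of one racoon line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(text: str) -> dict:
    """Build a HostStatus per logging host from raw syslog text."""
    hosts: dict = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # not a racoon line (other daemons, blank lines)
            continue
        st = hosts.setdefault(rec["host"], HostStatus())
        msg = rec["msg"]
        if msg.startswith("ISAKMP-SA established"):
            st.phase1_up += 1
        elif msg.startswith("IPsec-SA established"):
            st.phase2_up += 1
        elif msg.startswith("phase2 negotiation failed"):
            st.phase2_failed += 1
        if rec["level"] == "ERROR" and ("pfkey" in msg or "PF_KEY" in msg):
            st.pfkey_errors.append(msg)
        am = AUTH_RE.search(msg)
        if am:
            st.auth_mismatch.append((am["mine"], am["peer"]))
    return hosts


# Constructed sample built from the lines quoted in this bug (gateway "tango",
# client "valsa", and the second reporter's host "beauty" with 192.0.2.x
# substituted for the <to_IP>/<from_IP> placeholders).
SAMPLE_LOG = """\
Nov 7 16:20:00 tango racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov 7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used as isakmp port (fd=18)
Nov 7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov 7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov 7 16:25:00 tango racoon: INFO: unsupported PF_KEY message REGISTER
Nov 7 16:26:03 valsa racoon: INFO: initiate new phase 1 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov 7 16:26:03 valsa racoon: INFO: ISAKMP-SA established 192.168.2.100[500]-192.168.2.254[500] spi:176a0c583d87bbc5:9a4ee8736fd28ee7
Nov 7 16:26:04 valsa racoon: INFO: initiate new phase 2 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov 7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.254[0]->192.168.2.100[0] spi=260814603(0xf8bb70b)
Nov 7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.100[500]->192.168.2.254[500] spi=25536301(0x185a72d)
Nov 8 15:29:57 beauty racoon: INFO: initiate new phase 2 negotiation: 192.0.2.1[500]<=>192.0.2.2[500]
Nov 8 15:29:57 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov 8 15:29:57 beauty racoon: WARNING: attribute has been modified.
Nov 8 15:29:57 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov 8 15:29:57 beauty racoon: ERROR: pfkey add failed.
Nov 8 15:29:57 beauty racoon: ERROR: failed to process packet.
Nov 8 15:29:57 beauty racoon: ERROR: phase2 negotiation failed.
"""

if __name__ == "__main__":
    for host, st in summarize(SAMPLE_LOG).items():
        print(f"{host:8s} phase1={st.phase1_up} phase2={st.phase2_up} "
              f"failed={st.phase2_failed} pfkey_errors={len(st.pfkey_errors)} -> {st.verdict()}")
```

Run against a real /var/log/messages or syslog (for example `python3 racoon_summary.py < /var/log/messages` after swapping SAMPLE_LOG for sys.stdin.read()) the per-host verdict tells you at a glance whether to look at the racoon.conf proposals (authtype mismatch), at the daemon build against the kernel's PF_KEY interface (pfkey check failures before any negotiation), or nowhere (tunnel up).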
Regarding comment #8, I'm connecting to a PIX there.
*** Bug 470738 has been marked as a duplicate of this bug. ***
ipsec-tools-0.7.1-6.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-6.fc9
The ipsec-tools-0.7.1-6.fc9.x86_64.rpm works for me.
ipsec-tools-0.7.1-6.fc9.i386 works here. Thank you.
Just gave it +1 karma in bodhi.
ipsec-tools-0.7.1-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Thank you, ipsec-tools now works fine!!!