racoon still also broken

Pawel Biernacki kaktus at dragonflybsd.pl
Thu Oct 14 15:55:57 PDT 2004


On Thu, 14 Oct 2004, Andrew Atrens wrote:

> Pawel Biernacki wrote:
>
>> On 2004-10-14, Andrew Atrens <atrens at xxxxxxxxxxxxxxxxxx> wrote:
>>> As an aside, racoon is also broken.
>>>
>>> I'm using ethereal on both sides of the link and I can see
>>> both racoon daemons sending udp packets - on both sides of the
>>> link, but neither appears to 'see' the other's packets.
>>>
>>> Eventually, the daemons both die with -
>>> 2004-10-14 12:28:44: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
>>> 2004-10-14 12:29:03: ERROR: sockmisc.c:318:recvfromto(): recvmsg (Resource temporarily unavailable)
>>>
>>> Not sure what the error means. I suppose it's either a listening
>>> problem, or a delivery problem. At any rate it looks like it's in
>>> the stack somewhere.
>>>
>>
>> I have a strange problem with stopping racoon. After establishing any
>> ipseced connection, the only way to stop racoon is kill -9. Tested with
>> IPSEC and FAST_IPSEC.
>>
>> apocalypse# /usr/local/etc/rc.d/racoon.sh stop
>> Stopping racoon.
>> Waiting for PIDS: 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138, 1138,^C
>>
>
> Yeah I see this too.
>
> Once the link goes down, racoon just doesn't want to let go.
>
> Out of curiosity, are you using tunnel or transport mode?

tunnel mode

>
> All my testing is with transport mode. I applied your FAST_IPSEC patch
> to try it out, and it didn't work. Perhaps it could be related to some
> incompatibility with my earlier patch.
>
> Another question, what encryption are you using? I only started having
> problems when I enabled encryption. Null (simple) encryption seems to
> work without my patch.

3des encryption

These are logs from racoon, with FAST_IPSEC. I don't see any problems related
to your
>>> 2004-10-14 12:29:03: ERROR: sockmisc.c:318:recvfromto(): recvmsg (Resource temporarily unavailable)

Oct 15 00:59:29 apocalypse racoon: 2004-10-15 00:59:29: INFO: isakmp.c:1368:isakmp_open(): 212.xx.xx.xx[500] used as isakmp port (fd=11)
Oct 15 00:59:41 apocalypse racoon: 2004-10-15 00:59:41: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 195.xx.xx.xx queued due to no phase1 found.
Oct 15 00:59:41 apocalypse racoon: 2004-10-15 00:59:41: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 212.xx.xx.xx[500]<=>195.xx.xx.xx[500]
Oct 15 00:59:41 apocalypse racoon: 2004-10-15 00:59:41: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 15 01:00:01 apocalypse racoon: 2004-10-15 01:00:01: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
Oct 15 01:00:01 apocalypse racoon: 2004-10-15 01:00:01: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 212.xx.xx.xx[500]-195.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Oct 15 01:00:01 apocalypse racoon: 2004-10-15 01:00:01: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 212.xx.xx.xx[0]<=>195.xx.xx.xx[0]
