e_string69 (n00b) - Joined: 30 Aug 2005, Posts: 5
Posted: Tue Aug 30, 2005 2:39 pm, Post subject: IPSEC problem
I am trying to move from RedHat 7 to current Gentoo. Freeswan to 2.6 ipsec-tools. I see the following error in my log:
Aug 30 09:26:58 redhat racoon: ERROR: unknown notify message, no phase2 handle found.
Aug 30 09:26:58 redhat racoon: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=1 spi=cfa9bed3(size=4).
I have tested Pentium II and III machines. The configuration is the same. The Pentium II with kernel-2.6.11-gentoo-r3 works. Pentium II and III with kernel-2.6.12-gentoo-r9 do not.

Configuration:

redhat ~ # cat /etc/ipsec.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
# Create policies for racoon
spdadd 0.0.0.0/0 172.23.150.16/29 any -P in ipsec
    esp/tunnel/204.29.246.4-70.114.157.81/require;
spdadd 172.23.150.16/29 0.0.0.0/0 any -P out ipsec
    esp/tunnel/70.114.157.81-204.29.246.4/require;
redhat ~ # cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log debug2;
remote 204.29.246.4
{
    exchange_mode main;
    lifetime time 8 hour;
    generate_policy on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 172.23.150.16/29 any address 0.0.0.0/0 any
{
    # every statement in this block must end with a semicolon
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Preshared key authentication in psk.txt:

# IPv4/v6 addresses
204.29.246.4 supersecretkey
#206.175.161.182 mekmitasdigoat
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#sakane@kame.net mekmitasdigoat
# FQDN
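An added example (not from the thread) for working through the INVALID-SPI notification quoted above: it parses racoon's notify lines and cross-checks the rejected SPI against a `setkey -D` dump, so you can tell whether the local host is still sending on an SA the Cisco side has already discarded. All sample input is constructed; the only real lines are the two the poster quoted.

```python
import re

# Constructed sample input (added example, not the poster's output); the
# first two lines are the ones quoted in the post, the rest are made up.
RACOON_LOG = """\
Aug 30 09:26:58 redhat racoon: ERROR: unknown notify message, no phase2 handle found.
Aug 30 09:26:58 redhat racoon: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=1 spi=cfa9bed3(size=4).
Aug 30 09:27:03 redhat racoon: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=3 spi=deadbeef(size=4).
Aug 30 09:27:10 redhat racoon: DEBUG: notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=3 spi=0a1b2c3d(size=4).
"""

# Constructed `setkey -D` output: the SAD this host (70.114.157.81) currently holds.
SETKEY_D = """\
70.114.157.81 204.29.246.4
    esp mode=tunnel spi=3484008147(0xcfa9bed3) reqid=0(0x00000000)
204.29.246.4 70.114.157.81
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
"""

NOTIFY_RE = re.compile(
    r"notification message (?P<code>\d+):(?P<name>[A-Z0-9-]+), "
    r"doi=\d+ proto_id=(?P<proto>\d+) spi=(?P<spi>[0-9a-f]+)")
SA_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+)\n\s*esp mode=\w+ spi=\d+\(0x(?P<spi>[0-9a-f]+)\)", re.M)

def parse_notifies(log):
    """Return one dict per ISAKMP notification that racoon logged."""
    out = []
    for m in NOTIFY_RE.finditer(log):
        out.append({"code": int(m["code"]), "name": m["name"],
                    "proto_id": int(m["proto"]), "spi": m["spi"].lower()})
    return out

def parse_sad(text):
    """Map each ESP SPI in `setkey -D` output to its (src, dst) address pair."""
    return {m["spi"].lower(): (m["src"], m["dst"]) for m in SA_RE.finditer(text)}

def classify(notifies, sad):
    """For each INVALID-SPI the peer sent: 'stale-local-sa' if we still hold that
    SA (the peer dropped its copy; deleting ours with setkey lets racoon renegotiate),
    'unknown-locally' if neither side has it (leftover from an earlier SA, e.g. a reboot)."""
    verdicts = []
    for n in notifies:
        if n["name"] != "INVALID-SPI":
            continue
        state = "stale-local-sa" if n["spi"] in sad else "unknown-locally"
        verdicts.append((n["spi"], n["proto_id"], state))
    return verdicts

print(classify(parse_notifies(RACOON_LOG), parse_sad(SETKEY_D)))
```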
e_string69 (n00b) - Joined: 30 Aug 2005, Posts: 5
Posted: Thu Sep 08, 2005 5:29 pm, Post subject: IPSEC problem
I see the same problem after installing 2005.1. Same configuration. This trouble seems to appear after emerge --update --deep world.
e_string69 (n00b) - Joined: 30 Aug 2005, Posts: 5
Posted: Thu Sep 08, 2005 7:54 pm, Post subject: Help IPSEC problem
Is there something I am missing? I am trying to build an IPSEC router with site-to-site VPN straight from the 2005.1 disk. There is nothing unusual about my setup. I have been sure to not deviate from the latest install documentation. Apps used are dhcp dhcpcd bind samba ipsec-tools iptables ntp sshd.
I have tried to rebuild this system several times. It is a Pentium III. The problem seems to occur after updating the system. The other side is a Cisco concentrator. sha1 3des group2 preshared key.
The log indicates the following error:
Aug 30 09:26:58 redhat racoon: ERROR: unknown notify message, no phase2 handle found.
Aug 30 09:26:58 redhat racoon: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=1 spi=cfa9bed3(size=4).
groovin (Guru) - Joined: 07 Feb 2004, Posts: 429, Location: California, USA
Posted: Fri Sep 09, 2005 7:28 pm
I haven't touched racoon in a long time so I don't think I can help you much, but...
Have you tried different exchange_mode values like aggressive?
If this only pops up after emerge, then my guess would be to see what exactly emerge is updating/changing on your system and work from there.
Otherwise... if you're only using these boxes as routers to connect two remote sites... might I suggest using m0n0wall (www.m0n0.ch/wall) - it runs racoon (ipsec-tools) on FreeBSD with a configurable web interface! Super easy to use, and all you need for a router is an old computer with 2 NICs, a CD-ROM drive, and a floppy drive. No HD needed. There is even a CF card version. I've used it at my company for the last 2 years... we have it running a good chunk of our VPN operations.
It doesn't have bind or samba built in, but I am going along the lines of thinking that you shouldn't run services like those (especially bind) on a router.
e_string69 (n00b) - Joined: 30 Aug 2005, Posts: 5
Posted: Sat Sep 10, 2005 1:22 pm, Post subject: IPSEC problem
I have looked at your suggestions in the past and find that they are too simple. The Smoothwall DHCP server is not full featured, for example. It may take a while to find this problem. Thank you for your reply.