On Mar 5, 4:32pm, fr...@phoenix.owl.de (Frank Wille) wrote:
-- Subject: Re: Simple IPSEC client with certificate - phase 1 time out
| Christos Zoulas wrote:
|
| > If your server is behind NAT, I think that got broken at some point.
|
| Oh no! :(

Yes, it is almost working... The tunnel is up, and 3 out of 4 SAD's are
present; the 4th one comes up as larval and then times out...

| > I meant to debug this... I guess I should just do it...
|
| That would be so great! I can provide you with any information you need
| and can do all sorts of tests. Also with big endian hardware.
|
| BTW, there is a strange problem with adding SAs in the 7.0 kernel.
| Maybe it doesn't work on big endian? I don't know.

Make sure you have IPSEC_DEBUG in your kernel and you'll get a lot of
useful info.

| 1. NetBSD/macppc 7.0 (PowerBook G4):
| # setkey -c
| add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
| Invalid argument.
| # setkey -D
| No SAD entries.
|
| 2. NetBSD/amd64 7.0 (Asus i3):
| # setkey -c
| add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest";
| # setkey -D
| 10.0.0.1 10.0.0.2
| 	esp mode=any spi=1234(0x000004d2) reqid=0(0x00000000)
| 	E: aes-cbc 74657374 74657374 74657374 74657374
| 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
| 	created: Mar 5 15:53:31 2016	current: Mar 5 16:20:54 2016
| 	diff: 1643(s)	hard: 0(s)	soft: 0(s)
| 	last: Mar 5 11:41:33 2016	hard: 0(s)	soft: 0(s)
| 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
| 	allocated: 0	hard: 0	soft: 0
| 	sadb_seq=0 pid=2037 refcnt=1
|
|
| So the "pfkey ADD failed" is not present on x86, but the "pfkey UPDATED
| failed" is still there. I was able to see the SA to be updated for a short
| time in "larval" state when phase 2 was established:

The updated failed is fine (No such file or directory means it was not
present), and then it succeeds adding it.
| # setkey -D
| 192.168.0.21[4500] 78.48.238.147[4500]
| 	esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x00000000)
| 	E: aes-cbc d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299
| 	A: hmac-md5 3bd33ccd cd06e211 b5b7b926 399089e7
| 	seq=0x00000002 replay=4 flags=0x00000000 state=mature
| 	created: Mar 5 14:57:06 2016	current: Mar 5 14:57:14 2016
| 	diff: 8(s)	hard: 28800(s)	soft: 23040(s)
| 	last: Mar 5 14:57:07 2016	hard: 0(s)	soft: 0(s)
| 	current: 320(bytes)	hard: 0(bytes)	soft: 0(bytes)
| 	allocated: 2	hard: 0	soft: 0
| 	sadb_seq=1 pid=660 refcnt=2
| 78.48.238.147 192.168.0.21
| 	esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x00000000)
| 	seq=0x00000000 replay=0 flags=0x00000000 state=larval
| 	sadb_seq=0 pid=660 refcnt=1

I hope to fix the problem soon... It has been broken forever.

christos
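The symptom discussed in this thread (one SA of a tunnel pair stuck in "larval" while its counterpart is "mature") is easy to miss in a long setkey -D dump. The following is an added example, not code from the thread or from NetBSD: a small parser for the setkey -D layout shown above that lists every non-mature SA and every direction that lacks a mature SA in the reverse direction. The sample dump is constructed (documentation addresses, made-up key material) to match the format of Frank's output; the regexes assume the field order visible in that output.

```python
"""Parse `setkey -D` output and flag SAs that never left the larval state
or have no mature counterpart in the other direction.  Added example; the
sample dump is constructed to match the layout shown in the thread."""
import re
from dataclasses import dataclass, field


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    state: str = ""
    algs: dict = field(default_factory=dict)   # "E"/"A" -> algorithm name


# Regexes written against the field layout visible in setkey -D output.
PROTO = re.compile(r"^(esp-udp|esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-f]+\)")
ALG = re.compile(r"^([EA]):\s+(\S+)")
STATE = re.compile(r"\bstate=(\w+)")


def host(addr):
    """Strip a NAT-T port suffix such as '[4500]' so both directions compare."""
    return addr.split("[", 1)[0]


def parse_setkey_dump(text):
    """Return one SA per entry; an entry starts with an unindented 'src dst' line."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "No SAD entries.":
            continue
        if not raw[:1].isspace() and len(line.split()) == 2:
            src, dst = line.split()
            cur = SA(src=src, dst=dst)
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := PROTO.match(line):
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), int(m.group(3))
        elif m := ALG.match(line):
            cur.algs[m.group(1)] = m.group(2)
        elif m := STATE.search(line):
            cur.state = m.group(1)
    return sas


def larval_sas(sas):
    return [sa for sa in sas if sa.state == "larval"]


def report(text):
    """Findings as strings: every non-mature SA, then every one-way-only pair."""
    sas = parse_setkey_dump(text)
    findings = []
    for sa in sas:
        if sa.state != "mature":
            findings.append(f"{sa.src} -> {sa.dst} {sa.proto} spi=0x{sa.spi:08x} state={sa.state}")
    mature = {(host(sa.src), host(sa.dst)) for sa in sas if sa.state == "mature"}
    for a, b in sorted(mature):
        if (b, a) not in mature:
            findings.append(f"no mature SA for the reverse direction {b} -> {a}")
    return findings


# Constructed sample in the setkey -D layout: one mature NAT-T SA and a
# larval reverse SA, like the 3-out-of-4 situation described in the thread.
SAMPLE_DUMP = """\
192.0.2.21[4500] 198.51.100.10[4500]
\tesp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x00000000)
\tE: aes-cbc 00010203 04050607 08090a0b 0c0d0e0f
\tA: hmac-md5 10111213 14151617 18191a1b 1c1d1e1f
\tseq=0x00000002 replay=4 flags=0x00000000 state=mature
\tcreated: Mar 5 14:57:06 2016\tcurrent: Mar 5 14:57:14 2016
\tdiff: 8(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Mar 5 14:57:07 2016\thard: 0(s)\tsoft: 0(s)
\tcurrent: 320(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 2\thard: 0\tsoft: 0
\tsadb_seq=1 pid=660 refcnt=2
198.51.100.10 192.0.2.21
\tesp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tsadb_seq=0 pid=660 refcnt=1
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_DUMP):
        print(finding)
```

Run it against a live dump with `setkey -D | python3 check_sad.py` after replacing SAMPLE_DUMP with sys.stdin.read(); a larval entry that is still there after the phase 2 lifetime has started is the case to look at with IPSEC_DEBUG enabled.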