bin/57302: racoon goes for a loop when proposal isn't known

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/57302: racoon goes for a loop when proposal isn't known
From: andrew.cagney%gmail.com@localhost
Date: Mon, 27 Mar 2023 19:50:01 +0000 (UTC)

>Number:         57302
>Category:       bin
>Synopsis:       racoon goes for a loop when proposal isn't known
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 27 19:50:00 +0000 2023
>Originator:     cagney
>Release:        NetBSD east 10.0_BETA NetBSD 10.0_BETA (GENERIC)
>Organization:
>Environment:
NetBSD east 10.0_BETA NetBSD 10.0_BETA (GENERIC)
>Description:
The responder (racoon) is configured with the first example lifted almost verbatim from racoon.conf(5).  The only tweak is aggro only:

remote anonymous {
	exchange_mode aggressive;
	lifetime time 24 hour;
	ike_frag on;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

The initiator (libreswan) is configured to propose:

        ikev2=no
        aggressive=yes
        # modp != east
        ike=3des-sha1-modp1536

Where modp1536 aka dh5.  Racoon, fills syslog with:

Mar 27 19:36:51 east racoon: INFO: respond new phase 1 negotiation: 192.1.2.23[500]<=>192.1.2.45[500] 
Mar 27 19:36:51 east racoon: INFO: begin Aggressive mode. 
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: FRAGMENTATION 
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: DPD 
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: RFC 3947 
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
Mar 27 19:36:51 east racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
Mar 27 19:36:51 east racoon: ERROR: no suitable proposal found. 
Mar 27 19:36:51 east racoon: [192.1.2.45] ERROR: failed to get valid proposal. 
Mar 27 19:36:51 east racoon: [192.1.2.45] ERROR: failed to pre-process ph1 packet (side: 1, status 1). 
Mar 27 19:36:51 east racoon: [192.1.2.45] ERROR: phase1 negotiation failed. 
>How-To-Repeat:

>Fix:

Prev by Date: Re: kern/57292 (GENERIC64 virtio panic on aarch64)
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: Re: misc/57301 (A typo in "Using sysctl", NetBSD guide)
Next by Thread: Re: bin/57302: racoon goes for a loop when proposal isn't known
Indexes:

Home | Main Index | Thread Index | Old Index