Discussion:
[Ipsec-tools-devel] racoon failed to bind to 127.0.0.1 [address already in use], and SPD cannot be flushed fully
Rafiqul Ahsan
2006-02-28 22:54:24 UTC
I have a couple of problems when I am trying to load racoon.conf. The very
first time, I did not get the binding error; the error was something else,
like dh_group and proposal not found etc., but when I try to load a 2nd/3rd
time, I keep getting a cannot bind to address error (as follows). Also, this
is the first time I am noticing that whenever I flush out the SPD, I used
to see it empty by checking /etc/setkey -DP; now I see something like this ...

::/0[any] ::/0[any] any
in none
created: Feb 28 15:59:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=283 seq=7 pid=9288
refcnt=1
::/0[any] ::/0[any] any
in none
created: Feb 28 15:59:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=267 seq=6 pid=9288
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 28 15:59:22 2006 lastused: Feb 28 16:01:03 2006
lifetime: 0(s) validtime: 0(s)
spid=251 seq=5 pid=9288
refcnt=1


Here is my /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous
{
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

Here is the error :
Foreground mode.
2006-02-28 16:47:23: INFO: @(#)ipsec-tools 0.5.2 (
http://ipsec-tools.sourceforge.net)
2006-02-28 16:47:23: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19
2003 (http://www.openssl.org/)
2006-02-28 16:47:23: ERROR: failed to bind to address 127.0.0.1[500]
(Address already in use).
2006-02-28 16:47:23: ERROR: failed to bind to address 10.19.171.30[500]
(Address already in use).
2006-02-28 16:47:23: ERROR: failed to bind to address ::1[500] (Address
already in use).

Can you guys help me to figure out the problem?

Thanks
Rafi


--
Rafiqul Ahsan 630-717-1698(h)
2120 Periwinkle Ln 630-689-1457(h)
Naperville, IL 60540 847-812-6176(c)
Rafiqul Ahsan
2006-03-01 15:30:31 UTC
I actually killed the racoon daemon, and I don't see the error. However, I am
facing some other error for which I really need another help... I am trying
racoon at Linux, and in.iked at Solaris...
However, I keep getting the following racoon error when I try to ping from
Solaris (10.19.171.18) to Linux (10.19.171.30):

2006-03-01 09:22:00: INFO: begin Identity Protection mode.
2006-03-01 09:22:00: WARNING: SPI size isn't zero, but IKE proposal.
2006-03-01 09:22:00: ERROR: rejected dh_group:
DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:1536-bit MODP
group
2006-03-01 09:22:00: ERROR: no suitable proposal found.
2006-03-01 09:22:00: ERROR: failed to get valid proposal.
2006-03-01 09:22:00: ERROR: failed to process packet.
2006-03-01 09:22:02: NOTIFY: the packet is retransmitted by 10.19.171.18
[500].
2006-03-01 09:22:02: INFO: respond new phase 1 negotiation: 10.19.171.30
[500]<=>10.19.171.18[500]

Here is my racoon.conf :

path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous
{
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
Here is my ike.config at Solaris :

## Phase 1 transform defaults...

p1_lifetime_secs 30 #14400
p1_nonce_len 16 #20
p2_nonce_len 16
## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des}

p2_pfs 2
{
label "simple inheritor"
local_id_type ip
local_addr 10.19.171.18
remote_addr 10.19.171.30

p2_pfs 1

p1_xform
{auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des}
}


# ps -a | grep in.iked
# /usr/lib/inet/in.iked -f ike.config
# ping 10.19.171.30
no answer from 10.19.171.30
Looks like it cannot match the dh_group, and failed to get a valid proposal?
I am stuck here; please know that I badly need your help on identifying this
problem.

Thanks for your help..

Rafi
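An added example, not code from the thread or the ipsec-tools project: a small Python triage script that runs over constructed racoon log lines modelled on the ones quoted in both posts, flags the "Address already in use" bind failures and decodes the "rejected dh_group" line into IKE group numbers for each side. The MODP bit-size to group-number table follows RFC 2409/3526 and is an assumption about the naming racoon uses in its log.

```python
import re

# Diffie-Hellman MODP group sizes as racoon prints them (RFC 2409 groups 1, 2, 5;
# RFC 3526 group 14). racoon's dh_group/pfs_group and Solaris oakley_group use these numbers.
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}

# Constructed sample log, modelled on the output quoted in the thread (one line per event).
SAMPLE_LOG = """\
2006-02-28 16:47:23: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
2006-02-28 16:47:23: ERROR: failed to bind to address 10.19.171.30[500] (Address already in use).
2006-03-01 09:22:00: INFO: begin Identity Protection mode.
2006-03-01 09:22:00: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:1536-bit MODP group
2006-03-01 09:22:00: ERROR: no suitable proposal found.
"""

BIND_RE = re.compile(r"failed to bind to address (\S+)\[(\d+)\] \(Address already in use\)")
DH_RE = re.compile(r"rejected dh_group: DB\(([^)]*)\):Peer\(([^)]*)\) = "
                   r"(\d+)-bit MODP group:(\d+)-bit MODP group")


def triage(log_text):
    """Return a list of (kind, details) findings extracted from racoon log text."""
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            findings.append(("bind_in_use", {"addr": m.group(1), "port": int(m.group(2))}))
            continue
        m = DH_RE.search(line)
        if m:
            local_bits, peer_bits = int(m.group(3)), int(m.group(4))
            findings.append(("dh_group_mismatch", {
                "local_bits": local_bits, "peer_bits": peer_bits,
                "local_group": MODP_BITS_TO_GROUP.get(local_bits),   # None if unknown size
                "peer_group": MODP_BITS_TO_GROUP.get(peer_bits)}))
    return findings


def summarize(findings):
    """Collapse findings into one diagnosis string per problem kind."""
    out = []
    busy = sorted({f"{d['addr']}[{d['port']}]" for k, d in findings if k == "bind_in_use"})
    if busy:
        out.append("Socket(s) " + ", ".join(busy) + " already in use: an IKE daemon (most likely "
                   "an earlier racoon) is still listening; stop it before starting a new one.")
    for k, d in findings:
        if k == "dh_group_mismatch":
            out.append(f"Phase 1 DH mismatch: local group {d['local_group']} ({d['local_bits']}-bit) "
                       f"vs peer group {d['peer_group']} ({d['peer_bits']}-bit); "
                       "set dh_group (racoon) and oakley_group (in.iked) to the same value.")
            break
    return out


if __name__ == "__main__":
    for diagnosis in summarize(triage(SAMPLE_LOG)):
        print(diagnosis)
```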
