Subject: racoon + generate_policy
To: None <current-users@netbsd.org>
From: Paul Dokas <dokas@cs.umn.edu>
List: current-users
Date: 01/17/2002 14:29:17
Something's seriously wrong with racoon's generate_policy flag. I'm attempting
to create IPSec connections between a fixed endpoint and a roaming laptop. Both
ends are X86 NetBSD -current as of this week, and I'm using racoon-20011215a
from pkgsrc.
The problem is shown in the following racoon log (from the fixed endpoint):
2002-01-17 13:49:48: DEBUG: oakley.c:389:oakley_compute_keymat(): KEYMAT computed.
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1611:quick_r3prep(): call pk_sendupdate
2002-01-17 13:49:48: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-01-17 13:49:48: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2002-01-17 13:49:48: DEBUG: pfkey.c:971:pk_sendupdate(): call pfkey_send_update
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1616:quick_r3prep(): pfkey update sent.
2002-01-17 13:49:48: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-01-17 13:49:48: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
2002-01-17 13:49:48: DEBUG: pfkey.c:1212:pk_sendadd(): call pfkey_send_add
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1623:quick_r3prep(): pfkey add sent.
2002-01-17 13:49:48: DEBUG: pfkey.c:1867:pk_sendspdupdate2(): call pfkey_send_spdupdate2
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1645:quick_r3prep(): pfkey spdupdate2(inbound) sent.
2002-01-17 13:49:48: DEBUG: pfkey.c:1867:pk_sendspdupdate2(): call pfkey_send_spdupdate2
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1665:quick_r3prep(): pfkey spdupdate2(outbound) sent.
2002-01-17 13:49:48: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfd660: 128.101.A.B/32[0] 128.101.C.D/32[0] proto=any dir=out
2002-01-17 13:49:48: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a2c08: 128.101.E.F/32[0] 128.101.A.B/32[0] proto=any dir=in
2002-01-17 13:49:48: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfd660: 128.101.A.B/32[0] 128.101.C.D/32[0] proto=any dir=out
2002-01-17 13:49:48: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80b3208: 128.101.A.B/32[0] 128.101.E.F/32[0] proto=any dir=out
2002-01-17 13:49:48: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfd660: 128.101.C.D/32[0] 128.101.A.B/32[0] proto=any dir=in
2002-01-17 13:49:48: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a2c08: 128.101.E.F/32[0] 128.101.A.B/32[0] proto=any dir=in
2002-01-17 13:49:48: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfd660: 128.101.C.D/32[0] 128.101.A.B/32[0] proto=any dir=in
2002-01-17 13:49:48: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80b3208: 128.101.A.B/32[0] 128.101.E.F/32[0] proto=any dir=out
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
2002-01-17 13:49:48: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Transport 128.101.C.D->128.101.A.B spi=52049000(0x31a3468)
2002-01-17 13:49:48: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport 128.101.C.D->128.101.A.B spi=52049000(0x31a3468)
2002-01-17 13:49:48: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2002-01-17 13:49:48: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport 128.101.A.B->128.101.C.D spi=156122386(0x94e3d12)
2002-01-17 13:49:48: DEBUG: pfkey.c:1324:pk_recvadd(): ===
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
128.101.A.B is the fixed endpoint and 128.101.C.D is the DHCP'd laptop.
The laptop has a set policy:
spdadd 0.0.0.0/0 128.101.A.B/32 any -P out ipsec esp/transport//require;
spdadd 128.101.A.B/32 0.0.0.0/0 any -P in ipsec esp/transport//require;
And the fixed endpoint has static policy for a third machine (128.101.E.F):
spdadd 128.101.A.B/32 128.101.E.F/32 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 128.101.E.F/32 128.101.A.B/32 any -P in ipsec esp/transport//require ah/transport//require;
The fixed endpoint's racoon.conf contains this:
remote anonymous
{
exchange_mode main,aggressive,base;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "fnord.crt" "fnord.prv";
lifetime time 96 hour; # sec,min,hour
#lifetime byte 250 MB; # B,KB,GB
initial_contact off;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1536;
}
# the configuration makes racoon (as a responder) to obey the
# initiator's lifetime and PFS group proposal.
# this makes testing so much easier.
#proposal_check obey;
# for clients with dynamic IPs
generate_policy on;
}
And the laptop's racoon.conf is almost the same, except for:
remote 128.101.A.B
{
.
.
.
# for clients with dynamic IPs
#generate_policy on;
}
Both ends negotiate and install SAD entries, but the fixed endpoint never
installs SPD entries. They appear to be failing with the 'X_SPDUPDATE'
error message shown above.
I was doing all of this because I was packaging up all of the configuration
files for another person. I had this working once upon a time...
Anyone know what's going on?
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
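A small diagnostic to go with the post above, added here as an example (it is not racoon code and not the poster's): it parses racoon debug-log lines of the format quoted in the message, pulls out the "IPsec-SA established" events and the "pfkey X_SPDUPDATE failed" replies, parses the setkey spdadd policy lines, and then reports which of the established SAs are not covered by any static SPD entry and therefore depend on generate_policy having succeeded. The addresses 192.0.2.1, 192.0.2.50 and 192.0.2.70 are constructed stand-ins for 128.101.A.B, 128.101.C.D and 128.101.E.F, and the sample log and policy text are constructed to mirror the post.

```python
"""Correlate racoon's pfkey log messages with the static SPD.

Added example for the thread about generate_policy; not racoon code.
Sample data below is constructed, modelled on the quoted log and spdadd lines.
"""
import ipaddress
import re

# racoon log layout: "YYYY-MM-DD HH:MM:SS: LEVEL: file:line:func(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$")
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\S+) (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)")
SPD_SENT_RE = re.compile(r"pfkey spdupdate2\((?P<dir>inbound|outbound)\) sent")
SPD_FAIL_RE = re.compile(r"pfkey X_SPDUPDATE failed: (?P<err>.+)")
# setkey policy line: spdadd SRC DST UPPER -P DIR ipsec RULES;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<rules>[^;]*);")

# Constructed stand-ins: 192.0.2.1 = fixed endpoint (A.B), .50 = laptop (C.D), .70 = third host (E.F)
STATIC_SPD = """
spdadd 192.0.2.1/32 192.0.2.70/32 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.0.2.70/32 192.0.2.1/32 any -P in ipsec esp/transport//require ah/transport//require;
"""
SAMPLE_LOG = """\
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1645:quick_r3prep(): pfkey spdupdate2(inbound) sent.
2002-01-17 13:49:48: DEBUG: isakmp_quick.c:1665:quick_r3prep(): pfkey spdupdate2(outbound) sent.
2002-01-17 13:49:48: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.0.2.50->192.0.2.1 spi=52049000(0x31a3468)
2002-01-17 13:49:48: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport 192.0.2.1->192.0.2.50 spi=156122386(0x94e3d12)
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
"""


def parse_line(raw):
    """Split one racoon log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def parse_spd(text):
    """Turn spdadd lines into a list of policies with parsed address ranges."""
    pols = []
    for m in SPDADD_RE.finditer(text):
        pols.append({"src": ipaddress.ip_network(m["src"], strict=False),
                     "dst": ipaddress.ip_network(m["dst"], strict=False),
                     "dir": m["dir"], "rules": m["rules"].split()})
    return pols


def static_policy_for(pols, src, dst, direction):
    """Return the first static policy whose selector covers src->dst in that direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in pols:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


def analyse(log_text, spd_text, local_addr):
    """Collect SAs, SPD-update attempts and failures, and flag SAs with no static policy."""
    pols = parse_spd(spd_text)
    rep = {"sas": [], "spd_sent": 0, "spd_failed": [], "findings": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        msg = rec["msg"]
        if (m := SA_RE.search(msg)):
            rep["sas"].append((m["src"], m["dst"], int(m["spi"])))
        elif SPD_SENT_RE.search(msg):
            rep["spd_sent"] += 1
        elif (m := SPD_FAIL_RE.search(msg)):
            rep["spd_failed"].append(m["err"])
    for src, dst, spi in rep["sas"]:
        direction = "in" if dst == local_addr else "out"
        if static_policy_for(pols, src, dst, direction) is None:
            rep["findings"].append(
                f"SA {src}->{dst} spi={spi} ({direction}) has no static SPD entry; "
                f"traffic on it depends on a generated policy")
    if rep["spd_failed"]:
        rep["findings"].append(
            f"{len(rep['spd_failed'])} of {rep['spd_sent']} generated-policy SPD updates "
            f"failed: {rep['spd_failed'][0]}")
    return rep


if __name__ == "__main__":
    for line in analyse(SAMPLE_LOG, STATIC_SPD, "192.0.2.1")["findings"]:
        print(line)
```

Run against a real log, feed it the output of `setkey -DP` (or the policy file) as spd_text and the responder's own address as local_addr; an SA that shows up in the first kind of finding together with the second kind is exactly the situation in the post, where the kernel has the SAD entries but no policy selects traffic onto them.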