Subject: Re: racoon -- AUTH must be present for ESP
To: None <current-users@netbsd.org>
From: Jay Nelson <jnelson@newsstand.com>
List: current-users
Date: 10/20/2003 10:33:29
On Mon, Oct 20, 2003 at 08:49:20AM +0900, Jun-ichiro itojun Hagino wrote:
> > I think I've looked at this so long, I'm not seeing.
> >
> > Kernel and userland is "NetBSD 1.6ZC (GENERIC) #0: Sat Oct 11". The
> > racoon config that works quite nicely on 1.6.1 fails after, what
> > appears a normal phase one and phase two negotiation with:
> >
> > 2003-10-12 10:33:54: ERROR: ipsec_doi.c:2678: attr AUTH must be
> > present for ESP NULL encryption
> > 2003-10-12 10:33:54: ERROR: pfkey.c:953: failed to start post getspi
> >
> > I can't find anything in the docs or man pages that I recognize as
> > related.
> >
> > What am I missing?
>
> would you please post your racoon.conf as well as setkey(8) settings
> (ipsec.conf), confidential info removed (like secret keys)?
>
> basically, the error here is that your racoon (or the IKE peer) is
> requesting ESP without encryption, without authentication.
>
> itojun
setkey settings and racoon conf are created on the fly by the ip-up ppp
scripts. Essentially setkey is configured by:
spdadd 10.10.10.2/32 192.168.1.0/24[any] any -P out ipsec esp/tunnel/${myaddr}-209.163.140.4/require ;
spdadd 192.168.1.0/24 10.10.10.2/32[any] any -P in ipsec esp/tunnel/209.163.140.4-${myaddr}/require ;
EOF
and the completed racoon.conf (anonymous SA selected) looks like this:
path pre_shared_key "/etc/racoon/psk.txt" ;
path backupsa "/var/run/backupsa" ;
log debug2 ;

remote anonymous
{
    exchange_mode main,base;
    support_proxy on;
    proposal_check obey;
    generate_policy on;
    initial_contact on;
    my_identifier address;
    peers_identifier address ;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 1 ;
    }
}

remote 65.198.169.4
{
    exchange_mode main,aggressive,base;
    doi ipsec_doi;
    situation identity_only;
    support_proxy on;
    proposal_check obey;
    generate_policy on;
    initial_contact on;
    my_identifier address ;
    peers_identifier address ;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        lifetime time 3600 sec;
        dh_group 1 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des,3des,blowfish,null_enc ;
    authentication_algorithm hmac_sha1,non_auth ;
    compression_algorithm deflate ;
}

listen {
    isakmp 205.238.178.66;
}

sainfo address 205.238.178.66 any address 2XX.163.140.4 any
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des,3des,blowfish,null_enc;
    authentication_algorithm hmac_sha1,non_auth;
    compression_algorithm deflate ;
}

sainfo address 2XX.163.140.4 any address 205.238.178.66 any
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des,3des,blowfish,null_enc;
    authentication_algorithm hmac_sha1,non_auth;
    compression_algorithm deflate ;
}
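itojun reads the "attr AUTH must be present for ESP NULL encryption" error as an ESP proposal that carries neither encryption nor authentication. Every sainfo block in the posted racoon.conf lists both null_enc under encryption_algorithm and non_auth under authentication_algorithm, which is exactly the pairing that can produce such a proposal. The following is an added example, not code from this thread or from the racoon project: a small Python audit that parses the sainfo blocks of a racoon.conf, reports any null_enc/non_auth pairing, and emits a hardened copy with non_auth removed so every ESP SA keeps integrity protection. The sample configuration is constructed here, modelled on the sainfo block above; the parser handles only the two algorithm lists and ignores the rest of the grammar.

```python
"""Audit racoon.conf sainfo blocks for ESP proposals with no protection at all."""
import re
from itertools import product

# Algorithm names racoon uses for "no encryption" and "no authentication".
NULL_ENC = {"null_enc"}
NULL_AUTH = {"non_auth"}

# Constructed sample (assumption: modelled on the sainfo block in the post,
# not the poster's actual file).
SAMPLE_CONF = """
sainfo anonymous
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des,3des,blowfish,null_enc ;
    authentication_algorithm hmac_sha1,non_auth ;
    compression_algorithm deflate ;
}
"""

# "sainfo <selector> { ... }" with a non-greedy body; good enough for the
# flat sainfo syntax, which has no nested braces.
SAINFO_RE = re.compile(r"sainfo\s+([^{]*?)\s*\{(.*?)\}", re.S)
ALG_RE = re.compile(
    r"^\s*(encryption_algorithm|authentication_algorithm)\s+([^;]+);", re.M
)


def parse_sainfo(text):
    """Return a list of (selector, encryption_list, authentication_list)."""
    blocks = []
    for m in SAINFO_RE.finditer(text):
        selector = " ".join(m.group(1).split())
        algs = {"encryption_algorithm": [], "authentication_algorithm": []}
        for am in ALG_RE.finditer(m.group(2)):
            algs[am.group(1)] = [a.strip() for a in am.group(2).split(",") if a.strip()]
        blocks.append((selector, algs["encryption_algorithm"], algs["authentication_algorithm"]))
    return blocks


def unprotected_combinations(enc, auth):
    """Every (encryption, authentication) pair that gives neither confidentiality nor integrity."""
    return [(e, a) for e, a in product(enc, auth) if e in NULL_ENC and a in NULL_AUTH]


def audit(text):
    """Return [(selector, [bad pairs])] for each sainfo block that allows an unprotected ESP SA."""
    findings = []
    for selector, enc, auth in parse_sainfo(text):
        bad = unprotected_combinations(enc, auth)
        if bad:
            findings.append((selector, bad))
    return findings


def harden(text):
    """Drop non_auth from every authentication_algorithm list, keeping the rest of the file intact."""
    def fix(m):
        kept = [a.strip() for a in m.group(2).split(",") if a.strip() not in NULL_AUTH]
        return f"{m.group(1)}authentication_algorithm {','.join(kept)};"
    return re.sub(r"^(\s*)authentication_algorithm\s+([^;]+);", fix, text, flags=re.M)


if __name__ == "__main__":
    for selector, bad in audit(SAMPLE_CONF):
        print(f"sainfo {selector}: allows unprotected ESP via {bad}")
    print(harden(SAMPLE_CONF))
```

Run it against a real racoon.conf by reading the file into `audit()`; an empty result means no sainfo block can negotiate a null_enc/non_auth pair. Removing non_auth rather than null_enc is the conservative fix, since an ESP SA with null encryption but HMAC authentication is still a valid (integrity-only) proposal, whereas one with neither is what racoon rejects.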