Subject: Re: racoon -- AUTH must be present for ESP
To: None <current-users@netbsd.org>
From: Jay Nelson <jnelson@newsstand.com>
List: current-users
Date: 10/20/2003 10:33:29
On Mon, Oct 20, 2003 at 08:49:20AM +0900, Jun-ichiro itojun Hagino wrote:
> > I think I've looked at this so long, I'm not seeing.
> > 
> > Kernel and userland are "NetBSD 1.6ZC (GENERIC) #0: Sat Oct 11". The
> > racoon config that works quite nicely on 1.6.1 fails after what
> > appears to be a normal phase one and phase two negotiation with:
> > 
> > 2003-10-12 10:33:54: ERROR: ipsec_doi.c:2678: attr AUTH must be
> > present for ESP NULL encryption
> > 2003-10-12 10:33:54: ERROR: pfkey.c:953: failed to start post getspi
> > 
> > I can't find anything in the docs or man pages that I recognize as
> > related.
> > 
> > What am I missing?
> 
> 	would you please post your racoon.conf as well as setkey(8) settings
> 	(ipsec.conf), confidential info removed (like secret keys)?
> 
> 	basically, the error here is that your racoon (or the IKE peer) is
> 	requesting ESP without encryption, without authentication.
> 
> itojun

The setkey settings and racoon.conf are created on the fly by the ip-up ppp
scripts. Essentially, setkey is configured by:

spdadd 10.10.10.2/32 192.168.1.0/24[any] any -P out ipsec esp/tunnel/${myaddr}-209.163.140.4/require ;
spdadd 192.168.1.0/24 10.10.10.2/32[any] any -P in ipsec esp/tunnel/209.163.140.4-${myaddr}/require ;

EOF

and the completed racoon.conf (anonymous SA selected) looks like this:

path pre_shared_key "/etc/racoon/psk.txt" ;
path backupsa "/var/run/backupsa" ;

log debug2 ;

remote anonymous
{
	exchange_mode main,base;
	support_proxy on;
	proposal_check obey;
	generate_policy on;
	initial_contact on;

	my_identifier address;
	peers_identifier address ;

	proposal {
		encryption_algorithm des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 1 ;
	}
}

remote 65.198.169.4
{
	exchange_mode main,aggressive,base;
	doi ipsec_doi;
	situation identity_only;
	support_proxy on;
	proposal_check obey;
	generate_policy on;
	initial_contact on;

	my_identifier address ;
	peers_identifier address ;

	proposal {
		encryption_algorithm des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		lifetime time 3600 sec;
		dh_group 1 ;
	}
}

sainfo anonymous
{
	pfs_group 1;
	lifetime time 3600 sec;
	encryption_algorithm des,3des,blowfish,null_enc ;
	authentication_algorithm hmac_sha1,non_auth ;
	compression_algorithm deflate ;
}
listen {
	isakmp 205.238.178.66;
}
sainfo address 205.238.178.66 any address 2XX.163.140.4 any
{
  pfs_group 1;
  lifetime time 3600 sec;
  encryption_algorithm des,3des,blowfish,null_enc;
  authentication_algorithm hmac_sha1,non_auth;
  compression_algorithm deflate ;
}

sainfo address 2XX.163.140.4 any address 205.238.178.66 any
{
  pfs_group 1;
  lifetime time 3600 sec;
  encryption_algorithm des,3des,blowfish,null_enc;
  authentication_algorithm hmac_sha1,non_auth;
  compression_algorithm deflate ;
}
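The error itojun describes can be read straight off the sainfo blocks above: with null_enc in the encryption list and non_auth in the authentication list, one of the offered combinations is ESP with neither confidentiality nor integrity. The following is an added checker, not part of this thread or of racoon itself; it assumes racoon offers every listed encryption algorithm paired with every listed authentication algorithm, and it parses only the two algorithm lines of each sainfo block (sample config constructed from the post).

```python
import re
from itertools import product

# Constructed sample: the sainfo block from the post, as racoon would read it.
SAMPLE_CONF = """
sainfo anonymous
{
	pfs_group 1;
	lifetime time 3600 sec;
	encryption_algorithm des,3des,blowfish,null_enc ;
	authentication_algorithm hmac_sha1,non_auth ;
	compression_algorithm deflate ;
}
"""

# Matches "sainfo <selector> { ... }"; selector may span several words.
BLOCK_RE = re.compile(r"sainfo\s+([^{]*?)\s*\{(.*?)\}", re.S)
# Matches the two algorithm lines; the value list ends at the semicolon.
ALG_RE = re.compile(
    r"^\s*(encryption_algorithm|authentication_algorithm)\s+([^;]+);", re.M)


def parse_sainfo(conf):
    """Return {selector: {"enc": [...], "auth": [...]}} for each sainfo block."""
    blocks = {}
    for m in BLOCK_RE.finditer(conf):
        selector, body = m.group(1).strip(), m.group(2)
        algs = {"enc": [], "auth": []}
        for key, vals in ALG_RE.findall(body):
            items = [v.strip() for v in vals.split(",") if v.strip()]
            algs["enc" if key.startswith("enc") else "auth"] = items
        blocks[selector] = algs
    return blocks


def unauthenticated_proposals(conf):
    """List (selector, enc, auth) pairs that offer ESP with null encryption
    and no authentication, i.e. the combination racoon rejects with
    'attr AUTH must be present for ESP NULL encryption' (assumption: racoon
    proposes the cross product of the two algorithm lists)."""
    bad = []
    for selector, algs in parse_sainfo(conf).items():
        for enc, auth in product(algs["enc"], algs["auth"]):
            if enc == "null_enc" and auth == "non_auth":
                bad.append((selector, enc, auth))
    return bad


if __name__ == "__main__":
    for selector, enc, auth in unauthenticated_proposals(SAMPLE_CONF):
        print(f"sainfo {selector}: {enc} + {auth} offers ESP with no protection")
```

Dropping non_auth from authentication_algorithm (or null_enc from encryption_algorithm) removes the offending combination while keeping the rest of the proposal list intact.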