Subject: "failed to get sainfo" - racoon(8) / setkey(8) VLSM/CIDR
To: None <Ipsec-tools-users@lists.sourceforge.net, netbsd-users@netbsd.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 05/23/2006 17:45:36
All:

Coming from an OpenBSD IPSEC environment where one daemon manages kernel 
SPD/SPA entries and IKE negotiations, I'm having trouble understanding how 
racoon(8) relates ipsec(4) SPA/SPD entries from setkey(8).

If I want to install generic transport mode SA "template" that racoon can 
"pick up" for negotiation, I enter:

   spdadd 192.168.2.200 192.168.2.127 any -P out ipsec
      esp/transport//require;

   spdadd 192.168.2.127 192.168.2.200 any -P in ipsec
      esp/transport//require;

This works nicely blocking out that ACL until an SA is built, thus this 
output:


   # setkey -DP
   192.168.2.127[any] 192.168.2.200[any] any
           in ipsec
           esp/transport//require
           created: May 23 17:24:01 2006  lastused: May 23 17:24:01 2006
           lifetime: 0(s) validtime: 0(s)
           spid=16503 seq=1 pid=1844
           refcnt=1
   192.168.2.200[any] 192.168.2.127[any] any
           out ipsec
           esp/transport//require
           created: May 23 17:24:01 2006  lastused: May 23 17:33:52 2006
           lifetime: 0(s) validtime: 0(s)
           spid=16502 seq=0 pid=1844
           refcnt=2

*) As seen here, setkey(8) doesn't seem to be CIDR/VLSM syntax aware. 
Or, at least if it is, it doesn't error on config file parsing or show it 
in "dump" command output.

However, if my sainfo {} line in racoon.conf complements this config with 
any of the following:

   sainfo address 192.168.2.127 /32 any address 192.168.2.200 /32 any {
   sainfo address 192.168.2.127/32 any address 192.168.2.200/32 any {
   sainfo address 192.168.2.127 any address 192.168.2.200 any {

I get the following:

   2006-05-23 17:33:33: DEBUG: get pfkey ACQUIRE message
   2006-05-23 17:33:33: DEBUG: suitable outbound SP found:
   192.168.2.200/32[0] 192.168.2.127/32[0] proto=any dir=out.
   2006-05-23 17:33:33: DEBUG: sub:0xbfbfe2f0: 192.168.2.127/32[0]
   192.168.2.200/32[0] proto=any dir=in
   2006-05-23 17:33:33: DEBUG: db :0x80b1c08: 192.168.2.127/32[0]
   192.168.2.200/32[0] proto=any dir=in
   2006-05-23 17:33:33: DEBUG: suitable inbound SP found:
   192.168.2.127/32[0]
   192.168.2.200/32[0] proto=any dir=in.
   2006-05-23 17:33:33: DEBUG: new acquire 192.168.2.200/32[0]
   192.168.2.127/32[0] proto=any dir=out
   2006-05-23 17:33:33: ERROR: failed to get sainfo.


This happens before any attempt at IKE exchange phase 1 occurs, which 
leads me to believe (without a ktrace(8)/kdump(8) yet) that racoon(8) is 
having trouble correlating an in-kernel SPD/SPA.

Also, changing the sainfo {} proposal to 'anonymous' solves the issue. 
I'm gonna dig through the source code a bit and try to find how it 
attempts to match up, but what other conditions could racoon(8) possibly 
be disqualifying the above sainfo{} lines on?

TIA,
l8*
 	-lava
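The correlation the post is asking about, worked through as an added example (this is not code from the post, from racoon, or from ipsec-tools): a small script that parses a `setkey -DP` policy dump and the `sainfo` headers from racoon.conf, then reports which sainfo address pair covers which SP. The matching rule it applies is a simplified assumption made for illustration, not racoon's own logic: the sainfo's first prefix must contain the SP source and its second prefix the SP destination, a missing prefix is treated as a host route, the upper-layer proto must be `any` or equal, and port selectors are not modeled. It also tries the swapped pairing and reports it separately, since the outbound SP in the dump lists 192.168.2.200 as source while the three sainfo lines list 192.168.2.127 first. The SPD dump is the post's output re-laid-out the way setkey prints it; the sainfo bodies and the fourth, swapped sainfo are constructed for the example.

```python
# Added example: not code from the original post or from ipsec-tools/racoon.
# Parses `setkey -DP` output and racoon.conf sainfo headers and reports which
# sainfo covers which SP.  The matching rule is a simplified ASSUMPTION for
# illustration (sainfo src prefix contains SP src, sainfo dst prefix contains
# SP dst, proto equal or `any`; the swapped pairing is tried and reported
# separately).  Port selectors are not modeled.
import ipaddress
import re

# Header line of one SP in `setkey -DP` output, e.g.
#   192.168.2.200[any] 192.168.2.127[any] any
SP_HEADER = re.compile(
    r"^(?P<src>[^\s\[]+)\[(?P<sport>[^\]]*)\]\s+"
    r"(?P<dst>[^\s\[]+)\[(?P<dport>[^\]]*)\]\s+(?P<proto>\S+)$"
)
# racoon.conf sainfo header; the prefix may be written `addr/32` or `addr /32`.
SAINFO = re.compile(
    r"^\s*sainfo\s+address\s+(?P<src>[0-9a-fA-F.:]+)\s*(?:/(?P<spfx>\d+))?\s+(?P<sproto>\S+)"
    r"\s+address\s+(?P<dst>[0-9a-fA-F.:]+)\s*(?:/(?P<dpfx>\d+))?\s+(?P<dproto>\S+)\s*\{"
)

# Constructed sample: the two policies from the post, laid out the way setkey
# prints them (unindented header line, indented detail lines).
SPD_DUMP = """\
192.168.2.127[any] 192.168.2.200[any] any
    in ipsec
    esp/transport//require
    created: May 23 17:24:01 2006  lastused: May 23 17:24:01 2006
    lifetime: 0(s) validtime: 0(s)
    spid=16503 seq=1 pid=1844
    refcnt=1
192.168.2.200[any] 192.168.2.127[any] any
    out ipsec
    esp/transport//require
    created: May 23 17:24:01 2006  lastused: May 23 17:33:52 2006
    lifetime: 0(s) validtime: 0(s)
    spid=16502 seq=0 pid=1844
    refcnt=2
"""
# Constructed sample: the three sainfo headers tried in the post, with minimal bodies.
RACOON_SAINFOS = """\
sainfo address 192.168.2.127 /32 any address 192.168.2.200 /32 any { encryption_algorithm aes; authentication_algorithm hmac_sha1; }
sainfo address 192.168.2.127/32 any address 192.168.2.200/32 any { encryption_algorithm aes; authentication_algorithm hmac_sha1; }
sainfo address 192.168.2.127 any address 192.168.2.200 any { encryption_algorithm aes; authentication_algorithm hmac_sha1; }
"""
# Constructed sample: the same pair with the two addresses in the other order.
SWAPPED_SAINFO = """\
sainfo address 192.168.2.200 any address 192.168.2.127 any { encryption_algorithm aes; authentication_algorithm hmac_sha1; }
"""


def to_net(addr, prefix=None):
    """Normalize `addr` plus optional prefix to a network; no prefix means a host route."""
    return ipaddress.ip_network(addr if prefix is None else f"{addr}/{prefix}", strict=False)


def parse_spd(dump):
    """Return one dict per SP in `setkey -DP` text: src/dst nets, proto, direction, policies, spid."""
    entries, cur = [], None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                     # unindented line: a new SP header
            m = SP_HEADER.match(raw.strip())
            if not m:
                raise ValueError(f"unrecognized SP header: {raw!r}")
            cur = {"src": to_net(m["src"]), "dst": to_net(m["dst"]), "proto": m["proto"],
                   "dir": None, "policies": [], "spid": None}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("detail line before any SP header")
        tok = raw.split()
        if tok[0] in ("in", "out", "fwd"):           # e.g. "in ipsec"
            cur["dir"] = tok[0]
        elif tok[0].split("/")[0] in ("esp", "ah", "ipcomp"):   # e.g. "esp/transport//require"
            cur["policies"].append(tok[0])
        else:                                        # "spid=16503 seq=1 pid=1844", lifetimes, refcnt
            for field in tok:
                if field.startswith("spid="):
                    cur["spid"] = int(field[5:])
    return entries


def parse_sainfos(conf):
    """Return one dict per `sainfo address ... address ... {` header found in racoon.conf text."""
    out = []
    for line in conf.splitlines():
        m = SAINFO.match(line)
        if m:
            out.append({"src": to_net(m["src"], m["spfx"]), "sproto": m["sproto"],
                        "dst": to_net(m["dst"], m["dpfx"]), "dproto": m["dproto"]})
    return out


def sainfo_covers(si, sp, reverse=False):
    """Assumed rule: sainfo prefixes contain the SP's src/dst (swapped if reverse) and protos agree."""
    a, b = (sp["dst"], sp["src"]) if reverse else (sp["src"], sp["dst"])
    return (a.version == si["src"].version and b.version == si["dst"].version
            and a.subnet_of(si["src"]) and b.subnet_of(si["dst"])
            and si["sproto"] in ("any", sp["proto"]) and si["dproto"] in ("any", sp["proto"]))


def match_sps(sainfos, sps):
    """Map (src, dst, dir) of each SP to ('direct', i), ('reversed', i) or None; direct hits win."""
    result = {}
    for sp in sps:
        key = (str(sp["src"]), str(sp["dst"]), sp["dir"])
        direct = [i for i, si in enumerate(sainfos) if sainfo_covers(si, sp)]
        rev = [i for i, si in enumerate(sainfos) if sainfo_covers(si, sp, reverse=True)]
        result[key] = ("direct", direct[0]) if direct else ("reversed", rev[0]) if rev else None
    return result


if __name__ == "__main__":
    sps = parse_spd(SPD_DUMP)
    for key, hit in match_sps(parse_sainfos(RACOON_SAINFOS), sps).items():
        print(key, "->", hit)
```

Run as-is it reports the inbound SP (127 -> 200) as a direct hit on the first sainfo and the outbound SP (200 -> 127), the one the ACQUIRE in the log is for, as a hit only with the addresses swapped; appending SWAPPED_SAINFO to the sainfo text turns that into a direct hit. Under the stated assumption that is the difference between the two orderings; whether racoon's real lookup behaves that way is exactly what the post leaves open.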