Subject: PGPNet and isakmpd problem
To: None <tech-net@netbsd.org>
From: Matt Hempel <matt@epana.com>
List: tech-net
Date: 10/04/2001 16:11:12
I've been trying to get these to work together to replace Racoon. isakmpd
adds the SPD entries for you, making it a lot easier for end users with
dynamic IPs.

I've managed to get PGPNet through phase 1 IKE.  It authenticates 
fine.  The problem is in Quick Mode.  Despite my transform having 
ENCAPSULATION_MODE as TRANSPORT and despite PGPNet having the NetBSD 
gateway defined as a "Secure Host", the SPD entry shows up as tunnel rather 
than transport, which doesn't allow traffic to pass properly.

This is the NetBSD configuration for Quick Mode:

[Default-quick-mode]

DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

# Suites

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

# Quick mode protocols

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF

# Quick mode transforms
# ESP 3DES+SHA

[QM-ESP-3DES-SHA-PFS-XF]

TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
GROUP_DESCRIPTION= MODP_1024
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_PHASE2

The report shows the following:

131013.187240 Report> sa_report: 0x8107a00 NetBSD phase 2 doi 1 flags 0x1
131013.187559 Report> sa_report: icookie 740d0d2f3c2cfebd rcookie f9795424081dad76
131013.187752 Report> sa_report: msgid 4c727c03 refcnt 2
131013.187931 Report> sa_report: suite 1 proto 3
131013.188131 Report> sa_report: spi_sz[0] 4 spi[0] 0x8133270 spi_sz[1] 4 spi[1] 0x8133330
131013.188516 Report> sa_report: initiator id: mhempel, responder id: mhempel, src: 10.14.1.30 dst: 10.14.1.254
131013.188721 Report> sa_report: spi[0]:
131013.188909 Report> e1040166
131013.189090 Report> sa_report: spi[1]:
131013.189274 Report> 55eed332
131013.189475 Report> sa_report: 0x8107900 mhempel phase 1 doi 1 flags 0x1
131013.189678 Report> sa_report: icookie 740d0d2f3c2cfebd rcookie f9795424081dad76
131013.189864 Report> sa_report: msgid 00000000 refcnt 2
131013.190066 Report> sa_report: suite 1 proto 1
131013.190265 Report> sa_report: spi_sz[0] 0 spi[0] 0x0 spi_sz[1] 0 spi[1] 0x0
131013.190624 Report> sa_report: initiator id: mhempel, responder id: mhempel, src: 10.14.1.30 dst: 10.14.1.254
131013.190854 Report> transport_report: transport 0x8109380 flags 0 refcnt 1
131013.191175 Report> udp_report: fd 5 src 10.14.1.30 dst 10.14.1.254
131013.191370 Report> transport_report: transport 0x8109300 flags 0 refcnt 1
131013.191688 Report> udp_report: fd 5 src 10.14.1.30 dst 10.14.1.254
131013.191885 Report> transport_report: transport 0x8109280 flags 0 refcnt 1
131013.192136 Report> udp_report: fd 6 src 0.0.0.0 dst 0.0.0.0
131013.192330 Report> transport_report: transport 0x8109200 flags 1 refcnt 1
131013.192608 Report> udp_report: fd 5 src 10.14.1.30 dst 0.0.0.0
131013.192992 Report> connection_report: passive connection NetBSD local_id: 0a0e011e: 10.14.1.30, remote_id: <no id>

Despite this, setkey -DP shows:

bash-2.05# setkey -DP
10.14.1.254[any] 10.14.1.30[any] any
         in ipsec
         esp/tunnel/10.14.1.254-10.14.1.30/require
         spid=52 seq=1 pid=1925
         refcnt=1
10.14.1.30[any] 10.14.1.254[any] any
         out ipsec
         esp/tunnel/10.14.1.30-10.14.1.254/require
         spid=51 seq=0 pid=1925
         refcnt=1
bash-2.05#

Suggestions?

--m
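A cross-check for the configuration and the setkey output above, as an added example that is not part of the original post and is not isakmpd or KAME code. It follows the Suites= / Protocols= / Transforms= chain from [Default-quick-mode] to find each transform's ENCAPSULATION_MODE, flags any section a chain step names that the file never defines (the first sample input below is constructed from the post's fragment with the protocol header mistyped as a second [QM-ESP-3DES-SHA-PFS-XF], so the suite's Protocols= reference dangles), parses the setkey -DP policy lines, and lists SPD entries whose tunnel/transport mode differs from the configured transforms. The key names and the setkey -DP layout are assumed to be exactly as shown in the post; both sample inputs are constructed from it. This checks only the local side: what the peer actually proposed in Quick Mode is not visible in this output.

```python
import re

# Constructed input: the post's quick-mode fragment, with the protocol section
# header mistyped as [QM-ESP-3DES-SHA-PFS-XF] (same name as the transform) so the
# suite's Protocols= reference to QM-ESP-3DES-SHA-PFS has nothing to resolve to.
CONF_DANGLING = """\
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS-XF]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
GROUP_DESCRIPTION= MODP_1024
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_PHASE2
"""
# The same fragment with the protocol section named as the suite references it.
CONF_OK = CONF_DANGLING.replace(
    "[QM-ESP-3DES-SHA-PFS-XF]\nPROTOCOL_ID", "[QM-ESP-3DES-SHA-PFS]\nPROTOCOL_ID", 1)

# Constructed input: the `setkey -DP` policy lines from the post.
SETKEY_DP = """\
10.14.1.254[any] 10.14.1.30[any] any
        in ipsec
        esp/tunnel/10.14.1.254-10.14.1.30/require
        spid=52 seq=1 pid=1925
10.14.1.30[any] 10.14.1.254[any] any
        out ipsec
        esp/tunnel/10.14.1.30-10.14.1.254/require
        spid=51 seq=0 pid=1925
"""

SELECTOR_RE = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")              # src[port] dst[port] upper
REQUEST_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/")  # proto/mode/endpoints/level


def parse_isakmpd_conf(text):
    """Parse [section] / key= value lines; return (sections, duplicated section names)."""
    sections, duplicates, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current in sections:
                duplicates.append(current)  # later keys merge into the earlier section
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections, duplicates


def resolve_quick_mode(sections, start="Default-quick-mode"):
    """Follow Suites= -> Protocols= -> Transforms=; return ({transform: mode}, dangling refs)."""
    dangling, names = [], [start]
    for key in ("Suites", "Protocols", "Transforms"):  # one hop per level
        found = []
        for name in names:
            for ref in sections.get(name, {}).get(key, "").split(","):
                ref = ref.strip()
                if ref and ref in sections:
                    found.append(ref)
                elif ref:
                    dangling.append((name, key, ref))  # named but never defined
        names = found
    modes = {xf: sections[xf].get("ENCAPSULATION_MODE", "UNSET") for xf in names}
    return modes, dangling


def parse_setkey_dp(text):
    """Parse `setkey -DP` output into [{src, dst, dir, requests: [(proto, mode, endpoints)]}]."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SELECTOR_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "requests": []}
            entries.append(cur)
        elif cur is not None and line.split(" ")[0] in ("in", "out", "fwd"):
            cur["dir"] = line.split(" ")[0]
        elif cur is not None and REQUEST_RE.match(line):
            cur["requests"].append(REQUEST_RE.match(line).groups())
    return entries


def find_mode_mismatches(conf_modes, spd_entries):
    """Report SPD policy requests whose mode differs from a configured transform's mode."""
    out = []
    for e in spd_entries:
        for proto, mode, _endpoints in e["requests"]:
            for xf, conf_mode in conf_modes.items():
                if conf_mode.upper() != mode.upper():
                    out.append(f"{e['dir']} {e['src']}->{e['dst']}: SPD {proto}/{mode} vs {xf} {conf_mode}")
    return out


if __name__ == "__main__":
    for label, conf in (("dangling", CONF_DANGLING), ("ok", CONF_OK)):
        sections, dups = parse_isakmpd_conf(conf)
        modes, dangling = resolve_quick_mode(sections)
        print(f"{label}: duplicates={dups} dangling={dangling} modes={modes}")
    for msg in find_mode_mismatches(modes, parse_setkey_dp(SETKEY_DP)):
        print("mismatch:", msg)
```

Run against a real file, replace the two constants with the contents of /etc/isakmpd/isakmpd.conf and the output of setkey -DP. A dangling reference means isakmpd never reaches the transform whose ENCAPSULATION_MODE you are relying on; a mode mismatch with a clean chain means the SPD entries isakmpd installed do not follow the local transform, which is the symptom in the post.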