Subject: Re: update /sys/netkey/* files?
To: None <>
From: Paul Dokas <>
List: tech-net
Date: 01/31/2002 15:27:08
On Thu, Jan 31, 2002 at 02:02:07PM +0900, wrote:
> >Are there any plans to update the files in /sys/netkey/* to a more 
> >recent version from KAME?  The -current files appear to be from July
> >2001.
> >
> >In particular, I'm after functionality surrounding SPDUPDATE.  In the
> >files in -current, if an SPD entry does not exist, then it returns
> >ENOENT.  In the recent KAME snapshot, SPDUPDATE will add an entry if
> >one doesn't exist.
> 	there's no plan for jumbo update.  i'll try to upgrade SPDUPDATE
> 	portion sooner.
> itojun

Yea!  Anonymous sessions now work!

  2002-01-31 14:24:21: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: A.B.C.D[500]<=>E.F.G.H[500]
  2002-01-31 14:24:21: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
  2002-01-31 14:24:21: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
  2002-01-31 14:24:23: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established A.B.C.D[500]-E.F.G.H[500] spi:dd8dfb9ba7bbb95c:ad800f5b3195f670
  2002-01-31 14:24:23: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: A.B.C.D[0]<=>E.F.G.H[0]
  2002-01-31 14:24:23: INFO: isakmp_quick.c:2015:get_proposal_r(): no policy found, try to generate the policy : E.F.G.H/32[0] A.B.C.D/32[0] proto=any dir=in
  2002-01-31 14:24:23: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport E.F.G.H->A.B.C.D spi=194787242(0xb9c37aa)
  2002-01-31 14:24:23: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport A.B.C.D->E.F.G.H spi=11213793(0xab1be1)

A.B.C.D is my fixed endpoint.
E.F.G.H is a DHCP config'd machine.

These logs are from the fixed endpoint.

My fixed endpoint now has the following SPD entries:

  E.F.G.H[any] A.B.C.D[any] any
          in ipsec
          spid=3 seq=2 pid=13532
  A.B.C.D[any] E.F.G.H[any] any
          out ipsec
          spid=4 seq=0 pid=13532

And all works!   Thank you very much for the code pullup.

I'll do some more testing and then email out my configs so that others
can do this as well.

Interestingly, when using transport mode, I can only do ESP, not ESP+AH.
That is, on my DHCP config'd machine, my /etc/ipsec.conf has this:

  spdadd A.B.C.D/32 any -P out ipsec esp/transport//require;
  spdadd A.B.C.D/32 any -P in ipsec esp/transport//require;

But, the following refuses to work:

  spdadd A.B.C.D/32 any -P out ipsec esp/transport//require ah/transport//require;
  spdadd A.B.C.D/32 any -P in ipsec esp/transport//require ah/transport//require;

Tunnels are next...

Paul Dokas                                  
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."