>Over the past day and a half, i've managed to construct a racoon.conf
>file which causes my system to successfully initiate an ISAKMP SA with
>a peer connected to the same subnet.. it then fails to initiate any
>phase 2 negotiations because it doesn't find any matching policy
>entries for the peer.
>I've traced it as far as ipsecdoi_initsakeys() in ipsec_doi.c;
>iph2->side == INITIATOR, and iph2->spidx->policy->proposal == NULL, so
>it just returns without setting anything up.
>
>What's wrong with the following?  i'm trying to set up ESP in
>transport mode with des and hmac-md5 authentication..

	The following one worked for me.  There seem to be a bug in
	"high" or "normal" encryption level entries, which results in
	"no proposal chosen".  I'll take a closer look on it.

	it is also necessary to set IPsec policy into kernel, by using
	setkey(8), so that racoon would get key negotiation requests.
	it should be included into racoon but I don't think it is yet.

itojun



# automatically generated from $Id: sandiego.pl,v 1.8 2000/01/12 07:36:48 itojun Exp $
# do not edit.

# sample policy setting for setkey(8):
# spdadd 206.175.160.20 206.175.160.36 any -P out ipsec esp/tunnel/206.175.160.20-206.175.160.36/use;
# spdadd 206.175.160.20 10.160.36.0/24 any -P out ipsec esp/tunnel/206.175.160.20-206.175.160.36/use;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "./psk.txt" ;

# racoon will search this directory if the certificate or certificate request
# is received.
path certificate "./cert.txt" ;

# personal infomation.
identifier vendor_id "KAME/racoon";
identifier user_fqdn "itojun@lychee.itojun.org";
identifier fqdn "lychee.itojun.org";
identifier keyid "./keyid.txt";

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug2;

# "padding" defines some parameter of padding.  You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enbale randomize length.
	restrict_check off;	# enable restrict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
#	isakmp 127.0.0.1 [7000];
#	isakmp 0.0.0.0 [500];
	admin [7002];	# administrative's port by kmpstat.
}

# Specification of default various timer.
timer {
	# These value can be changed per remote node.
	counter 1;		# maximun trying count to send.
	interval 30 sec;	# maximun interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 20 sec;
	phase2 15 sec;
}

# Specification of algorithm level.  These are extracted into attribute of
# proposal to negotiate SA.  There are seven type of class;
#	"ISAKMP authentication method"
#	"ISAKMP encryption algorithm"
#	"ISAKMP hash algorithm",
#	"ISAKMP DH group",
#	"IPsec encryption algorithm",
#	"IPsec authentication algorithm",
#	"IPsec compression algorithm",
# Each class can be defined three level; "normal", "high" and "extra_high".
# Each level can be omited.  If so, it is interpreted that there is no
# algorithm appropreately for use in its level.  algorithm type may be
# defined at multiple level.
#
# XXX multiple item in one line causes trouble, try avoiding symbolic names
# like "high" or "normal"
#
algorithm_strength {
	isakmp_auth_method {
		extra_high nothing ;	# for clearance.
#		high  dsssig, rsasig, rsaenc, rsarev;
		normal pre_shared_key ;
	}
	isakmp_encryption {
		extra_high nothing ;
#		high rc5, blowfish ;
#		normal cast128, 3des, des ;
	}
	isakmp_hash {
		extra_high nothing ;
		high sha1 ;
		normal md5 ;
	}
	isakmp_dh_group {
		extra_high modp1536 ;
		high modp1024 ;
		normal modp768 ;
	}
	ipsec_encryption {
		extra_high nothing ;
#		high rc5, blowfish ;
#		normal cast128, 3des, des ;
	}
	ipsec_authentication {
		extra_high nothing ;
		high hmac_sha1 ;
		normal hmac_md5 ;
	}
	ipsec_ipcomp {
		extra_high nothing ;
#		high deflate, lzs ;
#		normal oui, deflate, lzs ;
	}
}

# main mode example, with "anonymous" (any peer) configuration
remote anonymous
{
	# In below case, main mode and aggressive mode are accepted.  When
	# initiating, main mode is first to be sent.
	exchange_mode aggressive, main;

	identifier address;
	nonce_size 16;

	# for aggressive mode definition.
	dh_group modp1536;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group modp1536;
		lifetime time 1200 sec;
	}
}

policy 206.175.160.20 206.175.160.36 any inout ipsec
{
#	pfs_group modp1024;

	# This proposal means IP2|ESP|ULP.
	proposal {
		lifetime byte 10 MB;
		protocol esp {
			level require ;
			mode tunnel 206.175.160.36 ;
			encryption_algorithm cast128 ;
			authentication_algorithm hmac_md5 ;
		}
	}

}

policy 206.175.160.20 10.160.36.0/24 any inout ipsec
{
#	pfs_group modp1024;

	# This proposal means IP2|ESP|ULP.
	proposal {
		lifetime byte 10 MB;
		protocol esp {
			level require ;
			mode tunnel 206.175.160.36 ;
			encryption_algorithm cast128 ;
			authentication_algorithm hmac_md5 ;
		}
	}

}