Subject: racoon(8) looks up wrong SPD for itself
To: None <tech-net@netbsd.org>
From: Matthias Drochner <M.Drochner@fz-juelich.de>
List: tech-net
Date: 07/01/2002 20:33:53
Hi -
I'm not very clueful about how racoon is really supposed to work, but
in consideration of the fact that it worked afterwards while
it didn't before, I'm thinking I am on the right track...

After I added an SPD entry which lets ICMP pass through, key
negotiation stopped working.

The relevant entries are (the first two lines are new):
spdadd 0.0.0.0/0 134.94.206.11 icmp -P out none;
spdadd 134.94.206.11 0.0.0.0/0 icmp -P in none;
spdadd 0.0.0.0/0 134.94.206.11 any -P out ipsec esp/tunnel/134.94.206.1-134.94.206.11/require;
spdadd 134.94.206.11 0.0.0.0/0 any -P in ipsec esp/tunnel/134.94.206.11-134.94.206.1/require;
[... more lines for more tunnel partners ...]
spdadd 0.0.0.0/0 134.94.206.0/24 any -P out discard;
spdadd 134.94.206.0/24 0.0.0.0/0 any -P in discard;

The error message in syslog was:
INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 134.94.206.1[0]<=>134.94.206.11[0]
ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 0.0.0.0/0[0] 134.94.206.11/32[0] proto=any dir=out
ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.

It obviously hit the ICMP rule.

As proof of the theory, I applied a small patch to racoon:
*** isakmp_quick.c.~1.4.~	Tue May 21 17:21:28 2002
--- isakmp_quick.c	Mon Jul  1 20:05:04 2002
***************
*** 2011,2017 ****
--- 2011,2022 ----
  		spidx.ul_proto = IPSEC_ULPROTO_ANY;
  
  	/* get inbound policy */
+ 	{
+ 	int sav = spidx.ul_proto;
+ 	spidx.ul_proto = IPPROTO_UDP;
  	sp_in = getsp_r(&spidx);
+ 	spidx.ul_proto = sav;
+ 	}
  	if (sp_in == NULL) {
  		if (iph2->ph1->rmconf->gen_policy) {
  			plog(LLV_INFO, LOCATION, NULL,
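Review bot: Forcing spidx.ul_proto to IPPROTO_UDP around the `sp_in = getsp_r(&spidx);` call hard-codes a guess instead of fixing the lookup: it steps over the `icmp ... none` entry only because the tunnel entry is keyed on `any`, so a UDP-specific `none` entry, or a tunnel policy written for some other upper-layer protocol, would still be selected wrongly, and the protocol the peer actually proposed (the ID with proto 0 in the log) is thrown away for the duration of the call. Expressing the intent directly, by skipping entries whose policy is not IPsec (the `none`/`discard` cases) when searching for a negotiable SP, or by retrying the lookup with IPSEC_ULPROTO_ANY only after the proposed protocol finds nothing, would avoid both problems. The substitution is also applied to the inbound lookup only, which is what the later "difference between the in/out bound policies in SPD" notify in the mail reflects; whatever rule is chosen has to be applied to both lookups so the pair stays consistent. Style-wise, the bare braced block with an unindented `int sav` declaration in the middle of the function does not follow the surrounding code: if the workaround is kept, declare the saved value with the other locals at the top of the function, in the same type as `ul_proto`, and indent the block body.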


And key negotiation worked again.
There is still a warning in the log:
NOTIFY: proposal.c:1016:set_proposal_from_policy(): There is a difference between the in/out bound policies in SPD.

but this is obviously due to the fact that my patch is far from being a real
fix; it corrects one side only (and not even this correctly...).

best regards
Matthias
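The following is a small Python model of the SPD lookup discussed in the mail, added here as an illustration; it is not code from racoon or from the poster. It assumes an in-order, first-match search in which the upper-layer protocol is treated as a wildcard when either side is `any` (racoon's getsp_r() may behave differently). The SPD text is the one from the mail with the omitted tunnel partners left out, and the extra UDP `none` entry in the last case is constructed to show the limits of forcing IPPROTO_UDP, alongside an `ipsec_only` lookup that skips non-IPsec entries instead.

```python
"""Toy model of a racoon-style SPD lookup for the configuration in the mail.

Added example, not racoon code.  Assumed semantics (racoon's getsp_r may
differ): entries are searched in the order given and the first match wins;
an entry matches when direction and addresses match and the upper-layer
protocol is equal, or is 'any' on either side.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str
    action: str          # "none", "discard" or "ipsec"
    rule: str            # the esp/... string for "ipsec" entries, else ""


def parse_spdadd(line: str) -> Policy:
    """Parse one 'spdadd SRC DST PROTO -P DIR ACTION [RULE];' line."""
    toks = line.strip().rstrip(";").split()
    if len(toks) < 7 or toks[0] != "spdadd" or toks[4] != "-P":
        raise ValueError(f"not a spdadd line: {line!r}")
    return Policy(
        src=ipaddress.ip_network(toks[1], strict=False),  # bare host -> /32
        dst=ipaddress.ip_network(toks[2], strict=False),
        proto=toks[3],
        direction=toks[5],
        action=toks[6],
        rule=toks[7] if len(toks) > 7 else "",
    )


def proto_matches(key_proto: str, pol_proto: str) -> bool:
    """Assumed wildcard rule: equal, or 'any' on either side."""
    return key_proto == pol_proto or ANY in (key_proto, pol_proto)


def lookup(spd: List[Policy], src: str, dst: str, proto: str, direction: str,
           ipsec_only: bool = False) -> Optional[Policy]:
    """First-match lookup.  ipsec_only=True skips 'none'/'discard' entries,
    the alternative to faking the protocol in the lookup key."""
    ksrc = ipaddress.ip_network(src, strict=False)
    kdst = ipaddress.ip_network(dst, strict=False)
    for p in spd:
        if p.direction != direction:
            continue
        if not (ksrc.subnet_of(p.src) and kdst.subnet_of(p.dst)):
            continue
        if not proto_matches(proto, p.proto):
            continue
        if ipsec_only and p.action != "ipsec":
            continue
        return p
    return None


# The SPD from the mail; the "[... more tunnel partners ...]" lines are omitted.
SPD_TEXT = """
spdadd 0.0.0.0/0 134.94.206.11 icmp -P out none;
spdadd 134.94.206.11 0.0.0.0/0 icmp -P in none;
spdadd 0.0.0.0/0 134.94.206.11 any -P out ipsec esp/tunnel/134.94.206.1-134.94.206.11/require;
spdadd 134.94.206.11 0.0.0.0/0 any -P in ipsec esp/tunnel/134.94.206.11-134.94.206.1/require;
spdadd 0.0.0.0/0 134.94.206.0/24 any -P out discard;
spdadd 134.94.206.0/24 0.0.0.0/0 any -P in discard;
"""


def load_spd(text: str) -> List[Policy]:
    return [parse_spdadd(l) for l in text.splitlines() if l.strip()]


def responder_lookup(spd: List[Policy], proto: str, ipsec_only: bool = False) -> str:
    """The lookup key from the log: 0.0.0.0/0[0] 134.94.206.11/32[0] dir=out.
    Returns the action of the entry found, or 'no policy'."""
    p = lookup(spd, "0.0.0.0/0", "134.94.206.11/32", proto, "out", ipsec_only)
    return p.action if p else "no policy"


if __name__ == "__main__":
    spd = load_spd(SPD_TEXT)
    print("proto=any          :", responder_lookup(spd, ANY))      # none  (the error in the log)
    print("proto forced to udp:", responder_lookup(spd, "udp"))    # ipsec (what the patch achieves)
    # Constructed variant: a UDP-specific bypass entry in front defeats the patch...
    fragile = [parse_spdadd("spdadd 0.0.0.0/0 134.94.206.11 udp -P out none;")] + spd
    print("udp + udp none rule:", responder_lookup(fragile, "udp"))               # none
    # ...while skipping non-IPsec entries finds the tunnel policy regardless of proto.
    print("any, ipsec only    :", responder_lookup(fragile, ANY, ipsec_only=True))  # ipsec
```

Under the assumed semantics the first case reproduces the "policy found, but no IPsec required" situation, the second shows why substituting UDP happens to work for this SPD, and the last two show that the substitution depends on the shape of the SPD while an IPsec-only search does not.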