Subject: racoon(8) looks up wrong SPD for itself
To: None <>
From: Matthias Drochner <>
List: tech-net
Date: 07/01/2002 20:33:53
Hi -
I'm not very clueful how racoon is really supposed to work, but
in consideration of the fact that it worked afterwards while
it didn't before, I'm thinking I am on the right track...

After I've added an spd entry which lets ICMP pass through, key
negotiation stopped working.

The relevant entries are (first two lines are new):
spdadd icmp -P out none;
spdadd icmp -P in none;
spdadd any -P out ipsec esp/tunnel/
spdadd any -P in ipsec esp/tunnel/
[... more lines for more tunnel partners ...]
spdadd any -P out discard;
spdadd any -P in discard;

The error message in syslog was:
INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation:[0]<=>134.94
ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required:[0] 134.94.206.11/32[0] proto=any dir=out
ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for 
ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.

It obviously hit the ICMP rule.

As a proof of the theory, I applied a small patch to racoon:
*** isakmp_quick.c.~1.4.~	Tue May 21 17:21:28 2002
--- isakmp_quick.c	Mon Jul  1 20:05:04 2002
*** 2011,2017 ****
--- 2011,2022 ----
  		spidx.ul_proto = IPSEC_ULPROTO_ANY;
  	/* get inbound policy */
+ 	{
+ 	int sav = spidx.ul_proto;
+ 	spidx.ul_proto = IPPROTO_UDP;
  	sp_in = getsp_r(&spidx);
+ 	spidx.ul_proto = sav;
+ 	}
  	if (sp_in == NULL) {
  		if (iph2->ph1->rmconf->gen_policy) {
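Review bot: the error quoted above names the outbound policy (`proto=any dir=out`), yet this hunk only overrides `spidx.ul_proto` around the inbound `getsp_r(&spidx)` call; the outbound lookup (not in this hunk) still runs with `IPSEC_ULPROTO_ANY`, so the two sides are now selected with different selectors, which is the in/out mismatch that `set_proposal_from_policy()` later NOTIFYs about. Hard-coding `IPPROTO_UDP` also ties the lookup to the ISAKMP transport instead of the selector actually being negotiated, so as a proof-of-concept it should at least carry a comment saying why the lookup protocol is forced, and the temporary `int sav` should be declared with the type of `spidx.ul_proto` rather than `int` so the save/restore round-trip cannot truncate.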

And key negotiation worked again.
There is still a warning in the log:
NOTIFY: proposal.c:1016:set_proposal_from_policy(): There is a difference between the in/out bound policies in SPD.

but this is obviously due to the fact that my patch is far from being a real 
it corrects one side only (and this not even correctly...).

best regards