From owner-freebsd-security  Thu Jun 20 23:28:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63])
	by hub.freebsd.org (Postfix) with ESMTP id C2B8B37B407
	for <security@freebsd.org>; Thu, 20 Jun 2002 23:28:12 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc03.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020621062812.SBFF20219.sccrmhc03.attbi.com@blossom.cjclark.org>
          for <security@freebsd.org>; Fri, 21 Jun 2002 06:28:12 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g5L6SAJK029539
	for <security@freebsd.org>; Thu, 20 Jun 2002 23:28:11 -0700 (PDT)
	(envelope-from cjc@blossom.cjclark.org)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g5L6SA8A029538
	for security@freebsd.org; Thu, 20 Jun 2002 23:28:10 -0700 (PDT)
Date: Tue, 18 Jun 2002 13:05:47 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: security@freebsd.org
Subject: Configuring sainfo in racoon(8)
Message-ID: <20020618130547.A11688@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

I am trying to get some ESP tunnels going. I am using racoon(8) to
handle the IKE to negotiate the SAs. I am having a problem right from
the start. My racoon.conf(5) looks something like,

  remote 192.168.100.1 {
    ...

    my_identifier user_fqdn "cjc@mydomain.org";
    peer_identifier user_fqdn "cjc@mydomain.org";
    ...

  }

  sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
    ...

  }

I have my SPD set,

  # setkey -c <<EOF
  spdadd 192.168.200.1 192.168.101.0/24 any
    -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
  spdadd 192.168.101.0/24 192.168.200.1 any
    -P in  ipsec esp/tunnel/192.168.100.1-192.168.200.1/require;
  EOF

To review what that is saying, I am trying take all traffic that
originates from 192.168.200.1 bound for the 192.168.101.0/24 network
and put it through an ESP tunnel where 192.168.100.1 is the other end
of the tunnel. This is the configuration on 192.168.200.1 itself.

Now, the SPD loads fine and racoon(8) starts up OK. However, once I
try to put any traffic through the tunnel, racoon(8) can't seem to
figure out the SA for the tunnel. Here is the 'racoon -d -F' output
(racoon(8) in the foreground at debug level one) once I try to put
some traffic through the tunnel,

  2002-06-18 12:26:04: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
  2002-06-18 12:26:04: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out.
  2002-06-18 12:26:04: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff454: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
  2002-06-18 12:26:04: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a3a08: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
  2002-06-18 12:26:04: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in.
  2002-06-18 12:26:04: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out
  2002-06-18 12:26:04: ERROR: pfkey.c:1604:pk_recvacquire(): failed to get sainfo.

So we see racoon(8) figures out my SPD entries fine, but is having
some problems finding the right 'sainfo.'

As I showed in the abridged racoon.conf(5) above, I use 'user_fqdn' as
the identifiers for this SA. The documentation says this is fine, but
I think I understand where the problems lies. It seems like racoon(8)
is trying to build the ESP SA for the outbound traffic before the
first phase of IKE has been completed (no IKE traffic goes out before
we get the error). Since we have not completed Phase 1, we do not yet
know the identity of the remote site.

Can anyone enlighten me as to what I am doing wrong or where my logic
is failing me? Thanks.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message