From owner-freebsd-security Mon Mar 4 20:36:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from papa.tanu.org (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 12B8437B402 for ; Mon, 4 Mar 2002 20:36:06 -0800 (PST)
Received: from localhost (kame197.kame.net [203.178.141.197]) by papa.tanu.org (8.11.6/8.11.6) with ESMTP id g254eZQ91667; Tue, 5 Mar 2002 13:40:35 +0900 (JST) (envelope-from sakane@kame.net)
To: frank@mini.chicago.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Racoon/sainfo - 'no policy found'
In-Reply-To: Your message of "Fri, 8 Feb 2002 23:57:26 -0800 (PST)" <20020212021302.B70C89F016@okeeffe.bestweb.net>
References: <20020212021302.B70C89F016@okeeffe.bestweb.net>
X-Mailer: Cue version 0.6 (011026-1440/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20020305133645Z.sakane@kame.net>
Date: Tue, 05 Mar 2002 13:36:45 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 26
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> Since sending my first message I've found that FBSD/racoon<->FBSD/racoon
> only works till the first time the keys are renegotiated. At that point
> I get the message about the security association expiring but from then
> on I always get the 'policy not found' error. The following is part of
> the log from one side of the FBSD<->FBSD case.

> 2002-02-08 23:47:31: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mode.
> 2002-02-08 23:47:33: NOTIFY: oakley.c:2036:oakley_skeyid(): couldn't find pskey, try to get one by the peer's address.

It seems you didn't define the pre-shared key file properly. You should
add a single line to the psk file like:

    sakane@kame.net presharedkey

In this case, "sakane@kame.net" is the identifier of both nodes, as you
used exactly the same configuration. But it's not much of a problem.

> 2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
> 2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop.

The message means the SPD entry to be used in this negotiation has
different IPsec tunnel end points, such as

    spdadd X Y any -P out ipsec esp/tunnel/A-B/use esp/tunnel/A-C/use;

Do you have it? If so, racoon doesn't support this configuration.
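The two fixes suggested in the reply above (a pre-shared key file with one "identifier secret" line per peer, and SPD entries that each name a single tunnel rather than the nested form racoon rejects) as an added, stand-alone shell example. This is not code from the original message or from the racoon/KAME project; the identifier "sakane@kame.net", the secret, the subnets 10.0.1.0/24 and 10.0.2.0/24, the gateway addresses 192.0.2.1/192.0.2.2 and the output directory are all illustrative placeholders. The script only writes the files and checks them; loading the policy into the kernel is still done with `setkey -f` on the resulting file, which is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original mail or the racoon project).
# Writes racoon's psk.txt and a setkey SPD file for one ESP tunnel,
# then checks both for the two mistakes discussed in the reply.
# All names, addresses and the secret below are assumed placeholders.
set -eu

# psk.txt: one line per peer, "<identifier> <secret>". The identifier
# must be the one the peer presents in phase 1 (for a shared config,
# the same string on both nodes). Written under umask 077 so the
# secret is not world-readable.
write_psk() {
    dir=$1
    (
        umask 077
        printf '%s %s\n' "sakane@kame.net" "presharedkey" > "$dir/psk.txt"
    )
}

# SPD file: each spdadd names exactly one tunnel per direction. The
# nested form "esp/tunnel/A-B/use esp/tunnel/A-C/use" is what racoon
# logs "not supported nested SA" for, so it never appears here.
write_spd() {
    dir=$1
    cat > "$dir/ipsec.conf" <<'EOF'
spdflush;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
EOF
}

# Return 0 when no SPD line carries more than one tunnel clause,
# i.e. when every policy is one racoon can negotiate.
check_spd() {
    file=$1
    ! grep -E 'tunnel/[^ ]+ +[a-z]+/tunnel/' "$file" >/dev/null
}

# Print the secret racoon would select for an identifier: the second
# field of the first psk.txt line whose first field matches exactly.
psk_for() {
    awk -v id="$2" '$1 == id { print $2; exit }' "$1"
}

main() {
    dir=${1:-/tmp/racoon-demo}   # assumed default output directory
    mkdir -p "$dir"
    write_psk "$dir"
    write_spd "$dir"
    if check_spd "$dir/ipsec.conf"; then
        echo "SPD ok: $dir/ipsec.conf (load with: setkey -f $dir/ipsec.conf)"
    else
        echo "SPD contains a nested tunnel policy racoon cannot use" >&2
        exit 1
    fi
    echo "psk for sakane@kame.net: $(psk_for "$dir/psk.txt" sakane@kame.net)"
}

main "$@"
```

Point racoon.conf at the generated key file with `path pre_shared_key "/tmp/racoon-demo/psk.txt";` (path assumed) and make sure `my_identifier` on each node produces the string used in the first column; a mismatch is exactly what the "couldn't find pskey" NOTIFY in the quoted log reports.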