From owner-freebsd-questions  Tue Jun 18 13: 5:58 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39])
	by hub.freebsd.org (Postfix) with ESMTP id 5827D37B408
	for <questions@freebsd.org>; Tue, 18 Jun 2002 13:05:49 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020618200549.BYQH11659.rwcrmhc53.attbi.com@blossom.cjclark.org>
          for <questions@freebsd.org>; Tue, 18 Jun 2002 20:05:49 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g5IK5mJX011805
	for <questions@freebsd.org>; Tue, 18 Jun 2002 13:05:48 -0700 (PDT)
	(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g5IK5lFx011804
	for questions@freebsd.org; Tue, 18 Jun 2002 13:05:47 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Tue, 18 Jun 2002 13:05:47 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: questions@freebsd.org
Subject: Configuring sainfo in racoon(8)
Message-ID: <20020618130547.A11688@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I am trying to get some ESP tunnels going. I am using racoon(8) to
handle the IKE to negotiate the SAs. I am having a problem right from
the start. My racoon.conf(5) looks something like,

  remote 192.168.100.1 {
    ...

    my_identifier user_fqdn "cjc@mydomain.org";
    peer_identifier user_fqdn "cjc@mydomain.org";
    ...

  }

  sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
    ...

  }

I have my SPD set,

  # setkey -c <<EOF
  spdadd 192.168.200.1 192.168.101.0/24 any
    -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
  spdadd 192.168.101.0/24 192.168.200.1 any
    -P in  ipsec esp/tunnel/192.168.100.1-192.168.200.1/require;
  EOF

To review what that is saying, I am trying take all traffic that
originates from 192.168.200.1 bound for the 192.168.101.0/24 network
and put it through an ESP tunnel where 192.168.100.1 is the other end
of the tunnel. This is the configuration on 192.168.200.1 itself.

Now, the SPD loads fine and racoon(8) starts up OK. However, once I
try to put any traffic through the tunnel, racoon(8) can't seem to
figure out the SA for the tunnel. Here is the 'racoon -d -F' output
(racoon(8) in the foreground at debug level one) once I try to put
some traffic through the tunnel,

  2002-06-18 12:26:04: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
  2002-06-18 12:26:04: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out.
  2002-06-18 12:26:04: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff454: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
  2002-06-18 12:26:04: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a3a08: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
  2002-06-18 12:26:04: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in.
  2002-06-18 12:26:04: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out
  2002-06-18 12:26:04: ERROR: pfkey.c:1604:pk_recvacquire(): failed to get sainfo.

So we see racoon(8) figures out my SPD entries fine, but is having
some problems finding the right 'sainfo.'

As I showed in the abridged racoon.conf(5) above, I use 'user_fqdn' as
the identifiers for this SA. The documentation says this is fine, but
I think I understand where the problems lies. It seems like racoon(8)
is trying to build the ESP SA for the outbound traffic before the
first phase of IKE has been completed (no IKE traffic goes out before
we get the error). Since we have not completed Phase 1, we do not yet
know the identity of the remote site.

Can anyone enlighten me as to what I am doing wrong or where my logic
is failing me? Thanks.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message