From: Frank Drebin
Subject: Racoon/sainfo - 'no policy found'
To: freebsd-security@freebsd.org
Date: Sat, 2 Feb 2002 16:48:18 -0800 (PST)

I'm trying to get working a 'standard' vpn setup. That is, I have a FreeBSD (4.2) machine running NAT, IPFilter, IPSec, Racoon (version 20011215a) among other things. I want to connect to it using Windows 98 and PGPNet (I've tried 6.5.8 and 7.0.3) over the internet. No matter what I do, I get 'no policy found' followed by 'failed to get proposal for responder'. I should point out that I *HAVE* gotten this whole thing to work when I replaced the '98 side with another FBSD machine (4.4) running racoon (same version) along with all the other appropriate pieces.

I've attached a section of the log file generated when trying to connect from '98. My racoon.conf is just a copy of the one that comes with the distribution. It works for FBSD<->FBSD, why doesn't it work with PGPNet? Oh, and in searching through the mailing lists I came across a patch someone suggested for something similar. I tried that too - no joy.

Any help, suggestions, etc. would be greatly appreciated!

Thanks

-------------
. . .
2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump(): 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
. . .
2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
. . .