From: Denis Antrushin
Sender: Denis.Antrushin@Sun.COM
To: freebsd-net@freebsd.org
Date: Thu, 11 Feb 2010 14:24:50 +0300
Message-id: <4B73E902.6050301@mail.ru>
Subject: IPSec connection troubles
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I'm trying to establish an IPSec connection between FreeBSD and Solaris boxes.
I use FreeBSD 8-STABLE (I don't recall the exact checkout date, but it contains the recent IPComp fixes for sure). Since I'm behind NAT, I compiled the 0.8alpha snapshot of ipsec-tools from their site. The racoon config looks like this:

------------------------------------------------------------
remote A.B.C.D {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        certificate_type x509 "mycert.pem" "mykey.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "server.crt";
        send_cert off;
        verify_identifier off;
        lifetime time 7200 seconds;
        initial_contact on;
        passive off;
        proposal_check obey;
        generate_policy off;
        nonce_size 16;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;
        }
}

sainfo address 192.168.1.33/32 tcp address A.B.C.D[2112] tcp {
        pfs_group modp1536;
        lifetime time 7200 seconds;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 udp address A.B.C.D[2112] udp {
        pfs_group modp1536;
        lifetime time 7200 seconds;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 icmp address A.B.C.D[any] icmp {
        pfs_group modp1536;
        lifetime time 7200 seconds;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

listen {
        isakmp 192.168.1.33 [500];
        isakmp_natt 192.168.1.33 [4500];
}
-------------------------------------------------------------------

The security policy is as follows:

spdadd 192.168.1.33/32 A.B.C.D/32[2112] tcp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 tcp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32[2112] udp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 udp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32 icmp -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 192.168.1.33/32 icmp -P in ipsec esp/transport//require;

When I try to connect to TCP port 2112 of the Solaris box, racoon successfully negotiates with the remote peer and I see the SA installed in the kernel, but then nothing happens. I see encapsulated TCP SYN packets sent on enc0, but nothing else. The TCP connection is not established, there is nothing in the racoon logs (except KA), and nothing on the PF_KEY socket. The very same setup works on Linux and Mac.

How can I further debug this problem?

Thanks,
Denis
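As an added example (not part of the thread or of ipsec-tools), a small Python lint that cross-checks the spdadd selectors in the message against the sainfo headers of the racoon.conf above, port for port and protocol for protocol, which is a cheap thing to rule out before moving on to kernel-side debugging. It assumes that an inbound policy corresponds to the same sainfo read with the local host first (the way the entries above are written) and treats a /32 prefix as equal to a bare host address; the inputs are the poster's own lines with A.B.C.D kept as their placeholder.

```python
import re

# Constructed inline from the racoon.conf and setkey policy quoted in the message
# (A.B.C.D is the placeholder the poster used for the Solaris peer).
SAINFO_TEXT = """
sainfo address 192.168.1.33/32 tcp address A.B.C.D[2112] tcp
sainfo address 192.168.1.33/32 udp address A.B.C.D[2112] udp
sainfo address 192.168.1.33/32 icmp address A.B.C.D[any] icmp
"""
SPD_TEXT = """
spdadd 192.168.1.33/32 A.B.C.D/32[2112] tcp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 tcp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32[2112] udp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 udp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32 icmp -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 192.168.1.33/32 icmp -P in ipsec esp/transport//require;
"""

ADDR = r"(\S+?)(?:\[(\w+)\])?"  # address[/prefix] followed by an optional [port]
SAINFO_RE = re.compile(rf"sainfo address {ADDR} (\w+) address {ADDR} (\w+)")
SPD_RE = re.compile(rf"spdadd {ADDR} {ADDR} (\w+) -P (in|out) ipsec (\S+);")

def _host(addr):
    """A /32 prefix names a single host; drop it so both syntaxes compare equal."""
    return addr[:-3] if addr.endswith("/32") else addr

def selector(src, sport, dst, dport, proto):
    return (_host(src), sport or "any", _host(dst), dport or "any", proto)

def check_policy_vs_sainfo(spd_text, sainfo_text):
    """Return (policies with no matching sainfo, sainfo entries no policy uses)."""
    sainfos = set()
    for m in SAINFO_RE.finditer(sainfo_text):
        src, sport, proto, dst, dport, _ = m.groups()  # protocol is repeated per ID
        sainfos.add(selector(src, sport, dst, dport, proto))
    unmatched, used = [], set()
    for m in SPD_RE.finditer(spd_text):
        src, sport, dst, dport, proto, direction, _level = m.groups()
        if direction == "in":  # assumption: key every selector local-host-first
            src, sport, dst, dport = dst, dport, src, sport
        key = selector(src, sport, dst, dport, proto)
        if key in sainfos:
            used.add(key)
        else:
            unmatched.append(key)
    return unmatched, sorted(sainfos - used)

if __name__ == "__main__":
    print(check_policy_vs_sainfo(SPD_TEXT, SAINFO_TEXT))
```

For the configuration quoted above both lists come back empty, so a selector mismatch is not the explanation here and the next place to look is the kernel SAD and the traffic on enc0.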