From owner-freebsd-security Thu Feb 7 14:41: 1 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtpzilla2.xs4all.nl (smtpzilla2.xs4all.nl [194.109.127.138]) by hub.freebsd.org (Postfix) with ESMTP id 97A0437B42F for ; Thu, 7 Feb 2002 14:40:41 -0800 (PST)
Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla2.xs4all.nl (8.12.0/8.12.0) with ESMTP id g17Mee8p007244 for ; Thu, 7 Feb 2002 23:40:41 +0100 (CET)
Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id XAA21279; Thu, 7 Feb 2002 23:40:40 +0100 (CET)
From: "Rob Frohwein"
To: freebsd-security@freebsd.org
X-Via: imploder /usr/local/lib/mail/news2mail/news2mail at list1.xs4all.nl
Subject: Re: Racoon/sainfo - 'no policy found'
Date: Thu, 7 Feb 2002 14:40:26 -0800
Organization: XS4ALL Internet BV
Message-ID:
In-Reply-To: <200202030048.QAA49670@mini.chicago.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

"Frank Drebin" wrote in message news:list.freebsd.security#200202030048.QAA49670@mini.chicago.com...
> I'm trying to get working a 'standard' VPN setup. That is,
> I have a FreeBSD (4.2) machine running NAT, IPFilter, IPSec,
> Racoon (version 20011215a) among other things. I want to
> connect to it using Windows 98 and PGPNet (I've tried 6.5.8
> and 7.0.3) over the internet. No matter what I do, I get
> 'no policy found' followed by 'failed to get proposal for
> responder'.
>
> I should point out that I *HAVE* gotten this whole thing to
> work when I replaced the '98 side with another FBSD machine
> (4.4) running racoon (same version) along with all the other
> appropriate pieces.
>
> I've attached a section of the log file generated when trying
> to connect from '98. My racoon.conf is just a copy of the one
> that comes with the distribution. It works for FBSD<->FBSD,
> why doesn't it work with PGPNet?
>
> Oh, and in searching through the mailing lists I came across
> a patch someone suggested for something similar. I tried
> that too - no joy.
>
> Any help, suggestions, etc. would be greatly appreciated!
>
> Thanks
>
> -------------
> . . .
> 2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
> 2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump():
> 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> . . .
>
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.

++++++++++++++++++++
It seems to me your PGPNet peer is trying to use X.509 authentication, because in this case the IP address will not be used as an ID. How do both configurations look? Try to look with Ethereal; the first messages in phase 1 are not encrypted.
++++++++++++++++++++++++

> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
> 2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
> . . .
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
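The quoted policy.c lines show what racoon is actually comparing: the phase 2 ID payloads from the PGPNet side name the two external host addresses (/32), while both SPD entries describe the internal /24 networks, so the wildcard compare masks the request with the entry's prefix, gets a different network, and reports 'no policy found'. The following Python is an added example, not code from the thread or from racoon: it models that cmpspidxwild()-style lookup, inferred from the log lines above, and runs it on the selectors the log shows. WINDOWS-EXTERNAL, FBSD-EXTERNAL and the internal networks are the poster's placeholders; the addresses used here are constructed stand-ins, and the "fixed" SPD is one possible correction (host-to-host entries for the public addresses), shown to make the match visible rather than as the only option.

```python
# Added example, not from the thread: a small model of racoon's SPD lookup
# (the policy.c cmpspidxwild() comparison visible in the quoted log), run on
# the selectors the log shows.  The host names in the log are the poster's
# placeholders; the addresses used here are constructed stand-ins.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SpIndex:
    """One SP index as racoon prints it: src/dst prefix, ports (0 = any),
    upper-layer protocol ('any' or a name) and direction ('in'/'out')."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: int
    dst_port: int
    proto: str
    direction: str


def sp(src: str, dst: str, direction: str, proto: str = "any",
       src_port: int = 0, dst_port: int = 0) -> SpIndex:
    """Build an SpIndex from prefix strings; a bare address becomes a /32."""
    return SpIndex(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   src_port, dst_port, proto, direction)


def masked(net: ipaddress.IPv4Network, prefixlen: int) -> ipaddress.IPv4Network:
    """'masked with /24' in the log: re-mask an address with the DB entry's prefix."""
    return ipaddress.ip_network(f"{net.network_address}/{prefixlen}", strict=False)


def matches(db: SpIndex, sub: SpIndex) -> bool:
    """Wildcard compare of a requested SP index ('sub') against an SPD entry
    ('db'): direction and protocol must agree, DB ports of 0 match anything,
    and the requested addresses, masked with the DB prefix lengths, must equal
    the DB networks.  A request wider than the DB entry never matches."""
    if db.direction != sub.direction:
        return False
    if db.proto != "any" and db.proto != sub.proto:
        return False
    for db_port, sub_port in ((db.src_port, sub.src_port), (db.dst_port, sub.dst_port)):
        if db_port != 0 and db_port != sub_port:
            return False
    if sub.src.prefixlen < db.src.prefixlen or sub.dst.prefixlen < db.dst.prefixlen:
        return False
    return (masked(sub.src, db.src.prefixlen) == db.src
            and masked(sub.dst, db.dst.prefixlen) == db.dst)


def lookup(spd: List[SpIndex], sub: SpIndex) -> Optional[SpIndex]:
    """Return the first SPD entry matching the request, or None ('no policy found')."""
    for db in spd:
        if matches(db, sub):
            return db
    return None


# Constructed stand-ins for the placeholders in the quoted log.
WINDOWS_EXTERNAL = "198.51.100.10"      # PGPNet host's public address
FBSD_EXTERNAL = "203.0.113.1"           # FreeBSD gateway's public address
WINDOWS_INTERNAL = "192.168.1.0/24"     # network behind the Windows side
FBSD_INTERNAL = "192.168.2.0/24"        # network behind the FreeBSD gateway

# The SPD as the log shows it: two entries, both for the internal /24 networks.
SPD_FROM_LOG = [
    sp(WINDOWS_INTERNAL, FBSD_INTERNAL, "in"),
    sp(FBSD_INTERNAL, WINDOWS_INTERNAL, "out"),
]

# What the peer's phase 2 ID payloads asked for: external host to external host, /32.
REQUEST_FROM_LOG = sp(WINDOWS_EXTERNAL, FBSD_EXTERNAL, "in")

# One way to make the responder accept that proposal: add host-to-host entries
# for the public addresses (the alternative is to have the peer propose the
# internal networks instead, which is a change on the PGPNet side).
SPD_WITH_HOST_ENTRIES = SPD_FROM_LOG + [
    sp(WINDOWS_EXTERNAL, FBSD_EXTERNAL, "in"),
    sp(FBSD_EXTERNAL, WINDOWS_EXTERNAL, "out"),
]


def diagnose(spd: List[SpIndex], sub: SpIndex) -> str:
    """One-line verdict in the spirit of the log's ERROR line."""
    hit = lookup(spd, sub)
    if hit is None:
        return (f"no policy found: {sub.src} {sub.dst} "
                f"proto={sub.proto} dir={sub.direction}")
    return f"matched SPD entry: {hit.src} {hit.dst} proto={hit.proto} dir={hit.direction}"


if __name__ == "__main__":
    print(diagnose(SPD_FROM_LOG, REQUEST_FROM_LOG))
    print(diagnose(SPD_WITH_HOST_ENTRIES, REQUEST_FROM_LOG))
```

Run as a script it prints the 'no policy found' verdict for the log's SPD and a match once the host-to-host entries exist. The useful check in practice is to compare the two `get_proposal_r()` ID-payload lines against `setkey -DP` output on the FreeBSD side: whichever side's selectors are wrong, the SP index racoon builds from the peer's IDs has to fall inside some SPD entry with the same direction, or phase 2 cannot proceed.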