Date:      Thu, 7 Feb 2002 14:40:26 -0800
From:      "Rob Frohwein" <rob@frohwein.xs4all.nl>
To:        freebsd-security@freebsd.org
Subject:   Re: Racoon/sainfo - 'no policy found'
Message-ID:  <a3uvp6$gom$1@news1.xs4all.nl>
In-Reply-To: <200202030048.QAA49670@mini.chicago.com>


"Frank Drebin" <frank@mini.CHicago.COM> wrote in message
news:list.freebsd.security#200202030048.QAA49670@mini.chicago.com...
> I'm trying to get working a 'standard' vpn setup.  That is,
> I have a FreeBSD (4.2) machine runing NAT, IPFilter, IPSec,
> Racoon (version 20011215a) among other things.  I want to
> connect to it using Windows 98 and PGPNet (I've tried 6.5.8
> and 7.0.3) over the internet.  No matter what I do, I get
>  'no policy found' followed by 'failed to get proposal for
>  responder'.
>
> I should point out that I *HAVE* gotten this whole thing to
> work when I replaced the '98 side with another FBSD machine
> (4.4) running racoon (same version) along with all the other
> appropriate  pieces.
>
> I've attached a section of the log file generated when trying
> to connect from '98.  My racoon.conf is just a copy of the one
> that comes with the distribution.  It works for FBSD<->FBSD,
> why doesn't it work with PGPNet?
>
> Oh, and in searching through the mailing lists I came across
> a patch someone suggested for something similar.  I tried
> that too - no joy.
>
> Any help, suggestions, etc. would be greatly appreciated!
>
> Thanks
>
> -------------
> . . .
> 2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
> 2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump():
> 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> . . .
>
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.

++++++++++++++++++++
It seems to me that your PGPNet peer is trying to use X.509 authentication, because in this case
the IP address will not be used as an ID.
How do both configurations look?
Try to look with Ethereal; the first messages in phase 1 are not encrypted.
++++++++++++++++++++++++

> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
> 2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
> . . .
>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
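The following is an added example, not part of the thread and not racoon's own code. It is a toy reconstruction of the responder-side lookup visible in the quoted log: get_proposal_r() builds an SP index from the phase 2 ID payloads, or falls back to the phase 1 peer addresses when the IDs are absent or not addresses, and cmpspidxwild() then masks that index with each SPD entry's prefix length. The addresses (198.51.100.20 and so on) and the db: log lines are constructed stand-ins for the WINDOWS-/FBSD- placeholders; the function names responder_selector, find_policy and diagnose are mine. Running it shows that a selector derived from the external (phase 1) addresses cannot match SPD entries written for the internal /24 networks, which is exactly the "no policy found" outcome above.

```python
"""Toy model of racoon's responder SPD lookup (added example, not racoon code).
Addresses and log lines below are constructed for the demonstration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the placeholders in the quoted log.
ADDR = {
    "WINDOWS-EXTERNAL": "198.51.100.20",
    "FBSD-EXTERNAL": "203.0.113.1",
    "WINDOWS-INTERNAL": "192.168.1.20",
    "FBSD-INTERNAL": "192.168.2.1",
}

@dataclass(frozen=True)
class SPIndex:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str

_ENDPOINT = re.compile(r"(\S+?)(?:/(\d+))?\[\d+\]")      # NAME[/prefixlen][port]
_INDEX = re.compile(r"(sub|db):\s?0x[0-9a-f]+:\s*(.*)$")  # cmpspidxwild() lines

def _net(name: str, plen: str) -> ipaddress.IPv4Network:
    host = ADDR.get(name, name)            # placeholder name or literal address
    return ipaddress.ip_network(f"{host}/{plen or 32}", strict=False)

def parse_spidx(text: str) -> SPIndex:
    """Parse 'SRC[port] DST[port] proto=X dir=Y' as printed by cmpspidxwild()."""
    eps = _ENDPOINT.findall(text)
    m = re.search(r"proto=(\S+)\s+dir=(\S+)", text)
    if len(eps) != 2 or not m:
        raise ValueError(f"not an SP index: {text!r}")
    return SPIndex(_net(*eps[0]), _net(*eps[1]), m.group(1), m.group(2))

def parse_log_line(line: str) -> Optional[tuple]:
    """Return ('sub'|'db', SPIndex) for a cmpspidxwild() debug line, else None."""
    m = _INDEX.search(line)
    return (m.group(1), parse_spidx(m.group(2))) if m else None

def matches(sub: SPIndex, db: SPIndex) -> bool:
    """Wildcard compare in the spirit of cmpspidxwild(): direction must agree,
    proto 'any' in the SPD matches anything, and the requested addresses are
    masked with the SPD entry's prefix length before comparison."""
    if sub.direction != db.direction or db.proto not in ("any", sub.proto):
        return False
    for want, have in ((sub.src, db.src), (sub.dst, db.dst)):
        masked = ipaddress.ip_network(
            f"{want.network_address}/{have.prefixlen}", strict=False)
        if masked != have:
            return False
    return True

def find_policy(sub: SPIndex, spd: list) -> Optional[SPIndex]:
    """First SPD entry matching the index, or None ('no policy found')."""
    return next((e for e in spd if matches(sub, e)), None)

def responder_selector(ph1_src: str, ph1_dst: str, id_src: Optional[str] = None,
                       id_dst: Optional[str] = None) -> SPIndex:
    """Mirror get_proposal_r(): use the phase 2 ID payloads when they carry
    addresses, else fall back to the phase 1 peer addresses (the quoted
    'no ID payloads found OR because ID type is not address' case).
    None models an ID payload that is absent or not an address."""
    src = ipaddress.ip_network(id_src or f"{ph1_src}/32", strict=False)
    dst = ipaddress.ip_network(id_dst or f"{ph1_dst}/32", strict=False)
    return SPIndex(src, dst, "any", "in")

# Constructed db: lines in the format of the quoted log (placeholders kept).
SAMPLE_LOG = """\
DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL/24[0] FBSD-INTERNAL/24[0] proto=any dir=in
DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
"""

def load_spd(log: str) -> list:
    """Collect the SPD entries racoon printed as 'db:' lines."""
    return [p[1] for p in map(parse_log_line, log.splitlines()) if p and p[0] == "db"]

def diagnose(log: str) -> dict:
    """Run the lookup for three selector variants and report which ones match."""
    spd = load_spd(log)
    ext = (ADDR["WINDOWS-EXTERNAL"], ADDR["FBSD-EXTERNAL"])
    # 1. No usable ID payloads: selector falls back to the external addresses.
    fallback = responder_selector(*ext)
    # 2. Address IDs naming the internal hosts, as a racoon peer would send.
    with_ids = responder_selector(*ext, id_src=ADDR["WINDOWS-INTERNAL"] + "/32",
                                  id_dst=ADDR["FBSD-INTERNAL"] + "/32")
    # 3. Same fallback selector, with a host-to-host SPD entry for the
    #    external endpoints added to the policy database.
    spd_ext = spd + [parse_spidx("WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in")]
    return {
        "fallback_matches": find_policy(fallback, spd) is not None,
        "address_ids_match": find_policy(with_ids, spd) is not None,
        "fallback_with_external_policy": find_policy(fallback, spd_ext) is not None,
    }

if __name__ == "__main__":
    for name, ok in diagnose(SAMPLE_LOG).items():
        print(f"{name}: {'policy found' if ok else 'no policy found'}")
```

The three cases separate the two things a responder can change: what the initiator puts in its phase 2 IDs (case 2) and which selectors the SPD actually contains (case 3). Comparing the sub: and db: lines of a real log the same way tells you which of the two is off before touching racoon.conf.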




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a3uvp6$gom$1>