Date:      Sat, 11 Jan 2003 13:23:34 +0100
From:      Matthias Teege <matthias-fbsdsec@mteege.de>
To:        freebsd-security@freebsd.org
Subject:   ESP input: no key association found for spi
Message-ID:  <20030111122334.GB33642@gic.mteege.de>

Moin,

I connected an OpenBSD/isakmpd router and a FreeBSD/racoon router with
IPsec, and the tunnel is up now. But on the FreeBSD side I get the
following messages:

Jan 11 13:05:01 bullet /kernel: IPv4 ESP input: no key association found for spi 15572638
Jan 11 13:06:41 bullet /kernel: IPv4 ESP input: no key association found for spi 175788114
Jan 11 13:08:21 bullet /kernel: IPv4 ESP input: no key association found for spi 242915680
Jan 11 13:12:31 bullet /kernel: IPv4 ESP input: no key association found for spi 180762712
Jan 11 13:13:46 bullet /kernel: IPv4 ESP input: no key association found for spi 263880410

What does this mean? (The FreeBSD kernel logs this when an incoming ESP packet carries an SPI for which it has no entry in its security association database; comparing the logged SPI values with `setkey -D` on both ends shows which side still considers that SA valid.)

On the FreeBSD side I use the following setup:
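#!/bin/sh
# Install the IPsec tunnel policies (SPD) on the FreeBSD gateway.
# Only policies are set here; the ESP SAs themselves are negotiated by
# racoon, so the SAD stays empty until phase 2 completes.
#
# NOTE(review): `setkey -F` drops every existing SA. Re-running this while
# the tunnel is up tears the live SAs down; until the peer notices it may
# keep sending on the old SPI, which would show up on this side as
# "ESP input: no key association found for spi".
set -e
setkey -FP	# flush the security policy database
setkey -F	# flush the security association database
# Policies are in tunnel mode between the gateways 192.168.9.9 (remote)
# and 192.168.9.11 (local); 192.168.0.0/24 is the network behind the peer.
setkey -c << EOF
spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.9.9-192.168.9.11;
spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
esp/tunnel/192.168.9.11-192.168.9.9;
EOF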

bullet# setkey -DP
192.168.0.0/24[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/192.168.9.9-192.168.9.11/default
        spid=73 seq=1 pid=95831
        refcnt=1
0.0.0.0/0[any] 192.168.0.0/24[any] any
        out ipsec
        esp/tunnel/192.168.9.11-192.168.9.9/default
        spid=74 seq=0 pid=95831
        refcnt=1
bullet#


racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
#
# NOTE(review): this is the KAME sample racoon.conf with the site-specific
# peer edited in; several sample "remote"/"sainfo" stanzas below still
# carry the example identities and addresses from the template.

# A "path" directive must appear before anything that relies on it.
# A later definition overrides an earlier one, but relying on that is
# confusing and should be avoided.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# File searched for pre_shared_key entries, keyed by the peer's identifier.
# It holds the shared secrets in the clear; keep it readable by root only.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# Directory searched for certificate files when a certificate or
# certificate-request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" sets the logging level: "notify", "debug" or "debug2".
# Turning on "debug" is the quickest way to see which remote/sainfo
# stanza is actually selected for a negotiation.
#log debug;

# "padding" tunes ISAKMP payload padding.  These are the upstream sample
# defaults; the template advises leaving them alone.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# randomize the padding length.
	strict_check off;	# strictly check padding on receive.
	exclusive_tail off;	# extract last one octet.
}

# Without a "listen" directive racoon binds every interface address.
# Binding only the tunnel endpoint keeps IKE off the other interfaces.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	isakmp 192.168.9.11 [500];	# local tunnel endpoint, same address as in spdadd/remote
	#admin [7002];		# administrative port used by kmpstat.
	strict_address; 	# refuse to start unless every listed address can be bound.
}

# Default retransmission and phase timers.
timer
{
	# These values can be overridden per remote node.
	counter 5;		# maximum number of send attempts.
	interval 20 sec;	# maximum interval between resends.
	persend 1;		# number of packets per send.

	# Time allowed for each phase to complete.
	phase1 30 sec;
	phase2 15 sec;
}

# Phase 1 (ISAKMP SA) parameters for the OpenBSD/isakmpd peer.
remote 192.168.9.9
{
	# Main mode first, aggressive mode as a fallback.
	# NOTE(review): with pre_shared_key authentication, aggressive mode
	# sends the identity unprotected and exposes material usable for an
	# offline guess at the PSK. The peer is a fixed address, so
	# "exchange_mode main;" alone should be enough — confirm isakmpd agrees.
	exchange_mode main,aggressive;
	#exchange_mode aggressive,main;
	#exchange_mode main;
	doi ipsec_doi;
	situation identity_only;

	# Both sides identify by tunnel endpoint address; the entry in psk.txt
	# is looked up under the peer's identifier (see the "path" comment).
	my_identifier    address 192.168.9.11;
	peers_identifier address 192.168.9.9;
	#my_identifier user_fqdn "sakane@kame.net";
	#peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	#lifetime time 1 min;	# sec,min,hour
	lifetime time 60 min;	# phase 1 SA lifetime (sec,min,hour)
	initial_contact on;	# send INITIAL-CONTACT so the peer can discard SAs from a previous run
	support_mip6 on;
	# "obey": as responder, presumably accept the initiator's lifetime and
	# PFS settings rather than insisting on ours — so the effective phase 2
	# lifetime may be isakmpd's, not the 30 sec configured in sainfo below.
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;	# 1024-bit MODP
	}
}

# Wildcard phase 1 stanza: used for any peer not matched by a more specific
# "remote" entry.
# NOTE(review): this is the unmodified KAME sample, still carrying the
# template's "sakane@kame.net" identities. It lets an arbitrary address start
# a negotiation (including aggressive mode) against whatever PSK is filed
# under that identifier. If only the 192.168.9.9 peer is intended, consider
# removing this stanza so unknown peers are rejected outright.
remote anonymous
{
	exchange_mode main,aggressive;
	#exchange_mode aggressive,main;
	#exchange_mode main;
	doi ipsec_doi;
	situation identity_only;

	#my_identifier address;
	my_identifier user_fqdn "sakane@kame.net";	# sample identity from the template
	peers_identifier user_fqdn "sakane@kame.net";	# sample identity from the template
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	#lifetime time 1 min;	# sec,min,hour
	lifetime time 60 min;	# sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Sample stanza from the template: an IPv6 loopback peer on a non-standard
# port, used for local testing. It does not apply to the 192.168.9.9 tunnel
# and can presumably be dropped.
remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;	# aggressive mode preferred here (sample only)
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Phase 2 (IPsec SA) parameters used when no more specific sainfo matches.
# NOTE(review): for the tunnel-mode policies in the spdadd lines the phase 2
# selectors are the inner networks (192.168.0.0/24 and 0.0.0.0/0), so this
# catch-all is presumably the entry that actually serves the tunnel.
sainfo anonymous
{
	pfs_group 1;		# 768-bit MODP for PFS; weaker than the dh_group 2 used in phase 1
	# NOTE(review): a 30-second lifetime means near-constant rekeying. If the
	# isakmpd side keeps using an SA racoon has already expired and deleted,
	# its ESP packets arrive with an SPI missing from the SAD and produce the
	# "no key association found for spi" log lines — compare the logged SPIs
	# with `setkey -D` on both ends, and check what lifetime isakmpd proposes.
	lifetime time 30 sec;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;	# IPComp (deflate) is offered as well
}

# Phase 2 parameters keyed on the gateway addresses.
# NOTE(review): sainfo is matched against the phase 2 identities, which for
# this tunnel are the inner subnets from the SPD, not the gateway addresses;
# this entry therefore presumably never matches and "sainfo anonymous" is
# used instead. Verify with "log debug" before relying on it.
sainfo address 192.168.9.11 any address 192.168.9.9 any
{
	pfs_group 1;
	lifetime time 30 sec;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}

# Sample entry from the template (KAME project addresses).
# NOTE(review): it offers single DES and HMAC-MD5. These addresses are not
# part of this tunnel, so it is presumably dead configuration; removing it
# avoids ever offering DES.
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 1;
	lifetime time 30 sec;
	encryption_algorithm des ;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate ;
}

# Sample entry from the template: IPv6 loopback ICMPv6 traffic, offering a
# list of ciphers for testing. Not relevant to this tunnel; note that it
# also offers single DES and HMAC-MD5.
sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 1;
	lifetime time 60 sec;
	encryption_algorithm 3des, cast128, blowfish 448, des ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

Thanks for any hint.
Bis dann
Matthias

-- 
Matthias Teege -- matthias@mteege.de -- http://www.mteege.de
make world not war
PGP-Key auf Anfrage




