Date: Sat, 11 Jan 2003 13:23:34 +0100 From: Matthias Teege <matthias-fbsdsec@mteege.de> To: freebsd-security@freebsd.org Subject: ESP input: no key association found for spi Message-ID: <20030111122334.GB33642@gic.mteege.de>
next in thread | raw e-mail | index | archive | help
Moin, i connected a OpenBSD/isakmpd and a FreeBSD/racoon router together with IPSec and the tunnel is up know. But on the FreeBSD side I get the following messages: Jan 11 13:05:01 bullet /kernel: IPv4 ESP input: no key association found for spi 15572638 Jan 11 13:06:41 bullet /kernel: IPv4 ESP input: no key association found for spi 175788114 Jan 11 13:08:21 bullet /kernel: IPv4 ESP input: no key association found for spi 242915680 Jan 11 13:12:31 bullet /kernel: IPv4 ESP input: no key association found for spi 180762712 Jan 11 13:13:46 bullet /kernel: IPv4 ESP input: no key association found for spi 263880410 Was does this mean? On the FreeBSD side I use the following setup #!/bin/sh setkey -FP setkey -F setkey -c << EOF spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.9.9-192.168.9.11; spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.9.11-192.168.9.9; bullet# setkey -DP 192.168.0.0/24[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/192.168.9.9-192.168.9.11/default spid=73 seq=1 pid=95831 refcnt=1 0.0.0.0/0[any] 192.168.0.0/24[any] any out ipsec esp/tunnel/192.168.9.11-192.168.9.9/default spid=74 seq=0 pid=95831 refcnt=1 bullet# raccon.conf # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/usr/local/etc/racoon" ; #include "remote.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/usr/local/etc/cert" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". #log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; isakmp 192.168.9.11 [500]; #admin [7002]; # administrative's port by kmpstat. strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote 192.168.9.9 { exchange_mode main,aggressive; #exchange_mode aggressive,main; #exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier address 192.168.9.11; peers_identifier address 192.168.9.9; #my_identifier user_fqdn "sakane@kame.net"; #peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; #lifetime time 1 min; # sec,min,hour lifetime time 60 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } remote anonymous { exchange_mode main,aggressive; #exchange_mode aggressive,main; #exchange_mode main; doi ipsec_doi; situation identity_only; #my_identifier address; my_identifier user_fqdn "sakane@kame.net"; peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; #lifetime time 1 min; # sec,min,hour lifetime time 60 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } remote ::1 [8000] { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier user_fqdn "sakane@kame.net"; peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 1 min; # sec,min,hour proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } sainfo anonymous { pfs_group 1; lifetime time 30 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; } sainfo address 192.168.9.11 any address 192.168.9.9 any { pfs_group 1; lifetime time 30 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; } sainfo address 203.178.141.209 any address 203.178.141.218 any { pfs_group 1; lifetime time 30 sec; encryption_algorithm des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } sainfo address ::1 icmp6 address ::1 icmp6 { pfs_group 1; lifetime time 60 sec; encryption_algorithm 3des, cast128, blowfish 448, des ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } Thnaks for any hint Bis dann Matthias -- Matthias Teege -- matthias@mteege.de -- http://www.mteege.de make world not war PGP-Key auf Anfrage To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030111122334.GB33642>