From owner-freebsd-security Fri Feb 8 23:54:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from barney.sfrn.dnai.com (barney.sfrn.dnai.com [208.59.199.24]) by hub.freebsd.org (Postfix) with ESMTP id 7656237B404 for ; Fri, 8 Feb 2002 23:54:10 -0800 (PST) Received: from sideshow-mel.sfrn.dnai.com (sideshow-mel.sfrn.dnai.com [208.59.199.19]) by barney.sfrn.dnai.com (8.11.2/8.11.2) with ESMTP id g197ruG43188 for ; Fri, 8 Feb 2002 23:53:56 -0800 (PST) Received: from mini.chicago.com (dnai-216-15-39-222.cust.dnai.com [216.15.39.222]) by sideshow-mel.sfrn.dnai.com (8.11.3/8.11.3) with ESMTP id g197o3d29116 for ; Fri, 8 Feb 2002 23:50:03 -0800 (PST) (envelope-from frank@mini.chicago.com) Received: (from frank@localhost) by mini.chicago.com (8.9.3/8.9.3) id XAA35755 for freebsd-security@freebsd.org; Fri, 8 Feb 2002 23:57:26 -0800 (PST) (envelope-from frank) From: Frank Drebin Message-Id: <200202090757.XAA35755@mini.chicago.com> Subject: Re: Racoon/sainfo - 'no policy found' In-Reply-To: To: freebsd-security@freebsd.org Date: Fri, 8 Feb 2002 23:57:26 -0800 (PST) X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > It seems to me the your pgpnet peer is trying to use x509 > authentication because in this case > the ip adres will not be used as an id. > How do both configurations look? > > Try to look with ethereal, the first messages in fase 1 are > not crypted OK, the config file is at the end of this message. Both ends are the same. Since sending my first message I've found that FBSD/racoon<->FBSD/racoon only works till the first time the keys are renegotiated. At that point I get the message about the security association expiring but from then on I always get the 'policy not found' error. The following is part of the log from one side of the FBSD<->FBSD case. 2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/T unnel NODE-A->NODE-B spi=230063835(0xdb67edb) 2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait. 2002-02-08 23:46:26: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired N ODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0 2002-02-08 23:46:27: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted N ODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0 2002-02-08 23:47:31: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: NODE-B[500]<=>NODE-A[500] 2002-02-08 23:47:31: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mo de. 2002-02-08 23:47:33: NOTIFY: oakley.c:2036:oakley_skeyid(): couldn't find pskey, try to get one by the peer's address. 2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA establi shed NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6 2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0] 2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not suppo rted nested SA.2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop. 2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get pr oposal for responder. 2002-02-08 23:47:33: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-pro cess packet. ... ad nauseum Thanks for your help! ------ racoon config file ------- # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/usr/local/etc/racoon" ; #include "remote.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/usr/local/etc/cert" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". #log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote anonymous { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; #my_identifier address; my_identifier user_fqdn "sakane@kame.net"; peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 10 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 5; } } sainfo anonymous { pfs_group 5; lifetime time 10 min; authentication_algorithm hmac_sha1; encryption_algorithm 3des; compression_algorithm deflate ; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message