Date:      Fri, 8 Feb 2002 23:57:26 -0800 (PST)
From:      Frank Drebin <frank@mini.chicago.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Racoon/sainfo - 'no policy found'
Message-ID:  <200202090757.XAA35755@mini.chicago.com>
In-Reply-To: <a3uvp6$gom$1@news1.xs4all.nl>

> It seems to me that your pgpnet peer is trying to use x509
> authentication because in this case
> the ip address will not be used as an id.
> How do both configurations look?
> 
> Try to look with ethereal, the first messages in phase 1 are
> not encrypted

OK, the config file is at the end of this message.  Both ends
are the same.

Since sending my first message I've found that FBSD/racoon<->FBSD/racoon
only works till the first time the keys are renegotiated.  At that point
I get the message about the security association expiring but from then
on I always get the 'policy not found' error.  The following is part of
the log from one side of the FBSD<->FBSD case.

2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel NODE-A->NODE-B spi=230063835(0xdb67edb)
2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait.
2002-02-08 23:46:26: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:46:27: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:47:31: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: NODE-B[500]<=>NODE-A[500]
2002-02-08 23:47:31: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mode.
2002-02-08 23:47:33: NOTIFY: oakley.c:2036:oakley_skeyid(): couldn't find pskey, try to get one by the peer's address.
2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6
2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0]
2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
2002-02-08 23:47:33: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
...  ad nauseam

Thanks for your help!


------   racoon config file  -------

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it is used.
# You can override a path you have already defined, but this is confusing and not recommended.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines the padding parameters.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative port used by kmpstat.
        #strict_address;        # require that all listed addresses can be bound.
}

# Default values for the various timers.
timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum number of send attempts.
        interval 20 sec;        # maximum interval between resends.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 5;
        }
}

sainfo anonymous
{
        pfs_group 5;
        lifetime time 10 min;
        authentication_algorithm hmac_sha1;
        encryption_algorithm 3des;
        compression_algorithm deflate ;
}
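As an added example (not part of the original thread or of racoon itself), a small Python parser for log lines in the format racoon writes, run over constructed sample lines modelled on the log quoted above. It flags rekeys where an IPsec-SA expiry is followed by a phase 2 proposal error even though phase 1 was re-established, which is what separates a policy/SPD problem from a pre-shared-key problem; the "IPsec-SA established" message used to clear the pending state is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon log quoted in the message above.
SAMPLE_LOG = """\
2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel NODE-A->NODE-B spi=230063835(0xdb67edb)
2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait.
2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6
2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0]
2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
"""

# racoon log format: "<date> <time>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z0-9]+): "
    r"(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)

def parse_line(line):
    """Parse one racoon log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None: return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["line"] = int(ev["line"])
    return ev

def rekey_failures(text):
    """Find 'IPsec-SA expired' events followed by a phase 2 ERROR before any new
    IPsec-SA comes up; record whether phase 1 was re-established in between."""
    pending, phase1_ok, findings = None, False, []   # pending = unresolved expiry time
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if msg.startswith("IPsec-SA expired"):
            pending, phase1_ok = ev["ts"], False
        elif msg.startswith("ISAKMP-SA established"):
            phase1_ok = True
        elif msg.startswith("IPsec-SA established"):   # assumed phase 2 success message
            pending = None
        elif pending is not None and ev["level"] == "ERROR" \
                and ev["file"] in ("proposal.c", "isakmp_quick.c"):
            findings.append({"expired": pending, "failed": ev["ts"],
                             "phase1_reestablished": phase1_ok, "error": msg})
    return findings
```

A finding with phase1_reestablished set and an error from proposal.c points at the SPD/policy side of the responder rather than at the pre-shared key.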
