Date: Tue, 18 Jun 2002 13:05:47 -0700 From: "Crist J. Clark" <crist.clark@attbi.com> To: security@freebsd.org Subject: Configuring sainfo in racoon(8) Message-ID: <20020618130547.A11688@blossom.cjclark.org>
I am trying to get some ESP tunnels going. I am using racoon(8) to handle the IKE to negotiate the SAs. I am having a problem right from the start. My racoon.conf(5) looks something like,

    remote 192.168.100.1 {
        ...
        my_identifier user_fqdn "cjc@mydomain.org";
        peer_identifier user_fqdn "cjc@mydomain.org";
        ...
    }

    sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
        ...
    }

I have my SPD set,

    # setkey -c <<EOF
    spdadd 192.168.200.1 192.168.101.0/24 any -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
    spdadd 192.168.101.0/24 192.168.200.1 any -P in ipsec esp/tunnel/192.168.100.1-192.168.200.1/require;
    EOF

To review what that is saying, I am trying to take all traffic that originates from 192.168.200.1 bound for the 192.168.101.0/24 network and put it through an ESP tunnel where 192.168.100.1 is the other end of the tunnel. This is the configuration on 192.168.200.1 itself.

Now, the SPD loads fine and racoon(8) starts up OK. However, once I try to put any traffic through the tunnel, racoon(8) can't seem to figure out the SA for the tunnel. Here is the 'racoon -d -F' output (racoon(8) in the foreground at debug level one) once I try to put some traffic through the tunnel,

    2002-06-18 12:26:04: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
    2002-06-18 12:26:04: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out.
    2002-06-18 12:26:04: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff454: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
    2002-06-18 12:26:04: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a3a08: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in
    2002-06-18 12:26:04: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in.
    2002-06-18 12:26:04: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out
    2002-06-18 12:26:04: ERROR: pfkey.c:1604:pk_recvacquire(): failed to get sainfo.

So we see racoon(8) figures out my SPD entries fine, but is having some problems finding the right 'sainfo.' As I showed in the abridged racoon.conf(5) above, I use 'user_fqdn' as the identifiers for this SA. The documentation says this is fine, but I think I understand where the problem lies. It seems like racoon(8) is trying to build the ESP SA for the outbound traffic before the first phase of IKE has been completed (no IKE traffic goes out before we get the error). Since we have not completed Phase 1, we do not yet know the identity of the remote site.

Can anyone enlighten me as to what I am doing wrong or where my logic is failing me?

Thanks.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
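The following is an added example, not part of Crist's message or of the racoon/KAME code. It parses the two setkey(8) spdadd lines and the racoon -d -F output quoted above (embedded here as constructed sample input), checks that the outbound policy has a properly mirrored inbound policy, and correlates the "failed to get sainfo" error back to the ACQUIRE selector and the SPD entry (and therefore the tunnel peer) that triggered it. The only assumptions are the regular expressions, which are written against the exact log and spdadd formats shown in the message; racoon's phase-1 handling itself is not modelled.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the SPD entries and racoon debug lines quoted in the message.
SPD_TEXT = """\
spdadd 192.168.200.1 192.168.101.0/24 any -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
spdadd 192.168.101.0/24 192.168.200.1 any -P in ipsec esp/tunnel/192.168.100.1-192.168.200.1/require;
"""

# Constructed variant with the inbound policy's tunnel endpoints left un-swapped (a common typo).
SPD_TEXT_BROKEN = """\
spdadd 192.168.200.1 192.168.101.0/24 any -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
spdadd 192.168.101.0/24 192.168.200.1 any -P in ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
"""

RACOON_LOG = """\
2002-06-18 12:26:04: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-06-18 12:26:04: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out.
2002-06-18 12:26:04: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 192.168.101.0/24[0] 192.168.200.1/32[0] proto=any dir=in.
2002-06-18 12:26:04: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 192.168.200.1/32[0] 192.168.101.0/24[0] proto=any dir=out
2002-06-18 12:26:04: ERROR: pfkey.c:1604:pk_recvacquire(): failed to get sainfo.
"""


@dataclass(frozen=True)
class SpdEntry:
    src: str          # selector source (host or prefix)
    dst: str          # selector destination
    proto: str        # upper-layer protocol ("any" here)
    direction: str    # "in" or "out"
    tunnel_src: str   # outer ESP tunnel source
    tunnel_dst: str   # outer ESP tunnel destination (the IKE peer for "out")
    level: str        # require / use / default


# Assumed format: exactly the spdadd ... ipsec esp/tunnel/A-B/level; shape used in the message.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+esp/tunnel/(?P<tsrc>[^-]+)-(?P<tdst>[^/]+)/(?P<level>\w+);"
)

# Assumed format: the "new acquire SRC[port] DST[port] proto=P dir=D" line racoon printed above.
ACQUIRE_RE = re.compile(
    r"new acquire (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>\w+)"
)
SAINFO_ERR = "failed to get sainfo"


def parse_spd(text):
    """Turn setkey spdadd lines into SpdEntry records; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            entries.append(SpdEntry(m["src"], m["dst"], m["proto"], m["dir"],
                                    m["tsrc"], m["tdst"], m["level"]))
    return entries


def normalize_prefix(addr):
    """setkey accepts a bare host address; racoon logs the same selector as /32."""
    return addr if "/" in addr else addr + "/32"


def check_mirrored(entries):
    """Every outbound policy needs an inbound twin with selector and tunnel endpoints swapped."""
    problems = []
    ins = [e for e in entries if e.direction == "in"]
    for o in (e for e in entries if e.direction == "out"):
        mirrored = any(i.src == o.dst and i.dst == o.src
                       and i.tunnel_src == o.tunnel_dst and i.tunnel_dst == o.tunnel_src
                       for i in ins)
        if not mirrored:
            problems.append(f"no mirrored inbound policy for {o.src} -> {o.dst}")
    return problems


def diagnose(log_text, entries):
    """Pair each sainfo failure with the ACQUIRE selector and SPD entry that preceded it."""
    findings = []
    current = None
    for line in log_text.splitlines():
        m = ACQUIRE_RE.search(line)
        if m:
            current = (m["src"], m["dst"], m["proto"], m["dir"])
            continue
        if SAINFO_ERR in line and current is not None:
            src, dst, _proto, direction = current
            hits = [e for e in entries
                    if normalize_prefix(e.src) == src and normalize_prefix(e.dst) == dst
                    and e.direction == direction]
            policy = hits[0] if hits else None
            findings.append({"selector": current, "policy": policy,
                             "peer": policy.tunnel_dst if policy else None})
            current = None
    return findings


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    print("mirror problems:", check_mirrored(spd))
    for f in diagnose(RACOON_LOG, spd):
        print("sainfo lookup failed for", f["selector"], "-> tunnel peer", f["peer"])
```

Run against the message's own configuration, the mirror check is clean and the single finding names 192.168.100.1 as the peer whose sainfo racoon could not select, which is the remote whose identity is only learned once phase 1 completes. The same check run over the deliberately broken SPD variant reports the un-swapped tunnel endpoints, the kind of asymmetry that produces confusing ACQUIRE behaviour before any IKE exchange starts.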