Re: Racoon/sainfo - 'no policy found'

From: Rob Frohwein (rob@frohwein.xs4all.nl)
Date: 02/07/02


From: "Rob Frohwein" <rob@frohwein.xs4all.nl>
To: freebsd-security@freebsd.org
Date: Thu, 7 Feb 2002 14:40:26 -0800


"Frank Drebin" <frank@mini.CHicago.COM> wrote in message
news:list.freebsd.security#200202030048.QAA49670@mini.chicago.com...
> I'm trying to get working a 'standard' vpn setup. That is,
> I have a FreeBSD (4.2) machine running NAT, IPFilter, IPSec,
> Racoon (version 20011215a) among other things. I want to
> connect to it using Windows 98 and PGPNet (I've tried 6.5.8
> and 7.0.3) over the internet. No matter what I do, I get
> 'no policy found' followed by 'failed to get proposal for
> responder'.
>
> I should point out that I *HAVE* gotten this whole thing to
> work when I replaced the '98 side with another FBSD machine
> (4.4) running racoon (same version) along with all the other
> appropriate pieces.
>
> I've attached a section of the log file generated when trying
> to connect from '98. My racoon.conf is just a copy of the one
> that comes with the distribution. It works for FBSD<->FBSD,
> why doesn't it work with PGPNet?
>
> Oh, and in searching through the mailing lists I came across
> a patch someone suggested for something similar. I tried
> that too - no joy.
>
> Any help, suggestions, etc. would be greatly appreciated!
>
> Thanks
>
> -------------
> . . .
> 2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
> 2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump():
> 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> . . .
>
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.

++++++++++++++++++++
It seems to me that your PGPNet peer is trying to use X.509 authentication,
because in this case
the IP address will not be used as an ID.
How do both configurations look?
Try to look with Ethereal; the first messages in phase 1 are not encrypted.
++++++++++++++++++++++++

> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
> 2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
> . . .
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
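The quoted log walks through racoon's responder-side policy lookup: it builds an SP index from the peer's quick-mode ID payloads (falling back to the phase-1 addresses when an ID is not an address), then compares that index against each SPD entry after masking with the entry's prefix length. The Python below is an added illustration written for this thread, not racoon's code and not from either poster; it models that lookup in simplified form, with constructed RFC 5737 and RFC 1918 addresses standing in for the redacted WINDOWS-EXTERNAL, FBSD-EXTERNAL, WINDOWS-INTERNAL and FBSD-INTERNAL names. It reproduces the mismatch in the log (a /32 host-to-host selector against /24 subnet entries) and, going beyond the log, shows what the same lookup does when an entry covers those host addresses, when the peer's IDs name the internal subnets, and when the IDs are distinguished names.

```python
"""Simplified model of the responder-side SPD lookup that racoon logs as
get_proposal_r() and cmpspidxwild(). Added illustration for this thread, not
racoon's code and not from either poster. Addresses are constructed: the
posted log redacts them as WINDOWS-EXTERNAL, FBSD-EXTERNAL, WINDOWS-INTERNAL
and FBSD-INTERNAL; RFC 5737 and RFC 1918 ranges stand in for them here."""
import ipaddress
from dataclasses import dataclass

# ISAKMP Identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_DER_ASN1_DN = 1, 2, 3, 4, 9
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET}


def net(text):
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Selector:
    """One SP index, what the log prints as 'src[port] dst[port] proto=.. dir=..'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    direction: str = "in"


def build_selector(ph1_peer, ph1_local, idci=None, idcr=None):
    """Quick-mode responder: start from the phase-1 addresses (/32), then let
    IDci/IDcr override them only when they carry addresses. A non-address ID
    (FQDN, DER DN, ...) leaves the phase-1 address in place, which is the
    'no ID payloads found OR because ID type is not address' case in the log."""
    src, dst = net(f"{ph1_peer}/32"), net(f"{ph1_local}/32")
    if idci is not None and idci[0] in ADDRESS_ID_TYPES:
        src = net(idci[1])
    if idcr is not None and idcr[0] in ADDRESS_ID_TYPES:
        dst = net(idcr[1])
    return Selector(src, dst, "any", "in")


def covers(entry_net, cand_net):
    """Mask the candidate with the policy entry's prefix length and compare
    network addresses (the 'masked with /24' lines). A candidate wider than
    the entry, e.g. a /24 against a /32 entry, is not covered."""
    if cand_net.prefixlen < entry_net.prefixlen:
        return False
    masked = net(f"{cand_net.network_address}/{entry_net.prefixlen}")
    return masked.network_address == entry_net.network_address


def find_policy(spd, sel):
    """First SPD entry whose direction, protocol, src and dst cover the
    selector, or None: racoon's 'no policy found'."""
    for entry in spd:
        if entry.direction != sel.direction:
            continue
        if entry.proto != "any" and entry.proto != sel.proto:
            continue
        if covers(entry.src, sel.src) and covers(entry.dst, sel.dst):
            return entry
    return None


# Constructed stand-ins for the redacted names in the log.
WINDOWS_EXTERNAL, FBSD_EXTERNAL = "198.51.100.20", "203.0.113.1"
WINDOWS_INTERNAL, FBSD_INTERNAL = "192.168.1.0/24", "10.1.1.0/24"

# The two entries the log compares against: subnet-to-subnet, in and out.
SPD_FROM_LOG = [
    Selector(net(WINDOWS_INTERNAL), net(FBSD_INTERNAL), "any", "in"),
    Selector(net(FBSD_INTERNAL), net(WINDOWS_INTERNAL), "any", "out"),
]


def responder_lookup(spd, idci=None, idcr=None):
    """Run the lookup for a quick-mode exchange from WINDOWS_EXTERNAL to
    FBSD_EXTERNAL; returns (selector built, matching entry or None)."""
    sel = build_selector(WINDOWS_EXTERNAL, FBSD_EXTERNAL, idci, idcr)
    return sel, find_policy(spd, sel)


if __name__ == "__main__":
    # As logged: IDci/IDcr are the two host addresses (prefixlen=32), so the
    # candidate EXTERNAL/32 -> EXTERNAL/32 is covered by neither /24 entry.
    host_ids = ((ID_IPV4_ADDR, f"{WINDOWS_EXTERNAL}/32"), (ID_IPV4_ADDR, f"{FBSD_EXTERNAL}/32"))
    sel, hit = responder_lookup(SPD_FROM_LOG, *host_ids)
    print("as logged:", sel.src, sel.dst, "->", hit)
    # Same proposal once an entry covers the addresses the peer actually sends.
    spd = SPD_FROM_LOG + [Selector(sel.src, sel.dst, "any", "in")]
    print("host-to-host entry present:", responder_lookup(spd, *host_ids)[1])
    # IDs that name the internal subnets are covered by the existing entries.
    subnet_ids = ((ID_IPV4_ADDR_SUBNET, WINDOWS_INTERNAL), (ID_IPV4_ADDR_SUBNET, FBSD_INTERNAL))
    print("subnet IDs:", responder_lookup(SPD_FROM_LOG, *subnet_ids)[1])
    # A DN identity falls back to the phase-1 addresses.
    print("DN IDs:", responder_lookup(SPD_FROM_LOG, (ID_DER_ASN1_DN, "CN=win98"), (ID_DER_ASN1_DN, "CN=fbsd"))[0])
```

The prefix-mask and direction checks are a model of what the cmpspidxwild() lines show, not a transcription of racoon's source; the SP index in the log also carries ports (the [0]) and ul_proto, which the model leaves out.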
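On the suggestion to inspect the clear-text start of phase 1: in main mode the first two messages carry the ISAKMP SA proposals unencrypted, and each transform's Authentication Method attribute states whether the peer wants pre-shared key or DSS/RSA signature (certificate) authentication; the ID payload itself travels in the encrypted messages 5 and 6, while aggressive mode sends it in message 1. The Python below is an added example, not from the thread and not PGPNet's or racoon's code; build_phase1_message() constructs an assumed initiator message so the decoder runs offline, and the payload-chain walk is what you would apply to the UDP/500 payload of a captured first packet.

```python
"""Minimal decoder for the clear-text start of an IKEv1 phase-1 exchange:
it walks the ISAKMP payload chain of a message and reports the
Authentication Method each transform proposes. Added example for this thread,
not code from either poster or from racoon/PGPNet; the packet it parses is
constructed below with build_phase1_message(), an assumption, not a capture.
Field layouts follow RFC 2408 (ISAKMP) and RFC 2409 (IKE, Appendix A)."""
import struct

# ISAKMP header: I-cookie, R-cookie, next payload, version, exchange type,
# flags, message id, total length (RFC 2408 section 3.1).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GEN_HDR = struct.Struct("!BBH")            # next payload, reserved, payload length
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3
XCHG_MAIN, XCHG_AGGRESSIVE = 2, 4
FLAG_ENCRYPTED = 0x01
ATTR_ENCR, ATTR_HASH, ATTR_AUTH_METHOD, ATTR_GROUP = 1, 2, 3, 4
AUTH_METHODS = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
                4: "RSA encryption", 5: "revised RSA encryption"}


def parse_attributes(data):
    """Data attributes: 2-byte type whose top bit selects TV form (2-byte
    value) or TLV form (2-byte length followed by the value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, second = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:
            value, off = second, off + 4
        else:
            value, off = data[off + 4:off + 4 + second], off + 4 + second
        attrs[atype & 0x7FFF] = value
    return attrs


def parse_sa_payload(body):
    """body = SA payload minus its generic header: DOI, situation, then
    proposal payloads each holding its transform payloads. Yields
    (proposal#, transform#, attributes)."""
    off = 8                                  # skip DOI and situation
    while off + 8 <= len(body):
        _, _, plen = GEN_HDR.unpack_from(body, off)
        pnum, _proto, spi_size, _ntrans = struct.unpack_from("!BBBB", body, off + 4)
        toff, end = off + 8 + spi_size, off + plen
        while toff + 8 <= end:
            _, _, tlen = GEN_HDR.unpack_from(body, toff)
            tnum, _tid, _ = struct.unpack_from("!BBH", body, toff + 4)
            yield pnum, tnum, parse_attributes(body[toff + 8:toff + tlen])
            toff += tlen
        off = end


def message_is_cleartext(packet):
    """True when the E flag is clear, i.e. payloads can be read off the wire.
    In main mode that is messages 1-4; the ID payload sits in the encrypted
    messages 5 and 6. Aggressive mode sends the ID in message 1."""
    flags = ISAKMP_HDR.unpack_from(packet, 0)[5]
    return not (flags & FLAG_ENCRYPTED)


def proposed_auth_methods(packet):
    """Names of the authentication method in each ISAKMP SA transform of a
    phase-1 message; raises if the message cannot hold a readable SA."""
    _, _, nxt, _, _, flags, msgid, length = ISAKMP_HDR.unpack_from(packet, 0)
    if flags & FLAG_ENCRYPTED:
        raise ValueError("payloads are encrypted: use message 1 or 2 of the exchange")
    if msgid != 0:
        raise ValueError("message id != 0: this is a phase-2 (quick mode) message")
    methods, off = [], ISAKMP_HDR.size
    while nxt != 0 and off + 4 <= min(length, len(packet)):
        following, _, plen = GEN_HDR.unpack_from(packet, off)
        if nxt == PAYLOAD_SA:
            for _, _, attrs in parse_sa_payload(packet[off + 4:off + plen]):
                code = attrs.get(ATTR_AUTH_METHOD)
                methods.append(AUTH_METHODS.get(code, f"unknown({code})"))
        nxt, off = following, off + plen
    return methods


def build_phase1_message(auth_methods, xchg=XCHG_MAIN):
    """Constructed initiator message 1: one proposal, one transform per
    requested auth method (3DES, MD5 and DH group 2 in every transform)."""
    transforms = b""
    for i, auth in enumerate(auth_methods, 1):
        attrs = struct.pack("!HHHHHHHH", 0x8000 | ATTR_ENCR, 5,   # 3DES-CBC
                            0x8000 | ATTR_HASH, 1,                 # MD5
                            0x8000 | ATTR_AUTH_METHOD, auth,
                            0x8000 | ATTR_GROUP, 2)                # 1024-bit MODP
        body = struct.pack("!BBH", i, 1, 0) + attrs                # transform id 1 = KEY_IKE
        nxt = PAYLOAD_TRANSFORM if i < len(auth_methods) else 0
        transforms += GEN_HDR.pack(nxt, 0, 4 + len(body)) + body
    prop = struct.pack("!BBBB", 1, 1, 0, len(auth_methods)) + transforms  # PROTO_ISAKMP, no SPI
    prop = GEN_HDR.pack(0, 0, 4 + len(prop)) + prop
    sa = struct.pack("!II", 1, 1) + prop                           # IPSEC DOI, SIT_IDENTITY_ONLY
    sa = GEN_HDR.pack(0, 0, 4 + len(sa)) + sa
    hdr = ISAKMP_HDR.pack(b"\x5a" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10, xchg, 0, 0,
                          ISAKMP_HDR.size + len(sa))
    return hdr + sa


if __name__ == "__main__":
    pkt = build_phase1_message([3, 1])     # RSA signatures first, PSK as fallback
    print(message_is_cleartext(pkt), proposed_auth_methods(pkt))
```

A peer that only offers "RSA signatures" or "DSS signatures" is doing certificate authentication, and the responder's racoon.conf must offer the same method in its proposal; a captured first packet's UDP payload can be passed to proposed_auth_methods() in place of the constructed one.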