#67 Racoon can't find IPv6 policy for phase 2 as responder

Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-16
Created: 2008-02-01
Creator: Anonymous
Private: No

I'm using ipsec-tools version 0.7 on kernel 2.6.20 and ran into an issue when Linux is the IKE responder.

The symptom is that, between a device and a Linux system, if Linux is the initiator both the MM and QM negotiations go through and traffic is encrypted fine. But if Linux is the responder, the MM negotiation went OK but the QM failed. Racoon processed the first QM payload from the initiator, tried to find a policy and found one, but one that did not require IPsec. The log file logged:

Feb 1 02:45:03 racoon: DEBUG: suitable SP found:fdd8:147f:cbf0:10e0:212:3fff:fe53:4b06/128[0] fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b/128[0] proto=any dir=out
Feb 1 02:45:03 racoon: ERROR: policy found, but no IPsec required: fdd8:147f:cbf0:10e0:212:3fff:fe53:4b06/128[0] fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b/128[0] proto=any dir=out
Feb 1 02:45:03 racoon: ERROR: failed to get proposal for responder.
Feb 1 02:45:03 racoon: ERROR: failed to pre-process packet.
Feb 1 02:45:03 racoon: DEBUG: IV freed

I have the following entries configured in the ipsec-tools.conf.

spdadd fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b icmp6 -P out none;
spdadd fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 icmp6 -P in none;

spdadd fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b any -P out ipsec esp/transport//require;
spdadd fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 any -P in ipsec esp/transport//require;

and the following entries in racoon.conf

sainfo anonymous
{
# Vista doesn't do quick mode PFS,
# so we turn it off on all nodes.
# pfs_group 2;
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}

I also tried putting specific addresses in racoon.conf, but the symptom is still there.
sainfo address fdd8:147f:cbf0:10e0:212:3fff:fe53:4b06 any address fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b any
{
# Vista doesn't do quick mode PFS,
# so we turn it off on all nodes.
# pfs_group 2;
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}
sainfo anonymous
{
# Vista doesn't do quick mode PFS,
# so we turn it off on all nodes.
# pfs_group 2;
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}

The setkey -D -P output shows that the policies are loaded in the kernel:
fdd8:147f:cbf0:1200:212:3fff:fe53:4b06[any] fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b[any] any
out prio def ipsec
esp/transport//require
created: Feb 1 05:48:00 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1161241 seq=13 pid=21606
refcnt=1
fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b[any] fdd8:147f:cbf0:1200:212:3fff:fe53:4b06[any] any
in prio def ipsec
esp/transport//require
created: Feb 1 05:48:00 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1161248 seq=5 pid=21606
refcnt=1

For IPv4, Linux worked fine as a responder. The problem occurred with IPv6 only. Is it a bug, or is my configuration wrong?
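An added cross-check, not part of the original report and not ipsec-tools code: the script below parses setkey-style spdadd entries and racoon's "suitable SP found" log lines, and for each selector racoon picked reports whether it is one of the configured entries and whether that entry requires IPsec. Run on the lines quoted above it reports the selector as not in the configuration, because the log names fdd8:147f:cbf0:10e0:... where the spdadd entries use fdd8:147f:cbf0:1200:...; the report does not say where the 10e0 address comes from, so the script only surfaces the discrepancy rather than explaining it. The sample inputs are copied from the report and constructed for the check; the only log layout it understands is the one shown above.

```python
"""Cross-check racoon's "suitable SP found" log lines against setkey spdadd entries.

Added example (not ipsec-tools code). It understands spdadd lines of the form
    spdadd SRC DST PROTO -P DIR ACTION [POLICY];
and racoon log lines laid out as in the bug report above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input, copied from the bug report above.
SPD_CONF = """
spdadd fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b icmp6 -P out none;
spdadd fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 icmp6 -P in none;
spdadd fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b any -P out ipsec esp/transport//require;
spdadd fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b fdd8:147f:cbf0:1200:212:3fff:fe53:4b06 any -P in ipsec esp/transport//require;
"""

RACOON_LOG = """
Feb 1 02:45:03 racoon: DEBUG: suitable SP found:fdd8:147f:cbf0:10e0:212:3fff:fe53:4b06/128[0] fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b/128[0] proto=any dir=out
Feb 1 02:45:03 racoon: ERROR: policy found, but no IPsec required: fdd8:147f:cbf0:10e0:212:3fff:fe53:4b06/128[0] fdd8:147f:cbf0:1040:212:3fff:fe59:6c8b/128[0] proto=any dir=out
"""


@dataclass(frozen=True)
class SpdEntry:
    src: Network
    dst: Network
    proto: str
    direction: str
    action: str   # "none", "discard" or "ipsec"
    policy: str   # e.g. "esp/transport//require", empty for none/discard


SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+"
    r"(?P<dir>in|out|fwd)\s+(?P<action>none|discard|ipsec)\b(?P<policy>[^;]*);",
    re.MULTILINE,
)

SP_FOUND_RE = re.compile(
    r"suitable SP found:(?P<src>[^/\s]+)/(?P<srclen>\d+)\[\d+\]\s+"
    r"(?P<dst>[^/\s]+)/(?P<dstlen>\d+)\[\d+\]\s+proto=(?P<proto>\S+)\s+dir=(?P<dir>\S+)"
)


def _network(token: str) -> Network:
    """setkey accepts ADDR, ADDR/PREFIX and ADDR[PORT]; drop [PORT] and normalise to a network."""
    return ipaddress.ip_network(re.sub(r"\[[^\]]*\]$", "", token), strict=False)


def parse_spd(conf: str) -> List[SpdEntry]:
    return [SpdEntry(_network(m["src"]), _network(m["dst"]), m["proto"], m["dir"],
                     m["action"], m["policy"].strip()) for m in SPDADD_RE.finditer(conf)]


def parse_sp_found(log: str) -> List[dict]:
    """Selectors racoon reports having picked (the SP's own selector, not the traffic)."""
    return [{"src": ipaddress.ip_network(f'{m["src"]}/{m["srclen"]}', strict=False),
             "dst": ipaddress.ip_network(f'{m["dst"]}/{m["dstlen"]}', strict=False),
             "proto": m["proto"], "dir": m["dir"]} for m in SP_FOUND_RE.finditer(log)]


def classify(conf: str, log: str) -> List[Tuple[str, str]]:
    """Return (selector, verdict) per logged SP: "ipsec" when a configured entry with
    exactly that selector requires IPsec, "none"/"discard" when the configured entry
    deliberately does not, or "not in config" when racoon picked a policy that is not
    one of these spdadd lines (the case in the report above)."""
    entries = parse_spd(conf)
    results = []
    for sp in parse_sp_found(log):
        same = [e for e in entries
                if (e.src, e.dst, e.proto, e.direction) == (sp["src"], sp["dst"], sp["proto"], sp["dir"])]
        if not same:
            verdict = "not in config"
        elif any(e.action == "ipsec" for e in same):
            verdict = "ipsec"
        else:
            verdict = same[0].action
        results.append((f'{sp["src"]} {sp["dst"]} proto={sp["proto"]} dir={sp["dir"]}', verdict))
    return results


if __name__ == "__main__":
    for selector, verdict in classify(SPD_CONF, RACOON_LOG):
        print(f"{selector}: {verdict}")
```

The check compares selectors exactly (same src and dst network, protocol and direction) because racoon's log line describes the policy it selected, not the packet; a "not in config" verdict therefore means the kernel SPD holds a policy that did not come from the quoted spdadd lines, or that the addresses in the report were transcribed differently from the running configuration.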

Discussion

  • Timo Teras
    2009-01-16

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.