
#71 packet doesn't match the negotiated policy in the SA

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-27
Created: 2008-09-17
Creator: Martin Kozelsky
Private: No

If more security policies are used, packets are sent from Linux through a bad SA on some occasions.

I have Linux with kernel 2.6.26 and racoon 0.7.1; the IPSec tunnel is configured to a Cisco ASA with Cisco Adaptive Security Appliance Software Version 8.0(3)19. The Cisco ASA produces this log:

"Sep 17 2008 16:41:13: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47068DBF, sequence number= 0x2D) from 10.76.66.200 (user= 10.76.66.200) to 10.76.66.202. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.10, its source as 192.168.2.1, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.255.0/0/0."

How to get this state:
1. Linux has inner addresses 192.168.2.1/24 and 10.0.0.1/24.
2. The router behind the ASA has inner address 192.168.1.10/24.
3. No ISAKMP/IPSec SAs are established.
4. Ping from 192.168.1.10 to 10.0.0.1: ISAKMP/IPSec SAs are established, pings are passing.
5. Ping from 192.168.2.1 to 192.168.1.10: the IPSec SA isn't established, packets are sent through the bad existing SA, and the ASA produces the warning log!
6. Ping from 192.168.1.10 to 192.168.2.1: the right SA is established, pings are passing, and from 192.168.2.1 to 192.168.1.10 too.

There is some mistake in the handling of the security policy database and the security association database. Output from setkey and the Cisco ASA log is attached.

I tried kernel 2.6.24 first and then 2.6.26 (x86_64, of course), but the situation is the same.

Discussion

  • Output from setkey and Cisco ASA log
  • status: open --> closed
  • The change of level from "required" to "unique" in setkey command "spdadd" solves this problem.
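Added illustration of the SPD change the last comment describes, written against the addresses in the report; it is not the ticket's attachment or any ipsec-tools sample. Both policies share the same tunnel endpoints (10.76.66.200 on Linux, 10.76.66.202 on the ASA, taken from the ASA log), so with level `require` the kernel may push 192.168.2.0/24 traffic into the SA that racoon negotiated for 10.0.0.0/24, which the ASA then rejects because the inner packet does not match that SA's proxy IDs; with `unique` each policy is bound to its own reqid and gets its own phase-2 SA. The reqid values 1 and 2 are arbitrary choices, and the two halves are alternatives, not meant to be loaded together.

```conf
# Constructed example for this ticket; endpoints from the ASA log above.
# Linux tunnel endpoint: 10.76.66.200   Cisco ASA tunnel endpoint: 10.76.66.202

# --- Form that reproduces the report: level "require" ---
# Any ESP tunnel SA between the two endpoints satisfies either policy,
# so the SA negotiated for 10.0.0.0/24 <-> 192.168.1.0/24 is reused for
# 192.168.2.0/24 traffic; the ASA logs %ASA-4-402116 and drops it.
spdadd 10.0.0.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.76.66.200-10.76.66.202/require;
spdadd 192.168.1.0/24 10.0.0.0/24 any -P in ipsec
    esp/tunnel/10.76.66.202-10.76.66.200/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.76.66.200-10.76.66.202/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/10.76.66.202-10.76.66.200/require;

# --- Corrected form: level "unique" with a distinct reqid per policy ---
# Each policy now matches only an SA carrying its own reqid (1 or 2, chosen
# here arbitrarily), so the kernel cannot borrow the first SA for the second
# subnet and racoon negotiates a separate SA with the proxy IDs the ASA expects.
spdadd 10.0.0.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.76.66.200-10.76.66.202/unique:1;
spdadd 192.168.1.0/24 10.0.0.0/24 any -P in ipsec
    esp/tunnel/10.76.66.202-10.76.66.200/unique:1;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.76.66.200-10.76.66.202/unique:2;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/10.76.66.202-10.76.66.200/unique:2;
```

Load whichever half you are testing with `setkey -f <file>` (after `spdflush;`), then compare `setkey -DP` (policies, showing the level and reqid) with `setkey -D` (the SAs racoon actually installed) to confirm that each subnet pair has its own SA.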