[Ipsec-tools-devel] Problems generating automatic policies

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I=B4d like to introduce mysef, my name is Fernando and I am new in this lis=
t,
of course i=B4ve subscribed because i need a little help, i hope i=B4ll be =
able
to not just ask questions but help others too... thanks.

Well my problem is that i can=B4t generete the security policies in racoon,
using the syntax widely known, I put the generate_policy on; passive on;
remote anonymous and sainfo anonymous in my racoon.conf on the server side,
but I always get the same error.

2006-08-14 16:12:20: INFO: begin Aggressive mode.
2006-08-14 16:12:20: INFO: received Vendor ID: DPD
2006-08-14 16:12:20: NOTIFY: couldn't find the proper pskey, try to get one
by the peer's address.
2006-08-14 16:12:20: INFO: ISAKMP-SA established 123.123.123.123[500]-
222.222.222.222[500] spi:b9ee1b7fde2dd49d:e6866b9d09d49cfb
2006-08-14 16:12:20: INFO: respond new phase 2 negotiation: 123.123.123.123
[500]<=3D>222.222.222.222[500]
2006-08-14 16:12:20: INFO: Update the generated policy : 192.168.1.0/24[0]
192.168.0.0/24[0] proto=3Dany dir=3Din
2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 222.222.222.222
[0]->123.123.123.123[0] spi=3D188221412(0xb3807e4)
2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 123.123.123.123
[0]->222.222.222.222[0] spi=3D18652776(0x11c9e68)
2006-08-14 16:12:21: ERROR: such policy does not already exist: "
192.168.1.0/24[0] 192.168.0.0/24[0] proto=3Dany dir=3Din"
2006-08-14 16:12:21: ERROR: such policy does not already exist: "
192.168.1.0/24[0] 192.168.0.0/24[0] proto=3Dany dir=3Dfwd"
2006-08-14 16:12:21: ERROR: such policy does not already exist: "
192.168.0.0/24[0] 192.168.1.0/24[0] proto=3Dany dir=3Dout"

My configuration files are:

Server Side

path pre_shared_key "/etc/racoon/psk.txt";
log debug;
remote anonymous {
        exchange_mode aggressive;
        generate_policy on;
        passive on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
                lifetime time 28800 second;
        }
}

sainfo anonymous {

        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        lifetime time 3600 second;
}

Client Side:

path pre_shared_key "/etc/racoon/psk.txt";

remote 123.123.123.123 {
        exchange_mode aggressive;
        initial_contact on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
                lifetime time 28800 second;
        }
}

sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 second;
}

And both psk.txt with the keys, with those files, commenting out the
generate_policy on statement and running the following script on the server
the VPN works perfectly.

#!/usr/sbin/setkey -f

# Corrente:201.17.146.176

flush;
spdflush;

spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
    esp/tunnel/222.222.222.222-123.123.123.123/require;

spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/123.123.123.123-222.222.222.222/require;

BUT this script is only for testing because the 222.222.222.222 side is
dynamic and of course I have other script in the client "inverted", the
client side is not a problem because i can easy get the IP address from the
Interface.

Am i missing some configuration? Any suggestions?

thanks a lot!

By the way, I=B4m running 0.6.5 version of ipsec-tools in both sides.