[Ipsec-tools-commits] [ ipsec-tools-Bugs-2116476 ] packet doesn't match the negotiated policy in th
From: SourceForge.net <no...@so...> - 2008-09-17 16:34:59
Bugs item #2116476, was opened at 2008-09-17 18:34
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=2116476&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Martin Kozelsky (mkozelsky)
Assigned to: Nobody/Anonymous (nobody)
Summary: packet doesn't match the negotiated policy in the SA

Initial Comment:
If more security policies are used, packets are sent from Linux through a bad SA on some occasions.

I have Linux with kernel 2.6.26 and racoon 0.7.1; the IPSec tunnel is configured to a Cisco ASA with Cisco Adaptive Security Appliance Software Version 8.0(3)19.

Cisco ASA produces this log:

"Sep 17 2008 16:41:13: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47068DBF, sequence number= 0x2D) from 10.76.66.200 (user= 10.76.66.200) to 10.76.66.202. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.10, its source as 192.168.2.1, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.255.0/0/0."

How to get this state:
1. Linux has inner addresses 192.168.2.1/24 and 10.0.0.1/24.
2. The router behind the ASA has inner address 192.168.1.10/24.
3. No ISAKMP/IPSec SAs are established.
4. Make a ping from 192.168.1.10 to 10.0.0.1; ISAKMP/IPSec SAs are established, pings are passing.
5. Make a ping from 192.168.2.1 to 192.168.1.10; the IPSec SA isn't established, packets are sent through the bad existing SA, and the ASA is producing the warning log!
6. Make a ping from 192.168.1.10 to 192.168.2.1; the right SA is established, pings are passing, and from 192.168.2.1 to 192.168.1.10 too.

There is some mistake in the handling of the security policy database and the security association database. Output from setkey and the Cisco ASA log are attached. I tried kernel 2.6.24 first and then 2.6.26 (x86_64, of course), but the situation is the same.
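As an added illustration (not part of the report, and not ipsec-tools or Cisco code), here is a small Python parser for the %ASA-4-402116 message quoted above that re-applies the responder's selector check to the decapsulated packet and names the selector it fails. The directional rule used (inner source must fall inside the remote proxy, inner destination inside the local proxy) is an assumption drawn from the wording of the log line; the sample log is the one from the report.

```python
import ipaddress
import re

# Constructed sample: the %ASA-4-402116 line quoted in the bug report above.
ASA_LOG = (
    "Sep 17 2008 16:41:13: %ASA-4-402116: IPSEC: Received an ESP packet "
    "(SPI= 0x47068DBF, sequence number= 0x2D) from 10.76.66.200 (user= 10.76.66.200) "
    "to 10.76.66.202. The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA. The packet specifies its destination as 192.168.1.10, its "
    "source as 192.168.2.1, and its protocol as 1. The SA specifies its local proxy "
    "as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.255.0/0/0."
)

MSG_RE = re.compile(
    r"destination as (?P<dst>\S+), its source as (?P<src>\S+), and its protocol as "
    r"(?P<proto>\d+)\. The SA specifies its local proxy as (?P<local>\S+) and its "
    r"remote_proxy as (?P<remote>\S+)\."
)

def parse_proxy(text):
    """'192.168.1.0/255.255.255.0/0/0' -> (network, protocol, port); 0 means 'any'."""
    addr, mask, proto, port = text.split("/")
    return ipaddress.IPv4Network(f"{addr}/{mask}"), int(proto), int(port)

def parse_asa_402116(line):
    """Extract the inner-packet selectors and the SA proxies from a 402116 line."""
    m = MSG_RE.search(line)
    if m is None:
        return None  # not a 402116 line (or a format this parser does not know)
    return {
        "src": ipaddress.IPv4Address(m["src"]),
        "dst": ipaddress.IPv4Address(m["dst"]),
        "proto": int(m["proto"]),
        "local": parse_proxy(m["local"]),
        "remote": parse_proxy(m["remote"]),
    }

def selector_covers(proxy, addr, proto):
    """True if the proxy selector (net, proto, port) admits this address/protocol."""
    net, sel_proto, _port = proxy
    return addr in net and sel_proto in (0, proto)

def check_inner_packet(ev):
    """Return the selectors the decapsulated packet violates (empty list = it matches).
    Assumed responder rule: inner src must lie in the remote proxy, inner dst in the local proxy."""
    failures = []
    if not selector_covers(ev["remote"], ev["src"], ev["proto"]):
        failures.append("src %s not in remote proxy %s" % (ev["src"], ev["remote"][0]))
    if not selector_covers(ev["local"], ev["dst"], ev["proto"]):
        failures.append("dst %s not in local proxy %s" % (ev["dst"], ev["local"][0]))
    return failures
```

Run over the quoted line it reports only the source selector failing (192.168.2.1 is outside 10.0.0.0/24), which is exactly the wrong-SA symptom described in step 5; the same packet with source 10.0.0.1 passes.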