[Ipsec-tools-devel] Does setkey support IP address range format?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I noticed that racoon.conf supports IP address range in the "sainfo"
statement  (even though it is undocumented).

For example, if the local policy IP address range is 10.10.1.1 - 10.10.1.2,
and the remote policy IP address range is 192.168.10.99 - 192.168.10.101,
I can use the sainfo statement in racoon.conf as below:

sainfo address 10.10.1.1-10.10.1.2 any address 192.168.10.99-192.168.10.101
any {
            other stuffs ...
}

I wonder that does setkey support the similar IP range syntax in
setkey.conf? Otherwise, I need to use the following lengthy approach.

flush;
spdflush;
spdadd 192.168.10.99/32 10.10.1.1/32 any -P in ipsec
        esp/tunnel/172.24.1.170-172.24.1.166/require;

spdadd 10.10.1.1/32 192.168.10.99/32 any -P out ipsec
        esp/tunnel/172.24.1.166-172.24.1.170/require;

spdadd 192.168.10.99/32 10.10.1.2/32 any -P in ipsec
        esp/tunnel/172.24.1.170-172.24.1.166/require;

spdadd 10.10.1.2/32 192.168.10.99/32 any -P out ipsec
        esp/tunnel/172.24.1.166-172.24.1.170/require;

spdadd 192.168.10.100/31 10.10.1.1/32 any -P in ipsec
        esp/tunnel/172.24.1.170-172.24.1.166/require;

spdadd 10.10.1.1/32 192.168.10.100/31 any -P out ipsec
        esp/tunnel/172.24.1.166-172.24.1.170/require;

spdadd 192.168.10.100/31 10.10.1.2/32 any -P in ipsec
        esp/tunnel/172.24.1.170-172.24.1.166/require;

spdadd 10.10.1.2/32 192.168.10.100/31 any -P out ipsec
        esp/tunnel/172.24.1.166-172.24.1.170/require;

spdadd 172.24.1.170/32 172.24.1.166/32  any -P in ipsec
    esp/tunnel/172.24.1.170-172.24.1.166/require;

spdadd 172.24.1.166/32 172.24.1.170/32 any -P out ipsec
    esp/tunnel/172.24.1.166-172.24.1.170/require;

Another question: How do I initiate the VPN Phase 2 connection for the IP
range case?

I have no problem to establish the Phase 1 SA using the following command:

racoonctl es isakmp inet 172.24.1.166 172.24.1.170

If I tried to "ping -I eth1 -c 1 192.168.10.100" to establish the Phase 2
connection, it failed to get sainfo with following log.

2013-01-10 10:24:24: DEBUG: suitable outbound SP found: 10.10.1.1/32[0]
192.168.10.100/31[0] proto=any dir=out.
2013-01-10 10:24:24: INFO: $$$$$$$$$ getsp 1
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87deb60: 172.24.1.166/32[0]
172.24.1.170/32[0] proto=any dir=out
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87dede8: 172.24.1.170/32[0]
172.24.1.166/32[0] proto=any dir=fwd
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87df070: 172.24.1.170/32[0]
172.24.1.166/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87df2f8: 10.10.1.2/32[0]
192.168.10.100/31[0] proto=any dir=out
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87df580: 192.168.10.100/31[0]
10.10.1.2/32[0] proto=any dir=fwd
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87df808: 192.168.10.100/31[0]
10.10.1.2/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87dfa90: 10.10.1.1/32[0]
192.168.10.100/31[0] proto=any dir=out
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87dfd18: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=fwd
2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: db :0x87dffa0: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in
2013-01-10 10:24:24: DEBUG: suitable inbound SP found: 192.168.10.100/31[0]
10.10.1.1/32[0] proto=any dir=in.
2013-01-10 10:24:24: DEBUG: new acquire 10.10.1.1/32[0]
192.168.10.100/31[0]proto=any dir=out
2013-01-10 10:24:24: [172.24.1.170] DEBUG2: Checking remote conf "s2s"
172.24.1.170[500].
2013-01-10 10:24:24: DEBUG2: enumrmconf: "s2s" matches.
2013-01-10 10:24:24: [172.24.1.170] DEBUG: configuration "s2s" selected.
2013-01-10 10:24:24: DEBUG: getsainfo params: loc='10.10.1.1' rmt='
192.168.10.100/31' peer='NULL' client='NULL' id=2
2013-01-10 10:24:24: DEBUG: evaluating sainfo: loc='10.10.1.1-10.10.1.2',
rmt='192.168.10.99-192.168.10.101', peer='ANY', id=2
2013-01-10 10:24:24: DEBUG: check and compare ids : id type mismatch
IPv4_address_range != IPv4_address
2013-01-10 10:24:24: ERROR: failed to get sainfo.

My local VPN gateway is Fedora 10 running ipsec-tools-0.8.0. The remote VPN
gateway is DLINK DSR-500N.

Thank a lot for any helps.