#71 packet doesn't match the negotiated policy in the SA

closed
nobody
None
5
2014-08-27
2008-09-17
No

If more security policies are used packets are sent from linux throught bad SA in some occasion.

I have linux with kernel 2.6.26 and racoon 0.7.1, IPSec tunnel is configured to Cisco ASA with Cisco Adaptive Security Appliance Software Version 8.0(3)19. Cisco ASA produces this log:

"Sep 17 2008 16:41:13: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47068DBF, sequence number= 0x2D) from 10.76.66.200 (user= 10.76.66.200) to 10.76.66.202. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.10, its source as 192.168.2.1, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.255.0/0/0."

How to get this state:
1. Linux have inner addresses 192.168.2.1/24 and 10.0.0.1/24.
2. Router behind ASA has inner address 192.168.1.10/24.
3. No ISAKMP/IPSec SA are established.
4. Make ping from 192.168.1.10 to 10.0.0.1, ISAKMP/IPSec SA are established, pings are passing.
5. Make ping from 192.168.2.1 to 192.168.1.10, IPSec SA isnt established, pakets are sent throught bad existing SA, ASA is producing warning log!
6. Make ping from 192.168.1.10 to 192.168.2.1, right SA is established, pings are passing and from 192.168.2.1 to 192.168.1.10 too.

There is some mistake with handling security policy database and security association database. Output from setkey and Cisco ASA log is attached.

I tried firstly kernel 2.6.24 and after 2.6.26 (x86_64 of course) but the situation is the same.

Discussion

  • Martin Kozelsky

    Martin Kozelsky - 2008-09-17

    Output from setkey and Cisco ASA log

     
  • Martin Kozelsky

    Martin Kozelsky - 2008-09-19
    • status: open --> closed
     
  • Martin Kozelsky

    Martin Kozelsky - 2008-09-19

    The change of level from "required" to "unique" in setkey command "spdadd" solves this problem.

     

Log in to post a comment.