From: Philipp M. H. <pm...@ti...> - 2008-09-23 16:04:17
Hello!

I'm not subscribed to this list, so please cc: me on replies.

I'm trying to configure a roadwarrior setting. The initiating roadwarrior (XXX.XXX.13.170) SPD looks like this:

spdadd XXX.XXX.13.170 XXX.XXX.22.1 any -P out ipsec esp/transport//require;
spdadd XXX.XXX.22.1 XXX.XXX.13.170 any -P in ipsec esp/transport//require;

The receiving gateway (XXX.XXX.22.1) has no SPs preconfigured, but has "generate_policy on" in racoon's configuration file. I'm using certificates.

If the roadwarrior now pings XXX.XXX.22.1, an SA is created, but the gateway creates the wrong policy:

DEBUG: anonymous sainfo selected.
DEBUG: get sa info: anonymous
DEBUG: get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
DEBUG: get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
DEBUG: get a src address from ID payload XXX.XXX.13.170[500] prefixlen=32 ul_proto=0
DEBUG: get dst address from ID payload XXX.XXX.22.1[500] prefixlen=32 ul_proto=0
INFO: no policy found, try to generate the policy : XXX.XXX.13.170/32[500] XXX.XXX.22.1/32[500] proto=any dir=in
...
INFO: IPsec-SA established: ESP/Transport XXX.XXX.13.170[0]->XXX.XXX.22.1[0] spi=48928478(0x2ea96de)

The policy only matches port 500, so it doesn't match ICMP ECHO_REPLY, which gets rejected by the roadwarrior.

Is this supposed to happen, or how can I force racoon on the gateway to create a policy for [any]?

BYtE
Philipp

PS: The link to the mailing-list-archive (forum_id=32000) on the sourceforge project page and in the README leads to "blackbberrytools-users".

-- 
 / / (_)__ __ ____ __   Philipp Hahn
/ /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\ pm...@ti...
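An added check, not code from the post or from the ipsec-tools project: it scans racoon log lines of the kind quoted above and flags a generated policy whose selector ports are not 0 (any), which is exactly the condition that makes the ICMP echo reply miss the SP. The sample log is constructed, with RFC 5737 documentation addresses standing in for the masked ones.

```python
import re

# Constructed sample: the gateway's racoon log from the post, with the masked
# addresses replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = """\
DEBUG: anonymous sainfo selected.
DEBUG: get a src address from ID payload 192.0.2.170[500] prefixlen=32 ul_proto=0
DEBUG: get dst address from ID payload 198.51.100.1[500] prefixlen=32 ul_proto=0
INFO: no policy found, try to generate the policy : 192.0.2.170/32[500] 198.51.100.1/32[500] proto=any dir=in
INFO: IPsec-SA established: ESP/Transport 192.0.2.170[0]->198.51.100.1[0] spi=48928478(0x2ea96de)
"""

# Shape of the line: "... try to generate the policy : SRC/PFX[PORT] DST/PFX[PORT] proto=P dir=D"
GEN_RE = re.compile(
    r"try to generate the policy : "
    r"(?P<src>[\d.]+)/(?P<spfx>\d+)\[(?P<sport>\d+)\] "
    r"(?P<dst>[\d.]+)/(?P<dpfx>\d+)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)


def parse_generated_policies(log: str) -> list:
    """Return every policy racoon reports generating, with ports as ints."""
    found = []
    for line in log.splitlines():
        m = GEN_RE.search(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            found.append(p)
    return found


def port_restricted(policy: dict) -> bool:
    """A selector port of 0 means 'any'; anything else pins the SP to one port."""
    return policy["sport"] != 0 or policy["dport"] != 0


def find_narrow_policies(log: str) -> list:
    """Flag generated SPs that cover only one port and so miss ordinary traffic."""
    warnings = []
    for p in parse_generated_policies(log):
        if port_restricted(p):
            warnings.append(
                f"generated SP {p['src']}[{p['sport']}] -> {p['dst']}[{p['dport']}] "
                f"dir={p['dir']} is limited to port(s) {p['sport']}/{p['dport']}; "
                "traffic on other ports (e.g. ICMP echo reply) will not match it"
            )
    return warnings


if __name__ == "__main__":
    for w in find_narrow_policies(SAMPLE_LOG):
        print("WARN:", w)
```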