From: Philipp Matthias Hahn <pmhahn@ti...> - 2008-09-23 16:04:17
I'm not subscribed to this list, so please cc: me on replies.
I'm trying to configure a roadwarrior setting. The initiating
roadwarrior (XXX.XXX.13.170) SPD looks like this:
spdadd XXX.XXX.13.170 XXX.XXX.22.1 any -P out ipsec esp/transport//require;
spdadd XXX.XXX.22.1 XXX.XXX.13.170 any -P in ipsec esp/transport//require;
The receiving gateway (XXX.XXX.22.1) has no SPs preconfigured, but has
"generate_policy on" in racoon's configuration file.
I'm using certificates. If the roadwarrior now pings XXX.XXX.22.1, an SA
is created, but the gateway creates the wrong policy:
DEBUG: anonymous sainfo selected.
DEBUG: get sa info: anonymous
DEBUG: get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
DEBUG: get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
DEBUG: get a src address from ID payload XXX.XXX.13.170 prefixlen=32 ul_proto=0
DEBUG: get dst address from ID payload XXX.XXX.22.1 prefixlen=32 ul_proto=0
INFO: no policy found, try to generate the policy : XXX.XXX.13.170/32 XXX.XXX.22.1/32 proto=any dir=in
INFO: IPsec-SA established: ESP/Transport XXX.XXX.13.170->XXX.XXX.22.1 spi=48928478(0x2ea96de)
The policy only matches port 500, so it doesn't match ICMP ECHO_REPLY,
which gets rejected by the roadwarrior.
Is this supposed to happen or how can I force racoon on the gateway to
create a policy for [any]?
PS: The link to the mailing list archive (forum_id=32000) on the
SourceForge project page and in the README leads to
/ / (_)__ __ ____ __ Philipp Hahn
/ /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\ pmhahn@...
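An added checker, not from the post or from ipsec-tools, for the kind of spdadd statements shown above: it parses a subset of setkey(8) syntax and answers whether a given flow is required to use IPsec, which shows why a cleartext ECHO_REPLY is dropped by the roadwarrior's "in ipsec" policy. The addresses 192.0.2.170 and 198.51.100.1 are constructed stand-ins for the masked XXX.XXX.* values, and GW_SPD_GENERATED is a constructed rendering of the port-500-only policy the post describes.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the XXX.XXX.13.170 / XXX.XXX.22.1 addresses in the post.
ROADWARRIOR, GATEWAY = "192.0.2.170", "198.51.100.1"
# The roadwarrior SPD from the post, with the esp/transport//require policy spelled out.
RW_SPD = f"""spdadd {ROADWARRIOR} {GATEWAY} any -P out ipsec esp/transport//require;
spdadd {GATEWAY} {ROADWARRIOR} any -P in ipsec esp/transport//require;"""
# Constructed rendering of what the post says the gateway generated: an SP limited to port 500.
GW_SPD_GENERATED = f"spdadd {ROADWARRIOR}[500] {GATEWAY}[500] udp -P in ipsec esp/transport//require;"
# Subset of setkey(8): address[/prefix][[port]] endpoints and "spdadd src dst upperspec -P dir action ...".
ENDPOINT_RE = re.compile(r"^(?P<addr>[^/\[]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>\w+)\])?$")
SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|none|discard)")

@dataclass
class Endpoint:
    net: ipaddress.IPv4Network
    port: "int | None"  # None means any port

    @classmethod
    def parse(cls, text):
        m = ENDPOINT_RE.match(text)
        if not m:
            raise ValueError(f"bad endpoint: {text}")
        net = ipaddress.ip_network(f"{m['addr']}/{m['plen'] or 32}", strict=False)
        return cls(net, None if m["port"] in (None, "any") else int(m["port"]))

@dataclass
class Policy:
    src: Endpoint
    dst: Endpoint
    proto: str  # "any" or an upper-layer protocol name such as "icmp" or "udp"
    direction: str  # "in" or "out"
    action: str  # "ipsec", "none" or "discard"

def parse_spd(text):
    """Parse each ';'-terminated spdadd statement into a Policy (statements that do not parse are skipped)."""
    found = (SPDADD_RE.search(stmt) for stmt in text.split(";"))
    return [Policy(Endpoint.parse(m[1]), Endpoint.parse(m[2]), m[3], m[4], m[5]) for m in found if m]

def lookup(policies, src, dst, proto, direction, sport=None, dport=None):
    """First SP matching the flow, or None: with no SP the packet passes in the clear."""
    for p in policies:
        if (p.direction == direction and p.proto in ("any", proto)
                and ipaddress.ip_address(src) in p.src.net and ipaddress.ip_address(dst) in p.dst.net
                and p.src.port in (None, sport) and p.dst.port in (None, dport)):
            return p
    return None
```

Looking up the ICMP reply GATEWAY->ROADWARRIOR against GW_SPD_GENERATED returns None (sent in the clear), while the same flow against RW_SPD returns the "in ipsec" policy, so the unprotected reply is rejected; a gateway SP with upperspec "any" and "-P out ipsec" makes the first lookup succeed.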