From: Jean K. <jkh...@np...> - 2006-07-28 22:54:09
I have the following setup:

    HostA --- GWA ----- GWB --- HostB

    HostA IP Address   = 192.168.2.11
    GWA IP Addresses   = 192.168.2.1 and 192.168.1.100
    GWB IP Addresses   = 192.168.1.1 and 192.168.0.27
    HostB IP Address   = 192.168.0.130

    O/S on GWA and GWB = Linux 2.6.11-1.1369_FC4
    ipsec-tools        = ipsec-tools-0.6.4

Host A is my client (with a web browser) and Host B is my webserver. Host A and B can't do IPSec themselves. GWA and GWB provide the IPSec tunnel for A and B.

I encountered a problem when sainfo in racoon.conf has a netmask of /32 for A or B. I expect to have many instances of host A and want each to use a different SA (tunnel). The gateways try to establish a tunnel, but the log indicates that racoon can't find sainfo. I have tried this with other netmasks (/24 and /31) and it works fine.

Any idea why /32 doesn't work? Is this a documented restriction? If so, I couldn't find it anywhere.

The following is the log message for the error:

Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: isakmp_quick.c:1839:get_sainfo_r(): failed to get sainfo.
Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: isakmp_quick.c:1058:quick_r1recv(): failed to get sainfo.
Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: isakmp.c:1302:isakmp_ph2begin_r(): failed to pre-process packet.

The following is the setkey for GWA:

flush;
spdflush;
spdadd 192.168.2.11/32[any] 192.168.0.0/24[80] tcp -P out ipsec esp/tunnel/192.168.1.100-192.168.1.1/unique;
spdadd 192.168.0.0/24[80] 192.168.2.11/32[any] tcp -P in ipsec esp/tunnel/192.168.1.1-192.168.1.100/unique;

The following is the racoon.conf for GWA:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.1.1 {
        exchange_mode main;
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm rijndael, rijndael 192, rijndael 256, 3des, des, blowfish 128, blowfish 192, blowfish 256, blowfish 448, twofish 128, twofish 192, twofish 256, null_enc;
        authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

The following is the setkey for GWB:

flush;
spdflush;
spdadd 192.168.2.11/32[any] 192.168.0.0/24[80] tcp -P in ipsec esp/tunnel/192.168.1.100-192.168.1.1/unique;
spdadd 192.168.0.0/24[80] 192.168.2.11/32[any] tcp -P out ipsec esp/tunnel/192.168.1.1-192.168.1.100/unique;

The following is the racoon.conf for GWB:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.1.100 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.0.0/24 [80] tcp address 192.168.2.11/32 [any] tcp {
        pfs_group modp768;
        encryption_algorithm null_enc;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
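A consistency check a practitioner can run before touching racoon when "failed to get sainfo" appears: does the responder's sainfo actually select the initiator's outbound policy? The script below is an added example, not code from the post or from ipsec-tools. It parses the setkey spdadd lines and racoon sainfo lines quoted above (used here as constructed sample input) and applies a model of the selector comparison that is an assumption, not a reading of racoon's source: the responder's sainfo local selector must equal the destination of the initiator's outbound policy and its remote selector must equal that policy's source, with the network compared exactly (address and prefix length), and the port and protocol compared exactly unless the sainfo says any. A second, deliberately mis-scoped sainfo (remote widened to /24) is included to show that under exact comparison a wider subnet does not cover a /32 host policy.

```python
"""Check that a responder's racoon sainfo selectors cover an initiator's SPD.

Added example (not from the post or from ipsec-tools). The matching rule is a
model and an assumption: networks must be identical (same address and prefix),
ports and protocols must be identical unless the sainfo side says "any".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Selector:
    net: ipaddress.IPv4Network
    port: str   # decimal port or "any"
    proto: str  # "tcp", "udp", "any", ...

    def matches(self, other: "Selector") -> bool:
        # Exact network match: a /24 sainfo does not cover a /32 policy here.
        if self.net != other.net:
            return False
        if self.port != "any" and self.port != other.port:
            return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    src: Selector
    dst: Selector
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class Sainfo:
    local: Selector
    remote: Selector


# setkey: spdadd SRC[PORT] DST[PORT] PROTO -P in|out ...
SPD_RE = re.compile(r"spdadd\s+(\S+?)\[(\w+)\]\s+(\S+?)\[(\w+)\]\s+(\w+)\s+-P\s+(in|out)")
# racoon: sainfo address LOCAL [PORT] PROTO address REMOTE [PORT] PROTO { ... }
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s*\[(\w+)\]\s+(\w+)\s+address\s+(\S+)\s*\[(\w+)\]\s+(\w+)")


def _sel(addr: str, port: str, proto: str) -> Selector:
    return Selector(ipaddress.ip_network(addr, strict=False), port, proto)


def parse_spd(text: str) -> List[Policy]:
    return [Policy(_sel(s, sp, pr), _sel(d, dp, pr), direction)
            for s, sp, d, dp, pr, direction in SPD_RE.findall(text)]


def parse_sainfo(text: str) -> List[Sainfo]:
    return [Sainfo(_sel(la, lp, lpr), _sel(ra, rp, rpr))
            for la, lp, lpr, ra, rp, rpr in SAINFO_RE.findall(text)]


def find_sainfo(policy: Policy, sainfos: List[Sainfo]) -> Optional[Sainfo]:
    """Return the responder sainfo that selects this outbound policy, or None."""
    for si in sainfos:
        if si.local.matches(policy.dst) and si.remote.matches(policy.src):
            return si
    return None


# Constructed sample input: GWA's SPD and GWB's sainfo as quoted in the post,
# plus one deliberately mis-scoped sainfo whose remote side is /24, not /32.
GWA_SPD = """
spdadd 192.168.2.11/32[any] 192.168.0.0/24[80] tcp -P out ipsec esp/tunnel/192.168.1.100-192.168.1.1/unique;
spdadd 192.168.0.0/24[80] 192.168.2.11/32[any] tcp -P in ipsec esp/tunnel/192.168.1.1-192.168.1.100/unique;
"""
GWB_SAINFO_AS_POSTED = "sainfo address 192.168.0.0/24 [80] tcp address 192.168.2.11/32 [any] tcp { }"
GWB_SAINFO_TOO_WIDE = "sainfo address 192.168.0.0/24 [80] tcp address 192.168.2.0/24 [any] tcp { }"


def report(spd_text: str, sainfo_text: str) -> Dict[str, bool]:
    """Map each outbound policy (as 'src[port] -> dst[port]') to whether a sainfo selects it."""
    sainfos = parse_sainfo(sainfo_text)
    return {f"{p.src.net}[{p.src.port}] -> {p.dst.net}[{p.dst.port}]":
            find_sainfo(p, sainfos) is not None
            for p in parse_spd(spd_text) if p.direction == "out"}


if __name__ == "__main__":
    for label, cfg in (("as posted", GWB_SAINFO_AS_POSTED),
                       ("remote widened to /24", GWB_SAINFO_TOO_WIDE)):
        for policy, ok in report(GWA_SPD, cfg).items():
            print(f"{label}: {policy}: {'sainfo found' if ok else 'no matching sainfo'}")
```

Under this model the configuration as posted pairs up, so a "failed to get sainfo" that persists points at something the text of the two files does not show (for example how the peer encodes a /32 in its phase 2 identity), which is exactly the kind of thing worth asking the list about rather than guessing from the selectors alone.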