[Ipsec-tools-devel] Question on IPSec racoon

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I have the following setup:

HostA --- GWA ----- GWB --- HostB

HostA IP Address = 192.168.2.11
GWA IP Addresses = 192.168.2.1 and 192.168.1.100
GWB IP Addresses = 192.168.1.1 and 192.168.0.27
HostB IP Address = 192.168.0.130

O/S on GWA and GWB = Linux 2.6.11-1.1369_FC4
ipsec-tools = ipsec-tools-0.6.4

Host A is my client (with a webbrowser) and Host B is my webserver.
Host A and B can't do IPSec themselves.
GWA and GWB provide IPSec tunnel for A and B.
I encountered a problem when sainfo in racoon.conf has a netmask of /32 for 
A or B.
I expect to have many instances of host A and want each to use a different 
SA (tunnel).

The gateways try to establish a tunnel, but the log indicates that racoon 
can't find sainfo.

I have tried this with other netmasks (/24 and /31) and it works fine.

Any idea why /32 doesn't work? Is this a documented restriction? If so, I 
couldn't find it anywhere.

The following is the log message for the error:
Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: 
isakmp_quick.c:1839:get_sainfo_r(): failed to get sainfo.

Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: 
isakmp_quick.c:1058:quick_r1recv(): failed to get sainfo.

Jul 27 09:22:02 gwb racoon: 2006-07-27 09:22:02: ERROR: 
isakmp.c:1302:isakmp_ph2begin_r(): failed to pre-process packet.

The following is the setkey for GWA:

flush;
spdflush;

spdadd 192.168.2.11/32[any] 192.168.0.0/24[80] tcp -P out ipsec 
esp/tunnel/192.168.1.100-192.168.1.1/unique;

spdadd 192.168.0.0/24[80] 192.168.2.11/32[any] tcp -P in ipsec 
esp/tunnel/192.168.1.1-192.168.1.100/unique;

The following is the racoon.conf for GWA:
path include "/etc/racoon";

path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

remote 192.168.1.1 {

    exchange_mode main;

    generate_policy on;

    proposal {

        encryption_algorithm 3des;

        hash_algorithm md5;

        authentication_method pre_shared_key;

        dh_group modp1024;

    }

}

sainfo anonymous {

    pfs_group modp768;

    encryption_algorithm rijndael, rijndael 192, rijndael 256, 3des, des, 
blowfish 128, blowfish 192, blowfish 256, blowfish 448, twofish 128, twofish 
192, twofish 256, null_enc;

    authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;

    compression_algorithm deflate;

}

The following is the setkey for GWB:

flush;
spdflush;

spdadd 192.168.2.11/32[any] 192.168.0.0/24[80] tcp -P in ipsec 
esp/tunnel/192.168.1.100-192.168.1.1/unique;

spdadd 192.168.0.0/24[80] 192.168.2.11/32[any] tcp -P out ipsec 
esp/tunnel/192.168.1.1-192.168.1.100/unique;

The following is the racoon.conf for GWB:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

remote 192.168.1.100 {

    exchange_mode main;

    proposal {

        encryption_algorithm 3des;

        hash_algorithm md5;

        authentication_method pre_shared_key;

        dh_group modp1024;

    }

}

sainfo address 192.168.0.0/24 [80] tcp address 192.168.2.11/32 [any] tcp {

    pfs_group modp768;

    encryption_algorithm null_enc;

    authentication_algorithm hmac_md5;

    compression_algorithm deflate;

}