[Ipsec-tools-devel] racoon - 'pfkey X_SPDUPDATE failed: Invalid argument' message on server when client requests NAT-T

[Victor B. <Vic...@qu...>]

Hi there,

I've got a debian linux box running racoon 0.6.6, which listens for both
regular and NAT-T encapsulated connections. It's a road warrior setup
with the following config:


/********************** racoon.conf (excerpt)
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage
your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it,
instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and alsoread setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/certs/vpn";

listen {
    isakmp 59.167.247.164 [500];
    isakmp_natt 59.167.247.164 [4500];
}

# 'road-warrior' config using key pairs

remote anonymous
{
    exchange_mode main;
    my_identifier fqdn "vpn.quantium.com.au";
#    certificate_type x509 "quibble_vpn_cert.pem" "quibble_vpn_key.pem"
;
#    certificate_type x509 "quibble_vpn_07_cert.pem"
"quibble_vpn_07_key.pem" ;
#    certificate_type x509 "quantium_vpn_07_2_cert.pem"
"quantium_vpn_07_2_key.pem" ;
    certificate_type x509 "quantium_vpn_07_3_cert.pem"
"quantium_vpn_07_3_key.pem" ;
    certificate_type x509 "garretti_07_cert.pem" "garretti_07_key.pem" ;
    ca_type x509 "cacert.pem";
    lifetime time 1 hour ;      # sec,min,hour
    passive on;
    generate_policy on;
    nat_traversal on;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2;
    }
    proposal
    {
       encryption_algorithm 3des;
       hash_algorithm md5;
       authentication_method rsasig ;
       dh_group 2;
    }
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# quick mode description for all connections
sainfo anonymous
{
    pfs_group 2;
    lifetime time 10 min ;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
/**********************=20

Whenever a client attempts to connect to the road warrior policy using
ESP with no NAT Traversal, everything works fine. Whenever a client
attempts to connect with NAT-T, racoon doesn't generate the policy on
its end properly. As a result, the client thinks the tunnel is
established but no traffic goes through.

The following errors are reported in the log when this happens (shown
with a few lines of context - can provide further back on request):

/******************************

19:03:01 racoon: DEBUG: KEYMAT computed.
19:03:01 racoon: DEBUG: call pk_sendupdate
19:03:01 racoon: DEBUG: encryption(3des)
19:03:01 racoon: DEBUG: hmac(hmac_sha1)
19:03:01 racoon: DEBUG: call pfkey_send_update_nat
19:03:01 racoon: DEBUG: pfkey update sent.
19:03:01 racoon: DEBUG: encryption(3des)
19:03:01 racoon: DEBUG: hmac(hmac_sha1)
19:03:01 racoon: DEBUG: call pfkey_send_add_nat
19:03:01 racoon: DEBUG: pfkey add sent.
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(inbound) sent.
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(outbound) sent.
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0]
192.168.1.1/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0]
192.168.1.1/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0]
192.168.2.10/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Din
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0]
192.168.2.10/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0]
192.168.1.1/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0]
192.168.2.10/32[0] proto=3Dany dir=3Dout
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0]
192.168.16.0/24[0] proto=3Dany dir=3Dfwd
19:03:01 racoon: DEBUG: get pfkey UPDATE message
19:03:01 racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
143.238.212.72[0]->59.167.247.164[0] spi=3D57177202(0x368
7472)
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel
143.238.212.72[0]->59.167.247.164[0] spi=3D57177202(0x368747
2)
19:03:01 racoon: DEBUG: =3D=3D=3D
19:03:01 racoon: DEBUG: get pfkey ADD message
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel
59.167.247.164[0]->143.238.212.72[0] spi=3D207298076(0xc5b1e
1c)
19:03:01 racoon: DEBUG: =3D=3D=3D
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
19:03:21 racoon: DEBUG: =3D=3D=3D
/******************************

The "extra" db entries are normal, as there are actually other static
policies defined on the server other than the road warrior one, so it is
checking the client's proposal first against those.=20

What seems to be the problem is the ' pfkey X_SPDUPDATE failed: Invalid
argument' message - whenever I see this, the policy on the server side
has not been set up properly.=20

Given this is a road warrior config, it would be really nice to have
NAT-T working. If anyone could provide even some suggestions as to what
to investigate, I would be very grateful.

More background info follows.

quibble:~# setkey -V
setkey @(#) ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

quibble:~# uname -a
Linux quibble 2.6.21.4vb20070609 #2 Sat Jun 9 19:23:37 EST 2007 i686
GNU/Linux

quibble:~# lsmod
Module                  Size  Used by
xt_mark                 2048  5
xt_MARK                 2432  2
xt_state                2688  9
ipt_MASQUERADE          3584  1
xt_multiport            3200  2
ipt_recent              8984  2
ipt_LOG                 6144  5
xt_limit                2816  5
iptable_mangle          2944  1
nf_nat_ftp              3584  0
nf_conntrack_ftp        9600  1 nf_nat_ftp
iptable_nat             7428  1
nf_nat                 16556  3 ipt_MASQUERADE,nf_nat_ftp,iptable_nat
xt_TCPMSS               4992  0
xt_tcpmss               2432  0
xt_tcpudp               3328  35
iptable_filter          3200  1
ip_tables              11592  3
iptable_mangle,iptable_nat,iptable_filter
x_tables               14340  13
xt_mark,xt_MARK,xt_state,ipt_MASQUERADE,xt_multiport,ipt_recent,ipt_LOG,
xt_limit,iptable_nat,xt_TCPMSS,xt_tcpmss,xt_tcpudp,ip_tables
pppoe                  12736  2
pppox                   3720  1 pppoe
ppp_generic            24980  6 pppoe,pppox
slhc                    6144  1 ppp_generic
ipv6                  223328  26
smbfs                  57592  2
twofish                 8576  0
twofish_common         36352  1 twofish
serpent                19072  0
blowfish                9472  0
ecb                     3584  0
aes                    28224  0
xcbc                    5512  0
sha256                 11264  0
crypto_null             2688  0
dm_snapshot            16416  0
dm_mirror              18964  0
dm_mod                 51276  2 dm_snapshot,dm_mirror
tsdev                   7744  0
i810_audio             31636  0
ac97_codec             16140  1 i810_audio
snd_intel8x0           31260  0
snd_ac97_codec         90656  1 snd_intel8x0
intel_agp              23196  1
ac97_bus                2432  1 snd_ac97_codec
snd_pcm                68744  2 snd_intel8x0,snd_ac97_codec
snd_timer              19844  1 snd_pcm
snd                    46692  4
snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
soundcore               7392  2 i810_audio,snd
parport_pc             32292  0
i2c_i801                8208  0
agpgart                31792  1 intel_agp
rtc                    11672  0
snd_page_alloc          9736  2 snd_intel8x0,snd_pcm
parport                32840  1 parport_pc
psmouse                34696  0
evdev                   9344  0
serio_raw               6660  0
floppy                 52932  0
i2c_core               20624  1 i2c_i801
pcspkr                  2944  0
ext3                  118280  5
jbd                    49832  1 ext3
mbcache                 7940  1 ext3
ide_cd                 36256  0
cdrom                  32928  1 ide_cd
ide_disk               15616  7
8139too                24576  0
8139cp                 21120  0
e100                   32392  0
mii                     5504  3 8139too,8139cp,e100
piix                    9476  0 [permanent]
ide_core              108812  3 ide_cd,ide_disk,piix
ehci_hcd               29452  0
uhci_hcd               21648  0
usbcore               120088  3 ehci_hcd,uhci_hcd

Cheers,

V