From: Phil N. <phi...@gm...> - 2018-10-05 09:48:28
Hello everyone,
I am struggling with a configuration for a small subnet. The basic outline
is as follows:
- ipsec-tools 0.8.2 on both machines
- transport mode, no NAT (at least not yet, NAT will be added later)
Host A (usually initiator, but I tried the other way round as well)
======
IP 10.0.0.1
ipsec-tools.conf:
-----------------
spdadd 10.0.0.0/25 10.0.0.254 any -P out priority 1 ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.254 10.0.0.0/25 any -P in priority 1 ipsec
esp/transport//require
ah/transport//require;
racoon.conf:
------------
[ ... ]
sainfo address 10.0.0.0/25 any address 10.0.0.254 any
{
...
}
Host B (usually responder)
======
IP 10.0.0.254
ipsec-tools.conf:
-----------------
spdadd 10.0.0.254 10.0.0.0/25 any -P out priority 0 ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.0/25 10.0.0.254 any -P in priority 0 ipsec
esp/transport//require
ah/transport//require;
racoon.conf:
------------
[ ... ]
sainfo address 10.0.0.254 any address 10.0.0.0/25 any
{
...
}
Using this config, phase 1 works. However, the connection setup gets stuck
at phase 2, where I get the following on the responder side:
racoon: DEBUG: getsainfo params: loc='10.0.0.254' rmt='10.0.0.1' peer='C=UK, O=Marvin, CN=alpha.marvin' client='10.0.0.1' id=0
racoon: DEBUG: evaluating sainfo: loc='10.0.0.254', rmt='10.0.0.0/25', peer='ANY', id=0
racoon: DEBUG: check and compare ids : values matched (IPv4_address)
racoon: DEBUG: cmpid target: '10.0.0.254'
racoon: DEBUG: cmpid source: '10.0.0.254'
racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
racoon: DEBUG: cmpid target: '10.0.0.1'
racoon: DEBUG: cmpid source: '10.0.0.0/25'
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to get sainfo.
racoon: [10.0.0.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
I would expect that either '10.0.0.1' and '10.0.0.0/25' yield a match, or
that the initiator sends '10.0.0.0/25' instead of '10.0.0.1' (based on
ipsec-tools.conf settings). Am I wrong? If so, what is the correct way to
configure a specific sainfo setting?
Of course, if I change 'address 10.0.0.0/25 any' on the responder side, the
connection is set up as intended. The point is, however, that I would like
to have different settings for several different IP ranges.
Thanks a lot for any hints!
Phil
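The debug lines quoted in the post show the responder comparing the initiator's Phase 2 ID against each sainfo entry: the IDs are first classified by type (IPv4_address vs IPv4_subnet) and a single address is reported as a mismatch against a subnet rather than being tested for containment. The following is an added example, not racoon's code and not part of the original post: a small model that parses the `cmpid target`/`cmpid source` pairs from a constructed copy of those log lines, reproduces the strict comparison the log shows, and evaluates the containment check the poster expected, so the two outcomes can be compared for each pair. The function names and the parsing of the log format are assumptions made for the example.

```python
"""Model of the Phase 2 sainfo ID comparison visible in the racoon log.

Constructed example, not racoon's code. It classifies each ID the way the
log labels it (IPv4_address vs IPv4_subnet), reproduces the strict
comparison the log shows (an address never matches a subnet) and also
evaluates the containment check the post expected, side by side.
"""
import ipaddress
import re

# Constructed copy of the relevant DEBUG lines from the post.
RACOON_LOG = """\
racoon: DEBUG: cmpid target: '10.0.0.254'
racoon: DEBUG: cmpid source: '10.0.0.254'
racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
racoon: DEBUG: cmpid target: '10.0.0.1'
racoon: DEBUG: cmpid source: '10.0.0.0/25'
"""

# Matches the quoted value of a 'cmpid target' or 'cmpid source' line.
CMPID_RE = re.compile(r"cmpid (target|source): '([^']+)'")


def classify(text):
    """Return ('IPv4_subnet', network) or ('IPv4_address', address)."""
    if "/" in text:
        return "IPv4_subnet", ipaddress.ip_network(text, strict=False)
    return "IPv4_address", ipaddress.ip_address(text)


def strict_match(target, source):
    """Comparison as the log shows it: types must agree, then values must be equal."""
    ttype, tval = classify(target)
    stype, sval = classify(source)
    return ttype == stype and tval == sval


def containment_match(target, source):
    """Comparison the poster expected: an address matches a subnet containing it."""
    ttype, tval = classify(target)
    stype, sval = classify(source)
    if ttype == stype:
        return tval == sval
    addr, net = (tval, sval) if ttype == "IPv4_address" else (sval, tval)
    return addr in net


def extract_pairs(log):
    """Pair each 'cmpid target' line with the 'cmpid source' line that follows it."""
    pairs, pending = [], None
    for match in CMPID_RE.finditer(log):
        role, value = match.groups()
        if role == "target":
            pending = value
        elif pending is not None:
            pairs.append((pending, value))
            pending = None
    return pairs


def evaluate(log):
    """For every target/source pair return (target, source, strict, containment)."""
    return [(t, s, strict_match(t, s), containment_match(t, s))
            for t, s in extract_pairs(log)]


if __name__ == "__main__":
    for t, s, strict, contained in evaluate(RACOON_LOG):
        print(f"{t:>12} vs {s:<12} strict={strict!s:<5} containment={contained}")
```

Run against the log excerpt, the first pair (10.0.0.254 vs 10.0.0.254) matches under both rules, while the second (10.0.0.1 vs 10.0.0.0/25) fails the strict comparison but passes containment, which is exactly the gap between the log output and the poster's expectation.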