tech-net archive


pfkey UPDATE and ADD failed with IPsec



Hi,

after I found out that an "rsasig" Roadwarrior client with IKE mode config
does not work with Racoon, I wanted to try something proven, which many
people successfully configured: "hybrid_rsa_client" (configuration
attached).

I initiate the connection and enter my password:
# racoonctl vc -u frank 77.182.71.224

Phase 1 is established, racoonctl returned, the MOTD is displayed and even
mode config worked fine, assigning me an IP address and a gateway. The
phase1-up script entered the correct SPD policies (192.168.0.90 is the
first address from my "mode-configured" VPN pool):

# setkey -DP
0.0.0.0/0[any] 192.168.0.90[any] reserved
    in ipsec
    esp/tunnel/77.182.71.224-192.168.1.5/require
    spid=8 seq=1 pid=2094
    refcnt=1
192.168.0.90[any] 0.0.0.0/0[any] reserved
    out ipsec
    esp/tunnel/192.168.1.5-77.182.71.224/require
    spid=7 seq=0 pid=2094
    refcnt=1


There are no SAD entries yet, and phase 2 was not attempted. But I guess
this is normal. Phase 2 is established when accessing an address from my
VPN network, e.g. by typing "ping 192.168.0.100".

But it looks like Racoon cannot update the SA database? The following
happens:

/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_update: no SA index found.
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_setsaval: unable to initialize SA type 3.
racoon: ERROR: pfkey UPDATE failed: No such file or directory 
racoon: ERROR: pfkey ADD failed: Invalid argument 
racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.


Any idea why there is no SA index found? What is wrong with type 3?
This is a macppc running a 7.0 kernel.

Just one of the required two(?) SAD entries appears.
# setkey -D
77.182.71.224 192.168.1.5 
        esp mode=tunnel spi=29020503(0x01bad157) reqid=0(0x00000000)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval 
        sadb_seq=0 pid=2777 refcnt=1


The VPN gateway (NetBSD/i386 6.1.5) doesn't seem to have any problem with
the keys:

/netbsd: key_update: type 2, sport = 50185, dport = 37905
/netbsd: key_update: type 2, sport = 37905, dport = 50185
racoon: INFO: IPsec-SA established: ESP/Tunnel
77.182.71.224[500]->91.56.227.155[500] spi=88411440(0x5450d30) 
racoon: INFO: IPsec-SA established: ESP/Tunnel
77.182.71.224[500]->91.56.227.155[500] spi=29020503(0x1bad157) 


Racoon client configuration, client/gateway logs and tcpdumps attached.

-- 
Frank Wille

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "epia"
{
	remote_address 77.182.71.224;
	exchange_mode main,base;

	my_identifier asn1dn;

	certificate_type x509 "client1crt.pem" "client1key.pem";
	ca_type x509 "epiaCA.pem";

	mode_cfg on;	# ISAKMP mode config
	dpd_delay 20;	# peer detection (alive check)
	nat_traversal on;	# force

	ike_frag on;
	script "phase1-up.sh" phase1_up;
	script "phase1-down.sh" phase1_down;
	lifetime time 8 hour;

	proposal {
		encryption_algorithm aes;
		hash_algorithm md5;
		authentication_method hybrid_rsa_client;
		dh_group 2;
	}

	proposal_check obey;
}

sainfo anonymous
{
	pfs_group 2;
	lifetime time 8 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

Mar  4 18:35:10 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-77.182.71.224[4500] spi:a34c5592983a1a43:995dcb31c1574658 
Mar  4 18:35:10 powerbook racoon: WARNING: Ignored attribute UNITY_BANNER 
Mar  4 18:35:10 powerbook racoon: WARNING: Ignored attribute UNITY_SPLITDNS_NAME 
Mar  4 18:35:10 powerbook racoon: WARNING: Ignored attribute APPLICATION_VERSION 
Mar  4 18:35:10 powerbook racoon: INFO: unsupported PF_KEY message REGISTER 
Mar  4 18:35:24 powerbook racoon: INFO: initiate new phase 2 negotiation: 192.168.1.5[4500]<=>77.182.71.224[4500] 
Mar  4 18:35:24 powerbook racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3). 
Mar  4 18:35:25 powerbook racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
Mar  4 18:35:25 powerbook racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
Mar  4 18:35:25 powerbook /netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
Mar  4 18:35:25 powerbook /netbsd: key_update: no SA index found.
Mar  4 18:35:25 powerbook /netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
Mar  4 18:35:25 powerbook /netbsd: key_setsaval: unable to initialize SA type 3.
Mar  4 18:35:25 powerbook racoon: ERROR: pfkey UPDATE failed: No such file or directory 
Mar  4 18:35:25 powerbook racoon: ERROR: pfkey ADD failed: Invalid argument 
Mar  4 18:35:54 powerbook racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait. 

Mar  4 18:35:12 epia racoon: INFO: ISAKMP-SA established 77.182.71.224[4500]-91.56.227.155[2500] spi:a34c5592983a1a43:995dcb31c1574658 
Mar  4 18:35:12 epia racoon: [91.56.227.155] INFO: received INITIAL-CONTACT 
Mar  4 18:35:12 epia racoon: INFO: Using port 0 
Mar  4 18:35:12 epia racoon: INFO: login succeeded for user "frank" 
Mar  4 18:35:27 epia racoon: INFO: respond new phase 2 negotiation: 77.182.71.224[4500]<=>91.56.227.155[2500] 
Mar  4 18:35:27 epia racoon: INFO: no policy found, try to generate the policy : 192.168.0.90/32[0] 0.0.0.0/0[0] proto=any dir=in 
Mar  4 18:35:27 epia racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
Mar  4 18:35:27 epia racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
Mar  4 18:35:27 epia /netbsd: key_update: type 2, sport = 50185, dport = 37905
Mar  4 18:35:27 epia /netbsd: key_update: type 2, sport = 37905, dport = 50185
Mar  4 18:35:27 epia racoon: INFO: IPsec-SA established: ESP/Tunnel 77.182.71.224[500]->91.56.227.155[500] spi=88411440(0x5450d30) 
Mar  4 18:35:27 epia racoon: INFO: IPsec-SA established: ESP/Tunnel 77.182.71.224[500]->91.56.227.155[500] spi=29020503(0x1bad157) 

18:35:09.719274 IP 192.168.1.5.500 > 77.182.71.224.500: isakmp: phase 1 I ident
18:35:09.838749 IP 77.182.71.224.500 > 192.168.1.5.500: isakmp: phase 1 R ident
18:35:09.913033 IP 192.168.1.5.500 > 77.182.71.224.500: isakmp: phase 1 I ident
18:35:10.057537 IP 77.182.71.224.500 > 192.168.1.5.500: isakmp: phase 1 R ident
18:35:10.124952 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 1 I ident[E]
18:35:10.271572 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:10.283699 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:10.285900 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:10.303905 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:10.334041 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:10.369370 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:10.471216 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:10.503101 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:10.521172 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:10.639479 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:11.020788 IP 77.182.71.224.4500 > 192.168.1.5.4500: isakmp-nat-keep-alive
18:35:15.129846 IP 192.168.1.5.4500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:35:24.810643 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:35:25.092633 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
18:35:25.156750 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:35:30.343186 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:30.345608 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:30.380115 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:30.450836 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:31.030311 IP 77.182.71.224.4500 > 192.168.1.5.4500: isakmp-nat-keep-alive
18:35:35.149860 IP 192.168.1.5.4500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:35:50.503164 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:50.523757 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:50.557191 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:50.604777 IP 77.182.71.224.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:51.048974 IP 77.182.71.224.4500 > 192.168.1.5.4500: isakmp-nat-keep-alive
18:35:55.169609 IP 192.168.1.5.4500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:36:04.502989 IP 192.168.1.5.4500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

18:35:12.065335 PPPoE  [ses 0x69d] IP 91.56.227.155.2532 > 77.182.71.224.500: isakmp: phase 1 I ident
18:35:12.132893 PPPoE  [ses 0x69d] IP 77.182.71.224.500 > 91.56.227.155.2532: isakmp: phase 1 R ident
18:35:12.257998 PPPoE  [ses 0x69d] IP 91.56.227.155.2532 > 77.182.71.224.500: isakmp: phase 1 I ident
18:35:12.352294 PPPoE  [ses 0x69d] IP 77.182.71.224.500 > 91.56.227.155.2532: isakmp: phase 1 R ident
18:35:12.470654 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 1 I ident[E]
18:35:12.557931 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:12.564858 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:12.571775 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 1 R ident[E]
18:35:12.600792 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:12.676358 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:12.711102 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:12.768379 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:12.844888 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:12.863366 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
18:35:12.932223 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R #6[E]
18:35:13.320040 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: isakmp-nat-keep-alive
18:35:17.469649 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:35:27.159243 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:35:27.385679 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
18:35:27.498762 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:35:32.642487 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:32.686518 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:32.732353 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:32.748055 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:33.330366 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: isakmp-nat-keep-alive
18:35:37.491392 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:35:52.822856 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:52.847720 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:52.901927 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
18:35:52.903848 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
18:35:53.350660 PPPoE  [ses 0x69d] IP 77.182.71.224.4500 > 91.56.227.155.2500: isakmp-nat-keep-alive
18:35:57.512129 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: isakmp-nat-keep-alive
18:36:06.847912 PPPoE  [ses 0x69d] IP 91.56.227.155.2500 > 77.182.71.224.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
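The correlation the message does by hand (a larval SA on the client, two SPIs reported established on the gateway, one pfkey UPDATE and one pfkey ADD failure) as an added example; this is not code from the original post, from racoon or from NetBSD. It parses `setkey -D` output and racoon/kernel syslog lines (the sample data below is copied from the post into string constants so the script runs offline) and reports which SPI is stuck in the larval state locally and which SPI the peer has but the local SAD never received. The PF_KEY semantics it relies on are the standard ones from RFC 2367: GETSPI creates a larval inbound SA, UPDATE matures it once quick mode completes, and ADD installs the SA for the other direction. Function names and the triage layout are my own.

```python
"""Triage helper for a racoon / PF_KEY phase-2 failure (added example).

Not part of the original message, racoon or NetBSD. Parses `setkey -D` output
plus racoon/kernel syslog lines and correlates the local SAD with the SPIs the
peer reports as established. PF_KEY (RFC 2367): GETSPI creates a larval inbound
SA, UPDATE matures it, ADD installs the outbound SA. A larval SA whose SPI the
peer already reports as established means UPDATE was rejected; a peer SPI that
is absent from the local SAD means ADD never took effect.
"""
import re

# Sample data copied from the post (constructed into constants for offline use).
SETKEY_D = """\
77.182.71.224 192.168.1.5 
        esp mode=tunnel spi=29020503(0x01bad157) reqid=0(0x00000000)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval 
        sadb_seq=0 pid=2777 refcnt=1
"""
CLIENT_LOG = [
    "Mar  4 18:35:25 powerbook /netbsd: key_update: no SA index found.",
    "Mar  4 18:35:25 powerbook /netbsd: key_setsaval: unable to initialize SA type 3.",
    "Mar  4 18:35:25 powerbook racoon: ERROR: pfkey UPDATE failed: No such file or directory ",
    "Mar  4 18:35:25 powerbook racoon: ERROR: pfkey ADD failed: Invalid argument ",
]
GATEWAY_LOG = [
    "Mar  4 18:35:27 epia racoon: INFO: IPsec-SA established: ESP/Tunnel "
    "77.182.71.224[500]->91.56.227.155[500] spi=88411440(0x5450d30) ",
    "Mar  4 18:35:27 epia racoon: INFO: IPsec-SA established: ESP/Tunnel "
    "77.182.71.224[500]->91.56.227.155[500] spi=29020503(0x1bad157) ",
]

SA_HEADER = re.compile(r"^(\S+) (\S+)\s*$")          # "src dst" line of setkey -D
SA_SPI = re.compile(r"spi=(\d+)\(0x[0-9a-f]+\)")
SA_STATE = re.compile(r"state=(\w+)")
ESTABLISHED = re.compile(r"IPsec-SA established: \S+ (\S+)->(\S+) spi=(\d+)\(")
PFKEY_ERR = re.compile(r"pfkey (\w+) failed: (.*?)\s*$")
KERNEL_MSG = re.compile(r"/netbsd: (key_\w+): (.*?)\s*$")


def parse_setkey_d(text):
    """Return [{src, dst, spi, state}, ...] from `setkey -D` output."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):     # unindented line: new SA header
            m = SA_HEADER.match(line)
            cur = None
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "spi": None, "state": None}
                sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_SPI.search(line)
        if m:
            cur["spi"] = int(m.group(1))
        m = SA_STATE.search(line)
        if m:
            cur["state"] = m.group(1)
    return sas


def established_spis(log_lines):
    """Map spi -> (src, dst) for each 'IPsec-SA established' line the peer logged."""
    out = {}
    for line in log_lines:
        m = ESTABLISHED.search(line)
        if m:
            out[int(m.group(3))] = (m.group(1), m.group(2))
    return out


def pfkey_messages(log_lines):
    """Collect racoon pfkey failures and kernel key_* messages, in log order."""
    msgs = []
    for line in log_lines:
        m = PFKEY_ERR.search(line)
        if m:
            msgs.append(("racoon", m.group(1), m.group(2)))
            continue
        m = KERNEL_MSG.search(line)
        if m:
            msgs.append(("kernel", m.group(1), m.group(2)))
    return msgs


def triage(setkey_text, client_log, gateway_log):
    """Correlate the local SAD with the SPIs the peer considers established."""
    local = parse_setkey_d(setkey_text)
    peer = established_spis(gateway_log)
    local_spis = {sa["spi"] for sa in local}
    return {
        "larval": [sa for sa in local if sa["state"] == "larval"],
        "peer_only": sorted(spi for spi in peer if spi not in local_spis),
        "messages": pfkey_messages(client_log),
    }


if __name__ == "__main__":
    result = triage(SETKEY_D, CLIENT_LOG, GATEWAY_LOG)
    peer = established_spis(GATEWAY_LOG)
    for sa in result["larval"]:
        print("larval SA %s->%s spi=0x%x (peer reports it established: %s)"
              % (sa["src"], sa["dst"], sa["spi"], sa["spi"] in peer))
    for spi in result["peer_only"]:
        print("peer has spi=0x%x but it is missing from the local SAD" % spi)
    for source, what, detail in result["messages"]:
        print("%-6s %-14s %s" % (source, what, detail))
```

Run it with python3 and it pairs the two pfkey errors with the two SAs: the inbound SA 0x1bad157 exists only as the larval entry GETSPI created (UPDATE failed), and the outbound SA 0x5450d30 the gateway installed never appears locally (ADD failed). To use it on a live host, feed the real `setkey -D` output and the two syslog extracts into `triage()` in place of the constants.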