From owner-freebsd-security@FreeBSD.ORG Sat May 6 07:15:33 2006
Message-ID: <445C4D11.10200@genedata.com>
Date: Sat, 06 May 2006 09:15:29 +0200
From: John Ryan <John.Ryan@genedata.com>
User-Agent: Thunderbird 1.5 (X11/20051201)
To: freebsd-security@FreeBSD.ORG
Subject: IPsec with racoon2
Hi,

I'm trying to get IPsec running between 2 FreeBSD (VMware) boxes, using racoon2. spmd and iked start up okay, but I get an error when I try a ping across the tunnel. /var/log/messages shows:

May  5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: if_spmd.c:726: SLID failed: 550 Operation failed
May  5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: isakmp.c:647:isakmp_initiate_cont(): 0:172.20.36.55[0] - 172.20.36.52[0]:0x0:can't find selector (index (null))

2006-05-05 13:53:54 [INFO]: main.c:269:main(): starting iked for racoon2 20051102a
2006-05-05 13:53:54 [INFO]: main.c:272:main(): OPENSSLDIR: "/etc/ssl"
2006-05-05 13:53:54 [INFO]: main.c:282:main(): reading config /usr/local/etc/racoon2.conf
2006-05-05 13:53:54 [DEBUG]: ike_conf.c:3247:ike_conf_check_consistency(): checking configuration
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:350: spmd I/F connection ok: 220 F8A......76C2B9
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3306: spmd_read_password_file([/usr/local/etc/racoon2/spmd.pwd], [cfsetup.c:3376], 1)
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3351: read 16 bytes
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:413: spmd LOGIN ok: 250 OK
2006-05-05 13:53:54 [INFO]: isakmp.c:339:isakmp_open(): socket 5 bind 172.20.36.55[500]

Here's my network (running under VMware on Linux). The host has 2 network cards and they're functional from VMware.
ifconfig_lnc0="inet 172.20.36.55 netmask 0xfffff800"
ifconfig_lnc1="inet 192.168.4.1 netmask 0xffffff00"

#  _______________________                     _______________________
# / Ext IP A.B.C.D       \       tunnel       / Ext IP W.X.Y.Z       \
# ---| Int IP 192.168.1.1/24 |===============| Int IP 192.168.4.1/24 |---
# \_______________________/                   \_______________________/
#
# For host "A.B.C.D"
# gif_interfaces="gif0"
# gifconfig_gif0="A.B.C.D W.X.Y.Z"
# ifconfig_gif0="inet 192.168.1.1 192.168.4.1 netmask 0xffffffff"
# static_routes="vpn"
# route_vpn="-net 192.168.4.0/24 192.168.4.1"

gif_interfaces="gif0"
gifconfig_gif0="172.20.36.55 172.20.36.52"
ifconfig_gif0="inet 192.168.4.1 192.168.1.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 192.168.1.1"

Without IPsec running, I can ping the remote interfaces 192.168.[14].1 both ways.

My racoon2.conf looks like:

setval {
	PSKDIR "/usr/local/etc/racoon2/psk";
	CERTDIR "/usr/local/etc/racoon2/cert";
};

# interface info
interface {
	ike {
		MY_IPV4%lnc0;
	};
	spmd {
		unix "/var/run/racoon/spmif";
	};
	spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};

# resolver info
resolver {
	resolver off;
};

#
# default section
#
default {
	remote {
		ikev2 {
			logmode normal;
			kmp_sa_lifetime_time infinite;
			kmp_sa_lifetime_byte infinite;
			max_retry_to_send 3;
			interval_to_send 10 sec;
			times_per_send 1;
			kmp_sa_nego_time_limit 60 sec;
			ipsec_sa_nego_time_limit 40 sec;
			kmp_enc_alg { aes256_cbc; 3des_cbc; };
			kmp_hash_alg { hmac_sha1; hmac_md5; aes_xcbc; };
			kmp_auth_method { dss; };
			kmp_dh_group { 1; 2; 5; 14; 15; };
			random_pad_content on;
			random_padlen on;
			max_padlen 50 bytes;
		};
	};
	policy {
		ipsec_mode tunnel;
		ipsec_level unique;	# Not Yet Implemented, always 'unique'
	};
	ipsec {
		ipsec_sa_lifetime_time infinite;
		ipsec_sa_lifetime_byte infinite;
	};
	sa {
		esp_enc_alg { aes128_cbc; 3des_cbc; };
		esp_auth_alg { hmac_sha1; hmac_md5; };
	};
};

ipsec ipsec_ah_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index esp_01;
};

sa ah_01 {
	sa_protocol ah;
	ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
	sa_protocol esp;
	esp_enc_alg { aes128_cbc; 3des_cbc; };
	esp_auth_alg { hmac_sha1; hmac_md5; };
};

# biosa-vm1.ch.genedata.com
remote biosa-vm1.nowhere.com {
	acceptable_kmp { ikev2; };
	ikev2 {
		my_id fqdn "biosa-vm4.nowhere.com";
		peers_id fqdn "biosa-vm1.nowhere.com";
		peers_ipaddr 172.20.36.52 port 500;
		kmp_enc_alg { aes256_cbc; aes192_cbc; 3des_cbc; };
		kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
		kmp_hash_alg { hmac_md5; hmac_sha1; aes_xcbc; };
		kmp_dh_group { 5; };
		kmp_auth_method { psk; };
		pre_shared_key "${PSKDIR}/secret.psk";
	};
	selector_index 42;
};

selector 41 {
	direction outbound;
	src 172.20.36.55;
	dst 172.20.36.52;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};
selector 42 {
	direction inbound;
	dst 172.20.36.52;
	src 172.20.36.55;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};

policy TUNNEL {
	action auto_ipsec;
	remote_index biosa-vm1.nowhere.com;
	ipsec_mode tunnel;
	ipsec_index { ipsec_esp; };
	ipsec_level unique;
	peers_sa_ipaddr 172.20.36.52;
	my_sa_ipaddr 172.20.36.55;
};

Anyone got any idea what I'm doing wrong?

Thanks in advance,
John Ryan
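The post's iked error is a selector lookup failure, and the selector/policy/remote wiring in racoon2.conf is exactly the kind of thing worth checking mechanically before digging into IKE itself. The script below is an added example written for this page; it is not code from the original message or from the racoon2 project. It parses the brace-and-semicolon syntax of racoon2.conf with a small hand-written parser and reports three kinds of inconsistency: dangling references (a selector's `policy_index`, a policy's `remote_index`, or a remote's `selector_index` naming something that is not defined), selectors whose `upper_layer_protocol` cannot match the traffic being used to test the tunnel (a selector restricted to `"tcp"` never matches an ICMP echo, which is what `ping` sends), and an inbound selector that is not the mirror image of its outbound partner. That last check rests on an assumption made explicit in the code: in racoon2's own sample configurations the inbound selector has `dst` set to the local address and `src` to the peer, i.e. the reverse of the outbound selector. The embedded `POSTED_CONFIG` is the remote/selector/policy portion of the configuration quoted above; the other sections are omitted because the lint does not look at them.

```python
"""Consistency lint for racoon2.conf selector/policy/remote wiring (added example, not racoon2 code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    head: List[str]                 # statement tokens, e.g. ["selector", "41"] or ["src", "172.20.36.55"]
    body: Optional[List["Node"]]    # child statements for "key { ... };" blocks, None for plain "key value;"


_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text: str) -> List[str]:
    text = re.sub(r"#.*", "", text)                 # racoon2.conf comments run from '#' to end of line
    return [t[1:-1] if t.startswith('"') else t for t in _TOKEN.findall(text)]


def parse(tokens: List[str], i: int = 0) -> Tuple[List[Node], int]:
    """Parse 'head { body };' and 'head value;' statements until a closing brace or end of input."""
    nodes: List[Node] = []
    while i < len(tokens) and tokens[i] != "}":
        head: List[str] = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            head.append(tokens[i])
            i += 1
        if i >= len(tokens):
            raise ValueError(f"unterminated statement: {' '.join(head)}")
        if tokens[i] == "{":
            body, i = parse(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError("unbalanced braces")
            i += 1                                   # consume '}'
            if i < len(tokens) and tokens[i] == ";":
                i += 1                               # racoon2 blocks are closed with '};'
            nodes.append(Node(head, body))
        else:
            i += 1                                   # consume ';'
            if head:
                nodes.append(Node(head, None))
    return nodes, i


def named(nodes: List[Node], kind: str) -> Dict[str, Node]:
    """Top-level 'kind NAME { ... };' sections: selector 41, policy TUNNEL, remote X, ..."""
    return {n.head[1]: n for n in nodes if n.body is not None and len(n.head) >= 2 and n.head[0] == kind}


def value(node: Node, key: str) -> Optional[str]:
    """First value of a plain 'key value ...;' statement directly inside node, or None."""
    for child in node.body or []:
        if child.body is None and len(child.head) >= 2 and child.head[0] == key:
            return child.head[1]
    return None


def lint(conf: str, traffic_proto: str = "icmp") -> List[str]:
    """Return human-readable findings; traffic_proto is the protocol you test the tunnel with."""
    nodes, _ = parse(tokenize(conf))
    selectors, policies, remotes = named(nodes, "selector"), named(nodes, "policy"), named(nodes, "remote")
    findings: List[str] = []
    by_policy: Dict[Optional[str], Dict[Optional[str], tuple]] = defaultdict(dict)
    for name, sel in selectors.items():
        pol = value(sel, "policy_index")
        if pol not in policies:
            findings.append(f"selector {name}: policy_index {pol} is not a defined policy")
        ulp = value(sel, "upper_layer_protocol")
        if ulp not in (None, "any", traffic_proto):
            findings.append(f"selector {name}: upper_layer_protocol {ulp} will not match {traffic_proto} traffic")
        by_policy[pol][value(sel, "direction")] = (name, value(sel, "src"), value(sel, "dst"))
    for name, pol in policies.items():
        rem = value(pol, "remote_index")
        if rem not in remotes:
            findings.append(f"policy {name}: remote_index {rem} is not a defined remote")
    for name, rem in remotes.items():
        sidx = value(rem, "selector_index")
        if sidx is not None and sidx not in selectors:
            findings.append(f"remote {name}: selector_index {sidx} is not a defined selector")
    # Assumption (racoon2 sample configs): the inbound selector mirrors the outbound one,
    # so inbound src == outbound dst and inbound dst == outbound src.
    for pol, dirs in by_policy.items():
        if "inbound" in dirs and "outbound" in dirs:
            (n_in, src_in, dst_in), (n_out, src_out, dst_out) = dirs["inbound"], dirs["outbound"]
            if (src_in, dst_in) != (dst_out, src_out):
                findings.append(f"selector {n_in} (inbound) does not mirror selector {n_out} (outbound): "
                                f"expected src {dst_out} dst {src_out}, got src {src_in} dst {dst_in}")
    return findings


# The remote/selector/policy sections from the message above (other sections omitted, constructed here).
POSTED_CONFIG = """
remote biosa-vm1.nowhere.com {
    acceptable_kmp { ikev2; };
    ikev2 {
        peers_ipaddr 172.20.36.52 port 500;
        kmp_auth_method { psk; };
        pre_shared_key "${PSKDIR}/secret.psk";
    };
    selector_index 42;
};
selector 41 { direction outbound; src 172.20.36.55; dst 172.20.36.52; upper_layer_protocol "tcp"; policy_index TUNNEL; };
selector 42 { direction inbound; dst 172.20.36.52; src 172.20.36.55; upper_layer_protocol "tcp"; policy_index TUNNEL; };
policy TUNNEL {
    action auto_ipsec; remote_index biosa-vm1.nowhere.com;
    ipsec_mode tunnel; ipsec_index { ipsec_esp; }; ipsec_level unique;
    peers_sa_ipaddr 172.20.36.52; my_sa_ipaddr 172.20.36.55;
};
"""

if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG, "icmp"):    # ping sends ICMP echo, not TCP
        print(finding)
```

Run against the posted sections with `icmp` as the test protocol it reports both selectors as TCP-only and selector 42 as not mirroring selector 41 (both have src 172.20.36.55, dst 172.20.36.52); all three cross-references resolve. Whether either point is the cause of the `can't find selector` error is for the poster to confirm on the box, but they are the first two things to rule out before looking at the IKE exchange.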