Ipsec racoon not finding correct SPD entry

From: Graham Murray
Date: Wed May 04 2005 - 02:50:56 EST


I am using the following setkey rules, and the mirror on the other system.

spdadd 192.168.50.45 192.168.50.211[22] tcp -P out none;
spdadd 192.168.50.211[22] 192.168.50.45 tcp -P in none;
spdadd 192.168.50.45 192.168.50.211 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd 192.168.50.211 192.168.50.45 any -P in ipsec
esp/transport//require ah/transport//require;

SSH works fine between the systems, but attempts to establish any other
connection fail with the following messages on the destination system.

May 3 09:44:53 gtway2 racoon: INFO: respond new phase 1 negotiation: 192.168.50.211[500]<=>192.168.50.45[500]
May 3 09:44:53 gtway2 racoon: INFO: begin Identity Protection mode.
May 3 09:44:53 gtway2 racoon: INFO: ISAKMP-SA established 192.168.50.211[500]-192.168.50.45[500] spi:59eb21f5b7639c24:750588e6931651bb
May 3 09:44:54 gtway2 racoon: INFO: respond new phase 2 negotiation: 192.168.50.211[0]<=>192.168.50.45[0]
May 3 09:44:54 gtway2 racoon: ERROR: policy found, but no IPsec required: 192.168.50.211/32[0] 192.168.50.45/32[0] proto=any dir=out
May 3 09:44:54 gtway2 racoon: ERROR: failed to get proposal for responder.
May 3 09:44:54 gtway2 racoon: ERROR: failed to pre-process packet.


If I remove the first two rules on both systems and make all traffic between
the 2 systems use ipsec, then everything works fine.

I have googled for this problem, but see mainly old reports from BSD but can
see no solution.
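Added illustration, not part of the post above and not racoon's or setkey's own lookup code: a small Python model that parses the four posted spdadd rules and reports which entries a given selector is compatible with. The assumption made here is that port 0 and proto "any" act as wildcards on either side of the comparison; under that assumption the wildcard phase 2 selector racoon logged ("[0] ... proto=any dir=out") is compatible with both the port-22 "none" exception and the "ipsec ... require" rule for the same address pair, so which one a responder picks depends on lookup order rather than on the selector. The shadowed_requires() check flags exactly that kind of overlap so it can be audited before deployment.

```python
# Added illustration for the post above: a simplified model of SPD selector
# matching used to audit the posted setkey rules. It is NOT racoon's or the
# kernel's code. Treating port 0 and proto "any" as wildcards on either side
# of the comparison is an assumption made here.
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = 0
ANY_PROTO = "any"


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str   # "none", "ipsec" or "discard"
    text: str     # original statement, kept for reporting


def _endpoint(tok: str) -> Tuple[str, int]:
    # "192.168.50.211[22]" -> ("192.168.50.211", 22); no bracket means any port
    if tok.endswith("]") and "[" in tok:
        addr, port = tok[:-1].split("[", 1)
        return addr, int(port)
    return tok, ANY_PORT


def parse_spd(config: str) -> List[Policy]:
    """Parse 'spdadd SRC DST PROTO -P DIR ACTION [requests];' statements.
    Statements may span lines; only the subset of setkey syntax in the post is handled."""
    policies = []
    for stmt in config.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] != "spdadd" or len(tokens) < 7 or tokens[4] != "-P":
            raise ValueError("unsupported statement: " + " ".join(tokens))
        src, sport = _endpoint(tokens[1])
        dst, dport = _endpoint(tokens[2])
        sel = Selector(src, dst, sport, dport, tokens[3], tokens[5])
        policies.append(Policy(sel, tokens[6], " ".join(tokens)))
    return policies


def _compatible(a, b, anyval) -> bool:
    return a == anyval or b == anyval or a == b


def compatible_entries(spd: List[Policy], sel: Selector) -> List[Policy]:
    """All entries the selector could match when ports/proto are wildcarded (in SPD order)."""
    out = []
    for p in spd:
        s = p.selector
        if (s.direction, s.src, s.dst) != (sel.direction, sel.src, sel.dst):
            continue
        if (_compatible(s.proto, sel.proto, ANY_PROTO)
                and _compatible(s.sport, sel.sport, ANY_PORT)
                and _compatible(s.dport, sel.dport, ANY_PORT)):
            out.append(p)
    return out


def shadowed_requires(spd: List[Policy]) -> List[Tuple[Policy, Policy]]:
    """(bypass, require) pairs: a 'none' entry and an 'ipsec' entry sharing direction
    and address pair, so a wildcard selector cannot tell them apart."""
    pairs = []
    for bypass in (p for p in spd if p.action == "none"):
        for req in (p for p in spd if p.action == "ipsec"):
            b, r = bypass.selector, req.selector
            if (b.direction, b.src, b.dst) == (r.direction, r.src, r.dst):
                pairs.append((bypass, req))
    return pairs


# Constructed input: the four rules from the post, as written on the .45 host.
POSTED_RULES = """
spdadd 192.168.50.45 192.168.50.211[22] tcp -P out none;
spdadd 192.168.50.211[22] 192.168.50.45 tcp -P in none;
spdadd 192.168.50.45 192.168.50.211 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd 192.168.50.211 192.168.50.45 any -P in ipsec
esp/transport//require ah/transport//require;
"""

# The wildcard selector from the racoon log, mirrored to the .45 side (dir=out, [0], proto=any).
PHASE2_SELECTOR = Selector("192.168.50.45", "192.168.50.211", 0, 0, "any", "out")

if __name__ == "__main__":
    spd = parse_spd(POSTED_RULES)
    for p in compatible_entries(spd, PHASE2_SELECTOR):
        print("compatible:", p.text)
    for bypass, req in shadowed_requires(spd):
        print("bypass overlaps require:", bypass.text, "|", req.text)
```

Running it lists both the "none" and the "ipsec" out-rule as compatible with the wildcard selector, while a fully specified selector such as tcp to port 80 is compatible only with the "ipsec" rule; a port-specific cleartext exception that shares an address pair with a require rule is the configuration the check is there to surface.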
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html