# IPSec + racoon --> ERROR: no suitable policy found

## mrfree

I'm trying to configure 2 PCs on my LAN (this is an experiment, same subnet 10.10.44.0):

- 1 Gentoo box 10.10.47.225 netmask 255.255.252.0
- 1 WindozeXP 10.10.44.24 netmask 255.255.252.0

to communicate using IPSec (+ racoon)

This is my gentoo box configuration...

/etc/ipsec.conf

```
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys for testing purposes only!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 10.10.47.225 10.10.44.24 ah 0x200 -A hmac-md5
        0xa7d1dc620e597d31a7901e72cc9ce6e5;
add 10.10.44.24 10.10.47.225 ah 0x300 -A hmac-md5
        0xa5fd37a4b45ac244198d2dde8215d461;

# ESP SAs using 192 bit long keys
add 10.10.47.225 10.10.44.24 esp 0x201 -E rijndael-cbc
        0x431d00d3a0d1788238aba2f9ddbe56dd0ba60439b2cd01dd;
add 10.10.44.24 10.10.47.225 esp 0x301 -E rijndael-cbc
        0x45f054cf29eede206bf64b80fc68a7f60ec73fa717f3caf5;

spdadd 10.10.47.225 10.10.44.24 any -P out ipsec
       esp/transport//require
       ah/transport//require;

spdadd 10.10.44.24 10.10.47.225 any -P in ipsec
       esp/transport//require
       ah/transport//require;
```

/etc/racoon/racoon.conf

```
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
        #exchange_mode main,aggressive,base;
        exchange_mode main,base;
        #my_identifier fqdn "server.kame.net";
        #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
        lifetime time 24 hour ; # sec,min,hour
        #initial_contact off ;
        #passive on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }

        # the configuration makes racoon (as a responder) to obey the
        # initiator's lifetime and PFS group proposal.
        # this makes testing so much easier.
        proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        #encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
        encryption_algorithm 3des, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
```

If I try to ping my Gentoo box (from Windows, using IPsec), racoon reports these errors:

```
2006-01-10 18:11:03: INFO: @(#)ipsec-tools 0.6.2 (http://ipsec-tools.sourceforge.net)
2006-01-10 18:11:03: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2006-01-10 18:11:03: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2006-01-10 18:11:03: INFO: 127.0.0.1[500] used for NAT-T
2006-01-10 18:11:03: INFO: 10.10.47.225[500] used as isakmp port (fd=7)
2006-01-10 18:11:03: INFO: 10.10.47.225[500] used for NAT-T
2006-01-10 18:11:20: ERROR: unknown Informational exchange received.
2006-01-10 18:12:36: INFO: respond new phase 1 negotiation: 10.10.47.225[500]<=>10.10.44.24[500]
2006-01-10 18:12:36: INFO: begin Identity Protection mode.
2006-01-10 18:12:36: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2006-01-10 18:12:36: INFO: received Vendor ID: FRAGMENTATION
2006-01-10 18:12:36: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2006-01-10 18:12:36: INFO: ISAKMP-SA established 10.10.47.225[500]-10.10.44.24[500] spi:a5d2a3be36e17415:83c32fa7f0b45f38
2006-01-10 18:12:36: INFO: respond new phase 2 negotiation: 10.10.47.225[500]<=>10.10.44.24[500]
2006-01-10 18:12:36: ERROR: not matched
2006-01-10 18:12:36: ERROR: no suitable policy found.
2006-01-10 18:12:36: ERROR: failed to pre-process packet.
2006-01-10 18:12:36: INFO: respond new phase 2 negotiation: 10.10.47.225[500]<=>10.10.44.24[500]
2006-01-10 18:12:36: ERROR: not matched
2006-01-10 18:12:36: ERROR: no suitable policy found.
2006-01-10 18:12:36: ERROR: failed to pre-process packet.
```

Which is the wrong policy???

----------

## mrfree

If I try to swap the in and out rules...

```
spdadd 10.10.47.225 10.10.44.24 any -P in ipsec
       esp/transport//require
       ah/transport//require;

spdadd 10.10.44.24 10.10.47.225 any -P out ipsec
       esp/transport//require
       ah/transport//require;
```

the error changes:

```
INFO: respond new phase 2 negotiation: 10.10.47.225[500]<=>10.10.44.24[500]
2006-01-10 20:03:21: ERROR: no policy found: 10.10.44.24/32[0] 10.10.47.225/32[0] proto=any dir=in
2006-01-10 20:03:21: ERROR: failed to get proposal for responder.
2006-01-10 20:03:21: ERROR: failed to pre-process packet.
```

On this useful site I've read:

> no suitable policy found
>
> you did not set a policy for this IP with setkey.
>
> Check /etc/ipsec.conf and run it through setkey -f again.
> ...

Here is other info of interest :Wink:

```
# setkey -D
10.10.44.24 10.10.47.225
        esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
        E: aes-cbc  45f054cf 29eede20 6bf64b80 fc68a7f6 0ec73fa7 17f3caf5
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 10 20:04:51 2006   current: Jan 10 20:07:16 2006
        diff: 145(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=14619 refcnt=0
10.10.44.24 10.10.47.225
        ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
        A: hmac-md5  a5fd37a4 b45ac244 198d2dde 8215d461
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 10 20:04:50 2006   current: Jan 10 20:07:16 2006
        diff: 146(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=14619 refcnt=0
10.10.47.225 10.10.44.24
        esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
        E: aes-cbc  431d00d3 a0d17882 38aba2f9 ddbe56dd 0ba60439 b2cd01dd
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 10 20:04:50 2006   current: Jan 10 20:07:16 2006
        diff: 146(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=14619 refcnt=0
10.10.47.225 10.10.44.24
        ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
        A: hmac-md5  a7d1dc62 0e597d31 a7901e72 cc9ce6e5
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan 10 20:04:50 2006   current: Jan 10 20:07:16 2006
        diff: 146(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=14619 refcnt=0
```

Windoze uses 3DES or DES for encryption and MD5 or SHA1 for hashing; probably the problem resides here... tomorrow I'll try something about this :Smile:
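The "no policy found" line from the swapped SPD names the exact selector racoon looked up (src, dst, proto, dir), which is what the first post's "Which is the wrong policy???" asks about. As an added example (not from the thread or from ipsec-tools), here is a small Python checker that parses `spdadd` statements and that racoon error, reports whether the SPD holds the policy racoon wanted, and flags `in`/`out` policies whose src/dst do not fit the local address; both SPD variants from the thread are embedded as constructed samples, and the local address 10.10.47.225 is taken from the Gentoo box.

```python
import re

# Constructed samples rebuilt from the thread: the SPD of the first post (host is
# 10.10.47.225) and the swapped SPD of the second post, as setkey statements.
SPD_ORIGINAL = """
spdadd 10.10.47.225 10.10.44.24 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.10.44.24 10.10.47.225 any -P in ipsec esp/transport//require ah/transport//require;
"""
SPD_SWAPPED = """
spdadd 10.10.47.225 10.10.44.24 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.10.44.24 10.10.47.225 any -P out ipsec esp/transport//require ah/transport//require;
"""
# The racoon error line quoted in the second post.
RACOON_ERR = ("2006-01-10 20:03:21: ERROR: no policy found: "
              "10.10.44.24/32[0] 10.10.47.225/32[0] proto=any dir=in")

SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\b")
# racoon prints the looked-up selector as "src/prefix[port] dst/prefix[port] proto=... dir=..."
NOPOLICY_RE = re.compile(
    r"no policy found:\s+([\d.]+)(?:/\d+)?\[\d+\]\s+([\d.]+)(?:/\d+)?\[\d+\]\s+proto=(\S+)\s+dir=(in|out|fwd)")


def parse_spd(text):
    """Return (src, dst, proto, direction) tuples for every spdadd statement in a setkey script."""
    return [m.groups() for m in SPDADD_RE.finditer(text)]


def check_directions(policies, local_ip):
    """Direction is relative to this host: an 'out' policy must carry the local address as src,
    an 'in' policy as dst. Returns a list of human-readable problems (empty when consistent)."""
    problems = []
    for src, dst, _proto, direction in policies:
        if direction == "out" and src != local_ip:
            problems.append(f"out policy {src} -> {dst}: src is not the local address {local_ip}")
        if direction == "in" and dst != local_ip:
            problems.append(f"in policy {src} -> {dst}: dst is not the local address {local_ip}")
    return problems


def missing_policy(policies, log_line):
    """Parse racoon's 'no policy found' line; return the (src, dst, proto, dir) it wanted when the
    SPD has no matching entry, or None when a policy matches (or the line is not that error)."""
    m = NOPOLICY_RE.search(log_line)
    if not m:
        return None
    w_src, w_dst, w_proto, w_dir = m.groups()
    for src, dst, proto, direction in policies:
        if (src, dst, direction) == (w_src, w_dst, w_dir) and proto in ("any", w_proto):
            return None
    return (w_src, w_dst, w_proto, w_dir)
```

Run against the swapped SPD, `missing_policy` returns the inbound 10.10.44.24 -> 10.10.47.225 selector that the original ipsec.conf already contained, and `check_directions` flags both swapped entries.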

----------

## mrfree

Oh s**t, I can't resist until tomorrow :Twisted Evil:

I've tried with this ipsec.conf but nothing has changed:

```
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys for testing purposes only!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 10.10.47.225 10.10.44.24 ah 0x200 -A hmac-md5
        0xa7d1dc620e597d31a7901e72cc9ce6e5;
add 10.10.44.24 10.10.47.225 ah 0x300 -A hmac-md5
        0xa5fd37a4b45ac244198d2dde8215d461;

# ESP SAs using 192 bit long keys
add 10.10.47.225 10.10.44.24 esp 0x201 -E 3des-cbc
#add 10.10.47.225 10.10.44.24 esp 0x201 -E rijndael-cbc
        0x431d00d3a0d1788238aba2f9ddbe56dd0ba60439b2cd01dd;
add 10.10.44.24 10.10.47.225 esp 0x301 -E 3des-cbc
#add 10.10.44.24 10.10.47.225 esp 0x301 -E rijndael-cbc
        0x45f054cf29eede206bf64b80fc68a7f60ec73fa717f3caf5;

spdadd 10.10.47.225 10.10.44.24 any -P in ipsec
       esp/transport//require
       ah/transport//require;

spdadd 10.10.44.24 10.10.47.225 any -P out ipsec
       esp/transport//require
       ah/transport//require;
```

----------

## dewswim

Try adding 2 lines to racoon.conf, in the "anonymous" section:

```
verify_identifier off;
generate_policy on;
```

The first line is necessary, because Windows has a rather strange representation of the ESP fields.

And the second is for policy generation.

----------

