[vpn-devel] Linux: unable to locate inbound policy for init phase2

Michael Kenny kennym79web at gmail.com
Thu Sep 2 18:01:32 CDT 2010


I'm wondering if anyone might have an idea of something I have configured
wrong or if this might possibly be a bug.

I have a Cisco ASA 5505 and am using Mutual RSA + XAuth, config pull, DHCP,
main mode, and auto for the rest of the important stuff, including topology with
auto policy. I don't think the NAT-T, DPD, or fragmentation options result in
any changes.

After iked finishes installing the NONE policies:

10/08/06 13:52:57 ii : configured adapter tap0
10/08/06 13:52:57 ii : creating NONE INBOUND policy ANY:them:* -> ANY:me:*
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id   = 80
10/08/06 13:52:57 ii : - type = NONE
10/08/06 13:52:57 ii : - dir  = INBOUND
10/08/06 13:52:57 ii : - src  = them:0/32
10/08/06 13:52:57 ii : - dst  = me:0/32
10/08/06 13:52:57 ii : creating NONE OUTBOUND policy ANY:me:* -> ANY:them:*
10/08/06 13:52:57 ii : created NONE policy route for them/32
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id   = 89
10/08/06 13:52:57 ii : - type = NONE
10/08/06 13:52:57 ii : - dir  = OUTBOUND
10/08/06 13:52:57 ii : - src  = me:0/32
10/08/06 13:52:57 ii : - dst  = them:0/32

I then see where it tries to start phase 2 and fails:

10/08/06 13:52:57 ii : calling init phase2 for initial policy
10/08/06 13:52:57 !! : unable to locate inbound policy for init phase2

And then it continues creating the IPSEC policies:

0/08/06 13:52:57 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:192.168.2.10:*
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id   = 96
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir  = INBOUND
10/08/06 13:52:57 ii : - src  = 0.0.0.0:0
10/08/06 13:52:57 ii : - dst  = 192.168.2.10:0/32
10/08/06 13:52:57 ii : - transform #0
10/08/06 13:52:57 ii : -- proto = 50
10/08/06 13:52:57 ii : -- level = UNIQUE
10/08/06 13:52:57 ii : -- mode  = TUNNEL
10/08/06 13:52:57 ii : -- reqid = 1
10/08/06 13:52:57 ii : -- tsrc  = them
10/08/06 13:52:57 ii : -- tdst  = me
10/08/06 13:52:57 ii : creating IPSEC OUTBOUND policy ANY:192.168.2.10:* -> ANY:0.0.0.0/0:*
10/08/06 13:52:57 ii : created IPSEC policy route for 0.0.0.0
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id   = 105
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir  = OUTBOUND
10/08/06 13:52:57 ii : - src  = 192.168.2.10:0/32
10/08/06 13:52:57 ii : - dst  = 0.0.0.0:0
10/08/06 13:52:57 ii : - transform #0
10/08/06 13:52:57 ii : -- proto = 50
10/08/06 13:52:57 ii : -- level = UNIQUE
10/08/06 13:52:57 ii : -- mode  = TUNNEL
10/08/06 13:52:57 ii : -- reqid = 2
10/08/06 13:52:57 ii : -- tsrc  = 192.168.10.160
10/08/06 13:52:57 ii : -- tdst  = 192.168.10.107

And then it sits there without hitting phase 2. The other end keeps
resending me the config packets until it times out, if I leave it alone.
However, if I create traffic, such as simply pinging the gateway, it
continues on:

10/08/06 13:53:03 K< : recv pfkey ACQUIRE ESP message
10/08/06 13:53:03 ii : - id   = 105
10/08/06 13:53:03 ii : - type = IPSEC
10/08/06 13:53:03 ii : - dir  = OUTBOUND
10/08/06 13:53:03 ii : - src  = me:0/32
10/08/06 13:53:03 ii : - dst  = them:0/32
10/08/06 13:53:03 ii : calling init phase2 for squired policy

I see my pings respond and everything appears normal and fully functional.
Phase 2 looks like it happens as it should.

Any thoughts on what might be happening?

Thanks,
Michael
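Read in order, the trace above shows the first "init phase2" call being made while only the NONE policies (ids 80 and 89) exist, and the ACQUIRE-triggered call being made after the IPSEC INBOUND policy (id 96) has been installed. The script below is an added example, not part of this post or of the Shrew Soft client: it replays a condensed copy of the pasted trace (the line format and field names come from the post; the ordering interpretation is an assumption) and reports which IPSEC INBOUND policy ids were already installed at each init phase2 call, and whether that call logged the lookup failure.

```python
import re
# Constructed sample: condensed from the iked trace in the mail above, keeping
# only the policy fields and phase 2 calls the replay needs.
IKED_LOG = """\
10/08/06 13:52:57 ii : creating NONE INBOUND policy ANY:them:* -> ANY:me:*
10/08/06 13:52:57 ii : - id   = 80
10/08/06 13:52:57 ii : - type = NONE
10/08/06 13:52:57 ii : - dir  = INBOUND
10/08/06 13:52:57 ii : calling init phase2 for initial policy
10/08/06 13:52:57 !! : unable to locate inbound policy for init phase2
10/08/06 13:52:57 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:192.168.2.10:*
10/08/06 13:52:57 ii : - id   = 96
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir  = INBOUND
10/08/06 13:52:57 ii : creating IPSEC OUTBOUND policy ANY:192.168.2.10:* -> ANY:0.0.0.0/0:*
10/08/06 13:52:57 ii : - id   = 105
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir  = OUTBOUND
10/08/06 13:53:03 K< : recv pfkey ACQUIRE ESP message
10/08/06 13:53:03 ii : calling init phase2 for squired policy
"""
LINE_RE = re.compile(r"^\S+ \S+ (\S+) : (.*)$")           # date time TAG : message
FIELD_RE = re.compile(r"^- (id|type|dir)\s*=\s*(\S+)$")  # "- id   = 96" style lines

def replay(log):
    """Walk the trace in order; return one (trigger, ids of IPSEC INBOUND
    policies installed so far, lookup_failed) tuple per 'init phase2' call."""
    policies = {}            # policy id -> {"id": ..., "type": ..., "dir": ...}
    current, calls = {}, []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, msg = m.groups()
        f = FIELD_RE.match(msg)
        if f:                # accumulate the id/type/dir block of one policy
            current[f.group(1)] = f.group(2)
            if all(k in current for k in ("id", "type", "dir")):
                policies[int(current["id"])] = current
                current = {}
            continue
        if msg.startswith("calling init phase2 for "):
            inbound = sorted(i for i, p in policies.items()
                             if p["type"] == "IPSEC" and p["dir"] == "INBOUND")
            calls.append((msg.split("for ", 1)[1], inbound, False))
        elif tag == "!!" and "unable to locate inbound policy" in msg and calls:
            calls[-1] = (calls[-1][0], calls[-1][1], True)   # mark the call that failed
    return calls
```

Run against the full trace from the mail, it will also pick up the repeated "- id = 105" block under the ACQUIRE message, which simply re-records the same outbound policy.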