[vpn-devel] Linux: unable to locate inbound policy for init phase2
Michael Kenny
kennym79web at gmail.com
Thu Sep 2 18:01:32 CDT 2010
I'm wondering if anyone might have an idea of something I have configured
wrong or if this might possibly be a bug.
I have a Cisco ASA 5505 and am using Mutual RSA + XAuth, config pull, DHCP,
main mode, and auto for the rest of the important settings, including topology with
auto policy. I don't think the NAT-T, DPD, or fragmentation options result in
any changes.
After iked finishes installing the NONE policies:
10/08/06 13:52:57 ii : configured adapter tap0
10/08/06 13:52:57 ii : creating NONE INBOUND policy ANY:them:* -> ANY:me:*
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id = 80
10/08/06 13:52:57 ii : - type = NONE
10/08/06 13:52:57 ii : - dir = INBOUND
10/08/06 13:52:57 ii : - src = them:0/32
10/08/06 13:52:57 ii : - dst = me:0/32
10/08/06 13:52:57 ii : creating NONE OUTBOUND policy ANY:me:* -> ANY:them:*
10/08/06 13:52:57 ii : created NONE policy route for them/32
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id = 89
10/08/06 13:52:57 ii : - type = NONE
10/08/06 13:52:57 ii : - dir = OUTBOUND
10/08/06 13:52:57 ii : - src = me:0/32
10/08/06 13:52:57 ii : - dst = them:0/32
I then see where it tries to start phase 2 and fails:
10/08/06 13:52:57 ii : calling init phase2 for initial policy
10/08/06 13:52:57 !! : unable to locate inbound policy for init phase2
And then it continues creating the IPSEC policies:
0/08/06 13:52:57 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* ->
ANY:192.168.2.10:*
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id = 96
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir = INBOUND
10/08/06 13:52:57 ii : - src = 0.0.0.0:0
10/08/06 13:52:57 ii : - dst = 192.168.2.10:0/32
10/08/06 13:52:57 ii : - transform #0
10/08/06 13:52:57 ii : -- proto = 50
10/08/06 13:52:57 ii : -- level = UNIQUE
10/08/06 13:52:57 ii : -- mode = TUNNEL
10/08/06 13:52:57 ii : -- reqid = 1
10/08/06 13:52:57 ii : -- tsrc = them
10/08/06 13:52:57 ii : -- tdst = me
10/08/06 13:52:57 ii : creating IPSEC OUTBOUND policy ANY:192.168.2.10:* ->
ANY:0.0.0.0/0:*
10/08/06 13:52:57 ii : created IPSEC policy route for 0.0.0.0
10/08/06 13:52:57 K> : send pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 K< : recv pfkey X_SPDADD UNSPEC message
10/08/06 13:52:57 ii : - id = 105
10/08/06 13:52:57 ii : - type = IPSEC
10/08/06 13:52:57 ii : - dir = OUTBOUND
10/08/06 13:52:57 ii : - src = 192.168.2.10:0/32
10/08/06 13:52:57 ii : - dst = 0.0.0.0:0
10/08/06 13:52:57 ii : - transform #0
10/08/06 13:52:57 ii : -- proto = 50
10/08/06 13:52:57 ii : -- level = UNIQUE
10/08/06 13:52:57 ii : -- mode = TUNNEL
10/08/06 13:52:57 ii : -- reqid = 2
10/08/06 13:52:57 ii : -- tsrc = 192.168.10.160
10/08/06 13:52:57 ii : -- tdst = 192.168.10.107
And then it sits there without hitting phase 2. The other end keeps
resending me the config packets until it times out, if I leave it alone.
However, if I create traffic, such as simply pinging the gateway, it
continues on:
10/08/06 13:53:03 K< : recv pfkey ACQUIRE ESP message
10/08/06 13:53:03 ii : - id = 105
10/08/06 13:53:03 ii : - type = IPSEC
10/08/06 13:53:03 ii : - dir = OUTBOUND
10/08/06 13:53:03 ii : - src = me:0/32
10/08/06 13:53:03 ii : - dst = them:0/32
10/08/06 13:53:03 ii : calling init phase2 for squired policy
I see my pings respond and everything appears normal and fully functional.
Phase 2 looks like it happens as it should.
Any thoughts on what might be happening?
Thanks,
Michael
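An added example, not from the post or from the Shrew Soft iked code, that replays the log quoted above and reports the ordering the post describes: at the moment iked calls init phase2 for the initial policy, only the NONE policies exist and no IPSEC INBOUND policy has been installed yet, so the inbound lookup fails, and phase 2 only proceeds once a pfkey ACQUIRE arrives. The sample log is a constructed condensation of the one in the post (pfkey chatter and src/dst lines dropped, order preserved).

```python
import re

# Constructed sample, condensed from the iked log quoted in the post above
# (pfkey send/recv and the src/dst lines are dropped; order is preserved).
SAMPLE_LOG = """\
10/08/06 13:52:57 ii : creating NONE INBOUND policy ANY:them:* -> ANY:me:*
10/08/06 13:52:57 ii : - id = 80
10/08/06 13:52:57 ii : creating NONE OUTBOUND policy ANY:me:* -> ANY:them:*
10/08/06 13:52:57 ii : - id = 89
10/08/06 13:52:57 ii : calling init phase2 for initial policy
10/08/06 13:52:57 !! : unable to locate inbound policy for init phase2
10/08/06 13:52:57 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:192.168.2.10:*
10/08/06 13:52:57 ii : - id = 96
10/08/06 13:52:57 ii : creating IPSEC OUTBOUND policy ANY:192.168.2.10:* -> ANY:0.0.0.0/0:*
10/08/06 13:52:57 ii : - id = 105
10/08/06 13:53:03 K< : recv pfkey ACQUIRE ESP message
10/08/06 13:53:03 ii : calling init phase2 for squired policy
"""
_CREATE = re.compile(r"creating (NONE|IPSEC) (INBOUND|OUTBOUND) policy")
_ID = re.compile(r"- id = (\d+)")

def analyze_iked_log(text):
    """Replay the log in order: record each installed SPD policy, note whether
    an IPSEC INBOUND policy existed when iked attempted its initial phase 2,
    and whether a later pfkey ACQUIRE is what finally started phase 2."""
    policies = []          # (id, type, dir) in installation order
    pending = None         # (type, dir) waiting for its "- id =" line
    seen_acquire = False
    result = {"policies": policies,
              "ipsec_inbound_at_init_phase2": None,  # None: never attempted
              "init_phase2_failed": False,
              "phase2_triggered_by_acquire": False}
    for line in text.splitlines():
        if m := _CREATE.search(line):
            pending = (m.group(1), m.group(2))
        elif pending and (m := _ID.search(line)):
            policies.append((int(m.group(1)),) + pending)
            pending = None
        elif "calling init phase2 for initial policy" in line:
            result["ipsec_inbound_at_init_phase2"] = any(
                t == "IPSEC" and d == "INBOUND" for _, t, d in policies)
        elif "unable to locate inbound policy for init phase2" in line:
            result["init_phase2_failed"] = True
        elif "recv pfkey ACQUIRE" in line:
            seen_acquire = True
        elif "calling init phase2 for squired policy" in line and seen_acquire:
            result["phase2_triggered_by_acquire"] = True
    return result
```

Run against the sample it reports no IPSEC INBOUND policy at the initial phase 2 attempt, the lookup failure, and that phase 2 was only triggered by the ACQUIRE that the ping generated; the same check can be pointed at a full iked debug log to confirm the ordering before filing it as a bug.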