[support] Spmd (racoon2) errors with dynamic keying for Mobile IPv6 using racoon2 and mip6d
Sebastien Decugis
sdecugis at hongo.wide.ad.jp
Tue Apr 8 08:19:26 JST 2008
Hello Emmanuel,
Actually, these error messages are normal, because the SPD entries are
not managed by racoon2. Please ignore the messages. With the latest
upstream racoon2 (not included yet in the nautilus6 repository) the
error messages will be gone.
Do you have any problem with the behavior of the daemon, apart from
these messages?
emmanuel.schublin at thalesaleniaspace.com wrote:
> Hello,
>
> The spmd (racoon2) process generates some errors when I start mip6d with
> the dynamic keying option on the Homeguy 1.0 distribution:
>
> 2008-04-02 11:46:46 [INFO]: main.c:171: Racoon Spmd - Security Policy
> Management Daemon - Started
> 2008-04-02 11:46:46 [INFO]: main.c:172: Spmd Version: 20071227d
> 2008-04-02 11:46:47 [INFO]: main.c:450: 'files' found in nsswitch.conf
> hosts line, we will read hosts file
> 2008-04-02 11:46:47 [INFO]: main.c:459: 'dns' found in nsswitch.conf hosts
> line, we will start dns proxy service
> 2008-04-02 11:47:00 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:00 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:00 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:00 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:00 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:03 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:03 [INTERNAL_ERR]: spmd_pfkey.c:1801: No spid_data entry
> with this sequence.
> 2008-04-02 11:47:03 [INTERNAL_ERR]: spmd_pfkey.c:2006: Argument spid_data
> is NULL
> 2008-04-02 11:47:03 [INTERNAL_ERR]: spmd_pfkey.c:2048: Can't find spid_data
> (by spid)
>
> My MN mip6d.conf file :
>
> NodeConfig MN;
> DebugLevel 10;
> DoRouteOptimizationCN enabled;
> DoRouteOptimizationMN enabled;
> Interface "eth0";
> MnHomeLink "eth0" {
>     HomeAgentAddress 2001:660:6602:103::2;
>     HomeAddress 2001:660:6602:103::3/64;
> }
> UseCnBuAck enabled;
> UseMnHaIPsec enabled;
> KeyMngMobCapability enabled;
> IPsecPolicySet {
>     HomeAgentAddress 2001:660:6602:103::2;
>     HomeAddress 2001:660:6602:103::3/64;
>
>     IPsecPolicy HomeRegBinding UseESP 200;
>     # IPsecPolicy MobPfxDisc UseESP 202;
>     IPsecPolicy TunnelMh UseESP 204;
> }
>
> My MN racoon2.conf file :
>
> # Home Agent address: 2001:660:6602:103::2
> # MN Home address : 2001:660:6602:103::3
> interface {
>     spmd { unix "/var/run/racoon2/spmif"; };
>     spmd_password "/etc/racoon2/spmd.pwd";
>     ike { MY_IP; };
> };
> default {
>     remote {
>         acceptable_kmp { ikev2; };
>         ikev2 {
>             logmode normal;
>             kmp_sa_lifetime_time infinite;
>             kmp_sa_lifetime_byte infinite;
>             max_retry_to_send 3;
>             interval_to_send 10 sec;
>             times_per_send 1;
>             kmp_sa_nego_time_limit 60 sec;
>             ipsec_sa_nego_time_limit 40 sec;
>             kmp_enc_alg { aes128_cbc; 3des_cbc; };
>             kmp_prf_alg { hmac_md5; hmac_sha1; aes_xcbc; };
>             kmp_hash_alg { hmac_sha1; hmac_md5; };
>             kmp_dh_group { modp3072; modp2048; modp1024; };
>             kmp_auth_method { psk; };
>             random_pad_content on;
>             random_padlen on;
>             max_padlen 50 bytes;
>         };
>     };
>     policy {
>         ipsec_mode transport;
>         ipsec_level require;
>     };
>     ipsec {
>         ipsec_sa_lifetime_time infinite;
>         ipsec_sa_lifetime_byte infinite;
>     };
>     sa {
>         esp_enc_alg { aes128_cbc; 3des_cbc; };
>         esp_auth_alg { hmac_sha1; hmac_md5; };
>     };
> };
> ipsec ipsec_ah_esp {
>     ipsec_sa_lifetime_time 28800 sec;
>     sa_index { ah_01; esp_01; };
> };
> ipsec ipsec_esp {
>     ipsec_sa_lifetime_time 28800 sec;
>     sa_index esp_01;
> };
> sa ah_01 {
>     sa_protocol ah;
>     ah_auth_alg { hmac_sha1; hmac_md5; };
> };
> sa esp_01 {
>     sa_protocol esp;
>     esp_enc_alg { aes128_cbc; 3des_cbc; };
>     esp_auth_alg { hmac_sha1; hmac_md5; };
> };
> remote HomeAgent {
>     acceptable_kmp { ikev2; };
>     ikev2 {
>         my_id x509_subject "/etc/racoon2/certs/mn.platine.com.cert";
>         peers_id x509_subject "/etc/racoon2/certs/cacert.pem";
>         kmp_auth_method { rsasig; };
>         my_public_key x509pem "/etc/racoon2/certs/mn.platine.com.cert"
>             "/etc/racoon2/certs/mn.platine.com.key.pem";
>         peers_public_key x509pem "/etc/racoon2/certs/cacert.pem" "";
>     };
> };
> # Policy and selector for protecting the BU/BA messages for Home Registration.
> policy HomeRegBinding {
>     remote_index HomeAgent;
>     ipsec_mode transport;
>     action auto_ipsec;
>     ipsec_index { ipsec_esp; };
>     ipsec_level require;
>     peers_sa_ipaddr 2001:660:6602:103::2;
>     my_sa_ipaddr 2001:660:6602:103::3;
>     install off;
> };
> selector HomeRegBinding_out {
>     direction outbound;
>     dst 2001:660:6602:103::2;
>     src 2001:660:6602:103::3;
>     policy_index HomeRegBinding;
>     upper_layer_protocol 135 5 6;
>     reqid 200; # Note: you may choose whatever value you want, but it must be in sync with mip6d.conf and unique.
> };
> # Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
> policy MobPfxDisc {
>     remote_index HomeAgent;
>     ipsec_mode transport;
>     action auto_ipsec;
>     ipsec_index { ipsec_esp; };
>     ipsec_level require;
>     peers_sa_ipaddr 2001:660:6602:103::2;
>     my_sa_ipaddr 2001:660:6602:103::3;
>     install off;
> };
> selector MobPfxDisc_out {
>     direction outbound;
>     dst 2001:660:6602:103::2;
>     src 2001:660:6602:103::3;
>     policy_index MobPfxDisc;
>     upper_layer_protocol 135 92 93;
>     reqid 202;
> };
> # Tunnel all traffic between MN and HA when the MN is not at home.
> policy TunnelMh {
>     remote_index HomeAgent;
>     ipsec_mode tunnel;
>     action auto_ipsec;
>     ipsec_index { ipsec_esp; };
>     ipsec_level require;
>     peers_sa_ipaddr 2001:660:6602:103::2;
>     my_sa_ipaddr 2001:660:6602:103::3;
>     install off;
> };
> selector TunnelMh_out {
>     direction outbound;
>     dst 2001:660:6602:103::2;
>     src 2001:660:6602:103::3;
>     policy_index TunnelMh;
>     reqid 204;
> };
>
> Maybe someone could help me...
>
> Regards,
> Emmanuel
>
> _______________________________________________
> Support mailing list
> Support at ml.nautilus6.org
> http://ml.nautilus6.org/mailman/listinfo/support
>
--
Sebastien Decugis
http://www.nautilus6.org
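The comment in the quoted racoon2.conf says each selector's reqid must be in sync with mip6d.conf and unique. The script below is an added example written for this thread; it is not code from the thread, from UMIP/mip6d or from racoon2. It parses the IPsecPolicy lines of mip6d.conf and the selector blocks of racoon2.conf (trimmed copies of the posted configs are embedded as constructed sample input) and reports a reqid that differs between the two files, one shared by two racoon2 policies, or one present on only one side. On the posted configs it reports only that MobPfxDisc has a racoon2 selector while its mip6d.conf line is commented out.

```python
"""Cross-check IPsec reqids between mip6d.conf and racoon2.conf.

Added example for this thread, not code from mip6d or racoon2. The sample
inputs are trimmed, constructed copies of the configs posted in the thread.
"""
import re
from collections import defaultdict

MIP6D_CONF = """\
IPsecPolicySet {
    HomeAgentAddress 2001:660:6602:103::2;
    HomeAddress 2001:660:6602:103::3/64;
    IPsecPolicy HomeRegBinding UseESP 200;
    # IPsecPolicy MobPfxDisc UseESP 202;
    IPsecPolicy TunnelMh UseESP 204;
}
"""

RACOON2_CONF = """\
# Policy blocks (install off, mip6d manages the SPD) omitted; selectors only.
selector HomeRegBinding_out {
    direction outbound;
    dst 2001:660:6602:103::2;
    src 2001:660:6602:103::3;
    policy_index HomeRegBinding;
    reqid 200; # must be in sync with mip6d.conf and unique
};
selector MobPfxDisc_out {
    direction outbound;
    policy_index MobPfxDisc;
    reqid 202;
};
selector TunnelMh_out {
    direction outbound;
    policy_index TunnelMh;
    reqid 204;
};
"""


def _strip_comments(text):
    """Drop '#' comments (used by both daemons) so commented-out lines are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_mip6d_policies(text):
    """Return {policy_name: reqid} for active IPsecPolicy lines in mip6d.conf."""
    pat = re.compile(r"^\s*IPsecPolicy\s+(\w+)\s+(?:Use\w+\s+)+(\d+)\s*;", re.M)
    return {name: int(reqid) for name, reqid in pat.findall(_strip_comments(text))}


def parse_racoon2_selectors(text):
    """Return {selector_name: (policy_index, reqid)} from racoon2.conf selector blocks."""
    out = {}
    # Selector bodies contain no nested braces, so a lazy match up to '};' is enough.
    for m in re.finditer(r"selector\s+(\w+)\s*\{(.*?)\}\s*;", _strip_comments(text), re.S):
        name, body = m.group(1), m.group(2)
        policy = re.search(r"policy_index\s+(\w+)\s*;", body)
        reqid = re.search(r"\breqid\s+(\d+)\s*;", body)
        out[name] = (policy.group(1) if policy else None,
                     int(reqid.group(1)) if reqid else None)
    return out


def check_reqids(mip6d_policies, selectors):
    """Return [(severity, message)]; 'error' means the two daemons would disagree."""
    findings = []
    policies_by_reqid = defaultdict(set)
    reqids_by_policy = defaultdict(set)
    for sel, (policy, reqid) in selectors.items():
        if policy is None or reqid is None:
            findings.append(("error", f"selector {sel} lacks policy_index or reqid"))
            continue
        policies_by_reqid[reqid].add(policy)
        reqids_by_policy[policy].add(reqid)
    # The kernel ties SAs to policies by reqid, so two policies sharing one
    # could end up selecting each other's SAs.
    for reqid, policies in sorted(policies_by_reqid.items()):
        if len(policies) > 1:
            findings.append(("error", f"reqid {reqid} is shared by racoon2 policies {sorted(policies)}"))
    for policy, reqids in sorted(reqids_by_policy.items()):
        if len(reqids) > 1:
            findings.append(("error", f"racoon2 selectors for {policy} disagree on reqid: {sorted(reqids)}"))
    for name, reqid in mip6d_policies.items():
        if name not in reqids_by_policy:
            findings.append(("error", f"mip6d IPsecPolicy {name} (reqid {reqid}) has no racoon2 selector"))
        elif reqid not in reqids_by_policy[name]:
            findings.append(("error", f"mip6d IPsecPolicy {name} uses reqid {reqid}, "
                                      f"racoon2 uses {sorted(reqids_by_policy[name])}"))
    for policy in sorted(reqids_by_policy):
        if policy not in mip6d_policies:
            findings.append(("info", f"racoon2 policy {policy} has a selector but mip6d.conf "
                                     f"has no active IPsecPolicy for it"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_reqids(parse_mip6d_policies(MIP6D_CONF),
                                      parse_racoon2_selectors(RACOON2_CONF)):
        print(f"[{severity}] {msg}")
```

Point it at real files by reading them into the two strings; the regexes only cover the IPsecPolicy and selector syntax shown in the thread, so other mip6d or racoon2 constructs are ignored rather than parsed.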