Phase 1 is OK on both sides.
Trouble is in phase 2.
1. If FreeBSD-GW is the initiator, then it sends the following IDs in phase 2: 10.0.2.109 and 10.0.2.108, but Sun-GW returns an ID payload with other IDs: 10.0.1.109 and 10.0.1.108.
As a result, racoon fails to negotiate with in.iked and to construct an IPsec SA between the two gateways.
2. If Sun-GW is the initiator, then it sends proposals including the following IDs: 0.0.0.0 and 0.0.0.0. But FreeBSD-GW is configured in such a way that its SPD includes only the following (inner) IDs: 10.0.2.109 and 10.0.2.108.
As a result, no suitable proposal can be found and phase 2 fails.
If proposals with 0.0.0.0 and 0.0.0.0 through the ESP tunnel are added to the SPD on FreeBSD-GW, then phase 2 negotiation succeeds and the IPsec SA is created.
<-------------Here is more detailed information------->
Here are the configs for Solaris:
File -> ipsecinit.conf:
{laddr 10.0.1.108 raddr 10.0.1.109} ipsec {encr_algs any encr_auth_algs any sa shared}
{laddr 10.0.1.109 raddr 10.0.1.108} ipsec {encr_algs any encr_auth_algs any sa shared}
File -> ike.preshared:
{ # sun-ca_server preshared
localidtype IP
localid 10.0.1.108
remoteidtype IP
remoteid 10.0.1.109
#preshared key
key 282828282828282828282129292929292929292929
}
ifconfig trace (Solaris):
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
le0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.0.1.108 netmask ffffff00 broadcast 10.0.1.255
ether 8:0:20:91:ce:e7
le0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.0.0.108 netmask ffffff00 broadcast 10.255.255.255
le0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.0.2.108 netmask ffffff00 broadcast 10.255.255.255
ip.tun0: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
inet tunnel src 10.0.1.108 tunnel dst 10.0.1.109
tunnel security settings esp (3des-cbc/hmac-md5)
tunnel hop limit 60
inet 10.0.2.108 --> 10.0.2.109 netmask ffffff00
Here are the configs for the FreeBSD gateway:
IPsec policy file:
spdadd 0.0.0.0 0.0.0.0 any -P out ipsec esp/tunnel/10.0.1.109-10.0.1.108/require;
spdadd 0.0.0.0 0.0.0.0 any -P in ipsec esp/tunnel/10.0.1.108-10.0.1.109/require;
spdadd 10.0.2.109 10.0.2.108 any -P out ipsec esp/tunnel/10.0.1.109-10.0.1.108/require;
spdadd 10.0.2.108 10.0.2.109 any -P in ipsec esp/tunnel/10.0.1.108-10.0.1.109/require;
IKE daemon file -> racoon.conf:
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}
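As an added illustration of the phase 2 selector mismatch described in the report (this is not code from the original message or from racoon), a small Python checker that parses the FreeBSD gateway's setkey spdadd policies and tests whether a peer's quick-mode IDs map onto one of them. The SPD lines are copied from the report; the proposal values fed to it are constructed from the two cases above.

```python
import ipaddress
import re

# Constructed from the report: the FreeBSD gateway's SPD (setkey spdadd syntax),
# first with only the inner 10.0.2.x selectors, then with the 0.0.0.0 workaround lines.
SPD_ORIGINAL = """
spdadd 10.0.2.109 10.0.2.108 any -P out ipsec esp/tunnel/10.0.1.109-10.0.1.108/require;
spdadd 10.0.2.108 10.0.2.109 any -P in ipsec esp/tunnel/10.0.1.108-10.0.1.109/require;
"""
SPD_WORKAROUND = SPD_ORIGINAL + """
spdadd 0.0.0.0 0.0.0.0 any -P out ipsec esp/tunnel/10.0.1.109-10.0.1.108/require;
spdadd 0.0.0.0 0.0.0.0 any -P in ipsec esp/tunnel/10.0.1.108-10.0.1.109/require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>\w+)/(?P<mode>\w+)/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)


def selector(addr):
    """setkey treats a bare address as a host: 0.0.0.0 is the host 0.0.0.0/32, not 'any'."""
    return ipaddress.ip_network(addr if "/" in addr else addr + "/32", strict=False)


def parse_spd(text):
    """Parse spdadd lines into dicts; anything that is not an spdadd entry is skipped."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["src"], p["dst"] = selector(p["src"]), selector(p["dst"])
            policies.append(p)
    return policies


def match_ids(policies, direction, id_src, id_dst):
    """Return the SPD entry whose selectors equal the peer's phase 2 IDs, or None.

    The responder looks the proposed IDs up in its SPD; with no entry in the given
    direction carrying exactly these selectors there is no policy to bind the
    proposal to, and phase 2 fails (case 2 in the report).
    """
    want = (selector(id_src), selector(id_dst))
    for p in policies:
        if p["dir"] == direction and (p["src"], p["dst"]) == want:
            return p
    return None
```

Running the checker with the Sun-GW proposal (0.0.0.0, 0.0.0.0) against SPD_ORIGINAL returns None, and against SPD_WORKAROUND returns the added entry, which reproduces both outcomes described in the report.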