 From:  Klavs Klavsen <kl at vsen dot dk>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  softremoteLT-ipsec->mono bug?
 Date:  Wed, 06 Oct 2004 15:40:38 +0200
Hi guys,

Resend of "softremoteLT-ipsec->mono bug?" to dev list - as this smells 
more like a bug.

Can you confirm this is a bug? According to everything I can read on the 
list, it should "just work" - yet it doesn't - and there's the weird 
error message shown below.
--
I just set up a M0n0wall 1.2b1 and set up ipsec - mobile clients (set to
aggressive etc. - exactly as shown here:
http://m0n0.ch/wall/docbook/faq.html#id2591386

The connection is opened - and the client says it sends packets through
when I try to ping - however I never get an answer.

This is the M0n0wall system log - notice the weird errors at the bottom
- which make me believe the routes to my ipsec/mobile client are the
problem:

Oct 6 11:34:55 	racoon: INFO: isakmp_inf.c:989:purge_ipsec_spi(): purged
IPsec-SA proto_id=ESP spi=3793674120.
Oct 6 11:34:55 	racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi():
purged ISAKMP-SA proto_id=ISAKMP spi=459580eb864f454e:06c66f937f909708.
Oct 6 11:34:56 	racoon: INFO: isakmp.c:1574:isakmp_ph1delete():
ISAKMP-SA deleted 83.89.136.110[500]-213.237.54.63[500]
spi:459580eb864f454e:06c66f937f909708
Oct 6 11:35:17 	racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond
new phase 1 negotiation: 83.89.136.110[500]<=>213.237.54.63[500]
Oct 6 11:35:17 	racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
Aggressive mode.
Oct 6 11:35:21 	racoon: WARNING:
isakmp_inf.c:1345:isakmp_check_notify(): ignore INITIAL-CONTACT
notification, because it is only accepted after phase1.
Oct 6 11:35:21 	racoon: INFO: isakmp.c:2459:log_ph1established():
ISAKMP-SA established 83.89.136.110[500]-213.237.54.63[500]
spi:65e8b156ed6433c1:6cc96917027fb3a4
Oct 6 11:35:21 	racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond
new phase 2 negotiation: 83.89.136.110[0]<=>213.237.54.63[0]
Oct 6 11:35:21 	racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no
policy found, try to generate the policy : 192.168.1.51/32[0]
10.1.32.0/24[0] proto=any dir=in
Oct 6 11:35:25 	racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
established: ESP/Tunnel 213.237.54.63->83.89.136.110
spi=109501380(0x686dbc4)
Oct 6 11:35:25 	racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
established: ESP/Tunnel 83.89.136.110->213.237.54.63
spi=625586047(0x2549af7f)
Oct 6 11:35:25 	racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 192.168.1.51/32[0] 10.1.32.0/24[0]
proto=any dir=in
Oct 6 11:35:25 	racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 10.1.32.0/24[0] 192.168.1.51/32[0]
proto=any dir=out

also output from setkey:

$ setkey -DP
192.168.1.51[any] 10.1.32.0/24[any] any
	in ipsec
	esp/tunnel/213.237.54.63-83.89.136.110/require
	spid=19 seq=1 pid=577
	refcnt=1
10.1.32.0/24[any] 192.168.1.51[any] any
	out ipsec
	esp/tunnel/83.89.136.110-213.237.54.63/require
	spid=20 seq=0 pid=577
	refcnt=1

I don't know how I should/could continue here - so I hope you have an
idea of what is wrong here - so I can get the tunnel up and running :(

-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen dot dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
~  --Henry Spencer
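As an added example (not from the original mail, m0n0wall or racoon), the following Python script does the cross-check a reader would want to do on a report like the one above: it parses the racoon policy messages (`get_proposal_r` "try to generate the policy" and `pk_recvspdupdate` "such policy does not already exist"), parses the `setkey -DP` dump, and reports for each complaint whether a matching SPD entry is actually present and whether the established SAs have the same tunnel endpoints as that entry. The sample input is constructed from the log and setkey output quoted in the mail, with the wrapped syslog lines re-joined onto one line each; the `/32` normalisation assumes IPv4 host selectors.

```python
"""Cross-check racoon SPD complaints against a `setkey -DP` dump.

Added example; inputs are constructed from the racoon log and setkey
output quoted in the mail above (syslog lines re-joined, tabs as spaces).
"""
import re
from typing import Dict, List, Optional

RACOON_LOG = """\
Oct 6 11:35:21 racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no policy found, try to generate the policy : 192.168.1.51/32[0] 10.1.32.0/24[0] proto=any dir=in
Oct 6 11:35:25 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 213.237.54.63->83.89.136.110 spi=109501380(0x686dbc4)
Oct 6 11:35:25 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 83.89.136.110->213.237.54.63 spi=625586047(0x2549af7f)
Oct 6 11:35:25 racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such policy does not already exist: 192.168.1.51/32[0] 10.1.32.0/24[0] proto=any dir=in
Oct 6 11:35:25 racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such policy does not already exist: 10.1.32.0/24[0] 192.168.1.51/32[0] proto=any dir=out
"""

SETKEY_DP = """\
192.168.1.51[any] 10.1.32.0/24[any] any
    in ipsec
    esp/tunnel/213.237.54.63-83.89.136.110/require
    spid=19 seq=1 pid=577
    refcnt=1
10.1.32.0/24[any] 192.168.1.51[any] any
    out ipsec
    esp/tunnel/83.89.136.110-213.237.54.63/require
    spid=20 seq=0 pid=577
    refcnt=1
"""

# racoon policy messages: "... : SRC[port] DST[port] proto=X dir=in|out"
POLICY_RE = re.compile(
    r"racoon: (?P<level>INFO|ERROR): .*?(?P<func>get_proposal_r|pk_recvspdupdate)\(\): .*?: "
    r"(?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)
# racoon SA messages: "IPsec-SA established: ESP/Tunnel A->B spi=N"
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)")
# setkey -DP header line: "SRC[port] DST[port] proto"
SPD_HDR_RE = re.compile(r"^(?P<src>[^\[\s]+)\[[^\]]+\] (?P<dst>[^\[\s]+)\[[^\]]+\] (?P<proto>\S+)$")


def norm(addr: str) -> str:
    """setkey prints host selectors without a prefix; racoon prints /32 (IPv4 assumed)."""
    return addr if "/" in addr else addr + "/32"


def parse_setkey_dp(text: str) -> List[Dict]:
    """Turn a `setkey -DP` dump into a list of SPD entries (src, dst, dir, tunnel endpoints, spid)."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # unindented line starts a new entry
            m = SPD_HDR_RE.match(raw.strip())
            if not m:
                continue
            cur = {"src": norm(m["src"]), "dst": norm(m["dst"]), "proto": m["proto"]}
            entries.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.endswith(" ipsec"):                   # "in ipsec" / "out ipsec"
            cur["dir"] = line.split()[0]
        elif line.startswith("esp/tunnel/"):          # esp/tunnel/A-B/require
            cur["tunnel_src"], cur["tunnel_dst"] = line.split("/")[2].split("-")
        elif line.startswith("spid="):
            cur["spid"] = int(line.split()[0].split("=")[1])
    return entries


def find_policy(spd: List[Dict], src: str, dst: str, direction: str) -> Optional[Dict]:
    return next((e for e in spd if (e.get("src"), e.get("dst"), e.get("dir")) == (src, dst, direction)), None)


def analyse(log_text: str, setkey_text: str) -> List[Dict]:
    """For every racoon policy message, say whether the SPD holds that policy and whether an SA fits it."""
    spd = parse_setkey_dp(setkey_text)
    sas = [m.groupdict() for m in SA_RE.finditer(log_text)]
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        src, dst, d = norm(m["src"]), norm(m["dst"]), m["dir"]
        entry = find_policy(spd, src, dst, d)
        f = {"event": m["func"], "level": m["level"], "src": src, "dst": dst, "dir": d,
             "in_spd": entry is not None, "spid": entry.get("spid") if entry else None,
             "sa_matches_tunnel": None}
        if entry is not None:
            # an established SA should have the same endpoints as the SPD entry's tunnel
            f["sa_matches_tunnel"] = any(
                sa["src"] == entry.get("tunnel_src") and sa["dst"] == entry.get("tunnel_dst") for sa in sas)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(RACOON_LOG, SETKEY_DP):
        state = f"present as spid={f['spid']}" if f["in_spd"] else "MISSING from SPD"
        print(f"{f['level']:5} {f['event']:17} {f['dir']:3} {f['src']} -> {f['dst']}: "
              f"{state}, SA endpoints match tunnel: {f['sa_matches_tunnel']}")
```

On the quoted data the script reports both `pk_recvspdupdate` complaints as present in the SPD (spid 19 inbound, spid 20 outbound) with SAs whose endpoints match the tunnel addresses, so the dump taken afterwards does not show a missing policy; run the same check with a dump taken while racoon logs the error to see whether the entries exist at that moment.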