 From:  Klavs Klavsen <kl at vsen dot dk>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] softremoteLT-ipsec->mono bug?
 Date:  Fri, 08 Oct 2004 12:15:07 +0200

Ohh - just searched the lists some more - FreeBSD does not support NAT-T  :(

Well - I've set up PPTP now - it connects - and I've enabled the firewall
rule - but still no traffic through - will check the m0n0 logs to see if
it says anything about the traffic.. - hope I'm closer to making it work
there :)

Sorry for being too hasty here - thought I had checked for NAT-T support
(dooh!).

on 06-10-2004 15:40 Klavs Klavsen wrote:
| Hi guys,
|
| Resend of "softremoteLT-ipsec->mono bug?" to dev list - as this smells
| more like a bug.
|
| Can you confirm this is a bug? According to everything I can read on the
| list, it should "just work" - yet it doesn't - and there's the weird
| errormsg, shown below.
| --
| I just set up a M0n0wall 1.2b1 and set up ipsec - mobile clients (set to
| aggressive etc. - exactly as shown here:
| http://m0n0.ch/wall/docbook/faq.html#id2591386
|
| The connection is opened - and the client says it sends packets through
| when I try to ping - however I never get an answer.
|
| This is the M0n0wall system log - notice the weird errors at the bottom
| - which makes me believe the routes to my ipsec/mobile client is the
| problem:
|
| Oct 6 11:34:55     racoon: INFO: isakmp_inf.c:989:purge_ipsec_spi(): purged
| IPsec-SA proto_id=ESP spi=3793674120.
| Oct 6 11:34:55     racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi():
| purged ISAKMP-SA proto_id=ISAKMP spi=459580eb864f454e:06c66f937f909708.
| Oct 6 11:34:56     racoon: INFO: isakmp.c:1574:isakmp_ph1delete():
| ISAKMP-SA deleted 83.89.136.110[500]-213.237.54.63[500]
| spi:459580eb864f454e:06c66f937f909708
| Oct 6 11:35:17     racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond
| new phase 1 negotiation: 83.89.136.110[500]<=>213.237.54.63[500]
| Oct 6 11:35:17     racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
| Aggressive mode.
| Oct 6 11:35:21     racoon: WARNING:
| isakmp_inf.c:1345:isakmp_check_notify(): ignore INITIAL-CONTACT
| notification, because it is only accepted after phase1.
| Oct 6 11:35:21     racoon: INFO: isakmp.c:2459:log_ph1established():
| ISAKMP-SA established 83.89.136.110[500]-213.237.54.63[500]
| spi:65e8b156ed6433c1:6cc96917027fb3a4
| Oct 6 11:35:21     racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond
| new phase 2 negotiation: 83.89.136.110[0]<=>213.237.54.63[0]
| Oct 6 11:35:21     racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no
| policy found, try to generate the policy : 192.168.1.51/32[0]
| 10.1.32.0/24[0] proto=any dir=in
| Oct 6 11:35:25     racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
| established: ESP/Tunnel 213.237.54.63->83.89.136.110
| spi=109501380(0x686dbc4)
| Oct 6 11:35:25     racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
| established: ESP/Tunnel 83.89.136.110->213.237.54.63
| spi=625586047(0x2549af7f)
| Oct 6 11:35:25     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
| policy does not already exist: 192.168.1.51/32[0] 10.1.32.0/24[0]
| proto=any dir=in
| Oct 6 11:35:25     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
| policy does not already exist: 10.1.32.0/24[0] 192.168.1.51/32[0]
| proto=any dir=out
|
| also output from setkey:
|
| $ setkey -DP
| 192.168.1.51[any] 10.1.32.0/24[any] any
|     in ipsec
|     esp/tunnel/213.237.54.63-83.89.136.110/require
|     spid=19 seq=1 pid=577
|     refcnt=1
| 10.1.32.0/24[any] 192.168.1.51[any] any
|     out ipsec
|     esp/tunnel/83.89.136.110-213.237.54.63/require
|     spid=20 seq=0 pid=577
|     refcnt=1
|
| I don't know how I should/could continue here - so I hope you have an
| idea of what is wrong here - so I can get the tunnel up and running :(
|

--
Regards,
Klavs Klavsen, GSEC - kl at vsen dot dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
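A small checker for the `setkey -DP` dump quoted in the thread: it parses the SPD entries and reports any tunnel policy that lacks its mirror image (swapped selectors, swapped tunnel endpoints, opposite direction), which is the pair racoon tries to update in the `pk_recvspdupdate()` errors above. This is an added example, not code from the thread, m0n0wall or ipsec-tools; the sample dump is constructed from the output quoted above.

```python
"""Parse `setkey -DP` output and check that each tunnel policy has its
in/out counterpart.  Added example; not part of m0n0wall or ipsec-tools."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample, shaped after the `setkey -DP` dump quoted in the thread.
SAMPLE_SPD = """\
192.168.1.51[any] 10.1.32.0/24[any] any
    in ipsec
    esp/tunnel/213.237.54.63-83.89.136.110/require
    spid=19 seq=1 pid=577
    refcnt=1
10.1.32.0/24[any] 192.168.1.51[any] any
    out ipsec
    esp/tunnel/83.89.136.110-213.237.54.63/require
    spid=20 seq=0 pid=577
    refcnt=1
"""

HEADER = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # src[port] dst[port] proto
TUNNEL = re.compile(r"^esp/tunnel/(\S+)-(\S+)/(\w+)$")          # esp/tunnel/src-dst/level

def norm(prefix: str) -> str:
    """'192.168.1.51' -> '192.168.1.51/32', matching racoon's /32 spelling."""
    return str(ipaddress.ip_network(prefix, strict=False))

def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per SPD entry: src, dst, dir, tsrc, tdst, level, spid."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                       # unindented header line starts a new entry
            cur = {"src": norm(m.group(1)), "dst": norm(m.group(3))}
            policies.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.endswith(" ipsec"):    # "in ipsec" / "out ipsec"
            cur["dir"] = s.split()[0]
        elif (t := TUNNEL.match(s)):
            cur["tsrc"], cur["tdst"], cur["level"] = t.groups()
        elif s.startswith("spid="):
            cur["spid"] = s.split()[0].split("=")[1]
    return policies

def unmatched(policies: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Policies whose mirror (reversed selectors/endpoints, other dir) is missing."""
    have = {(p["src"], p["dst"], p["dir"], p.get("tsrc"), p.get("tdst")) for p in policies}
    flip = {"in": "out", "out": "in"}
    return [p for p in policies
            if (p["dst"], p["src"], flip[p["dir"]], p.get("tdst"), p.get("tsrc")) not in have]
```

Feed it the real dump (`setkey -DP > spd.txt`) and an empty result from `unmatched()` means the SPD holds both halves of the mobile-client policy; anything returned is the half racoon could not find.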