-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ohh - just searched the lists some more - FreeBSD does not support NAT-T :(
Well - I've set up PPTP now - it connects - and I've enabled the firewall
rule - but still no traffic through - will check the m0n0 logs to see if
it says anything about the traffic.. - hope I'm closer to making it work
there :)
Sorry for being too hasty here - thought I had checked for NAT-T support
(dooh!).
on 06-10-2004 15:40 Klavs Klavsen wrote:
| Hi guys,
|
| Resend of "softremoteLT-ipsec->mono bug?" to dev list - as this smells
| more like a bug.
|
| Can you confirm this is a bug? According to everything I can read on the
| list, it should "just work" - yet it doesn't - and there's the weird
| error message, shown below.
| --
| I just set up a M0n0wall 1.2b1 and set up ipsec - mobile clients (set to
| aggressive etc. - exactly as shown here:
| http://m0n0.ch/wall/docbook/faq.html#id2591386
|
| The connection is opened - and the client says it sends packets through
| when I try to ping - however I never get an answer.
|
| This is the M0n0wall system log - notice the weird errors at the bottom
| - which makes me believe the routes to my ipsec/mobile client are the
| problem:
|
| Oct 6 11:34:55 racoon: INFO: isakmp_inf.c:989:purge_ipsec_spi(): purged
| IPsec-SA proto_id=ESP spi=3793674120.
| Oct 6 11:34:55 racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi():
| purged ISAKMP-SA proto_id=ISAKMP spi=459580eb864f454e:06c66f937f909708.
| Oct 6 11:34:56 racoon: INFO: isakmp.c:1574:isakmp_ph1delete():
| ISAKMP-SA deleted 83.89.136.110[500]-213.237.54.63[500]
| spi:459580eb864f454e:06c66f937f909708
| Oct 6 11:35:17 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond
| new phase 1 negotiation: 83.89.136.110[500]<=>213.237.54.63[500]
| Oct 6 11:35:17 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
| Aggressive mode.
| Oct 6 11:35:21 racoon: WARNING:
| isakmp_inf.c:1345:isakmp_check_notify(): ignore INITIAL-CONTACT
| notification, because it is only accepted after phase1.
| Oct 6 11:35:21 racoon: INFO: isakmp.c:2459:log_ph1established():
| ISAKMP-SA established 83.89.136.110[500]-213.237.54.63[500]
| spi:65e8b156ed6433c1:6cc96917027fb3a4
| Oct 6 11:35:21 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond
| new phase 2 negotiation: 83.89.136.110[0]<=>213.237.54.63[0]
| Oct 6 11:35:21 racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no
| policy found, try to generate the policy : 192.168.1.51/32[0]
| 10.1.32.0/24[0] proto=any dir=in
| Oct 6 11:35:25 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
| established: ESP/Tunnel 213.237.54.63->83.89.136.110
| spi=109501380(0x686dbc4)
| Oct 6 11:35:25 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
| established: ESP/Tunnel 83.89.136.110->213.237.54.63
| spi=625586047(0x2549af7f)
| Oct 6 11:35:25 racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
| policy does not already exist: 192.168.1.51/32[0] 10.1.32.0/24[0]
| proto=any dir=in
| Oct 6 11:35:25 racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
| policy does not already exist: 10.1.32.0/24[0] 192.168.1.51/32[0]
| proto=any dir=out
|
| also output from setkey:
|
| $ setkey -DP
| 192.168.1.51[any] 10.1.32.0/24[any] any
| in ipsec
| esp/tunnel/213.237.54.63-83.89.136.110/require
| spid=19 seq=1 pid=577
| refcnt=1
| 10.1.32.0/24[any] 192.168.1.51[any] any
| out ipsec
| esp/tunnel/83.89.136.110-213.237.54.63/require
| spid=20 seq=0 pid=577
| refcnt=1
|
| I don't know how I should/could continue here - so I hope you have an
| idea of what is wrong here - so I can get the tunnel up and running :(
|
- --
Regards,
Klavs Klavsen, GSEC - kl at vsen dot dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBZmirPToLeX4GPGIRAk0vAJ9kYd3kaF3xxmbUNDOHzGPGnyQ/jACguu2t
wwhY1ElDQNd7RX8m1e+OMsc=
=NE1K
-----END PGP SIGNATURE-----