I'm having weird luck with IPsec using PB18. Connecting from a net4501 M0n0wall to an OpenBSD ISAKMPD box works 99% of the time. On occasion, it drops the connection, and can take upwards of 3 minutes to re-establish the connection. Various errors pop up on the screen, but it makes it through.

Trying to get rid of this annoyance, I've set up a M0n0wall on the same subnet as the OpenBSD box. Changing the configuration on the net4501 to match the settings on the M0n0wall results in:

Oct 30 12:06:03 racoon: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
Oct 30 12:06:03 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Oct 30 12:06:03 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Oct 30 12:06:03 racoon: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: xx.yyy.zz.www[0]<=>aa.bbb.ccc.ddd[0]
Oct 30 12:05:52 racoon: ERROR: isakmp.c:1063:isakmp_ph2begin_r(): failed to pre-process packet.
Oct 30 12:05:52 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Oct 30 12:05:52 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Oct 30 12:05:52 racoon: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: xx.yyy.zz.www[0]<=>aa.bbb.ccc.ddd[0]
Oct 30 12:05:52 racoon: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established xx.yyy.zz.www[500]-aa.bbb.ccc.ddd[500] spi:9cdf224c6c500d8a:aa219300404b661f
Oct 30 12:05:52 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.
Oct 30 12:05:50 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/raccoon

I can't get M0n0Wall to talk to M0n0wall. I would certainly think that doing so would be a supported feature.

The other M0n0Wall is showing:

Oct 30 11:44:56 m0n0wall racoon: ERROR: pfkey.c:741:pfkey_timeover(): xx.yyy.zz.www give up to get IPsec-SA due to time up to wait.
Oct 30 11:44:56 m0n0wall racoon: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted aa.bbb.ccc.ddd[500]-xx.yyy.zz.www[500] spi:19427c6826513e53:30db42e9f0c7adf6
Oct 30 11:45:18 m0n0wall racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for xx.yyy.zz.www queued due to no phase1 found.
Oct 30 11:45:18 m0n0wall racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: aa.bbb.ccc.ddd[500]<=>xx.yyy.zz.www[500]
Oct 30 11:45:18 m0n0wall racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Identity Protection mode.
Oct 30 11:45:49 m0n0wall racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP xx.yyy.zz.www-> aa.bbb.ccc.ddd
Oct 30 11:45:49 m0n0wall racoon: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase 2 handler.
Oct 30 11:46:10 m0n0wall racoon: INFO: isakmp.c:1703:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Oct 30 11:46:18 m0n0wall racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): phase1 negotiation failed due to time up. 54423019d006a2d9:0000000000000000
Oct 30 11:46:41 m0n0wall racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP xx.yyy.zz.www->aa.bbb.ccc.ddd
Oct 30 11:46:41 m0n0wall racoon: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase 2 handler.
Oct 30 11:47:02 m0n0wall racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for xx.yyy.zz.www queued due to no phase1 found.
Oct 30 11:47:02 m0n0wall racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: aa.bbb.ccc.ddd[500]<=>xx.yyy.zz.www[500]
Oct 30 11:47:02 m0n0wall racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Identity Protection mode.
Oct 30 11:47:33 m0n0wall racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP xx.yyy.zz.www->aa.bbb.ccc.ddd
Oct 30 11:47:33 m0n0wall racoon: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase 2 handler.

Any ideas on what I am missing?

Greg Nicholson