 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  SOLVED ipsec issues! (was: Re: ipsec issues - tunnel from 1.11 -> 1.2b3)
 Date:  Wed, 15 Dec 2004 10:32:12 -0500
Jesse Guardiani wrote:

> I'm attempting to set up an IPSec tunnel between a
> 1.11 box and a 1.2b3 box. My phase1 negotiation is
> working, but phase2 (ESP) fails. See below for the
> logs on the 1.2b3 machine (most recent first):
> 
> Dec 14 09:49:51  racoon: ERROR: pfkey.c:804:pfkey_timeover():
> 216.64.98.249 give up to get IPsec-SA due to time up to wait.
> Dec 14 09:49:41  last message repeated 2 times
> Dec 14 09:49:21  racoon: ERROR: isakmp_inf.c:141:isakmp_info_recv():
> ignore information because the message has no hash payload.
> Dec 14 09:49:21  racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate
> new phase 2 negotiation: 216.64.98.233[0]<=>216.64.98.249[0]
> 
> I've double checked my configs, and they appear to be
> the same on both ends, with the exception of phase1
> pre-shared keys.
> 
> Any ideas?

OK. The problem went away after I changed my "remote subnet" from:

192.168.1.1/24

to:

192.168.1.0/24

I got the idea from this post:
    http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=38&actionargs[]=76

This seems like an avoidable user error. Can't we make the webGUI
test the subnet and throw an error or auto-correct user mistakes?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
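
An added example, not part of the original post and not m0n0wall code: one way a form handler could perform the check the message asks for, rejecting malformed input and auto-correcting a "remote subnet" that has host bits set. The function name, result type and messages are hypothetical, and the inputs in the demo are constructed.

```python
import ipaddress
from typing import NamedTuple


class SubnetCheck(NamedTuple):
    network: str     # canonical CIDR with host bits cleared
    corrected: bool  # True when the input had host bits set
    message: str     # text a form could show next to the field


def check_remote_subnet(value: str) -> SubnetCheck:
    """Validate an IPv4 'address/prefix' field and clear any host bits.

    Raises ValueError for input that cannot be auto-corrected.
    """
    text = value.strip()
    addr_text, sep, prefix_text = text.partition("/")
    if not sep:
        raise ValueError("missing /prefix length")
    if not (prefix_text.isascii() and prefix_text.isdigit()):
        raise ValueError("prefix length must be a number")
    prefix = int(prefix_text)
    if prefix > 32:
        raise ValueError("prefix length must be 0-32")

    # IPv4Address raises AddressValueError (a ValueError) on bad octets.
    addr = int(ipaddress.IPv4Address(addr_text))

    # Build the netmask and split the address into network and host parts.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = addr & mask
    canonical = f"{ipaddress.IPv4Address(net)}/{prefix}"

    if net != addr:
        host = ipaddress.IPv4Address(addr & ~mask & 0xFFFFFFFF)
        msg = f"{text} has host bits set ({host}); using {canonical}"
        return SubnetCheck(canonical, True, msg)
    return SubnetCheck(canonical, False, "ok")


if __name__ == "__main__":
    # Constructed inputs: the value from the post, then its corrected form.
    for field in ("192.168.1.1/24", "192.168.1.0/24", "10.20.30.40/20"):
        print(field, "->", check_remote_subnet(field))
```

A stricter GUI would raise an error instead of returning the corrected value; the `corrected` flag lets the caller choose either behaviour.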