 
 From:  "Robert Salomons" <rh underscore salomons at solcon dot nl>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPsec & failed to get sainfo
 Date:  Tue, 21 Dec 2004 17:31:59 +0100
Dear reader,

It's almost 2 days now that I'm breaking my skull over this issue...

I'm trying to create a VPN connection based on IPsec.

But the error that keeps continuing is:
router1

Dec 20 23:37:30 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet. 
Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo. 
Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo. 
Dec 20 23:37:30 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation:
xxx.xxx.221.219[0]<=>xxx.xxx.254.122[0] 
Dec 20 23:37:29 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established
xxx.xxx.221.219[500]-xxx.xxx.254.122[500] spi:8a58411f6aa4a6c0:8d484e083f558571 
Dec 20 23:37:29 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try
to get one by the peer's address. 
Dec 20 23:37:29 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode. 
Dec 20 23:37:29 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation:
xxx.xxx.221.219[500]<=>xxx.xxx.254.122[500]
 

and on the other router
router2

Dec 21 00:48:22 racoon: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation:
xxx.xxx.254.122[0]<=>xxx.xxx.221.219[0] 
Dec 21 00:48:21 racoon: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established
xxx.xxx.254.122[500]-xxx.xxx.221.219[500] spi:8a58411f6aa4a6c0:8d484e083f558571 
Dec 21 00:48:21 racoon: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try
to get one by the peer's address. 
Dec 21 00:48:21 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched. 
Dec 21 00:48:21 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon 
Dec 21 00:48:21 racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode. 
Dec 21 00:48:21 racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
xxx.xxx.254.122[500]<=>xxx.xxx.221.219[500] 
Dec 21 00:48:21 racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for
xxx.xxx.221.219 queued due to no phase1 found. 



works great.
I downloaded some manuals from the site, took a look at some example racoon.confs, and created a
config on my m0n0wall routers. I tried thousands of options, but I can't get through this!!! I tried
different versions of m0n0wall: 1.0, 1.1, 1.11, 1.2b3. Pre-shared keys are good.


Though I'm pretty sure I use the right settings, I still seem to be missing something. Who can give
me a clue?

Thanks in advance,
RS

P.S. To answer your next question, below are the configs.

router 1
path pre_shared_key "/var/etc/psk.txt";

remote xxx.xxx.254.122 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.221.219";
 peers_identifier address xxx.xxx.254.122;
 initial_contact on;
 support_proxy on;
 proposal_check obey;

 proposal {
  encryption_algorithm blowfish;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2;
  lifetime time 28800 secs;
 }
 lifetime time 28800 secs;
}

sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate;
 pfs_group 2;
 lifetime time 86400 secs;
}



SPD 
192.168.0.0/16[any] 192.168.10.3[any] any
 in none
 spid=143 seq=3 pid=2338
 refcnt=1
100.0.0.0/24[any] 192.168.0.0/16[any] any
 in ipsec
 esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16478
 spid=146 seq=2 pid=2338
 refcnt=1
192.168.10.3[any] 192.168.0.0/16[any] any
 out none
 spid=144 seq=1 pid=2338
 refcnt=1
192.168.0.0/16[any] 100.0.0.0/24[any] any
 out ipsec
 esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16477
 spid=145 seq=0 pid=2338
 refcnt=1
 


SAD 
No SAD entries.
 




router 2

path pre_shared_key "/var/etc/psk.txt";

remote xxx.xxx.221.219 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.254.122";
 peers_identifier address xxx.xxx.221.219;
 initial_contact on;
 support_proxy on;
 proposal_check obey;
 proposal {
  encryption_algorithm blowfish;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2;
  lifetime time 28800 secs;
 }
 lifetime time 28800 secs;
}

sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate;
 pfs_group 2;
 lifetime time 86400 secs;
}




SPD 
192.168.10.0/24[any] 100.0.0.0/24[any] any
 in ipsec
 esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16426
 spid=42 seq=1 pid=9831
 refcnt=1
100.0.0.0/24[any] 192.168.10.0/24[any] any
 out ipsec
 esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16425
 spid=41 seq=0 pid=9831
 refcnt=1
 


SAD 
No SAD entries.
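As an added illustration (not part of the original post, nor m0n0wall or racoon code), the check below parses the two sainfo lines quoted above and reports that they are not mirror images: racoon's responder selects a sainfo by the phase 2 selectors the initiator proposes, so a local/remote pair on one router must appear swapped on the other, and the 192.168.0.0/16 versus 192.168.10.0/24 asymmetry above is the kind of mismatch that ends in "failed to get sainfo". Function names, the regex and the trimmed sample configs are assumptions made for this example.

```python
"""Check that two racoon.conf files define mirror-image sainfo selectors.

racoon's responder looks up the sainfo whose (local, remote) selectors equal
the phase 2 IDs the initiator proposes; an asymmetric pair of sainfo lines
therefore fails with "failed to get sainfo". Names here are this example's own.
"""
import ipaddress
import re

# sainfo address <local>/<plen> <ul_proto> address <remote>/<plen> <ul_proto> {
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{",
    re.MULTILINE,
)


def parse_sainfo(conf):
    """Return a list of (local_net, local_proto, remote_net, remote_proto)."""
    out = []
    for loc, lproto, rem, rproto in SAINFO_RE.findall(conf):
        out.append((ipaddress.ip_network(loc, strict=False), lproto,
                    ipaddress.ip_network(rem, strict=False), rproto))
    return out


def mirror_mismatches(conf_a, conf_b):
    """Every sainfo on A must appear on B with local/remote swapped, and vice
    versa. Returns human-readable problems; an empty list means symmetric."""
    a, b = parse_sainfo(conf_a), parse_sainfo(conf_b)
    problems = []
    for side, mine, theirs in (("A", a, b), ("B", b, a)):
        for loc, lp, rem, rp in mine:
            if (rem, rp, loc, lp) not in theirs:
                problems.append(
                    f"router {side}: sainfo {loc} <-> {rem} has no mirror on the peer")
    return problems


# Constructed sample: the two sainfo lines from the post, trimmed to one option.
ROUTER1 = ("sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {\n"
           " encryption_algorithm blowfish;\n}\n")
ROUTER2 = ("sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {\n"
           " encryption_algorithm blowfish;\n}\n")

if __name__ == "__main__":
    for line in mirror_mismatches(ROUTER1, ROUTER2) or ["sainfo selectors mirror each other"]:
        print(line)
```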