 From:  "Mark Spieth" <mspieth at neod dot net>
 To:  "Robert Salomons" <rh underscore salomons at solcon dot nl>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPsec & failed to get sainfo
 Date:  Tue, 21 Dec 2004 11:50:12 -0500
I had this same issue last week. To set the tunnels up quickly I put in a simple preshared key. I
tried and tried, the VPN just never linked up. Then I replaced the shared key with something strange
like 6rgQI9X3 and it linked right up.

Mark Spieth - Director of Internet Services

Northeast Ohio Digital Inc.

http://www.neod.net

mspieth at neod dot net

330-830-6551

 

CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the
sender. The information contained in the attached materials is privileged and/or confidential and is
intended only for the use of the above-named individual(s) or entity(ies). If you are not the
intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking
of any action in reliance on the contents of the attached information is strictly prohibited. If you
have received this transmission in error, please discard the information immediately.


-----Original Message-----
From: Robert Salomons [mailto:rh underscore salomons at solcon dot nl] 
Sent: Tuesday, December 21, 2004 11:32 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPsec & failed to get sainfo

Dear reader,

It's almost 2 days now that I'm breaking my skull over this issue...

I'm trying to create a VPN connection based on IPsec.

But the error that keeps continuing is:
router1

Dec 20 23:37:30 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet. 
Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo. 
Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo. 
Dec 20 23:37:30 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation:
xxx.xxx.221.219[0]<=>xxx.xxx.254.122[0] 
Dec 20 23:37:29 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established
xxx.xxx.221.219[500]-xxx.xxx.254.122[500] spi:8a58411f6aa4a6c0:8d484e083f558571 
Dec 20 23:37:29 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try
to get one by the peer's address. 
Dec 20 23:37:29 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode. 
Dec 20 23:37:29 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation:
xxx.xxx.221.219[500]<=>xxx.xxx.254.122[500]
 

and on the other router
router2

Dec 21 00:48:22 racoon: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation:
xxx.xxx.254.122[0]<=>xxx.xxx.221.219[0] 
Dec 21 00:48:21 racoon: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established
xxx.xxx.254.122[500]-xxx.xxx.221.219[500] spi:8a58411f6aa4a6c0:8d484e083f558571 
Dec 21 00:48:21 racoon: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try
to get one by the peer's address. 
Dec 21 00:48:21 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched. 
Dec 21 00:48:21 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon 
Dec 21 00:48:21 racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode. 
Dec 21 00:48:21 racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
xxx.xxx.254.122[500]<=>xxx.xxx.221.219[500] 
Dec 21 00:48:21 racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for
xxx.xxx.221.219 queued due to no phase1 found. 

works great.
I downloaded some manuals from the site, took a look at some example racoon.conf's, and created a
config on my m0n0wall routers. I tried thousands of options, but I can't get through this!!! I tried
different versions of m0n0wall, from 1.0, 1.1, 1.11, 1.2b3. Pre-shared keys are good.


Though I'm pretty sure I use the right settings, I still seem to be missing something. Who can give
me a clue?

Thanks in advance,
RS

P.S. To answer your next question, below are the configs.

router 1
path pre_shared_key "/var/etc/psk.txt";

remote xxx.xxx.254.122 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.221.219";
 peers_identifier address xxx.xxx.254.122;
 initial_contact on;
 support_proxy on;
 proposal_check obey;

 proposal {
  encryption_algorithm blowfish;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2;
  lifetime time 28800 secs;
 }
 lifetime time 28800 secs;
}

sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate;
 pfs_group 2;
 lifetime time 86400 secs;
}

SPD 
192.168.0.0/16[any] 192.168.10.3[any] any
 in none
 spid=143 seq=3 pid=2338
 refcnt=1
100.0.0.0/24[any] 192.168.0.0/16[any] any
 in ipsec
 esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16478
 spid=146 seq=2 pid=2338
 refcnt=1
192.168.10.3[any] 192.168.0.0/16[any] any
 out none
 spid=144 seq=1 pid=2338
 refcnt=1
192.168.0.0/16[any] 100.0.0.0/24[any] any
 out ipsec
 esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16477
 spid=145 seq=0 pid=2338
 refcnt=1
 
SAD 
No SAD entries.
 
router 2

path pre_shared_key "/var/etc/psk.txt";

remote xxx.xxx.221.219 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.254.122";
 peers_identifier address xxx.xxx.221.219;
 initial_contact on;
 support_proxy on;
 proposal_check obey;
 proposal {
  encryption_algorithm blowfish;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2;
  lifetime time 28800 secs;
 }
 lifetime time 28800 secs;
}

sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 compression_algorithm deflate;
 pfs_group 2;
 lifetime time 86400 secs;
}

SPD 
192.168.10.0/24[any] 100.0.0.0/24[any] any
 in ipsec
 esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16426
 spid=42 seq=1 pid=9831
 refcnt=1
100.0.0.0/24[any] 192.168.10.0/24[any] any
 out ipsec
 esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16425
 spid=41 seq=0 pid=9831
 refcnt=1
 
SAD 
No SAD entries.
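A static consistency check over the two posted racoon.conf fragments, added here as an example; it is not code from either poster, from m0n0wall or from racoon. It pulls the `remote` gateway, `my_identifier`/`peers_identifier` and the `sainfo` selectors out of each side and verifies that they mirror each other: each side's `my_identifier` must equal the other's `peers_identifier`, and every `sainfo address LOCAL any address REMOTE any` on one side needs the exact `sainfo address REMOTE any address LOCAL any` on the other, because the responder selects its sainfo from the initiator's phase-2 ID payloads. On the configs above, router 1 declares 192.168.0.0/16 <-> 100.0.0.0/24 while router 2 declares 100.0.0.0/24 <-> 192.168.10.0/24, so neither side holds a mirror of the other's sainfo; that is the kind of mismatch racoon logs as "failed to get sainfo". Assumptions: the two conf strings are constructed copies of the posted fragments with the masked gateway addresses kept as posted; exact-mirror matching is the strict reading of the sainfo lookup and this script does not model `sainfo anonymous` or non-address ID types; the pre-shared keys are not checked because psk.txt is not shown in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs: the racoon.conf fragments posted for router 1 and router 2,
# reduced to the statements that phase 1 / phase 2 selection depend on. The
# gateway addresses stay masked ("xxx.xxx...") exactly as they appear in the post.
ROUTER1_CONF = """
path pre_shared_key "/var/etc/psk.txt";
remote xxx.xxx.254.122 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.221.219";
 peers_identifier address xxx.xxx.254.122;
}
sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 pfs_group 2;
}
"""

ROUTER2_CONF = """
path pre_shared_key "/var/etc/psk.txt";
remote xxx.xxx.221.219 {
 exchange_mode aggressive;
 my_identifier address "xxx.xxx.254.122";
 peers_identifier address xxx.xxx.221.219;
}
sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
 encryption_algorithm blowfish;
 authentication_algorithm hmac_md5;
 pfs_group 2;
}
"""

REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
IDENT_RE = re.compile(
    r'^\s*(my_identifier|peers_identifier)\s+address\s+"?([^";\s]+)"?\s*;', re.M)
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{", re.M)


@dataclass
class Side:
    gateway: str = ""    # peer address from "remote <addr> {"
    my_id: str = ""      # my_identifier address, quotes stripped
    peer_id: str = ""    # peers_identifier address, quotes stripped
    # (local_net, local_proto, remote_net, remote_proto) per sainfo statement
    sainfo: list = field(default_factory=list)


def parse_conf(text):
    """Extract the identifiers and phase-2 selectors from a racoon.conf fragment."""
    side = Side()
    m = REMOTE_RE.search(text)
    if m:
        side.gateway = m.group(1)
    for key, value in IDENT_RE.findall(text):
        if key == "my_identifier":
            side.my_id = value
        else:
            side.peer_id = value
    side.sainfo = [m.groups() for m in SAINFO_RE.finditer(text)]
    return side


def check_pair(conf_a, conf_b, name_a="router 1", name_b="router 2"):
    """Return a list of mismatch findings; an empty list means the sides mirror each other."""
    a, b = parse_conf(conf_a), parse_conf(conf_b)
    findings = []
    for mine, theirs, label in ((a, b, f"{name_a} -> {name_b}"),
                                (b, a, f"{name_b} -> {name_a}")):
        # Phase 1: what one side sends as my_identifier is what the other side
        # expects as peers_identifier, and the "remote" gateway of one side is
        # the other side's own identifier.
        if mine.my_id != theirs.peer_id:
            findings.append(f"{label}: my_identifier {mine.my_id!r} != "
                            f"peers_identifier {theirs.peer_id!r}")
        if mine.gateway != theirs.my_id:
            findings.append(f"{label}: remote gateway {mine.gateway!r} != "
                            f"my_identifier {theirs.my_id!r}")
        # Phase 2: the responder looks up a sainfo by the initiator's ID payloads,
        # so every (local, remote) pair here needs the (remote, local) pair there.
        # Exact-mirror matching is an assumption of this check (strict reading);
        # "sainfo anonymous" and non-address ID types are not modelled.
        for local_net, local_proto, remote_net, remote_proto in mine.sainfo:
            mirrored = (remote_net, remote_proto, local_net, local_proto)
            if mirrored not in theirs.sainfo:
                findings.append(
                    f"{label}: sainfo {local_net} <-> {remote_net} has no mirror; expected "
                    f"'sainfo address {remote_net} {remote_proto} "
                    f"address {local_net} {local_proto}'")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ROUTER1_CONF, ROUTER2_CONF) or ["no mismatches found"]:
        print(finding)
    # Constructed variant: router 2's sainfo rewritten as the mirror of router 1's.
    fixed = ROUTER2_CONF.replace("192.168.10.0/24", "192.168.0.0/16")
    print("after fix:", check_pair(ROUTER1_CONF, fixed) or "no mismatches found")
```

Run as-is, the script reports two findings, both about the sainfo pair, and none for the phase-1 identifiers; with router 2's selector rewritten to 192.168.0.0/16 (or router 1's to 192.168.10.0/24, whichever subnet is actually behind router 1) the list is empty. The SPD dumps in the post would need the same mirrored change, since the phase-2 ID payloads the initiator sends come from the policy that triggered the negotiation.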