 From:  "Robert Salomons" <rh underscore salomons at solcon dot nl>
 To:  "Mark Spieth" <mspieth at neod dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPsec & failed to get sainfo
 Date:  Tue, 21 Dec 2004 18:15:55 +0100
Hi,

Unfortunately this doesn't work for me ...

I changed it to something with @!%* digits and so on, but I still can't get 
it up.

What next?
----- Original Message ----- 
From: "Mark Spieth" <mspieth at neod dot net>
To: "Robert Salomons" <rh underscore salomons at solcon dot nl>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, December 21, 2004 5:50 PM
Subject: RE: [m0n0wall] IPsec & failed to get sainfo


>I had this same issue last week. To set the tunnels up quickly I put in a 
>simple preshared key. I tried and tried, the VPN just never linked up. Then 
>I replaced the shared key with something strange like 6rgQI9X3 and it 
>linked right up.
>
> Mark Spieth - Director of Internet Services
>
> Northeast Ohio Digital Inc.
>
> http://www.neod.net
>
> mspieth at neod dot net
>
> 330-830-6551
>
>
> -----Original Message-----
> From: Robert Salomons [mailto:rh underscore salomons at solcon dot nl]
> Sent: Tuesday, December 21, 2004 11:32 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPsec & failed to get sainfo
>
> Dear reader,
>
> It's almost 2 days now that I'm breaking my skull over this issue...
>
> I'm trying to create a VPN connection, based on IP-Sec.
>
> But the error that keeps continuing is:
> router1
>
> Dec 20 23:37:30 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed 
> to pre-process packet.
> Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed 
> to get sainfo.
> Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed 
> to get sainfo.
> Dec 20 23:37:30 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond 
> new phase 2 negotiation: xxx.xxx.221.219[0]<=>xxx.xxx.254.122[0]
> Dec 20 23:37:29 racoon: INFO: isakmp.c:2459:log_ph1established(): 
> ISAKMP-SA established xxx.xxx.221.219[500]-xxx.xxx.254.122[500] 
> spi:8a58411f6aa4a6c0:8d484e083f558571
> Dec 20 23:37:29 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't 
> find the proper pskey, try to get one by the peer's address.
> Dec 20 23:37:29 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin 
> Aggressive mode.
> Dec 20 23:37:29 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond 
> new phase 1 negotiation: xxx.xxx.221.219[500]<=>xxx.xxx.254.122[500]
>
>
> and on the other router
> router2
>
> Dec 21 00:48:22 racoon: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate 
> new phase 2 negotiation: xxx.xxx.254.122[0]<=>xxx.xxx.221.219[0]
> Dec 21 00:48:21 racoon: INFO: isakmp.c:2412:log_ph1established(): 
> ISAKMP-SA established xxx.xxx.254.122[500]-xxx.xxx.221.219[500] 
> spi:8a58411f6aa4a6c0:8d484e083f558571
> Dec 21 00:48:21 racoon: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't 
> find the proper pskey, try to get one by the peer's address.
> Dec 21 00:48:21 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID 
> value mismatched.
> Dec 21 00:48:21 racoon: INFO: vendorid.c:128:check_vendorid(): received 
> Vendor ID: KAME/racoon
> Dec 21 00:48:21 racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin 
> Aggressive mode.
> Dec 21 00:48:21 racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate 
> new phase 1 negotiation: xxx.xxx.254.122[500]<=>xxx.xxx.221.219[500]
> Dec 21 00:48:21 racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): 
> IPsec-SA request for xxx.xxx.221.219 queued due to no phase1 found.
>
>

> Internet connection 'n all works great.
> I downloaded some manuals from the site, took a look at some example 
> racoon.conf's, and created a config on my m0n0wall routers. I tried 
> thousands of options, but I can't get through this!!! I tried different 
> versions of monowall, from 1.0, 1.1, 1.11, 1.2b3, Pre-shared keys are 
> good,
>
>
> Though I'm pretty sure I use the right settings, I still seem to be 
> missing something. Who can give me a clue?
>
> thnx in advance,
> RS
>
> P.S. To answer your next question, below are the configs.
>
> router 1
> path pre_shared_key "/var/etc/psk.txt";
>
> remote xxx.xxx.254.122 {
> exchange_mode aggressive;
> my_identifier address "xxx.xxx.221.219";
> peers_identifier address xxx.xxx.254.122;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
>
> proposal {
>  encryption_algorithm blowfish;
>  hash_algorithm md5;
>  authentication_method pre_shared_key;
>  dh_group 2;
>  lifetime time 28800 secs;
> }
> lifetime time 28800 secs;
> }
>
> sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
> encryption_algorithm blowfish;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> pfs_group 2;
> lifetime time 86400 secs;
> }
>
>
>
> SPD
> 192.168.0.0/16[any] 192.168.10.3[any] any
> in none
> spid=143 seq=3 pid=2338
> refcnt=1
> 100.0.0.0/24[any] 192.168.0.0/16[any] any
> in ipsec
> esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16478
> spid=146 seq=2 pid=2338
> refcnt=1
> 192.168.10.3[any] 192.168.0.0/16[any] any
> out none
> spid=144 seq=1 pid=2338
> refcnt=1
> 192.168.0.0/16[any] 100.0.0.0/24[any] any
> out ipsec
> esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16477
> spid=145 seq=0 pid=2338
> refcnt=1
>
>
>
> SAD
> No SAD entries.
>
>
>
>
>
> router 2
>
> path pre_shared_key "/var/etc/psk.txt";
>
> remote xxx.xxx.221.219 {
> exchange_mode aggressive;
> my_identifier address "xxx.xxx.254.122";
> peers_identifier address xxx.xxx.221.219;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
> proposal {
>  encryption_algorithm blowfish;
>  hash_algorithm md5;
>  authentication_method pre_shared_key;
>  dh_group 2;
>  lifetime time 28800 secs;
> }
> lifetime time 28800 secs;
> }
>
> sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
> encryption_algorithm blowfish;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> pfs_group 2;
> lifetime time 86400 secs;
> }
>
>
>
>
> SPD
> 192.168.10.0/24[any] 100.0.0.0/24[any] any
> in ipsec
> esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16426
> spid=42 seq=1 pid=9831
> refcnt=1
> 100.0.0.0/24[any] 192.168.10.0/24[any] any
> out ipsec
> esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16425
> spid=41 seq=0 pid=9831
> refcnt=1
>
>
>
> SAD
> No SAD entries.
>
>
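
Added example, not part of the original messages and not m0n0wall or racoon code: when responding to phase 2, racoon looks up an sainfo by the identities the initiator proposes, so the sainfo lines on the two peers need to mirror each other exactly. The Python below runs that comparison on the two sainfo lines quoted in the configs above; the function names are illustrative.

```python
import ipaddress
import re

# The two sainfo lines as quoted in the message above (quote markers removed).
ROUTER1 = "sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {"
ROUTER2 = "sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {"

SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{", re.M)


def parse_sainfo(conf):
    """Return (local_net, local_proto, remote_net, remote_proto) per sainfo line."""
    return [(ipaddress.ip_network(ln, strict=False), lp,
             ipaddress.ip_network(rn, strict=False), rp)
            for ln, lp, rn, rp in SAINFO_RE.findall(conf)]


def check_mirror(conf_a, conf_b, names=("router 1", "router 2")):
    """Report every sainfo on one side that has no exact mirror on the peer."""
    a, b = parse_sainfo(conf_a), parse_sainfo(conf_b)
    problems = []
    for name, mine, theirs in ((names[0], a, b), (names[1], b, a)):
        # What this side must contain: the peer's entries with the ends swapped.
        expected = [(r, rp, l, lp) for l, lp, r, rp in theirs]
        for entry in mine:
            if entry in expected:
                continue
            l, lp, r, rp = entry
            msg = f"{name}: sainfo {l} {lp} -> {r} {rp} has no mirror on peer"
            # A selector that overlaps the peer's but is not identical still fails.
            for el, _, er, _ in expected:
                if el.overlaps(l) and er.overlaps(r):
                    msg += f"; peer uses {el} -> {er} (overlaps, not identical)"
            problems.append(msg)
    return problems


if __name__ == "__main__":
    for line in check_mirror(ROUTER1, ROUTER2):
        print(line)
```

On the quoted configs it reports both sides: router 1 declares 192.168.0.0/16 where router 2 declares 192.168.10.0/24, and the SPD entries on each router show the same difference.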