I'm new to m0n0/FreeBSD IPsec, but will be dealing with it substantially later this week. Any idea what these are in the SPD output of router 1?

> 192.168.0.0/16[any] 192.168.10.3[any] any
>         in none
>         spid=143 seq=3 pid=2338
>         refcnt=1
> ...
> 192.168.10.3[any] 192.168.0.0/16[any] any
>         out none
>         spid=144 seq=1 pid=2338
>         refcnt=1

I just noticed that they share the 192.168/8 network with the other entries.

My default answer for everything is to slap a sniffer out front. You may get some clues with the ISAKMP decodes in Ethereal. I also saw a note from a user that was having problems running racoon, and the suggestion that fixed it was to use address instead of 'dn' as the remote identifier. I'm assuming that's what you're doing b/c the config shows 'my_identifier address xxx.yyy', but I've never looked at this config file before. :)

Quoting Robert Salomons <rh underscore salomons at solcon dot nl>:

> Hi,
>
> Unfortunately this doesn't work for me ...
>
> I changed it to something with @!%* digits and so on, but I still can't get
> it up.
>
> What next?
>
> ----- Original Message -----
> From: "Mark Spieth" <mspieth at neod dot net>
> To: "Robert Salomons" <rh underscore salomons at solcon dot nl>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, December 21, 2004 5:50 PM
> Subject: RE: [m0n0wall] IPsec & failed to get sainfo
>
>
> > I had this same issue last week. To set the tunnels up quickly I put in a
> > simple preshared key. I tried and tried, the VPN just never linked up. Then
> > I replaced the shared key with something strange like 6rgQI9X3 and it
> > linked right up.
> >
> > Mark Spieth - Director of Internet Services
> > Northeast Ohio Digital Inc.
> > http://www.neod.net
> > mspieth at neod dot net
> > 330-830-6551
> >
> > CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and
> > the property of the sender. The information contained in the attached
> > materials is privileged and/or confidential and is intended only for the
> > use of the above-named individual(s) or entity(ies). If you are not the
> > intended recipient, be advised that any unauthorized disclosure, copying,
> > distribution or the taking of any action in reliance on the contents of
> > the attached information is strictly prohibited. If you have received this
> > transmission in error, please discard the information immediately.
> >
> >
> > -----Original Message-----
> > From: Robert Salomons [mailto:rh underscore salomons at solcon dot nl]
> > Sent: Tuesday, December 21, 2004 11:32 AM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] IPsec & failed to get sainfo
> >
> > Dear reader,
> >
> > It's almost 2 days now that I'm breaking my skull over this issue...
> >
> > I'm trying to create a VPN connection, based on IPsec.
> >
> > But the error that keeps continuing is:
> >
> > router1
> >
> > Dec 20 23:37:30 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
> > Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
> > Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
> > Dec 20 23:37:30 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: xxx.xxx.221.219[0]<=>xxx.xxx.254.122[0]
> > Dec 20 23:37:29 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established xxx.xxx.221.219[500]-xxx.xxx.254.122[500] spi:8a58411f6aa4a6c0:8d484e083f558571
> > Dec 20 23:37:29 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
> > Dec 20 23:37:29 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
> > Dec 20 23:37:29 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: xxx.xxx.221.219[500]<=>xxx.xxx.254.122[500]
> >
> >
> > and on the other router
> > router2
> >
> > Dec 21 00:48:22 racoon: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: xxx.xxx.254.122[0]<=>xxx.xxx.221.219[0]
> > Dec 21 00:48:21 racoon: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established xxx.xxx.254.122[500]-xxx.xxx.221.219[500] spi:8a58411f6aa4a6c0:8d484e083f558571
> > Dec 21 00:48:21 racoon: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
> > Dec 21 00:48:21 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.
> > Dec 21 00:48:21 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
> > Dec 21 00:48:21 racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
> > Dec 21 00:48:21 racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: xxx.xxx.254.122[500]<=>xxx.xxx.221.219[500]
> > Dec 21 00:48:21 racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.221.219 queued due to no phase1 found.
> >
> >
> > I have 2 times a m0n0wall router, with the latest beta version 1.2b3.
> > Internet connection 'n all works great.
> > I downloaded some manuals from the site, took a look at some example
> > racoon.conf's, and created a config on my m0n0wall routers. I tried
> > thousands of options, but I can't get through this!!! I tried different
> > versions of monowall, from 1.0, 1.1, 1.11, 1.2b3. Pre-shared keys are
> > good.
> >
> >
> > Though I'm pretty sure I use the right settings, I still seem to be
> > missing something. Who can give me a clue?
> >
> > Thanks in advance,
> > RS
> >
> > P.S. To answer your next question, below are the configs.
> >
> >
> > router 1
> >
> > path pre_shared_key "/var/etc/psk.txt";
> >
> > remote xxx.xxx.254.122 {
> >         exchange_mode aggressive;
> >         my_identifier address "xxx.xxx.221.219";
> >         peers_identifier address xxx.xxx.254.122;
> >         initial_contact on;
> >         support_proxy on;
> >         proposal_check obey;
> >
> >         proposal {
> >                 encryption_algorithm blowfish;
> >                 hash_algorithm md5;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >                 lifetime time 28800 secs;
> >         }
> >         lifetime time 28800 secs;
> > }
> >
> > sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
> >         encryption_algorithm blowfish;
> >         authentication_algorithm hmac_md5;
> >         compression_algorithm deflate;
> >         pfs_group 2;
> >         lifetime time 86400 secs;
> > }
> >
> >
> > SPD
> > 192.168.0.0/16[any] 192.168.10.3[any] any
> >         in none
> >         spid=143 seq=3 pid=2338
> >         refcnt=1
> > 100.0.0.0/24[any] 192.168.0.0/16[any] any
> >         in ipsec
> >         esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16478
> >         spid=146 seq=2 pid=2338
> >         refcnt=1
> > 192.168.10.3[any] 192.168.0.0/16[any] any
> >         out none
> >         spid=144 seq=1 pid=2338
> >         refcnt=1
> > 192.168.0.0/16[any] 100.0.0.0/24[any] any
> >         out ipsec
> >         esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16477
> >         spid=145 seq=0 pid=2338
> >         refcnt=1
> >
> >
> > SAD
> > No SAD entries.
> >
> >
> >
> > router 2
> >
> > path pre_shared_key "/var/etc/psk.txt";
> >
> > remote xxx.xxx.221.219 {
> >         exchange_mode aggressive;
> >         my_identifier address "xxx.xxx.254.122";
> >         peers_identifier address xxx.xxx.221.219;
> >         initial_contact on;
> >         support_proxy on;
> >         proposal_check obey;
> >         proposal {
> >                 encryption_algorithm blowfish;
> >                 hash_algorithm md5;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >                 lifetime time 28800 secs;
> >         }
> >         lifetime time 28800 secs;
> > }
> >
> > sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
> >         encryption_algorithm blowfish;
> >         authentication_algorithm hmac_md5;
> >         compression_algorithm deflate;
> >         pfs_group 2;
> >         lifetime time 86400 secs;
> > }
> >
> >
> > SPD
> > 192.168.10.0/24[any] 100.0.0.0/24[any] any
> >         in ipsec
> >         esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16426
> >         spid=42 seq=1 pid=9831
> >         refcnt=1
> > 100.0.0.0/24[any] 192.168.10.0/24[any] any
> >         out ipsec
> >         esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16425
> >         spid=41 seq=0 pid=9831
> >         refcnt=1
> >
> >
> > SAD
> > No SAD entries.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
>

--
Robert Rich
Global Security Technologies, Inc.
Mobile: 614.975.7549
Office: 614.890.6400

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
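When racoon answers a quick-mode (phase 2) proposal it looks for a `sainfo` block whose address selectors match the IDs the initiator sent, and logs "failed to get sainfo" when none does. The two peers therefore have to describe the same pair of networks from opposite sides: `sainfo address A any address B any` on one router needs `sainfo address B any address A any` on the other. The script below is an added example, not code from the thread or from m0n0wall/racoon; it parses the `sainfo` lines out of two racoon.conf texts and reports every block whose exact mirror is missing on the peer, naming any overlapping-but-unequal block as a near miss. It implements an exact-mirror check (a simplification: it ignores `sainfo anonymous` and racoon's own matching rules for subsets). Run on the two configs quoted above it reports one unmatched pair in each direction, router1's 192.168.0.0/16 against router2's 192.168.10.0/24.

```python
"""Mirror check for the sainfo selectors of two racoon.conf peers (added example)."""
import ipaddress
import re
from typing import List, NamedTuple

# Matches the header of an address-form sainfo block, e.g.
#   sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
# The first selector is this peer's own network, the second the far peer's.
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<local>\S+)\s+(?P<lproto>\S+)\s+"
    r"address\s+(?P<remote>\S+)\s+(?P<rproto>\S+)\s*\{"
)


class Sainfo(NamedTuple):
    local: ipaddress.IPv4Network
    lproto: str
    remote: ipaddress.IPv4Network
    rproto: str

    def __str__(self) -> str:
        return f"{self.local} {self.lproto} <-> {self.remote} {self.rproto}"


def parse_sainfo(conf: str) -> List[Sainfo]:
    """Return every address-form sainfo selector found in a racoon.conf text."""
    found = []
    for m in SAINFO_RE.finditer(conf):
        found.append(Sainfo(
            ipaddress.ip_network(m["local"], strict=False), m["lproto"],
            ipaddress.ip_network(m["remote"], strict=False), m["rproto"]))
    return found


def mirror(s: Sainfo) -> Sainfo:
    """The sainfo block the far peer needs in order to answer this one."""
    return Sainfo(s.remote, s.rproto, s.local, s.lproto)


def overlaps(a: Sainfo, b: Sainfo) -> bool:
    """True when both selector pairs share address space (a near miss, not a match)."""
    return a.local.overlaps(b.local) and a.remote.overlaps(b.remote)


def check(local_name: str, local_conf: str, peer_name: str, peer_conf: str) -> List[str]:
    """One finding per local sainfo block whose exact mirror is absent on the peer."""
    peer = parse_sainfo(peer_conf)
    findings = []
    for s in parse_sainfo(local_conf):
        need = mirror(s)
        if need in peer:
            continue
        msg = f"{local_name}: sainfo [{s}] needs [{need}] on {peer_name}, not found"
        near = [p for p in peer if overlaps(need, p)]
        if near:
            msg += "; overlapping but unequal: " + ", ".join(f"[{p}]" for p in near)
        findings.append(msg)
    return findings


# The two sainfo blocks as posted in the thread above (only the lines the
# checker needs are reproduced here).
ROUTER1_CONF = """
sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_md5;
        pfs_group 2;
}
"""

ROUTER2_CONF = """
sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_md5;
        pfs_group 2;
}
"""


def report(conf1: str = ROUTER1_CONF, conf2: str = ROUTER2_CONF) -> List[str]:
    """Check both directions, since either side may be the phase 2 responder."""
    return check("router1", conf1, "router2", conf2) + check("router2", conf2, "router1", conf1)


if __name__ == "__main__":
    for line in report() or ["sainfo selectors mirror each other on both routers"]:
        print(line)
```

Either router can be the responder in phase 2 depending on which side's traffic triggers the negotiation, so the check is run in both directions. To see the positive case, replace `192.168.10.0/24` in `ROUTER2_CONF` with `192.168.0.0/16` and `report()` returns an empty list.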