Robert, Router 1 says in SPD:

192.168.0.0/16[any] 192.168.10.3[any] any
    in none
    spid=13 seq=3 pid=384 refcnt=1
192.168.5.0/24[any] 192.168.0.0/16[any] any
    in ipsec
    esp/tunnel/.124.102-62.177.221.219/unique#16392
    spid=16 seq=2 pid=384 refcnt=1
192.168.10.3[any] 192.168.0.0/16[any] any
    out none
    spid=14 seq=1 pid=384 refcnt=1
192.168.0.0/16[any] 192.168.5.0/24[any] any
    out ipsec
    esp/tunnel/62.177.221.219-82.161.124.102/unique#16391
    spid=15 seq=0 pid=384 refcnt=1

btw, I also tried versions 1.0 etc... they all give the same error...
Phase 1 is coming up though (it is, right?), so what's bothering phase 2 :S

----- Original Message -----
From: "Robert Rich" <rrich at gstisecurity dot com>
To: "Robert Salomons" <rh underscore salomons at solcon dot nl>
Cc: "Mark Spieth" <mspieth at neod dot net>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, December 21, 2004 6:53 PM
Subject: Re: [m0n0wall] IPsec & failed to get sainfo

> I'm new to m0n0/freebsd ipsec, but will be dealing with it substantially
> later this week.
>
> Any idea what these are in the SPD output of router 1?
>
>> 192.168.0.0/16[any] 192.168.10.3[any] any
>>     in none
>>     spid=143 seq=3 pid=2338
>>     refcnt=1
> ...
>> 192.168.10.3[any] 192.168.0.0/16[any] any
>>     out none
>>     spid=144 seq=1 pid=2338
>>     refcnt=1
>
> I just noticed that they share the 192.168/8 network with the other
> entries.
>
> My default answer for everything is to slap a sniffer out front. You may
> get some clues with the isakmp decodes in ethereal.
>
> I also saw a note from a user that was having problems running racoon and
> the suggestion that fixed it was to use address instead of 'dn' as the
> remote identifier. I'm assuming that's what you're doing b/c the config
> shows 'my_identifier address xxx.yyy', but I've never looked at this
> config file before. :)
>
> Quoting Robert Salomons <rh underscore salomons at solcon dot nl>:
>
>> Hi,
>>
>> Unfortunately this doesn't work for me ...
>>
>> I changed it to something with @!%* digits and so on, but I still can't
>> get it up.
>>
>> What next?
>>
>> ----- Original Message -----
>> From: "Mark Spieth" <mspieth at neod dot net>
>> To: "Robert Salomons" <rh underscore salomons at solcon dot nl>; <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Tuesday, December 21, 2004 5:50 PM
>> Subject: RE: [m0n0wall] IPsec & failed to get sainfo
>>
>> > I had this same issue last week. To set the tunnels up quickly I put in
>> > a simple preshared key. I tried and tried, the VPN just never linked up.
>> > Then I replaced the shared key with something strange like 6rgQI9X3 and
>> > it linked right up.
>> >
>> > Mark Spieth - Director of Internet Services
>> > Northeast Ohio Digital Inc.
>> > http://www.neod.net
>> > mspieth at neod dot net
>> > 330-830-6551
>> >
>> > CONFIDENTIALITY NOTICE: The materials attached hereto are confidential
>> > and the property of the sender. The information contained in the
>> > attached materials is privileged and/or confidential and is intended
>> > only for the use of the above-named individual(s) or entity(ies). If
>> > you are not the intended recipient, be advised that any unauthorized
>> > disclosure, copying, distribution or the taking of any action in
>> > reliance on the contents of the attached information is strictly
>> > prohibited. If you have received this transmission in error, please
>> > discard the information immediately.
>> >
>> > -----Original Message-----
>> > From: Robert Salomons [mailto:rh underscore salomons at solcon dot nl]
>> > Sent: Tuesday, December 21, 2004 11:32 AM
>> > To: m0n0wall at lists dot m0n0 dot ch
>> > Subject: [m0n0wall] IPsec & failed to get sainfo
>> >
>> > Dear reader,
>> >
>> > It's almost 2 days now that I'm breaking my skull over this issue...
>> >
>> > I'm trying to create a VPN connection, based on IPsec.
>> >
>> > But the error that keeps recurring is:
>> >
>> > router1
>> >
>> > Dec 20 23:37:30 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
>> > Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
>> > Dec 20 23:37:30 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
>> > Dec 20 23:37:30 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: xxx.xxx.221.219[0]<=>xxx.xxx.254.122[0]
>> > Dec 20 23:37:29 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established xxx.xxx.221.219[500]-xxx.xxx.254.122[500] spi:8a58411f6aa4a6c0:8d484e083f558571
>> > Dec 20 23:37:29 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
>> > Dec 20 23:37:29 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
>> > Dec 20 23:37:29 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: xxx.xxx.221.219[500]<=>xxx.xxx.254.122[500]
>> >
>> > and on the other router
>> >
>> > router2
>> >
>> > Dec 21 00:48:22 racoon: INFO: isakmp.c:942:isakmp_ph2begin_i(): initiate new phase 2 negotiation: xxx.xxx.254.122[0]<=>xxx.xxx.221.219[0]
>> > Dec 21 00:48:21 racoon: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established xxx.xxx.254.122[500]-xxx.xxx.221.219[500] spi:8a58411f6aa4a6c0:8d484e083f558571
>> > Dec 21 00:48:21 racoon: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
>> > Dec 21 00:48:21 racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.
>> > Dec 21 00:48:21 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
>> > Dec 21 00:48:21 racoon: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
>> > Dec 21 00:48:21 racoon: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: xxx.xxx.254.122[500]<=>xxx.xxx.221.219[500]
>> > Dec 21 00:48:21 racoon: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.221.219 queued due to no phase1 found.
>> >
>> > I have 2 m0n0wall routers, with the latest beta version 1.2b3.
>> > Internet connection 'n all works great.
>> > I downloaded some manuals from the site, took a look at some example
>> > racoon.confs, and created a config on my m0n0wall routers. I tried
>> > thousands of options, but I can't get through this!!! I tried different
>> > versions of m0n0wall, from 1.0, 1.1, 1.11, 1.2b3. Pre-shared keys are
>> > good.
>> >
>> > Though I'm pretty sure I use the right settings, I still seem to be
>> > missing something. Who can give me a clue?
>> >
>> > thnx in advance,
>> > RS
>> >
>> > p.s. To answer your next question, below are the configs.
>> >
>> > router 1
>> >
>> > path pre_shared_key "/var/etc/psk.txt";
>> >
>> > remote xxx.xxx.254.122 {
>> >     exchange_mode aggressive;
>> >     my_identifier address "xxx.xxx.221.219";
>> >     peers_identifier address xxx.xxx.254.122;
>> >     initial_contact on;
>> >     support_proxy on;
>> >     proposal_check obey;
>> >
>> >     proposal {
>> >         encryption_algorithm blowfish;
>> >         hash_algorithm md5;
>> >         authentication_method pre_shared_key;
>> >         dh_group 2;
>> >         lifetime time 28800 secs;
>> >     }
>> >     lifetime time 28800 secs;
>> > }
>> >
>> > sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
>> >     encryption_algorithm blowfish;
>> >     authentication_algorithm hmac_md5;
>> >     compression_algorithm deflate;
>> >     pfs_group 2;
>> >     lifetime time 86400 secs;
>> > }
>> >
>> > SPD
>> > 192.168.0.0/16[any] 192.168.10.3[any] any
>> >     in none
>> >     spid=143 seq=3 pid=2338
>> >     refcnt=1
>> > 100.0.0.0/24[any] 192.168.0.0/16[any] any
>> >     in ipsec
>> >     esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16478
>> >     spid=146 seq=2 pid=2338
>> >     refcnt=1
>> > 192.168.10.3[any] 192.168.0.0/16[any] any
>> >     out none
>> >     spid=144 seq=1 pid=2338
>> >     refcnt=1
>> > 192.168.0.0/16[any] 100.0.0.0/24[any] any
>> >     out ipsec
>> >     esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16477
>> >     spid=145 seq=0 pid=2338
>> >     refcnt=1
>> >
>> > SAD
>> > No SAD entries.
>> >
>> > router 2
>> >
>> > path pre_shared_key "/var/etc/psk.txt";
>> >
>> > remote xxx.xxx.221.219 {
>> >     exchange_mode aggressive;
>> >     my_identifier address "xxx.xxx.254.122";
>> >     peers_identifier address xxx.xxx.221.219;
>> >     initial_contact on;
>> >     support_proxy on;
>> >     proposal_check obey;
>> >
>> >     proposal {
>> >         encryption_algorithm blowfish;
>> >         hash_algorithm md5;
>> >         authentication_method pre_shared_key;
>> >         dh_group 2;
>> >         lifetime time 28800 secs;
>> >     }
>> >     lifetime time 28800 secs;
>> > }
>> >
>> > sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
>> >     encryption_algorithm blowfish;
>> >     authentication_algorithm hmac_md5;
>> >     compression_algorithm deflate;
>> >     pfs_group 2;
>> >     lifetime time 86400 secs;
>> > }
>> >
>> > SPD
>> > 192.168.10.0/24[any] 100.0.0.0/24[any] any
>> >     in ipsec
>> >     esp/tunnel/xxx.xxx.221.219-xxx.xxx.254.122/unique#16426
>> >     spid=42 seq=1 pid=9831
>> >     refcnt=1
>> > 100.0.0.0/24[any] 192.168.10.0/24[any] any
>> >     out ipsec
>> >     esp/tunnel/xxx.xxx.254.122-xxx.xxx.221.219/unique#16425
>> >     spid=41 seq=0 pid=9831
>> >     refcnt=1
>> >
>> > SAD
>> > No SAD entries.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
> --
> Robert Rich
> Global Security Technologies, Inc.
> Mobile: 614.975.7549
> Office: 614.890.6400
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
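A check worth running on the two configs quoted in this thread, added here as an example and not part of the original mails or of m0n0wall/racoon: racoon's responder answers a quick mode (phase 2) proposal by looking for an `sainfo` entry whose selectors match the ID payloads the initiator sends, and logs "failed to get sainfo" when none does, which means the `sainfo address A any address B any` line on one side must be the mirror image (`B` then `A`) of the line on the other side. The script below parses those header lines from both ends and reports every entry that has no mirrored counterpart. The two sample configs are constructed from the subnets quoted above (192.168.0.0/16, 100.0.0.0/24 and 192.168.10.0/24); the "fixed" variant with a mirrored selector is an assumption used only to show what a consistent pair looks like.

```python
"""Check that two racoon.conf files have mirrored 'sainfo address ... ' selectors.

Added example (not project code). It handles only the 'sainfo address X any
address Y any { ... }' form; 'sainfo anonymous' wildcard entries are ignored.
"""
import ipaddress
import re

# Matches the header of a sainfo block: local selector, then remote selector.
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{", re.M
)

# Constructed sample: the router 1 / router 2 sainfo blocks quoted in the thread.
ROUTER1_CONF = """
sainfo address 192.168.0.0/16 any address 100.0.0.0/24 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_md5;
    pfs_group 2;
}
"""

ROUTER2_CONF = """
sainfo address 100.0.0.0/24 any address 192.168.10.0/24 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_md5;
    pfs_group 2;
}
"""

# Hypothetical router 2 config whose selectors mirror router 1 exactly.
ROUTER2_FIXED_CONF = """
sainfo address 100.0.0.0/24 any address 192.168.0.0/16 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_md5;
    pfs_group 2;
}
"""


def parse_sainfo(conf):
    """Return a list of (local_net, remote_net) pairs found in sainfo headers."""
    pairs = []
    for local, remote in SAINFO_RE.findall(conf):
        pairs.append((ipaddress.ip_network(local, strict=False),
                      ipaddress.ip_network(remote, strict=False)))
    return pairs


def mirror_mismatches(conf_a, conf_b):
    """For every sainfo on side A, require the exact (remote, local) mirror on side B.

    Returns a list of human-readable problems; an empty list means the two
    sides agree. Where the peer has an entry for the same network but with a
    different prefix (the near miss racoon will not accept), it is named.
    """
    a_pairs = parse_sainfo(conf_a)
    b_pairs = parse_sainfo(conf_b)
    b_set = set(b_pairs)
    problems = []
    for local, remote in a_pairs:
        if (remote, local) in b_set:
            continue
        # Near miss: peer entry whose local side overlaps our remote side.
        near = [(l, r) for l, r in b_pairs if l.overlaps(remote)]
        hint = f" (peer has {near[0][0]} <-> {near[0][1]} instead)" if near else ""
        problems.append(f"no mirror on peer for {local} <-> {remote}{hint}")
    return problems


if __name__ == "__main__":
    for name, a, b in (("router1 -> router2", ROUTER1_CONF, ROUTER2_CONF),
                       ("router2 -> router1", ROUTER2_CONF, ROUTER1_CONF),
                       ("router1 -> fixed router2", ROUTER1_CONF, ROUTER2_FIXED_CONF)):
        issues = mirror_mismatches(a, b)
        print(name, "OK" if not issues else "; ".join(issues))
```

Run against the two configs from the thread, the check flags that router 1 offers 192.168.0.0/16 <-> 100.0.0.0/24 while router 2 only knows 100.0.0.0/24 <-> 192.168.10.0/24; against the mirrored variant it reports nothing in either direction. Matching prefixes exactly, rather than accepting a supernet, reflects how a responder selects the phase 2 SA and is the first thing to verify before moving on to pre-shared keys or identifiers.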