 
 From:  Daniel Solsona <dani at netsupport dash si dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Some problems doing VPN with a 3Com OfficeConnect Secure Gateway
 Date:  Thu, 21 Jul 2005 10:23:27 +0200
Hi all,

I'm having some problems trying to configure IPSec with m0n0wall and a 3Com 
OfficeConnect Secure Gateway.

I'm using m0n0wall version 1.11 running on a Soekris net4801 box.

On the m0n0wall side, my IPSec config is as follows (IPs and passwords 
deleted):

local_wan_ip -> public ip of the m0n0wall
remote_ip -> public ip of the 3com

<ipsec>
  <enable/>
  <tunnel>
   <interface>opt1</interface>
   <local-subnet>
    <address>local_subnet</address>
   </local-subnet>
   <remote-subnet>remote_subnet</remote-subnet>
   <remote-gateway>remote_ip</remote-gateway>
   <p1>
    <mode>main</mode>
    <myident>
     <address>local_wan_ip</address>
    </myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>600</lifetime>
    <pre-shared-key>test</pre-shared-key>
   </p1>
   <p2>
    <protocol>esp</protocol>
    <encryption-algorithm-option>3des</encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime/>
   </p2>
   <descr>Pruebas VPN netsupport</descr>
  </tunnel>
</ipsec>

The errors I found on the m0n0wall:

Mar 9 12:39:47  racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted local_wan_ip[500]-remote_ip[500] spi:37b747e358e08438:dff6a2eb3069fbc9
Mar 9 12:39:46  racoon: INFO: isakmp.c:1526:isakmp_ph1expire(): ISAKMP-SA expired local_wan_ip[500]-remote_ip[500] spi:37b747e358e08438:dff6a2eb3069fbc9
Mar 9 12:39:07  racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 9 12:39:07  racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 9 12:39:07  racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 9 12:39:07  racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: local_wan_ip[0]<=>remote_ip[0]
Mar 9 12:38:59  racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 9 12:38:59  racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 9 12:38:59  racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 9 12:38:59  racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: local_wan_ip[0]<=>remote_ip[0]
Mar 9 12:38:51  racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 9 12:38:51  racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 9 12:38:51  racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 9 12:38:51  racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: local_wan_ip[0]<=>remote_ip[0]
Mar 9 12:38:49  racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established local_wan_ip[500]-remote_ip[500] spi:1d84f26798d20cbb:5275ba6c6a7352fd
Mar 9 12:38:47  racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Identity Protection mode.
Mar 9 12:38:47  racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: local_wan_ip[500]<=>remote_ip[500]


As I see in the 3Com logs too, the routers complete phase 1 OK, but then it 
stops at phase 2.

Do I need to add some firewall rules for the VPN connection? For which 
protocols?

Thanks in advance, and tell me if you need more info.
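
The reading of the racoon log given in the message above (phase 1 completes, phase 2 never does), as an added example that is not part of the original post: a small parser that tallies phase 1 and phase 2 events from log lines in this format. The sample lines, addresses and SPI values are constructed, and the names `parse` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the racoon lines quoted in the post
# (newest entry first); addresses and SPIs are placeholders.
SAMPLE = """\
Mar 9 12:39:07  racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 9 12:39:07  racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 9 12:39:07  racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 9 12:39:07  racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.1[0]
Mar 9 12:38:49  racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.0.2.1[500]-198.51.100.1[500] spi:0000000000000001:0000000000000002
Mar 9 12:38:47  racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
"""

LINE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+racoon:\s+(?P<level>INFO|ERROR|WARNING):\s+"
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\):\s+(?P<msg>.*)$"
)

def parse(text):
    """Return parsed records in chronological order (the input is newest first)."""
    records = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    return records[::-1]

def summarize(text):
    """Count phase 1 / phase 2 events and collect the error messages seen."""
    out = {"ph1_started": 0, "ph1_established": 0, "ph2_started": 0,
           "ph2_failed": 0, "errors": Counter()}
    for r in parse(text):
        func, msg = r["func"], r["msg"]
        if r["level"] == "ERROR":
            out["errors"][(func, msg)] += 1
            # isakmp_ph2begin_r() logs the last of the three errors per attempt,
            # so counting it alone gives one failure per phase 2 attempt.
            if func == "isakmp_ph2begin_r":
                out["ph2_failed"] += 1
        elif func == "isakmp_ph1begin_r" and "phase 1 negotiation" in msg:
            out["ph1_started"] += 1
        elif func == "log_ph1established":
            out["ph1_established"] += 1
        elif func == "isakmp_ph2begin_r" and "phase 2 negotiation" in msg:
            out["ph2_started"] += 1
    # True when phase 1 came up but every phase 2 attempt was rejected.
    out["stuck_in_phase2"] = (out["ph1_established"] > 0 and out["ph2_started"] > 0
                              and out["ph2_failed"] == out["ph2_started"])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```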