 From:  Lee Saferite <lee dot saferite at speedysigns dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0wall <-> sonicWall VPN Problem
 Date:  Wed, 21 Sep 2005 10:50:24 -0400
Does anyone know how I can get racoon to be more verbose in its log 
messages?  I'm sitting here trying to figure out my VPN problem, and the 
sonicwall is giving me nothing in the logs, and I was hoping that racoon 
might be able to tell me more.  I can currently get the m0n0wall to 
show the inbound SAD for a few seconds, but it times out since the 
other half is never finished.  I seriously have no idea what the 
'correct' config is for the sonicwall.  I have read a few conflicting 
examples and nothing works so far.  Any help/advice is greatly appreciated.


Background:
--------------------

Branch Office <---> m0n0Wall <--(internet)--> sonicWall <---> Main Office


racoon.conf:
-------------

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote x.x.146.35 {
	exchange_mode aggressive;
	my_identifier fqdn "BranchOffice";

	peers_identifier address x.x.146.35;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo address 172.30.200.0/24 any address 192.168.1.0/24 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 86400 secs;
}

remote anonymous {
	exchange_mode aggressive;
	my_identifier fqdn "RemoteUsers";

	initial_contact on;
	passive on;
	generate_policy on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm blowfish;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo anonymous {
	encryption_algorithm 3des,blowfish;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 86400 secs;
}

config.xml excerpt:
--------
    <ipsec>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>192.168.1.0/24</remote-subnet>
            <remote-gateway>x.x.146.35</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <fqdn>BranchOffice</fqdn>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>86400</lifetime>
            </p2>
        </tunnel>
        <enable/>
    </ipsec>

log excerpts:
-------------
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.146.35 queued due to no phase1 found.
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.148.2[500]<=>x.x.146.35[500]
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 21 10:38:12 firewall racoon: WARNING: ipsec_doi.c:3067:ipsecdoi_checkid1(): ID type mismatched.
Sep 21 10:38:12 firewall racoon: WARNING: ipsec_doi.c:3082:ipsecdoi_checkid1(): ID value mismatched.
Sep 21 10:38:12 firewall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.148.2[500]-x.x.146.35[500] spi:ebbbec97a45234c2:6fd2bb65803c0674
Sep 21 10:38:13 firewall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.148.2[0]<=>x.x.146.35[0]
Sep 21 10:38:14 firewall racoon: ERROR: isakmp_inf.c:843:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
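The log excerpt above already says how far the negotiation got, even without extra racoon verbosity: the ISAKMP-SA (phase 1) came up despite two identifier warnings, phase 2 was initiated, and the peer then sent a notify for which racoon had no phase 2 handle. The following is an added example, not part of the original post or of m0n0wall or racoon: a small Python triage script that re-joins log lines a mail client wrapped, parses racoon's `LEVEL: file.c:NNN:function(): message` syslog format, and reports which phase failed and what warnings preceded it. The sample log is the excerpt from the post, embedded as constructed input; the field names and the verdict strings are the example's own.

```python
"""Triage helper for racoon (ipsec-tools / KAME) IKE syslog output.

Added example, not from the original post. It reads racoon log lines like
the ones pasted above, re-joins lines that were wrapped in transit, extracts
the source location and message, and summarises how far the negotiation got:
phase 1 (ISAKMP-SA), phase 2 (IPsec-SA), and the warnings seen on the way.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the log excerpt from the post, including the line wraps
# as they appeared in the mail. Addresses are the post's own masked x.x. values.
SAMPLE_LOG = """\
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for
x.x.146.35 queued due to no phase1 found.
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1
negotiation: x.x.148.2[500]<=>x.x.146.35[500]
Sep 21 10:38:11 firewall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 21 10:38:12 firewall racoon: WARNING: ipsec_doi.c:3067:ipsecdoi_checkid1(): ID type mismatched.
Sep 21 10:38:12 firewall racoon: WARNING: ipsec_doi.c:3082:ipsecdoi_checkid1(): ID value mismatched.
Sep 21 10:38:12 firewall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established
x.x.148.2[500]-x.x.146.35[500] spi:ebbbec97a45234c2:6fd2bb65803c0674
Sep 21 10:38:13 firewall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2
negotiation: x.x.148.2[0]<=>x.x.146.35[0]
Sep 21 10:38:14 firewall racoon: ERROR: isakmp_inf.c:843:isakmp_info_recv_n(): unknown notify
message, no phase2 handle found.
"""

# A syslog record starts with "Mon DD HH:MM:SS"; anything else is a continuation.
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
RACOON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR|DEBUG): "
    r"(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)


def unwrap(text):
    """Re-join records that were wrapped onto several lines (e.g. by a mailer)."""
    records = []
    for raw in text.splitlines():
        if TS_RE.match(raw):
            records.append(raw)
        elif records:
            records[-1] += " " + raw.strip()
    return records


@dataclass
class Event:
    ts: str
    level: str
    func: str
    msg: str


def parse(text):
    """Parse racoon syslog records into Event objects; non-racoon lines are skipped."""
    events = []
    for rec in unwrap(text):
        m = RACOON_RE.match(rec)
        if m:
            events.append(Event(m["ts"], m["level"], m["func"], m["msg"]))
    return events


@dataclass
class Triage:
    mode: str = "unknown"            # phase 1 exchange mode as logged by racoon
    phase1_established: bool = False
    phase1_warnings: list = field(default_factory=list)
    phase2_started: bool = False
    phase2_failed: bool = False
    verdict: str = ""


def triage(text):
    """Walk the events in order and decide which IKE phase the tunnel died in."""
    t = Triage()
    for ev in parse(text):
        if ev.func == "isakmp_ph1begin_i":
            m = re.search(r"begin (\w+) mode", ev.msg)
            if m:
                t.mode = m.group(1).lower()
        elif ev.func == "ipsecdoi_checkid1" and ev.level == "WARNING":
            # Peer's ID payload did not match peers_identifier; racoon only warned.
            t.phase1_warnings.append(ev.msg)
        elif ev.func == "log_ph1established":
            t.phase1_established = True
        elif ev.func == "isakmp_ph2begin_i":
            t.phase2_started = True
        elif ev.level == "ERROR" and "no phase2 handle" in ev.msg:
            t.phase2_failed = True
    if not t.phase1_established:
        t.verdict = "phase1: ISAKMP-SA never established"
    elif t.phase2_failed:
        t.verdict = "phase2: ISAKMP-SA up, but peer answered the IPsec-SA proposal with a notify"
    elif t.phase2_started:
        t.verdict = "phase2: started, no failure logged"
    else:
        t.verdict = "phase1: established, phase 2 not attempted"
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict)
    for w in result.phase1_warnings:
        print("  phase 1 warning:", w)
```

Run against the excerpt, the script reports that phase 1 (aggressive mode) established with two `ipsecdoi_checkid1` warnings and that phase 2 failed on the peer's notify. That split is the useful part: the identifier warnings point at the `peers_identifier address` / `my_identifier fqdn` pair versus whatever the other gateway actually sends, while the phase 2 error points at the `sainfo` proposal and the two subnets, which have to agree with the peer's phase 2 settings.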