 From:  "Sean Waite" <swaite at sbn dash services dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC VPN -No traffic pass through
 Date:  Tue, 20 Dec 2005 21:44:08 -0600
Last week the internet was shut down temporarily, disconnecting my VPN. At one end is a Cisco PIX 506, the other is m0n0wall 1.2. When I got back home, where the m0n0wall box is, I could not get the tunnel back up. Now at this point both the PIX and the m0n0wall box report an IPSEC tunnel. The problem is no traffic is going through. Until now the VPN tunnel had worked for about 2-3 months without issue, although from time to time when my IP address at home would change I would have to set the new one in the PIX as my identifier.

I am relatively new to IPSEC VPNs, especially with m0n0wall. The first error message "/kernel: WARNING: pseudo-random number generator used for IPsec processing" has never affected the tunnel. The second, "ignore RESPONDER-LIFETIME notification", I have not been able to diagnose, as all lifetimes are set to 86400 on both ends. The last one, "ipsec_doi.c:918:cmp_aproppair_i(): attribute has been modified", is new to me, but I believe it is the cause of the problem. Thus far I have not been able to find any information on this.

Any tips, ideas, or help would be very much appreciated.

Below is the log and racoon.conf:
______________________________________________________________________________________________________________________________________
RACOON.CONF:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 6*.***.***.** {
	exchange_mode aggressive;
	my_identifier address "7*.***.***.**";

	peers_identifier address 6*.***.***.**;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 1;
		lifetime time 86400 secs;
	}
	lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
	encryption_algorithm des,3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	lifetime time 86400 secs;
}
______________________________________________________________________________________________________________________________________
SPD:

192.168.2.0/24[any] 192.168.2.1[any] any
	in none
	spid=1 seq=3 pid=363
	refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/6*.***.***.**-7*.***.***.**/unique#16386
	spid=4 seq=2 pid=363
	refcnt=1
192.168.2.1[any] 192.168.2.0/24[any] any
	out none
	spid=2 seq=1 pid=363
	refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
	out ipsec
	esp/tunnel/7*.***.***.**-6*.***.***.**/unique#16385
	spid=3 seq=0 pid=363
	refcnt=1
______________________________________________________________________________________________________________________________________
SAD:
7*.***.*** 6*.***.***.**
	esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
	E: des-cbc  ******** ********
	A: hmac-sha1  ******** ******** ******** ******** ********
	seq=0x00000f62 replay=4 flags=0x00000000 state=mature
	created: Dec 20 22:44:37 2005	current: Dec 21 03:32:16 2005
	diff: 17259(s)	hard: 86400(s)	soft: 69120(s)
	last: Dec 21 03:32:13 2005	hard: 0(s)	soft: 0(s)
	current: 1834784(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 3938	hard: 0	soft: 0
	sadb_seq=1 pid=365 refcnt=2
6*.***.***.** 7*.***.***
	esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
	E: des-cbc  ******** ********  
	A: hmac-sha1  ******** ******** ******** ******** ********  
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Dec 20 22:44:37 2005	current: Dec 21 03:32:16 2005
	diff: 17259(s)	hard: 86400(s)	soft: 69120(s)
	last: Dec 21 03:31:21 2005	hard: 0(s)	soft: 0(s)
	current: 73430(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 788	hard: 0	soft: 0
	sadb_seq=0 pid=365 refcnt=1
______________________________________________________________________________________________________________________________________
LOG:
Dec 20 22:44:21 	racoon: INFO: main.c:172:main(): @(#)package version freebsd-20050510a
Dec 20 22:44:21 	racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Dec 20 22:44:21 	racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004
(http://www.openssl.org/)
Dec 20 22:44:21 	racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port
(fd=7)
Dec 20 22:44:21 	racoon: INFO: isakmp.c:1368:isakmp_open(): 7*.***.***.**[500] used as isakmp port
(fd=8)
Dec 20 22:44:21 	racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.2.1[500] used as isakmp port
(fd=9)
Dec 20 22:44:36 	racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for
6*.***.***.** queued due to no phase1 found.
Dec 20 22:44:36 	racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
7*.***.***.**[500]<=>6*.***.***.**[500]
Dec 20 22:44:36 	racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Dec 20 22:44:36 	racoon: NOTIFY: oakley.c:2102:oakley_skeyid(): couldn't find the proper pskey, try
to get one by the peer's address.
Dec 20 22:44:36 	racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established
7*.***.***.**[500]-6*.***.***.**[500]
spi:*********************************
Dec 20 22:44:37 	racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation:
7*.***.***.**[0]<=>6*.***.***.**[0]
Dec 20 22:44:37 	/kernel: WARNING: pseudo-random number generator used for IPsec processing
Dec 20 22:44:37 	racoon: WARNING: isakmp_inf.c:1340:isakmp_check_notify(): ignore RESPONDER-LIFETIME
notification.
Dec 20 22:44:37 	racoon: WARNING: ipsec_doi.c:918:cmp_aproppair_i(): attribute has been modified.
Dec 20 22:44:37 	racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel
6*.***.***.**->7*.***.***.**
spi=158474755(0x9722203)
Dec 20 22:44:37 	racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel
7*.***.***.**->6*.***.***.**
spi=1875021408(0x6fc28e60)
Dec 20 22:46:21 	dnsmasq[97]: reading /etc/resolv.conf
Dec 20 22:46:21 	dnsmasq[97]: using nameserver 2*.**.***.***#53

Sean
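A tunnel that both peers report as established but that passes no traffic is usually diagnosed from the SAD counters rather than from phase 1 status: each ESP SA carries a byte and packet count, so comparing the outbound and inbound SA of a peer tells you which direction is actually moving data. The script below is an added example, not part of the post or of m0n0wall; it parses a `setkey -D` style SAD dump in the format quoted above and pairs the SAs per peer. The dump embedded in it is constructed (documentation addresses stand in for the masked ones, and the inbound counters are set to zero to show the one-sided case); the `local_ip` argument is the m0n0wall WAN address and is an assumption of the example.

```python
"""Pair outbound/inbound IPsec SAs from a setkey -D style dump and report
which directions carry traffic. Added example; the dump is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: 192.0.2.10 stands in for the m0n0wall WAN address,
# 198.51.100.5 for the PIX. Outbound SA has traffic, inbound SA has none.
SAD_DUMP = """\
192.0.2.10 198.51.100.5
    esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
    E: des-cbc  ******** ********
    A: hmac-sha1  ******** ******** ******** ******** ********
    seq=0x00000f62 replay=4 flags=0x00000000 state=mature
    created: Dec 20 22:44:37 2005    current: Dec 21 03:32:16 2005
    diff: 17259(s)    hard: 86400(s)    soft: 69120(s)
    last: Dec 21 03:32:13 2005    hard: 0(s)    soft: 0(s)
    current: 1834784(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 3938    hard: 0    soft: 0
    sadb_seq=1 pid=365 refcnt=2
198.51.100.5 192.0.2.10
    esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
    E: des-cbc  ******** ********
    A: hmac-sha1  ******** ******** ******** ******** ********
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Dec 20 22:44:37 2005    current: Dec 21 03:32:16 2005
    diff: 17259(s)    hard: 86400(s)    soft: 69120(s)
    last: Dec 21 03:31:21 2005    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=365 refcnt=1
"""


@dataclass
class SaEntry:
    src: str
    dst: str
    spi: int
    reqid: int
    state: str
    age_s: int      # "diff:" seconds since the SA was created
    hard_s: int     # hard lifetime in seconds
    soft_s: int     # soft lifetime (rekey point) in seconds
    bytes_cur: int  # "current: N(bytes)" processed under this SA
    packets: int    # "allocated:" counter, one per packet in the KAME stack


def parse_sad(text: str) -> list[SaEntry]:
    """Parse the dump: a non-indented 'src dst' line opens each SA, indented
    lines carry its attributes. Lines we do not need are skipped."""
    entries, fields = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if fields:
                entries.append(SaEntry(**fields))
            src, dst = raw.split()
            fields = dict(src=src, dst=dst, spi=0, reqid=0, state="?", age_s=0,
                          hard_s=0, soft_s=0, bytes_cur=0, packets=0)
            continue
        line = raw.strip()
        if m := re.search(r"spi=(\d+)\(.*reqid=(\d+)\(", line):
            fields["spi"], fields["reqid"] = int(m[1]), int(m[2])
        elif m := re.search(r"state=(\w+)", line):
            fields["state"] = m[1]
        elif m := re.match(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)", line):
            fields["age_s"], fields["hard_s"], fields["soft_s"] = map(int, m.groups())
        elif m := re.match(r"current: (\d+)\(bytes\)", line):   # skips the 'created:' line
            fields["bytes_cur"] = int(m[1])
        elif m := re.match(r"allocated: (\d+)", line):
            fields["packets"] = int(m[1])
    if fields:
        entries.append(SaEntry(**fields))
    return entries


def diagnose(entries: list[SaEntry], local_ip: str) -> list[tuple[str, str, str]]:
    """Return (peer, code, message) per peer. local_ip is the address whose
    outbound SAs have it as src and inbound SAs as dst."""
    out_by_peer = {e.dst: e for e in entries if e.src == local_ip}
    in_by_peer = {e.src: e for e in entries if e.dst == local_ip}
    findings = []
    for peer in sorted(set(out_by_peer) | set(in_by_peer)):
        o, i = out_by_peer.get(peer), in_by_peer.get(peer)
        if o is None or i is None:
            findings.append((peer, "half-open", "only one direction has an SA"))
            continue
        for e in (o, i):
            if e.state != "mature":
                findings.append((peer, "not-mature", f"spi {e.spi:#x} state={e.state}"))
            if e.age_s >= e.soft_s > 0:
                findings.append((peer, "stale", f"spi {e.spi:#x} past soft lifetime, no rekey"))
        if o.bytes_cur and not i.bytes_cur:
            findings.append((peer, "no-inbound", "encrypting outbound but nothing decrypted: "
                             "return traffic never arrives (far-side policy/routing)"))
        elif i.bytes_cur and not o.bytes_cur:
            findings.append((peer, "no-outbound", "decrypting inbound but nothing sent: "
                             "local SPD/route does not select the traffic"))
        elif not o.bytes_cur and not i.bytes_cur:
            findings.append((peer, "idle", "no traffic in either direction matches the policy"))
        else:
            findings.append((peer, "ok", f"out {o.bytes_cur} B/{o.packets} pkts, "
                             f"in {i.bytes_cur} B/{i.packets} pkts"))
    return findings


if __name__ == "__main__":
    for peer, code, msg in diagnose(parse_sad(SAD_DUMP), "192.0.2.10"):
        print(f"{peer:16} {code:12} {msg}")
```

Run against a live dump with `setkey -D | python3 sad_check.py` after replacing `SAD_DUMP` with `sys.stdin.read()`; the codes distinguish the case where the local side encrypts but nothing comes back from the case where the local policy never selects the traffic, which is the first split a practitioner wants before looking at racoon's phase 2 warnings.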