 From:  Kael Fischer <kael dot fischer at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC phase 1 OK ... phase 2 can't get sainfo
 Date:  Wed, 21 Dec 2005 12:33:32 -0800
Hi all:
I haven't set up IPsec before, so noob mode is on.  Google turned up
many people with this problem but no answer.  Can someone help?

Using m0n0wall 1.2 (cdrom w/ floppy) on systems with Intel (em)
gigabit interfaces, I am trying to set up a little tunnel.  Following
the m0n0wall handbook, if I try to set up a tunnel I get this
behavior.

LAN 1---router 1--internet--router2---LAN2

- machine on LAN1 tries to connect to LAN2
  - router 1 says:

Dec 21 12:03:11 	racoon: INFO: isakmp.c:952:isakmp_ph2begin_i():
initiate new phase 2 negotiation: xxx.xxx.55.196[0]<=>xxx.xxx.99.25[0]
Dec 21 12:03:10 	racoon: INFO: isakmp.c:2459:log_ph1established():
ISAKMP-SA established xxx.xxx.55.196[500]-xxx.xxx.99.25[500]
spi:47edc24e6bf633db:b49363a252c0412f
Dec 21 12:03:10 	racoon: NOTIFY: oakley.c:2102:oakley_skeyid():
couldn't find the proper pskey, try to get one by the peer's address.
Dec 21 12:03:10 	racoon: INFO: vendorid.c:128:check_vendorid():
received Vendor ID: KAME/racoon
Dec 21 12:03:10 	racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
Aggressive mode.
Dec 21 12:03:10 	racoon: INFO: isakmp.c:808:isakmp_ph1begin_i():
initiate new phase 1 negotiation:
xxx.xxx.55.196[500]<=>xxx.xxx.99.25[500]
Dec 21 12:03:10 	racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
IPsec-SA request for 169.230.81.25 queued due to no phase1 found.

- router 2 says:

Dec 21 12:03:32 	racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r():
failed to pre-process packet.
Dec 21 12:03:32 	racoon: ERROR: isakmp_quick.c:1046:quick_r1recv():
failed to get sainfo.
Dec 21 12:03:32 	racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r():
failed to get sainfo.
Dec 21 12:03:32 	racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
respond new phase 2 negotiation: xxx.xxx.99.25[0]<=>xxx.xxx.55.196[0]

router 1 racoon.conf:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 169.230.81.25 {
	exchange_mode aggressive;
	my_identifier address "xxx.xxx.55196";

	peers_identifier address xxx.xxx.99.25;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm blowfish;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
}

sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
	encryption_algorithm 3des,blowfish,cast128,rijndael;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	lifetime time 86400 secs;
}

router 2 racoon.conf:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote xxx.xxx.55.196 {
	exchange_mode aggressive;
	my_identifier address "xxx.xxx.99.25";

	peers_identifier address xxx.xxx.55.196;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm blowfish;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	lifetime time 86400 secs;
}
--
Kael Fischer, Ph.D
DeRisi Lab - Univ. Of California San Francisco
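The responder's "failed to get sainfo" means racoon could not match the phase 2 ID selectors it received against any sainfo block. An added example, not part of the mail or of m0n0wall, is a small linter for the two sainfo lines quoted above: it checks that the router 1 (local, remote) pair is the mirror image of the router 2 pair and flags any prefix written with host bits set (192.168.0.129/25 and 192.168.0.1/25 in the post). The config fragments and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed inputs: the two sainfo lines from the mail, trimmed to one block each.
ROUTER1_CONF = "sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {\n}"
ROUTER2_CONF = "sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {\n}"

# 'sainfo address <local> <proto> address <remote> <proto> {'
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{", re.M)


def parse_sainfo(conf):
    """Return the (local, remote) selector strings of the first sainfo block."""
    m = SAINFO_RE.search(conf)
    if m is None:
        raise ValueError("no 'sainfo address ... address ...' line found")
    return m.group(1), m.group(2)


def lint_sainfo_pair(conf_a, conf_b):
    """Return a list of findings; an empty list means both sides mirror cleanly.

    Hypothetical check: each selector is normalised to its network address and a
    warning is recorded if the text had host bits set, then router1's (local,
    remote) is compared with router2's (remote, local) after normalisation.
    """
    findings = []
    sides = {}
    for name, conf in (("router1", conf_a), ("router2", conf_b)):
        nets = []
        for sel in parse_sainfo(conf):
            net = ipaddress.ip_network(sel, strict=False)  # tolerate host bits
            if str(net) != sel:
                findings.append(f"{name}: {sel} has host bits set, network is {net}")
            nets.append(net)
        sides[name] = tuple(nets)
    a_local, a_remote = sides["router1"]
    b_local, b_remote = sides["router2"]
    if a_local != b_remote or a_remote != b_local:
        findings.append("mismatch: router1 (%s -> %s) is not the mirror of "
                        "router2 (%s -> %s)" % (a_local, a_remote, b_local, b_remote))
    return findings


if __name__ == "__main__":
    for finding in lint_sainfo_pair(ROUTER1_CONF, ROUTER2_CONF):
        print(finding)
```

On the posted configs the mirror check passes after normalisation, so the only output is the two host-bits warnings; rewriting those selectors as 192.168.0.128/25 and 192.168.0.0/25 makes both sides state the same networks in the same form.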