 
 From:  Joseph & Katie Jackson <jkjackson at gmail dot com>
 To:  kael at sonic dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC phase 1 OK ... phase 2 can't get sainfo
 Date:  Wed, 21 Dec 2005 15:19:07 -0600
You could try unchecking Aggressive mode; it is less secure anyway.

On 12/21/05, Kael Fischer <kael dot fischer at gmail dot com> wrote:
>
> Hi all:
> I haven't set up IPsec before, so noob mode is on.  Google turned up
> many people with this problem but no answer.  Can someone help?
>
> Using m0n0wall 1.2 (cdrom w/ floppy) on systems with intel (em)
> gigabit interfaces, I am trying to set up a little tunnel.  Following
> the monowall handbook, if I try to set up a tunnel I get this
> behavior.
>
> LAN 1---router 1--internet--router2---LAN2
>
> - machine on LAN1 tries to connect to LAN2
> - router 1 says:
>
> Dec 21 12:03:11         racoon: INFO: isakmp.c:952:isakmp_ph2begin_i():
> initiate new phase 2 negotiation: xxx.xxx.55.196[0]<=>xxx.xxx.99.25[0]
> Dec 21 12:03:10         racoon: INFO: isakmp.c:2459:log_ph1established():
> ISAKMP-SA established xxx.xxx.55.196[500]-xxx.xxx.99.25[500]
> spi:47edc24e6bf633db:b49363a252c0412f
> Dec 21 12:03:10         racoon: NOTIFY: oakley.c:2102:oakley_skeyid():
> couldn't find the proper pskey, try to get one by the peer's address.
> Dec 21 12:03:10         racoon: INFO: vendorid.c:128:check_vendorid():
> received Vendor ID: KAME/racoon
> Dec 21 12:03:10         racoon: INFO: isakmp.c:813:isakmp_ph1begin_i():
> begin
> Aggressive mode.
> Dec 21 12:03:10         racoon: INFO: isakmp.c:808:isakmp_ph1begin_i():
> initiate new phase 1 negotiation:
> xxx.xxx.55.196[500]<=>xxx.xxx.99.25[500]
> Dec 21 12:03:10         racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
> IPsec-SA request for 169.230.81.25 queued due to no phase1 found.
>
> - router 2 says:
>
> Dec 21 12:03:32         racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r():
> failed to pre-process packet.
> Dec 21 12:03:32         racoon: ERROR: isakmp_quick.c:1046:quick_r1recv():
> failed to get sainfo.
> Dec 21 12:03:32         racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r():
> failed to get sainfo.
> Dec 21 12:03:32         racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
> respond new phase 2 negotiation: xxx.xxx.99.25[0]<=>xxx.xxx.55.196[0]
>
> router 1 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote 169.230.81.25 {
>        exchange_mode aggressive;
>        my_identifier address "xxx.xxx.55196";
>
>        peers_identifier address xxx.xxx.99.25;
>        initial_contact on;
>        support_proxy on;
>        proposal_check obey;
>
>        proposal {
>                encryption_algorithm blowfish;
>                hash_algorithm sha1;
>                authentication_method pre_shared_key;
>                dh_group 2;
>                lifetime time 28800 secs;
>        }
> }
>
> sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
>        encryption_algorithm 3des,blowfish,cast128,rijndael;
>        authentication_algorithm hmac_sha1,hmac_md5;
>        compression_algorithm deflate;
>        lifetime time 86400 secs;
> }
>
> router 2 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote xxx.xxx.55.196 {
>        exchange_mode aggressive;
>        my_identifier address "xxx.xxx.99.25";
>
>        peers_identifier address xxx.xxx.55.196;
>        initial_contact on;
>        support_proxy on;
>        proposal_check obey;
>
>        proposal {
>                encryption_algorithm blowfish;
>                hash_algorithm sha1;
>                authentication_method pre_shared_key;
>                dh_group 2;
>                lifetime time 28800 secs;
>        }
>        lifetime time 28800 secs;
> }
>
> sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
>        encryption_algorithm 3des;
>        authentication_algorithm hmac_sha1;
>        compression_algorithm deflate;
>        lifetime time 86400 secs;
> }
>
> --
> Kael Fischer, Ph.D
> DeRisi Lab - Univ. Of California San Francisco
>
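A check I would run before touching anything else in this thread is to compare the two peers' sainfo lines against each other: racoon's responder picks the phase 2 sainfo entry by matching the identity payloads the initiator sends against its own sainfo selectors, so the selectors on the two routers have to be exact mirror images (router 1's local selector is router 2's remote one and vice versa), and a selector with host bits set is a red flag. The script below is an added example, not m0n0wall or racoon code; the two sainfo strings are copied from the quoted configs, the "fixed" pair is my assumed mirrored form, and the regex only understands the "sainfo address A/len any address B/len any" shape used on this page.

```python
"""Cross-check the phase 2 sainfo selectors of two racoon.conf peers.

Added example (not part of m0n0wall or racoon). Assumptions: each sainfo
block has the form "sainfo address LOCAL any address REMOTE any {", and
the two peers are expected to declare mirror-image selectors.
"""
import ipaddress
import re

# Only the "sainfo address A/len any address B/len any {" form is parsed.
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<local>\S+)\s+\S+\s+address\s+(?P<remote>\S+)\s+\S+\s*\{"
)

# Copied from the quoted router 1 / router 2 configs above.
ROUTER1_SAINFO = """
sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
        encryption_algorithm 3des,blowfish,cast128,rijndael;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
        lifetime time 86400 secs;
}
"""
ROUTER2_SAINFO = """
sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 86400 secs;
}
"""

# Assumed mirrored form of the same two selectors (constructed, not from the page).
FIXED_A = "sainfo address 192.168.0.0/25 any address 192.168.0.128/25 any {\n}\n"
FIXED_B = "sainfo address 192.168.0.128/25 any address 192.168.0.0/25 any {\n}\n"


def parse_sainfo(conf: str):
    """Return a list of (local, remote) selector strings, one per sainfo block."""
    return [(m.group("local"), m.group("remote")) for m in SAINFO_RE.finditer(conf)]


def host_bits_set(selector: str) -> bool:
    """True if the selector is not a proper network, e.g. 192.168.0.129/25."""
    try:
        ipaddress.ip_network(selector, strict=True)
        return False
    except ValueError:
        return True


def check_peers(conf_a: str, conf_b: str):
    """Return findings (strings); an empty list means the selectors mirror cleanly."""
    findings = []
    a = parse_sainfo(conf_a)
    b = parse_sainfo(conf_b)
    # Selectors with host bits set rarely match what the other side sends.
    for side, entries in (("A", a), ("B", b)):
        for local, remote in entries:
            for sel in (local, remote):
                if host_bits_set(sel):
                    findings.append(f"peer {side}: selector {sel} has host bits set")
    # Every (local, remote) on one side must appear as (remote, local) on the other.
    for local, remote in a:
        if (remote, local) not in b:
            findings.append(f"peer A sainfo local={local} remote={remote} has no mirror on peer B")
    for local, remote in b:
        if (remote, local) not in a:
            findings.append(f"peer B sainfo local={local} remote={remote} has no mirror on peer A")
    return findings


if __name__ == "__main__":
    for line in check_peers(ROUTER1_SAINFO, ROUTER2_SAINFO):
        print(line)
    print("fixed pair:", check_peers(FIXED_A, FIXED_B) or "mirror OK")
```

Run against the two configs as posted it reports four findings (a host-bits selector on each side and no mirror in either direction); run against the assumed mirrored pair it reports nothing. The comparison is deliberately textual rather than normalised, because that is how the responder's lookup behaves: it does not round 192.168.0.129/25 down to 192.168.0.128/25 for you.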