You could try unchecking the Aggressive mode; it is less secure anyway.
On 12/21/05, Kael Fischer <kael dot fischer at gmail dot com> wrote:
>
> Hi all:
> I haven't set up IPsec before, so noob mode is on. Google turned up
> many people with this problem but no answer. Can someone help?
>
> Using m0n0wall 1.2 (cdrom w/ floppy) on systems with intel (em)
> gigabit interfaces, I am trying to set up a little tunnel. Following
> the monowall handbook, if i try to set up a tunnel I get this
> behavior.
>
> LAN 1---router 1--internet--router2---LAN2
>
> - machine on LAN1 tries to connect to LAN2
> - router 1 says:
>
> Dec 21 12:03:11 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i():
> initiate new phase 2 negotiation: xxx.xxx.55.196[0]<=>xxx.xxx.99.25[0]
> Dec 21 12:03:10 racoon: INFO: isakmp.c:2459:log_ph1established():
> ISAKMP-SA established xxx.xxx.55.196[500]-xxx.xxx.99.25[500]
> spi:47edc24e6bf633db:b49363a252c0412f
> Dec 21 12:03:10 racoon: NOTIFY: oakley.c:2102:oakley_skeyid():
> couldn't find the proper pskey, try to get one by the peer's address.
> Dec 21 12:03:10 racoon: INFO: vendorid.c:128:check_vendorid():
> received Vendor ID: KAME/racoon
> Dec 21 12:03:10 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i():
> begin Aggressive mode.
> Dec 21 12:03:10 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i():
> initiate new phase 1 negotiation:
> xxx.xxx.55.196[500]<=>xxx.xxx.99.25[500]
> Dec 21 12:03:10 racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
> IPsec-SA request for 169.230.81.25 queued due to no phase1 found.
>
> - router 2 says:
>
> Dec 21 12:03:32 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r():
> failed to pre-process packet.
> Dec 21 12:03:32 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv():
> failed to get sainfo.
> Dec 21 12:03:32 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r():
> failed to get sainfo.
> Dec 21 12:03:32 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
> respond new phase 2 negotiation: xxx.xxx.99.25[0]<=>xxx.xxx.55.196[0]
>
> router 1 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate "/var/etc";
>
> remote 169.230.81.25 {
> exchange_mode aggressive;
> my_identifier address "xxx.xxx.55196";
>
> peers_identifier address xxx.xxx.99.25;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
>
> proposal {
> encryption_algorithm blowfish;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 28800 secs;
> }
> }
>
> sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
> encryption_algorithm 3des,blowfish,cast128,rijndael;
> authentication_algorithm hmac_sha1,hmac_md5;
> compression_algorithm deflate;
> lifetime time 86400 secs;
> }
>
> router 2 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate "/var/etc";
>
> remote xxx.xxx.55.196 {
> exchange_mode aggressive;
> my_identifier address "xxx.xxx.99.25";
>
> peers_identifier address xxx.xxx.55.196;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
>
> proposal {
> encryption_algorithm blowfish;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 28800 secs;
> }
> lifetime time 28800 secs;
> }
>
> sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
> encryption_algorithm 3des;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> lifetime time 86400 secs;
> }
>
> --
> Kael Fischer, Ph.D
> DeRisi Lab - Univ. Of California San Francisco
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
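Added example (my code, not m0n0wall's, racoon's, or anything posted in the thread): a small Python cross-check of the two racoon.conf files for the conditions behind the responder's "failed to get sainfo" (no sainfo line matched the phase 2 IDs it received) and the initiator's "couldn't find the proper pskey" (the PSK lookup by identifier failed, so racoon fell back to the peer address). The sample configs are constructed to mirror the quoted ones, with RFC 5737 documentation addresses standing in for the redacted public IPs; the missing dot in router 1's my_identifier and the selectors written with host bits set (192.168.0.129/25 and 192.168.0.1/25) are copied from the quoted files. The check does not assume anything about whether racoon masks host bits before comparing IDs; it flags them because writing both sides as the network address removes the question. It also reports exchange_mode aggressive, which is what the reply above suggests turning off.

```python
"""Cross-check two racoon.conf files for the mismatches that typically surface
as 'failed to get sainfo' on the responder and 'couldn't find the proper pskey'
on the initiator. Added example, not m0n0wall or racoon code."""
import ipaddress
import re

# Constructed sample pair modelled on the thread's two routers. Public addresses
# are RFC 5737 documentation ranges; the missing dot in my_identifier and the
# host bits in the selectors reproduce what the quoted configs show.
ROUTER1_CONF = """
remote 198.51.100.25 {
    exchange_mode aggressive;
    my_identifier address "192.0.2196";
    peers_identifier address 198.51.100.25;
    proposal { encryption_algorithm blowfish; hash_algorithm sha1; dh_group 2; }
}
sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael;
    authentication_algorithm hmac_sha1,hmac_md5;
}
"""
ROUTER2_CONF = """
remote 192.0.2.196 {
    exchange_mode aggressive;
    my_identifier address "198.51.100.25";
    peers_identifier address 192.0.2.196;
    proposal { encryption_algorithm blowfish; hash_algorithm sha1; dh_group 2; }
}
sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
}
"""


def _brace_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in racoon.conf")


def _algs(body, key):
    """Comma-separated algorithm list for `key` inside a block body, as a set."""
    m = re.search(key + r"\s+([^;]+);", body)
    return {a.strip() for a in m.group(1).split(",")} if m else set()


def parse_racoon(text):
    """Pull out the identifiers, exchange mode and phase 2 selectors."""
    conf = {"remotes": [], "sainfos": []}
    for m in re.finditer(r"remote\s+(\S+)\s*\{", text):
        body = _brace_body(text, m.end() - 1)
        ids = {}
        for key in ("my_identifier", "peers_identifier"):
            k = re.search(key + r'\s+address\s+"?([^";\s]+)"?\s*;', body)
            ids[key] = k.group(1) if k else None
        mode = re.search(r"exchange_mode\s+([^;]+);", body)
        conf["remotes"].append({"peer": m.group(1),
                                "mode": mode.group(1).strip() if mode else None, **ids})
    # 'sainfo address <net> <port> address <net> <port> {' ; ports are not compared here
    for m in re.finditer(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{", text):
        body = _brace_body(text, m.end() - 1)
        conf["sainfos"].append({"local": m.group(1), "remote": m.group(2),
                                "enc": _algs(body, "encryption_algorithm"),
                                "auth": _algs(body, "authentication_algorithm")})
    return conf


def _net(sel):
    """Normalize a selector to its network; also report whether host bits were set."""
    net = ipaddress.ip_network(sel, strict=False)
    return net, str(net) != sel


def check_pair(a, b):
    """Return a list of findings for the pair; an empty list means the files agree."""
    findings = []
    for side, conf in (("A", a), ("B", b)):
        for r in conf["remotes"]:
            for key in ("peer", "my_identifier", "peers_identifier"):
                try:
                    ipaddress.ip_address(r[key])
                except ValueError:
                    findings.append(f"{side}: {key} {r[key]!r} is not a valid IP address")
            if r["mode"] == "aggressive":
                findings.append(f"{side}: exchange_mode aggressive sends the identities and "
                                "PSK-based hashes unprotected; main mode encrypts them")
        for s in conf["sainfos"]:
            for key in ("local", "remote"):
                net, hostbits = _net(s[key])
                if hostbits:
                    findings.append(f"{side}: sainfo {key} selector {s[key]} has host bits set; "
                                    f"write it as {net}")
    # Each side's my_identifier must be what the other side expects as peers_identifier.
    for ra in a["remotes"]:
        for rb in b["remotes"]:
            if ra["my_identifier"] != rb["peers_identifier"]:
                findings.append(f"A my_identifier {ra['my_identifier']} != "
                                f"B peers_identifier {rb['peers_identifier']}")
            if rb["my_identifier"] != ra["peers_identifier"]:
                findings.append(f"B my_identifier {rb['my_identifier']} != "
                                f"A peers_identifier {ra['peers_identifier']}")
    # Every sainfo needs a mirrored sainfo on the other side with a shared algorithm.
    for this, other, name in ((a, b, "A"), (b, a, "B")):
        for s in this["sainfos"]:
            ln, rn = _net(s["local"])[0], _net(s["remote"])[0]
            mirror = [o for o in other["sainfos"]
                      if _net(o["local"])[0] == rn and _net(o["remote"])[0] == ln]
            if not mirror:
                findings.append(f"{name}: sainfo {s['local']} <-> {s['remote']} has no mirror")
            elif not (s["enc"] & mirror[0]["enc"]) or not (s["auth"] & mirror[0]["auth"]):
                findings.append(f"{name}: sainfo {s['local']} <-> {s['remote']} shares no "
                                "phase 2 algorithm with its mirror")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_racoon(ROUTER1_CONF), parse_racoon(ROUTER2_CONF)):
        print(line)
```

Run against the two constructed files it reports the malformed my_identifier on router 1 (and the resulting identifier mismatch with router 2's peers_identifier), the two selectors with host bits set, and aggressive mode on both sides; the sainfo lines do mirror each other once normalized and share 3des with hmac_sha1, so no phase 2 algorithm finding is raised.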