 From:  Kael Fischer <kael dot fischer at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: IPSEC phase 1 OK ... phase 2 can't get sainfo
 Date:  Wed, 21 Dec 2005 15:34:12 -0800
The answer is as follows:

Choosing "LAN subnet" as the "local subnet" in the Tunnel definition places
an equivalent subnet, but with slightly different notation than one might
enter on the other end of the tunnel in the "Remote subnet" box.  This is
parsed into the racoon.conf file and horks it all up.

This is hard to see because the local subnet box just says "LAN subnet".

In my case:
"LAN subnet" was parsed as 192.168.0.129/25, but I entered
192.169.0.128/25 at the other end of the tunnel (see original post).
These are the same subnet, but this is a problem in the racoon.conf
context.  Going the other direction there was a similar problem.

The best way to avoid this IMO is to enter the "Local subnet" explicitly.
Then it can be literally compared to what you have entered on the other
end.  The important thing to note is that the subnets not only have to be
the same...  The unmasked bits have to be the same too, i.e.
192.168.0.129/25 != 192.169.0.128/25 for the racoon subnet definition.

Hope this gets indexed in google and saves someone a day...

Kael



On 12/21/05, Kael Fischer <kael dot fischer at gmail dot com> wrote:
>
> Hi all:
> I haven't set up IPsec before, so noob mode is on.  Google turned up
> many people with this problem but no answer.  Can someone help?
>
> Using m0n0wall 1.2 (cdrom w/ floppy) on systems with intel (em)
> gigabit interfaces, I am trying to set up a little tunnel.  Following
> the monowall handbook, if i try to set up a tunnel I get this
> behavior.
>
> LAN 1---router 1--internet--router2---LAN2
>
> - machine on LAN1 tries to connect to LAN2
>   - router 1 says:
>
> Dec 21 12:03:11         racoon: INFO: isakmp.c:952:isakmp_ph2begin_i():
> initiate new phase 2 negotiation: xxx.xxx.55.196[0]<=>xxx.xxx.99.25[0]
> Dec 21 12:03:10         racoon: INFO: isakmp.c:2459:log_ph1established():
> ISAKMP-SA established xxx.xxx.55.196[500]-xxx.xxx.99.25[500]
> spi:47edc24e6bf633db:b49363a252c0412f
> Dec 21 12:03:10         racoon: NOTIFY: oakley.c:2102:oakley_skeyid():
> couldn't find the proper pskey, try to get one by the peer's address.
> Dec 21 12:03:10         racoon: INFO: vendorid.c:128:check_vendorid():
> received Vendor ID: KAME/racoon
> Dec 21 12:03:10         racoon: INFO: isakmp.c:813:isakmp_ph1begin_i():
> begin
> Aggressive mode.
> Dec 21 12:03:10         racoon: INFO: isakmp.c:808:isakmp_ph1begin_i():
> initiate new phase 1 negotiation:
> xxx.xxx.55.196[500]<=>xxx.xxx.99.25[500]
> Dec 21 12:03:10         racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
> IPsec-SA request for 169.230.81.25 queued due to no phase1 found.
>
> - router 2 says:
>
> Dec 21 12:03:32         racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r():
> failed to pre-process packet.
> Dec 21 12:03:32         racoon: ERROR: isakmp_quick.c:1046:quick_r1recv():
> failed to get sainfo.
> Dec 21 12:03:32         racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r():
> failed to get sainfo.
> Dec 21 12:03:32         racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
> respond new phase 2 negotiation: xxx.xxx.99.25[0]<=>xxx.xxx.55.196[0]
>
> router 1 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote xxx.xxx.99.25 {
>         exchange_mode aggressive;
>         my_identifier address "xxx.xxx.55.196";
>
>         peers_identifier address xxx.xxx.99.25;
>         initial_contact on;
>         support_proxy on;
>         proposal_check obey;
>
>         proposal {
>                 encryption_algorithm blowfish;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key;
>                 dh_group 2;
>                 lifetime time 28800 secs;
>         }
> }
>
> sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {
>         encryption_algorithm 3des,blowfish,cast128,rijndael;
>         authentication_algorithm hmac_sha1,hmac_md5;
>         compression_algorithm deflate;
>         lifetime time 86400 secs;
> }
>
> router 2 racoon.conf:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote xxx.xxx.55.196 {
>         exchange_mode aggressive;
>         my_identifier address "xxx.xxx.99.25";
>
>         peers_identifier address xxx.xxx.55.196;
>         initial_contact on;
>         support_proxy on;
>         proposal_check obey;
>
>         proposal {
>                 encryption_algorithm blowfish;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key;
>                 dh_group 2;
>                 lifetime time 28800 secs;
>         }
>         lifetime time 28800 secs;
> }
>
> sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {
>         encryption_algorithm 3des;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
>         lifetime time 86400 secs;
> }
>
>
>
>
> --
> Kael Fischer, Ph.D
> DeRisi Lab - Univ. Of California San Francisco
>
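The check described in the reply above, written out as an added example (this is not code from the thread or from m0n0wall/racoon): it parses the `sainfo` lines from both routers' racoon.conf, pairs each side's local subnet with the other side's remote subnet, and reports where the two notations denote the same network but differ in the unmasked host bits, which is exactly the case racoon rejects with "failed to get sainfo". The sample `sainfo` lines are copied from the original post; the `RacoonConfigError` name and the helper function names are my own.

```python
import ipaddress
import re

# Sample input, taken from the two racoon.conf files quoted in the thread.
# Router 1 is the initiator; router 2 is the responder.
ROUTER1_SAINFO = "sainfo address 192.168.0.0/25 any address 192.168.0.129/25 any {"
ROUTER2_SAINFO = "sainfo address 192.168.0.128/25 any address 192.168.0.1/25 any {"

# "sainfo address <local>/<len> <proto> address <remote>/<len> <proto> {"
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+"
)


class RacoonConfigError(ValueError):
    """Raised when a line does not look like an address-form sainfo entry."""


def parse_sainfo(line):
    """Return (local, remote) CIDR strings exactly as written in the sainfo line."""
    m = SAINFO_RE.search(line)
    if not m:
        raise RacoonConfigError("not an address-form sainfo line: %r" % line)
    return m.group(1), m.group(2)


def normalize(cidr):
    """Canonical form with host bits cleared, e.g. 192.168.0.129/25 -> 192.168.0.128/25.

    This is the notation to type explicitly into the GUI on both ends.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def classify(a, b):
    """Compare two CIDR strings the way a literal matcher would versus a masked one.

    Returns one of:
      "ok"                 identical address and prefix length
      "host-bits-differ"   same network once masked, but the written host bits
                           differ (the case that breaks racoon's sainfo lookup)
      "different-network"  genuinely different subnets
    """
    ia, ib = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    if ia == ib:  # address and prefix identical
        return "ok"
    if ia.network == ib.network:  # same after masking host bits
        return "host-bits-differ"
    return "different-network"


def check_pair(initiator_line, responder_line):
    """Cross-check the initiator's (local, remote) against the responder's (remote, local)."""
    i_local, i_remote = parse_sainfo(initiator_line)
    r_local, r_remote = parse_sainfo(responder_line)
    pairs = (
        ("initiator local vs responder remote", i_local, r_remote),
        ("initiator remote vs responder local", i_remote, r_local),
    )
    return [
        {
            "pair": name,
            "initiator": a,
            "responder": b,
            "status": classify(a, b),
            "suggested": normalize(a),
        }
        for name, a, b in pairs
    ]


def find_problems(initiator_line, responder_line):
    """Only the entries that would make racoon fail to find a matching sainfo."""
    return [r for r in check_pair(initiator_line, responder_line) if r["status"] != "ok"]


if __name__ == "__main__":
    for r in check_pair(ROUTER1_SAINFO, ROUTER2_SAINFO):
        print("%-40s %-18s %-18s %-18s enter: %s"
              % (r["pair"], r["initiator"], r["responder"], r["status"], r["suggested"]))
```

Run against the two configs from the thread, both pairings come back as `host-bits-differ`: 192.168.0.0/25 vs 192.168.0.1/25 and 192.168.0.129/25 vs 192.168.0.128/25. The `suggested` column gives the masked form to enter by hand on both ends so the literal comparison succeeds.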