Hi, I upgraded my Soekris 4801 to 1.21 and experienced the same issue with the main and aggressive mode. Here is the relevant RACOON error:

Jan 4 20:43:29 racoon: ERROR: invalid ID payload.
Jan 4 20:43:29 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 4 20:43:28 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 4 20:43:28 racoon: INFO: received Vendor ID: DPD
Jan 4 20:43:28 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 4 20:43:27 racoon: INFO: begin Identity Protection mode.
Jan 4 20:43:27 racoon: INFO: initiate new phase 1 negotiation:

I tried switching the Phase 1 Identifier from FQDN to both "My IP Address" and IP address with my IP typed in. Would this be indicating that the M0n0wall is expecting the ID payload from my Cisco box to be the IP address? Hmmm... Thoughts?

When I switched my IPSEC tunnel to 'aggressive' it worked of course but still threw up some strange info indicating it's not working quite right. It was:

Jan 4 20:44:55 racoon: WARNING: attribute has been modified.
Jan 4 20:44:55 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Jan 4 20:44:55 /kernel: WARNING: pseudo-random number generator used for IPsec processing
Jan 4 20:44:55 racoon: INFO: initiate new phase 2 negotiation: 205.xxx.xxx.xxx[0]<=>207.xxx.xxx.xxx[0]
Jan 4 20:44:55 racoon: INFO: ISAKMP-SA established 205.xxx.xxx.xxx[500]-207.xxx.xxx.xxx[500] spi:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Jan 4 20:44:55 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 4 20:44:54 racoon: WARNING: No ID match.
Jan 4 20:44:54 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 4 20:44:54 racoon: INFO: received Vendor ID: DPD
Jan 4 20:44:54 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 4 20:44:53 racoon: INFO: begin Aggressive mode.
Jan 4 20:44:53 racoon: INFO: initiate new phase 1 negotiation: 205.xxx.xxx.xxx[500]<=>207.xxx.xxx.xxx[500]

Addresses and SPI have been changed to protect the innocent. The other end point is a Cisco Pix running Pix 6.3.1 and we are using a pre-shared key.

Stephen.


After upgrading 7 Generic PCs and 3 Net48 boxes, all is working well with one exception. In order to get my IPSEC tunnels to come back up, I had to switch from "main" to "aggressive". Everything else upgraded without any problems and so far seems to be working fine.

Roy...
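Added example, not taken from either post above: the racoon configuration shape behind the two outcomes both posters describe (main mode failing on a FQDN identifier, aggressive mode working). In IKEv1 main mode with pre-shared keys the responder has to select the PSK by the peer's IP address, because the ID payload only arrives in messages 5 and 6, which are already encrypted with keys derived from that PSK and the nonces; racoon therefore rejects any non-address identifier in main mode, which is exactly the "Expecting IP address type in main mode, but FQDN" error, and the peer has to send an address-type ID too. Aggressive mode carries the ID in the clear in the first message, so FQDN identifiers work there, but it also exposes the identity and a PSK-derived hash (HASH_R) to anyone on the path, which permits an offline dictionary attack on the pre-shared key; that is the practitioner's caveat before treating "switch to aggressive" as the fix. The addresses, hostnames and secret below are placeholders; m0n0wall generates racoon.conf from its web GUI rather than taking this file directly; and on the PIX side the corresponding setting is assumed to be `isakmp identity address` (address-type ID) versus `isakmp identity hostname` (FQDN-type ID).

```conf
# Constructed example: two ways to set up the same PSK tunnel in racoon.
# 203.0.113.10 = this gateway, 198.51.100.20 = the PIX (placeholder addresses).

path pre_shared_key "/var/etc/psk.txt";

# --- Option 1: main mode. Both sides MUST identify by IP address, and the
# PSK is looked up by the peer's address (the only thing known before the
# encrypted ID payload arrives). The PIX must send an address ID as well.
remote 198.51.100.20 {
        exchange_mode main;
        my_identifier address 203.0.113.10;
        peers_identifier address 198.51.100.20;
        verify_identifier on;
        proposal_check obey;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Matching /var/etc/psk.txt line for option 1 (keyed by address):
#   198.51.100.20   changeme-use-a-long-random-secret

# --- Option 2: aggressive mode. FQDN identifiers are allowed because the ID
# travels in the clear in message 1, so the PSK can be chosen by name.
# Trade-off: identity and HASH_R are exposed, enabling offline PSK guessing;
# use only with a long random PSK, or prefer option 1 / certificates.
#remote 198.51.100.20 {
#        exchange_mode aggressive;
#        my_identifier fqdn "m0n0wall.example.net";
#        peers_identifier fqdn "pix.example.net";
#        verify_identifier on;
#        proposal_check obey;
#        lifetime time 28800 sec;
#        proposal {
#                encryption_algorithm 3des;
#                hash_algorithm sha1;
#                authentication_method pre_shared_key;
#                dh_group 2;
#        }
#}

# Matching /var/etc/psk.txt line for option 2 (keyed by the peer's FQDN).
# If this entry is missing, racoon logs "couldn't find the proper pskey,
# try to get one by the peer's address" and falls back to an address entry.
#   pix.example.net   changeme-use-a-long-random-secret
```

The psk.txt key must be written in the same form as the peer's identifier (address for main mode, FQDN for an aggressive-mode FQDN ID); the "No ID match" and "couldn't find the proper pskey" lines in the aggressive-mode log above are racoon noticing that the identifier it received did not match a psk.txt entry before it fell back to the address lookup.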