 From:  m0n0wall query <mickmail40 dash m0n0wall at yahoo dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0wall to sonicwall connection query
 Date:  Fri, 17 Mar 2006 11:18:45 +0000 (GMT)
Hi,

I am running m0n0wall on a Soekris 4501.
I am trying to connect between my m0n0wall and another company's SonicWall.
I seem to be getting past phase 1, but am getting the error "no phase 2 handle found".
Have tried most m0n0wall configs that I can think of, but still no use.
(I am now trying to get access to the SonicWall config to be able to try different configs from there.)

Can you help?

Mick

Setup details follow.

My m0n0wall has a WAN IP of 192.168.1.253 (it is port forwarded (TCP port 500, 443) from the DSL router).
Its LAN IP is 192.168.11.1.
  
We tried as the documentation suggested and used Aggressive Mode, but got an error (when I try it now, I get):
racoon: INFO: IPsec-SA request for "other Internet IP" queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 192.168.1.253[500]<=>"other Internet IP"[500]
racoon: INFO: begin Aggressive mode.
racoon: ERROR: reject the packet, received unexpecting payload type 0.
  
We changed to mode "main" and got past phase 1, but are now stuck on phase 2.
  
racoon: INFO: IPsec-SA request for "other Internet IP" queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 192.168.1.253[500]<=>"other Internet IP"[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
racoon: INFO: received Vendor ID: DPD
racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
racoon: INFO: ISAKMP-SA established 192.168.1.253[500]-"other Internet IP"[500] spi:d77e57c8ae03e559:a8e1dcefca1248d8
racoon: INFO: initiate new phase 2 negotiation: 192.168.1.253[0]<=>"other Internet IP"[0]
racoon: ERROR: unknown notify message, no phase2 handle found.
racoon: ERROR: unknown notify message, no phase2 handle found.
racoon: ERROR: "other Internet IP" give up to get IPsec-SA due to time up to wait.
   
  
m0n0wall setup as follows:
mode: Tunnel
interface: WAN
local subnet: LAN Subnet
Remote subnet: 126.0.0.144 / 24
Remote gateway: Other Company internet IP

Phase 1
Negotiation: main
my identifier: IP Address, my internet IP
Encryption: 3DES
Hash Algorithm: MD5
DH Key group: 2
Lifetime: 28800
Authentication Method: Pre-Shared
Pre Shared Key: password

Phase 2
Protocol: ESP
Encryption Algorithms: 3DES
Hash algorithms: MD5
PFS key group: off
lifetime: 28800
   
SonicWall setup
(same as example in documentation except set to negotiation main)
Keying Mode: IKE using preshared secret
IPSec Gateway Name or address: My internet IP
Exchange: Aggressive Mode
Phase 1 DH Group: Group2
SA Life time: 28800
Phase 1: 3DES & MD5
Phase 2: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret: password
Destination network
network 192.168.11.0 255.255.255.0
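As an added example (not part of Mick's post or of m0n0wall itself), here is a small Python helper that reads racoon log lines like the ones quoted above and reports which IKE phase the attempt died in, the exchange mode racoon used, and a troubleshooting pointer keyed on the first recognised error. The sample input is the log from the post; the hint wording and the `diagnose` function are my own.

```python
# Constructed sample: the racoon lines quoted in the post above, with the
# peer address left as the poster redacted it ("other Internet IP").
SAMPLE_LOG = """\
racoon: INFO: IPsec-SA request for "other Internet IP" queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 192.168.1.253[500]<=>"other Internet IP"[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: ISAKMP-SA established 192.168.1.253[500]-"other Internet IP"[500]
racoon: INFO: initiate new phase 2 negotiation: 192.168.1.253[0]<=>"other Internet IP"[0]
racoon: ERROR: unknown notify message, no phase2 handle found.
racoon: ERROR: "other Internet IP" give up to get IPsec-SA due to time up to wait.
"""

# racoon's exchange-mode banners mapped to the names the m0n0wall GUI uses.
MODES = {"begin Aggressive mode.": "aggressive",
         "begin Identity Protection mode.": "main"}

# Pointers keyed on a substring of the first matching error line.
# These are my own troubleshooting notes, not text from the post.
HINTS = {
    "unexpecting payload type": "phase 1 packet rejected: check that exchange "
                                "mode and identifier type match on both peers",
    "no phase2 handle found": "peer sent a notify racoon could not match to its "
                              "quick mode: compare ESP cipher/hash, PFS and the "
                              "local/remote subnet definitions on both ends",
}

def diagnose(log_text):
    """Summarise one racoon negotiation attempt from its log lines."""
    mode, phase1_up, phase2_started, errors = None, False, False, []
    for line in log_text.splitlines():
        msg = line.split("racoon: ", 1)[-1]        # drop the "racoon: " prefix
        for banner, name in MODES.items():
            if banner in msg:
                mode = name
        if msg.startswith("INFO: ISAKMP-SA established"):
            phase1_up = True                        # phase 1 completed
        elif msg.startswith("INFO: initiate new phase 2"):
            phase2_started = True                   # quick mode was attempted
        elif msg.startswith("ERROR:"):
            errors.append(msg[len("ERROR: "):])
    if not errors:
        failed = None                               # no failure in this attempt
    elif not phase1_up:
        failed = 1                                  # died before the ISAKMP-SA
    else:
        failed = 2                                  # ISAKMP-SA up, phase 2 failed
    hint = next((h for k, h in HINTS.items() if any(k in e for e in errors)), "")
    return {"mode": mode, "failed_phase": failed, "phase2_started": phase2_started,
            "errors": errors, "hint": hint}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```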