 
 From:  "Kimmo Jaskari" <kimmo dot jaskari at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  VPN m0n0 - checkpoint broken
 Date:  Fri, 21 Apr 2006 13:51:31 +0300
I'm running a 1.22 and have been running a VPN between my at-home m0n0
and the Checkpoint Firewall-1 at work. When I set that up with version
1.20 it worked like a charm. However, I haven't felt the same need to
use it lately due to changes in what I do at work, but now that I do
need it, it just doesn't want to cooperate. Only thing that has changed
now is that I'm running on 1.22.

Here's the log output of me trying to connect. I've altered the
gateway IP numbers, nothing else. 213.xxx is the m0n0, 194.xxx is the
FW-1. There are actually two tunnels set up below to two separate
internal networks at work. Sorry for the spammage! ;)

I'd appreciate tips and pointers as to what might be off. I've tried:

3des/sha1/1024k
switching to 3des/md5 instead
re-entering the shared secret
re-creating the entire tunnel in m0n0 from scratch
double-checked settings in FW-1

Any help or tips would be welcome at this point.

Apr 21 12:19:23	racoon: INFO: @(#)ipsec-tools 0.6.5
(http://ipsec-tools.sourceforge.net)
Apr 21 12:19:23	racoon: INFO: @(#)This product linked OpenSSL
0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
Apr 21 12:19:23	racoon: DEBUG: call pfkey_send_register for AH	
Apr 21 12:19:23	racoon: DEBUG: call pfkey_send_register for ESP	
Apr 21 12:19:23	racoon: DEBUG: call pfkey_send_register for IPCOMP	
Apr 21 12:19:23	racoon: DEBUG: reading config file /var/etc/racoon.conf	
Apr 21 12:19:23	racoon: DEBUG: compression algorithm can not be
checked because sadb message doesn't support it.
Apr 21 12:19:23	racoon: DEBUG: compression algorithm can not be
checked because sadb message doesn't support it.
Apr 21 12:19:23	racoon: DEBUG: my interface: 213.xxx.xxx.xxx (fxp0)	
Apr 21 12:19:23	racoon: DEBUG: my interface: 192.168.220.1 (vr0)	
Apr 21 12:19:23	racoon: DEBUG: my interface: 127.0.0.1 (lo0)	
Apr 21 12:19:23	racoon: DEBUG: configuring default isakmp port.	
Apr 21 12:19:23	racoon: DEBUG: 3 addrs are configured successfully	
Apr 21 12:19:23	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)	
Apr 21 12:19:23	racoon: INFO: 192.168.220.1[500] used as isakmp port (fd=8)	
Apr 21 12:19:23	racoon: INFO: 213.xxx.xxx.xxx[500] used as isakmp port (fd=9)	
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.220.0/24[0] 192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.5.0/24[0] 192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.4.0/24[0] 192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad408: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad408: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad608: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad408: 192.168.220.1/32[0]
192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.220.1/32[0] 192.168.220.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad608: 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.220.0/24[0] 192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: get pfkey X_SPDDUMP message	
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ad008: 192.168.4.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:23	racoon: DEBUG: sub:0xbfbff4d4: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: DEBUG: db :0x80ada08: 192.168.220.0/24[0]
192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:23	racoon: ERROR: such policy already exists. anyway
replace it: 192.168.220.0/24[0] 192.168.4.0/24[0] proto=any dir=out
Apr 21 12:19:35	racoon: DEBUG: get pfkey ACQUIRE message	
Apr 21 12:19:35	racoon: DEBUG: suitable outbound SP found:
192.168.220.0/24[0] 192.168.5.0/24[0] proto=any dir=out.
Apr 21 12:19:35	racoon: DEBUG: sub:0xbfbff4c0: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:35	racoon: DEBUG: db :0x80a5a08: 192.168.220.0/24[0]
192.168.220.1/32[0] proto=any dir=in
Apr 21 12:19:35	racoon: DEBUG: sub:0xbfbff4c0: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:35	racoon: DEBUG: db :0x80a5c08: 192.168.5.0/24[0]
192.168.220.0/24[0] proto=any dir=in
Apr 21 12:19:35	racoon: DEBUG: suitable inbound SP found:
192.168.5.0/24[0] 192.168.220.0/24[0] proto=any dir=in.
Apr 21 12:19:35	racoon: DEBUG: new acquire 192.168.220.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Apr 21 12:19:35	racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Tunnel reqid=16442:16441)
Apr 21 12:19:35	racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)	
Apr 21 12:19:35	racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)	
Apr 21 12:19:35	racoon: DEBUG: configuration found for 194.xxx.xxx.xxx.	
Apr 21 12:19:35	racoon: INFO: IPsec-SA request for 194.xxx.xxx.xxx
queued due to no phase1 found.
Apr 21 12:19:35	racoon: DEBUG: ===	
Apr 21 12:19:35	racoon: INFO: initiate new phase 1 negotiation:
213.xxx.xxx.xxx[500]<=>194.xxx.xxx.xxx[500]
Apr 21 12:19:35	racoon: INFO: begin Identity Protection mode.	
Apr 21 12:19:35	racoon: DEBUG: new cookie: 6809a3f577d0b525	
Apr 21 12:19:35	racoon: DEBUG: add payload of len 48, next type 13	
Apr 21 12:19:35	racoon: DEBUG: add payload of len 16, next type 0	
Apr 21 12:19:35	racoon: DEBUG: 100 bytes from 213.xxx.xxx.xxx[500] to
194.xxx.xxx.xxx[500]
Apr 21 12:19:35	racoon: DEBUG: sockname 213.xxx.xxx.xxx[500]	
Apr 21 12:19:35	racoon: DEBUG: send packet from 213.xxx.xxx.xxx[500]	
Apr 21 12:19:35	racoon: DEBUG: send packet to 194.xxx.xxx.xxx[500]	
Apr 21 12:19:35	racoon: DEBUG: 1 times of 100 bytes message will be
sent to 194.xxx.xxx.xxx[500]
Apr 21 12:19:35	racoon: DEBUG: 6809a3f5 77d0b525 00000000 00000000
01100200 00000000 00000064 0d000034 00000001 00000001 00000028
01010001 00000020 01010000 800b0001 800c7080 80010005 80030001
80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 21 12:19:35	racoon: DEBUG: resend phase1 packet
6809a3f577d0b525:0000000000000000
Apr 21 12:19:35	racoon: DEBUG: ===	
Apr 21 12:19:35	racoon: DEBUG: 40 bytes message received from
194.xxx.xxx.xxx[500] to 213.xxx.xxx.xxx[500]
Apr 21 12:19:35	racoon: DEBUG: 6809a3f5 77d0b525 00000000 00000000
0b100500 a699b3f8 00000028 0000000c 00000000 0100000e
Apr 21 12:19:35	racoon: DEBUG: malformed cookie received or the
initiator's cookies collide.
Apr 21 12:19:45	racoon: DEBUG: 100 bytes from 213.xxx.xxx.xxx[500] to
194.xxx.xxx.xxx[500]
Apr 21 12:19:45	racoon: DEBUG: sockname 213.xxx.xxx.xxx[500]	
Apr 21 12:19:45	racoon: DEBUG: send packet from 213.xxx.xxx.xxx[500]	
Apr 21 12:19:45	racoon: DEBUG: send packet to 194.xxx.xxx.xxx[500]	
Apr 21 12:19:45	racoon: DEBUG: 1 times of 100 bytes message will be
sent to 194.xxx.xxx.xxx[500]
Apr 21 12:19:45	racoon: DEBUG: 6809a3f5 77d0b525 00000000 00000000
01100200 00000000 00000064 0d000034 00000001 00000001 00000028
01010001 00000020 01010000 800b0001 800c7080 80010005 80030001
80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 21 12:19:45	racoon: DEBUG: resend phase1 packet
6809a3f577d0b525:0000000000000000
Apr 21 12:19:55	racoon: DEBUG: 100 bytes from 213.xxx.xxx.xxx[500] to
194.xxx.xxx.xxx[500]
Apr 21 12:19:55	racoon: DEBUG: sockname 213.xxx.xxx.xxx[500]	
Apr 21 12:19:55	racoon: DEBUG: send packet from 213.xxx.xxx.xxx[500]	
Apr 21 12:19:55	racoon: DEBUG: send packet to 194.xxx.xxx.xxx[500]	
Apr 21 12:19:55	racoon: DEBUG: 1 times of 100 bytes message will be
sent to 194.xxx.xxx.xxx[500]
Apr 21 12:19:55	racoon: DEBUG: 6809a3f5 77d0b525 00000000 00000000
01100200 00000000 00000064 0d000034 00000001 00000001 00000028
01010001 00000020 01010000 800b0001 800c7080 80010005 80030001
80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 21 12:19:55	racoon: DEBUG: resend phase1 packet
6809a3f577d0b525:0000000000000000
Apr 21 12:20:01	racoon: DEBUG: get pfkey ACQUIRE message	
Apr 21 12:20:01	racoon: DEBUG: ignore the acquire because ph2 found	
Apr 21 12:20:02	racoon: INFO: caught signal 15	
Apr 21 12:20:02	racoon: DEBUG: get pfkey FLUSH message	
Apr 21 12:20:02	racoon: DEBUG: an undead schedule has been deleted.	
Apr 21 12:20:03	racoon: DEBUG: call pfkey_send_dump	
Apr 21 12:20:03	racoon: DEBUG: an undead schedule has been deleted.	
Apr 21 12:20:03	racoon: INFO: racoon shutdown
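The two hex dumps racoon printed above can be decoded by hand. This is an added example in Python, not code from the post, m0n0wall or racoon: it walks the ISAKMP header and payload chain (RFC 2408, phase 1 attributes per RFC 2409) and shows that the 100-byte message is a Main Mode SA proposal (3DES, MD5, pre-shared key, DH group 2, 28800 s lifetime, plus a Vendor ID payload) and that the 40-byte reply racoon drops with the "malformed cookie" message (its responder cookie is still all zeros) is an Informational message carrying a NO-PROPOSAL-CHOSEN notification, i.e. the peer rejected that phase 1 proposal.

```python
# Added example (not from the post): minimal IKEv1/ISAKMP (RFC 2408) decoder for the two hex dumps above.
import struct
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 24: "AUTHENTICATION-FAILED"}
ATTR = {1: ("enc", {5: "3DES-CBC"}), 2: ("hash", {1: "MD5", 2: "SHA1"}),   # RFC 2409 appendix A
        3: ("auth", {1: "pre-shared-key"}), 4: ("dh-group", {2: "modp1024"}),
        11: ("life-type", {1: "seconds"}), 12: ("life-duration", {})}
# The two messages exactly as hex-dumped in the racoon log above.
SENT = bytes.fromhex("6809a3f5 77d0b525 00000000 00000000 01100200 00000000 00000064"
                     "0d000034 00000001 00000001 00000028 01010001 00000020 01010000"
                     "800b0001 800c7080 80010005 80030001 80020001 80040002 00000014"
                     "afcad713 68a1f1c9 6b8696fc 77570100")
RECV = bytes.fromhex("6809a3f5 77d0b525 00000000 00000000 0b100500 a699b3f8 00000028"
                     "0000000c 00000000 0100000e")

def parse_attrs(data):
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack("!HH", data[off:off + 4]); off += 4
        if not atype & 0x8000:                   # TLV form: val is a length, value follows
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        name, names = ATTR.get(atype & 0x7FFF, (str(atype & 0x7FFF), {}))
        attrs[name] = names.get(val, val)
    return attrs

def parse_sa(body):                              # DOI, situation, one proposal, one transform
    doi, _sit, _n, _r, _plen, _num, proto, spisz, _nt = struct.unpack("!IIBBHBBBB", body[:16])
    t = 16 + spisz                               # transform payload starts after the SPI
    _n, _r, tlen, _tnum, tid = struct.unpack("!BBHBB", body[t:t + 6])
    return {"doi": doi, "proto": proto, "transform_id": tid, "attrs": parse_attrs(body[t + 8:t + tlen])}

def decode(msg):
    icookie, rcookie, nxt, _v, xchg, _f, _mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("ISAKMP length %d != %d bytes on the wire" % (length, len(msg)))
    info = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "exchange": EXCHANGE.get(xchg, xchg), "payloads": []}
    off = 28
    while nxt:                                   # follow the next-payload chain
        nxt2, _r, plen = struct.unpack("!BBH", msg[off:off + 4])
        body = msg[off + 4:off + plen]
        if nxt == 1:                             # SA
            info["payloads"].append(("SA", parse_sa(body)))
        elif nxt == 11:                          # Notification
            _doi, _proto, _spisz, ntype = struct.unpack("!IBBH", body[:8])
            info["payloads"].append(("N", NOTIFY.get(ntype, ntype)))
        else:                                    # 13 = Vendor ID; anything else kept raw
            info["payloads"].append(("VID" if nxt == 13 else nxt, body.hex()))
        off, nxt = off + plen, nxt2
    return info
```

A NO-PROPOSAL-CHOSEN reply to the first Main Mode message is decided before the pre-shared key is ever used, so re-entering the secret cannot change it; the phase 1 transform (cipher, hash, DH group, lifetime) has to match what the FW-1 side accepts.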