 From:  Alexandre Moles <alexandre dot moles at awakit dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0wall and IpCop IPSec tunnel
 Date:  Thu, 01 Jun 2006 13:23:09 +0200
Hi,

I'm having trouble getting my vpn tunnel working between IpCop and
m0n0wall.

I replaced the real public IP addresses in the following log and conf
files with:
    - gw1-IP : ipcop
    - gw2-IP : m0n0wall

Here are my log entries:

Jun  1 13:09:02 gwlille racoon: DEBUG: ===
Jun  1 13:09:02 gwlille racoon: DEBUG: 380 bytes message received from
gw1-IP[500] to 192.168.1.21[500]
Jun  1 13:09:02 gwlille racoon: DEBUG: compute IV for phase2
Jun  1 13:09:02 gwlille racoon: DEBUG: phase1 last IV:
Jun  1 13:09:02 gwlille racoon: DEBUG:  e172b86f 339e2314 493a1c7d
Jun  1 13:09:02 gwlille racoon: DEBUG: hash(sha1)
Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
Jun  1 13:09:02 gwlille racoon: DEBUG: phase2 IV computed:
Jun  1 13:09:02 gwlille racoon: DEBUG:  47a65389 711cf00d
Jun  1 13:09:02 gwlille racoon: DEBUG: ===
Jun  1 13:09:02 gwlille racoon: INFO: respond new phase 2 negotiation:
192.168.1.21[0]<=>gw1-IP[0]
Jun  1 13:09:02 gwlille racoon: DEBUG: begin decryption.
Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
Jun  1 13:09:02 gwlille racoon: DEBUG: IV was saved for next processing:
Jun  1 13:09:02 gwlille racoon: DEBUG:  375d80af e531b902
Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
Jun  1 13:09:02 gwlille racoon: DEBUG: with key:
Jun  1 13:09:02 gwlille racoon: DEBUG:  11cd0d70 7b7b466c ec236276
b63f68b7 98c45ea2 f3379b3c
Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted payload by IV:
Jun  1 13:09:02 gwlille racoon: DEBUG:  47a65389 711cf00d
Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted payload, but not trimed.
Jun  1 13:09:02 gwlille racoon: DEBUG: padding len=1
Jun  1 13:09:02 gwlille racoon: DEBUG: skip to trim padding.
Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted.
Jun  1 13:09:02 gwlille racoon: DEBUG: begin.
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=8(hash)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=1(sa)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=10(nonce)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=4(ke)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
Jun  1 13:09:02 gwlille racoon: DEBUG: succeed.
Jun  1 13:09:02 gwlille racoon: DEBUG: received IDci2:
Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80a00 ffffff00
Jun  1 13:09:02 gwlille racoon: DEBUG: received IDcr2:
Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80b00 ffffff00
Jun  1 13:09:02 gwlille racoon: DEBUG: HASH(1) validate:
Jun  1 13:09:02 gwlille racoon: DEBUG:  dd6ccc1e 63ee64ea 794659e4
e5f8c14d 587814f5
Jun  1 13:09:02 gwlille racoon: DEBUG: HASH with:
Jun  1 13:09:02 gwlille racoon: DEBUG: hmac(hmac_sha1)
Jun  1 13:09:02 gwlille racoon: DEBUG: HASH computed:
Jun  1 13:09:02 gwlille racoon: DEBUG:  dd6ccc1e 63ee64ea 794659e4
e5f8c14d 587814f5
Jun  1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
Jun  1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
Jun  1 13:09:02 gwlille racoon: ERROR: failed to pre-process packet.

My tunnel conf on m0n0wall:

<tunnel>
    <interface>wan</interface>
    <local-subnet>
        <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>gw1-IP</remote-gateway>
    <p1>
        <mode>main</mode>
        <myident>
            <address>gw2-IP</address>
        </myident>
        <encryption-algorithm>3des</encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>xxxxx</pre-shared-key>
        <private-key/>
        <cert/>
        <peercert/>
        <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <encryption-algorithm-option>blowfish</encryption-algorithm-option>
        <encryption-algorithm-option>cast128</encryption-algorithm-option>
        <encryption-algorithm-option>rijndael</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </p2>
    <descr>VPN Lille to Cachan</descr>
</tunnel>

And finally my IpCop ipsec.conf file content:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug="raw crypt parsing emitting control klips dns nat_t "
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/255.255.255.0,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.11.0/24

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn LilleCachan
        left=gw1-IP
        leftnexthop=%defaultroute
        leftsubnet=192.168.10.0/24
        right=gw2-IP
        rightsubnet=192.168.11.0/24
        rightnexthop=%defaultroute
        ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
        ikelifetime=1h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        pfs=yes
        authby=secret
        auto=start

Hope anyone can give me a little help, I'm close to being desperate... :p

Regards.
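racoon reports "failed to get sainfo" when the phase 2 identities the peer proposes (the IDci2/IDcr2 lines in the log) match no configured sainfo, so a quick way to debug such a post is to decode those ID payloads and compare them with the tunnel's local and remote subnets. The following is an added example, not code from the post or from m0n0wall/IPCop; the hex strings are copied from the log above, the remote subnet from the posted m0n0wall config, and the local subnet (the `lan` network, whose numeric value is not in the post) is assumed to be IPCop's `rightsubnet`.

```python
import ipaddress

# ISAKMP ID payload bodies exactly as racoon printed them in the post
# ("received IDci2:" and "received IDcr2:").
IDCI_HEX = "04000000 c0a80a00 ffffff00"
IDCR_HEX = "04000000 c0a80b00 ffffff00"

# Phase 2 selectors of the responder (m0n0wall) as posted.
MONOWALL_REMOTE = "192.168.0.0/24"   # <remote-subnet> from the <tunnel> block
MONOWALL_LOCAL = "192.168.11.0/24"   # assumption: <network>lan</network> == IPCop rightsubnet

ID_IPV4_ADDR_SUBNET = 4  # ISAKMP identification type (RFC 2407)


def decode_id_payload(hexdump):
    """Decode a racoon hex dump of an ISAKMP ID payload body.

    Layout: 1 byte ID type, 1 byte protocol id, 2 bytes port, then for
    ID_IPV4_ADDR_SUBNET a 4-byte address followed by a 4-byte mask.
    """
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    id_type = raw[0]
    if id_type != ID_IPV4_ADDR_SUBNET or len(raw) != 12:
        raise ValueError(f"unsupported ID type {id_type} / length {len(raw)}")
    addr = ipaddress.IPv4Address(raw[4:8])
    mask = ipaddress.IPv4Address(raw[8:12])
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def check_sainfo(idci_hex, idcr_hex, local, remote):
    """Mimic the responder's sainfo lookup: the initiator's client ID (IDci)
    must equal our remote subnet and the responder's client ID (IDcr) must
    equal our local subnet. Returns a list of mismatch descriptions; an
    empty list means a sainfo would have been found."""
    peer_src = decode_id_payload(idci_hex)
    peer_dst = decode_id_payload(idcr_hex)
    problems = []
    if peer_src != ipaddress.IPv4Network(remote):
        problems.append(f"peer proposes {peer_src} but remote-subnet is {remote}")
    if peer_dst != ipaddress.IPv4Network(local):
        problems.append(f"peer proposes {peer_dst} but local subnet is {local}")
    return problems


if __name__ == "__main__":
    for problem in check_sainfo(IDCI_HEX, IDCR_HEX, MONOWALL_LOCAL, MONOWALL_REMOTE):
        print("sainfo mismatch:", problem)
```

Run against the values from the post, the check flags that IPCop proposes 192.168.10.0/24 while the m0n0wall tunnel's remote-subnet is 192.168.0.0/24.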