 
 From:  Andreas Ferrari <aferrari at stasoft dot ch>
 To:  Alexandre Moles <alexandre dot moles at awakit dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall and IpCop IPSec teunnel
 Date:  Thu, 01 Jun 2006 14:07:44 +0200
Hi Alexandre

You need the same settings on both sides...

regards

Andreas


Alexandre Moles wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Hi,
> 
> I'm having trouble getting my vpn tunnel working between IpCop and
> m0n0wall.
> 
> I replaced the real public IP addresses in the following log and conf
> files by:
>     - gw1-IP : ipcop
>     - gw2-IP : m0n0wall
> 
> Here are my log entries:
> 
> Jun  1 13:09:02 gwlille racoon: DEBUG: ===
> Jun  1 13:09:02 gwlille racoon: DEBUG: 380 bytes message received from
> gw1-IP[500] to 192.168.1.21[500]
> Jun  1 13:09:02 gwlille racoon: DEBUG:  39d1bda3 6ec86020 63c5ad87
> 179f2eea 08102001 493a1c7d 0000017c 85d719bd 50ded177 0feb9237
> 79313960 89d60cef 2cf01604 5443a4e9 784489b3 bce5c39f ae02a4ce
> 2b0987d5 1ba2d23e 56459223 934114b8 c9575063 2abd41fd 036caf8b
> 0831db96 9995dad2 b976e1d3 5963b521 0ae63e67 c71029bd ce5df477
> c305b6fe 5812ab1a 808d0560 bd66a104 1492a02d 0dfa093b de15b7fd
> 7885157e 7402e5f3 645491e5 7bbb5cd8 15c9bb89 4f65cc27 dd37b154
> 93b47121 28723cf0 b0c185d3 19103d5c 98338d37 a8b7f5a8 c1c158cf
> e1dca579 d02786ff 0794c7ec cd0f6719 1bb249a2 ed88cc92 f3f7152f
> fe5fac29 bd1a3c87 fe85711d fefe921a 0326eab0 1f6a7e2c 4f9b5c85
> b7747b62 657e7de4 659a0778 ef3ffd8b 62040f6f d0ca45c0 2e64661e
> 21124717 24cedae3 4555e3cf 36311e4b 34de1541 70fbde91 aa7b613b
> 095f53a3 7c2b2032 91bb61e4 6a4567f9 867a9d6c 56f210a9 ac5c6b18
> 8078bb7b 378760f0 93ad56ec 400710d0 05407718 7a2bd246 375d80af e531b902
> Jun  1 13:09:02 gwlille racoon: DEBUG: compute IV for phase2
> Jun  1 13:09:02 gwlille racoon: DEBUG: phase1 last IV:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  e172b86f 339e2314 493a1c7d
> Jun  1 13:09:02 gwlille racoon: DEBUG: hash(sha1)
> Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
> Jun  1 13:09:02 gwlille racoon: DEBUG: phase2 IV computed:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  47a65389 711cf00d
> Jun  1 13:09:02 gwlille racoon: DEBUG: ===
> Jun  1 13:09:02 gwlille racoon: INFO: respond new phase 2 negotiation:
> 192.168.1.21[0]<=>gw1-IP[0]
> Jun  1 13:09:02 gwlille racoon: DEBUG: begin decryption.
> Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
> Jun  1 13:09:02 gwlille racoon: DEBUG: IV was saved for next processing:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  375d80af e531b902
> Jun  1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
> Jun  1 13:09:02 gwlille racoon: DEBUG: with key:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  11cd0d70 7b7b466c ec236276
> b63f68b7 98c45ea2 f3379b3c
> Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted payload by IV:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  47a65389 711cf00d
> Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted payload, but not trimed.
> Jun  1 13:09:02 gwlille racoon: DEBUG:  01000018 dd6ccc1e 63ee64ea
> 794659e4 e5f8c14d 587814f5 0a000090 00000001 00000001 00000084
> 00030404 df6b5fd5 03000020 000c0000 80030002 80040001 80010001
> 80027080 80050002 80060080 03000020 010c0000 80030002 80040001
> 80010001 80027080 80050001 80060080 0300001c 02030000 80030002
> 80040001 80010001 80027080 80050002 0000001c 03030000 80030002
> 80040001 80010001 80027080 80050001 04000014 8e1fafb6 d6034640
> 1a6acec0 38641da7 05000084 9e26b4d9 7397da6a 79ff67ff d063d121
> 1fac571f e46f2f53 f3f5e34d c98aa0cf 554cb85f d7dffbf5 bf43f647
> a3eb9706 8ccdda95 26e48daa 2dcdd25c 6b4e7a58 811808e3 301c6732
> f1e53fa5 4f03fb78 10e4650d c95505ad 3084faad aa836f61 59cbf060
> f0582693 7db5ee14 bcef994e 0b6f7514 c31ff3f4 36387e35 5ce9bff5
> 05000010 04000000 c0a80a00 ffffff00 00000010 04000000 c0a80b00 ffffff00
> Jun  1 13:09:02 gwlille racoon: DEBUG: padding len=1
> Jun  1 13:09:02 gwlille racoon: DEBUG: skip to trim padding.
> Jun  1 13:09:02 gwlille racoon: DEBUG: decrypted.
> Jun  1 13:09:02 gwlille racoon: DEBUG:  39d1bda3 6ec86020 63c5ad87
> 179f2eea 08102001 493a1c7d 0000017c 01000018 dd6ccc1e 63ee64ea
> 794659e4 e5f8c14d 587814f5 0a000090 00000001 00000001 00000084
> 00030404 df6b5fd5 03000020 000c0000 80030002 80040001 80010001
> 80027080 80050002 80060080 03000020 010c0000 80030002 80040001
> 80010001 80027080 80050001 80060080 0300001c 02030000 80030002
> 80040001 80010001 80027080 80050002 0000001c 03030000 80030002
> 80040001 80010001 80027080 80050001 04000014 8e1fafb6 d6034640
> 1a6acec0 38641da7 05000084 9e26b4d9 7397da6a 79ff67ff d063d121
> 1fac571f e46f2f53 f3f5e34d c98aa0cf 554cb85f d7dffbf5 bf43f647
> a3eb9706 8ccdda95 26e48daa 2dcdd25c 6b4e7a58 811808e3 301c6732
> f1e53fa5 4f03fb78 10e4650d c95505ad 3084faad aa836f61 59cbf060
> f0582693 7db5ee14 bcef994e 0b6f7514 c31ff3f4 36387e35 5ce9bff5
> 05000010 04000000 c0a80a00 ffffff00 00000010 04000000 c0a80b00 ffffff00
> Jun  1 13:09:02 gwlille racoon: DEBUG: begin.
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=8(hash)
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=1(sa)
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=10(nonce)
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=4(ke)
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
> Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
> Jun  1 13:09:02 gwlille racoon: DEBUG: succeed.
> Jun  1 13:09:02 gwlille racoon: DEBUG: received IDci2:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80a00 ffffff00
> Jun  1 13:09:02 gwlille racoon: DEBUG: received IDcr2:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80b00 ffffff00
> Jun  1 13:09:02 gwlille racoon: DEBUG: HASH(1) validate:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  dd6ccc1e 63ee64ea 794659e4
> e5f8c14d 587814f5
> Jun  1 13:09:02 gwlille racoon: DEBUG: HASH with:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  493a1c7d 0a000090 00000001
> 00000001 00000084 00030404 df6b5fd5 03000020 000c0000 80030002
> 80040001 80010001 80027080 80050002 80060080 03000020 010c0000
> 80030002 80040001 80010001 80027080 80050001 80060080 0300001c
> 02030000 80030002 80040001 80010001 80027080 80050002 0000001c
> 03030000 80030002 80040001 80010001 80027080 80050001 04000014
> 8e1fafb6 d6034640 1a6acec0 38641da7 05000084 9e26b4d9 7397da6a
> 79ff67ff d063d121 1fac571f e46f2f53 f3f5e34d c98aa0cf 554cb85f
> d7dffbf5 bf43f647 a3eb9706 8ccdda95 26e48daa 2dcdd25c 6b4e7a58
> 811808e3 301c6732 f1e53fa5 4f03fb78 10e4650d c95505ad 3084faad
> aa836f61 59cbf060 f0582693 7db5ee14 bcef994e 0b6f7514 c31ff3f4
> 36387e35 5ce9bff5 05000010 04000000 c0a80a00 ffffff00 00000010
> 04000000 c0a80b00 ffffff00
> Jun  1 13:09:02 gwlille racoon: DEBUG: hmac(hmac_sha1)
> Jun  1 13:09:02 gwlille racoon: DEBUG: HASH computed:
> Jun  1 13:09:02 gwlille racoon: DEBUG:  dd6ccc1e 63ee64ea 794659e4
> e5f8c14d 587814f5
> Jun  1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
> Jun  1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
> Jun  1 13:09:02 gwlille racoon: ERROR: failed to pre-process packet.
> 
> My tunnel conf on m0n0wall :
> 
> <tunnel>
>             <interface>wan</interface>
>             <local-subnet>
>                 <network>lan</network>
>             </local-subnet>
>             <remote-subnet>192.168.0.0/24</remote-subnet>
>             <remote-gateway>gw1-IP</remote-gateway>
>             <p1>
>                 <mode>main</mode>
>                 <myident>
>                     <address>gw2-IP</address>
>                 </myident>
>                 <encryption-algorithm>3des</encryption-algorithm>
>                 <hash-algorithm>sha1</hash-algorithm>
>                 <dhgroup>2</dhgroup>
>                 <lifetime>28800</lifetime>
>                 <pre-shared-key>xxxxx</pre-shared-key>
>                 <private-key/>
>                 <cert/>
>                 <peercert/>
>                 <authentication_method>pre_shared_key</authentication_method>
>             </p1>
>             <p2>
>                 <protocol>esp</protocol>
>                 <encryption-algorithm-option>3des</encryption-algorithm-option>
>                 <encryption-algorithm-option>blowfish</encryption-algorithm-option>
>                 <encryption-algorithm-option>cast128</encryption-algorithm-option>
>                 <encryption-algorithm-option>rijndael</encryption-algorithm-option>
>                 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>                 <hash-algorithm-option>hmac_md5</hash-algorithm-option>
>                 <pfsgroup>0</pfsgroup>
>                 <lifetime>28800</lifetime>
>             </p2>
>             <descr>VPN Lille to Cachan</descr>
>         </tunnel>
> 
> And finally my IpCop ipsec.conf file content :
> 
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug="raw crypt parsing emitting control klips dns nat_t "
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/255.255.255.0,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.11.0/24
> 
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
> 
> 
> conn LilleCachan
>         left=gw1-IP
>         leftnexthop=%defaultroute
>         leftsubnet=192.168.10.0/24
>         right=gw2-IP
>         rightsubnet=192.168.11.0/24
>         rightnexthop=%defaultroute
>         ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
>         esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
>         ikelifetime=1h
>         keylife=8h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=yes
>         authby=secret
>         auto=start
> 
> I hope someone can give me a little help; I'm close to being desperate... :p
> 
> Regards.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>  
> iD8DBQFEfs4dXW1HhtcYan4RAkXAAJ0aJb7cHXcrVXwydejH1/dkIY+oNACfcBIk
> PS5JD4AcVd9sxJ56mJPV3TA=
> =korI
> -----END PGP SIGNATURE-----
> 
> 


-- 
STASOFT AG
P: +41 61 726 80 70
F: +41 61 726 80 79
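Andreas's answer ("the same settings on both sides") can be checked mechanically against what Alexandre posted. The script below is an added example, not code from m0n0wall, IPCop or either list participant: it decodes the two ISAKMP identification payloads racoon printed as "received IDci2" / "received IDcr2" (ID type 4 = ID_IPV4_ADDR_SUBNET: one byte type, one byte protocol, two bytes port, then a 4-byte address and a 4-byte mask, per RFC 2407), notes whether the initiator sent a KE payload in quick mode (which is how PFS shows up on the wire), and compares all of that with the subnets and PFS settings in the posted m0n0wall `<tunnel>` block and IPCop `conn`. The log lines and config fragments are copied from the post; the m0n0wall LAN subnet (192.168.11.0/24) is an assumption taken from the IPCop `rightsubnet=` line, because the m0n0wall config only says `<network>lan</network>`. All function and constant names are the example's own.

```python
"""Added example: compare the phase-2 identities in a racoon debug log with
the tunnel configuration on both sides.  Not m0n0wall or IPCop code."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Phase-2 part of the racoon log posted on the list (copied, then trimmed).
RACOON_LOG = """\
Jun  1 13:09:02 gwlille racoon: INFO: respond new phase 2 negotiation: 192.168.1.21[0]<=>gw1-IP[0]
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=8(hash)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=1(sa)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=10(nonce)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=4(ke)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
Jun  1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
Jun  1 13:09:02 gwlille racoon: DEBUG: received IDci2:
Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80a00 ffffff00
Jun  1 13:09:02 gwlille racoon: DEBUG: received IDcr2:
Jun  1 13:09:02 gwlille racoon: DEBUG:  04000000 c0a80b00 ffffff00
Jun  1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
"""

# The parts of the posted m0n0wall <tunnel> block that matter for phase 2.
M0N0WALL_TUNNEL = """\
<tunnel>
  <local-subnet><network>lan</network></local-subnet>
  <remote-subnet>192.168.0.0/24</remote-subnet>
  <p2><protocol>esp</protocol><pfsgroup>0</pfsgroup></p2>
</tunnel>
"""
M0N0WALL_LAN = "192.168.11.0/24"  # assumption: taken from IPCop's rightsubnet=

# The relevant lines of the posted IPCop ipsec.conf.
IPCOP_CONN = """\
conn LilleCachan
        leftsubnet=192.168.10.0/24
        rightsubnet=192.168.11.0/24
        pfs=yes
"""

ID_IPV4_ADDR_SUBNET = 4  # RFC 2407 section 4.6.2.1


def decode_id_payload(hexwords):
    """Decode an ISAKMP ID payload body as racoon dumps it (hex words).

    Layout: ID type (1 byte), protocol ID (1), port (2), then for
    ID_IPV4_ADDR_SUBNET a 4-byte address followed by a 4-byte netmask.
    """
    raw = bytes.fromhex("".join(hexwords))
    if raw[0] != ID_IPV4_ADDR_SUBNET:
        raise ValueError("unsupported ID type %d" % raw[0])
    addr = ipaddress.IPv4Address(raw[4:8])
    mask = ipaddress.IPv4Address(raw[8:12])
    # strict=False: a peer may send host bits set; we still want to see it.
    return ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False)


def parse_racoon_phase2(log):
    """Return (IDci, IDcr, pfs_requested) from the phase-2 part of a log.

    racoon prints 'received IDci2:' / 'received IDcr2:' and then one line of
    hex words.  A KE payload (nptype=4) inside quick mode means the initiator
    is negotiating PFS.
    """
    ids, pfs, in_phase2, want = {}, False, False, None
    for line in log.splitlines():
        msg = line.split("racoon: ", 1)[-1]
        if "phase 2 negotiation" in msg:
            in_phase2 = True
        if not in_phase2:
            continue
        if "seen nptype=4(ke)" in msg:
            pfs = True
        m = re.search(r"received ID(ci|cr)2:", msg)
        if m:
            want = m.group(1)
            continue
        if want and msg.startswith("DEBUG:  "):
            ids[want] = decode_id_payload(msg.split(":", 1)[1].split())
            want = None
    return ids["ci"], ids["cr"], pfs


def check_against_configs(log, m0n0_xml, m0n0_lan, ipcop_conn):
    """List settings where the wire and the two configs disagree.

    m0n0wall (racoon) is the responder here, so IDci is what IPCop calls
    leftsubnet and must equal m0n0wall's remote-subnet; IDcr is IPCop's
    rightsubnet and must equal the m0n0wall LAN.
    """
    idci, idcr, pfs_requested = parse_racoon_phase2(log)
    t = ET.fromstring(m0n0_xml)
    m0n0_remote = ipaddress.IPv4Network(t.findtext("remote-subnet"))
    m0n0_local = ipaddress.IPv4Network(m0n0_lan)
    m0n0_pfs = int(t.findtext("p2/pfsgroup")) != 0
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", ipcop_conn, re.M))
    findings = []
    if idci != m0n0_remote:
        findings.append("remote-subnet on m0n0wall is %s but the peer offered %s "
                        "(IPCop leftsubnet=%s)" % (m0n0_remote, idci, kv["leftsubnet"]))
    if idcr != m0n0_local:
        findings.append("m0n0wall LAN is %s but the peer asked for %s "
                        "(IPCop rightsubnet=%s)" % (m0n0_local, idcr, kv["rightsubnet"]))
    if pfs_requested != m0n0_pfs:
        findings.append("PFS: IPCop pfs=%s sends a KE payload, m0n0wall pfsgroup=%s"
                        % (kv.get("pfs"), t.findtext("p2/pfsgroup")))
    return findings


if __name__ == "__main__":
    for finding in check_against_configs(RACOON_LOG, M0N0WALL_TUNNEL, M0N0WALL_LAN, IPCOP_CONN):
        print("MISMATCH:", finding)
```

Run as-is it reports two disagreements visible in the thread: the m0n0wall `remote-subnet` (192.168.0.0/24) is not the subnet IPCop proposes as IDci (192.168.10.0/24), and IPCop's `pfs=yes` puts a KE payload into quick mode while the m0n0wall side has `pfsgroup` 0. To use it on a real tunnel, paste in the phase-2 portion of the racoon log (everything from "respond new phase 2 negotiation" onward) and the actual LAN subnet instead of the assumed one.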