-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm afraid I don't get the point... I'd say I have the same configuration, as far as I know... I just have more options enabled on the IpCop side, I mean I just put in various encryption methods.

I also have this line in the m0n0wall log:

    racoon: INFO: ISAKMP-SA established 192.168.1.21[500]-gw1-IP[500]

which makes me think that the current setup is not totally wrong.

If you could be a little more explicit I would much appreciate it.

Thanks for your help!

Regards.

Andreas Ferrari wrote:
> Hi Alexandre
>
> You need the same settings on both sides...
>
> regards
>
> Andreas
>
>
> Alexandre Moles wrote:
>> Hi,
>>
>> I'm having trouble getting my vpn tunnel working between IpCop and m0n0wall.
>>
>> I replaced the real public IP addresses in the following log and conf files by:
>> - gw1-IP : ipcop
>> - gw2-IP : m0n0wall
>>
>> Here are my log entries:
>>
>> Jun 1 13:09:02 gwlille racoon: DEBUG: ===
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 380 bytes message received from gw1-IP[500] to 192.168.1.21[500]
>> Jun 1 13:09:02 gwlille racoon: DEBUG:
>>   39d1bda3 6ec86020 63c5ad87 179f2eea 08102001 493a1c7d 0000017c 85d719bd
>>   50ded177 0feb9237 79313960 89d60cef 2cf01604 5443a4e9 784489b3 bce5c39f
>>   ae02a4ce 2b0987d5 1ba2d23e 56459223 934114b8 c9575063 2abd41fd 036caf8b
>>   0831db96 9995dad2 b976e1d3 5963b521 0ae63e67 c71029bd ce5df477 c305b6fe
>>   5812ab1a 808d0560 bd66a104 1492a02d 0dfa093b de15b7fd 7885157e 7402e5f3
>>   645491e5 7bbb5cd8 15c9bb89 4f65cc27 dd37b154 93b47121 28723cf0 b0c185d3
>>   19103d5c 98338d37 a8b7f5a8 c1c158cf e1dca579 d02786ff 0794c7ec cd0f6719
>>   1bb249a2 ed88cc92 f3f7152f fe5fac29 bd1a3c87 fe85711d fefe921a 0326eab0
>>   1f6a7e2c 4f9b5c85 b7747b62 657e7de4 659a0778 ef3ffd8b 62040f6f d0ca45c0
>>   2e64661e 21124717 24cedae3 4555e3cf 36311e4b 34de1541 70fbde91 aa7b613b
>>   095f53a3 7c2b2032 91bb61e4 6a4567f9 867a9d6c 56f210a9 ac5c6b18 8078bb7b
>>   378760f0 93ad56ec 400710d0 05407718 7a2bd246 375d80af e531b902
>> Jun 1 13:09:02 gwlille racoon: DEBUG: compute IV for phase2
>> Jun 1 13:09:02 gwlille racoon: DEBUG: phase1 last IV:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: e172b86f 339e2314 493a1c7d
>> Jun 1 13:09:02 gwlille racoon: DEBUG: hash(sha1)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: phase2 IV computed:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 47a65389 711cf00d
>> Jun 1 13:09:02 gwlille racoon: DEBUG: ===
>> Jun 1 13:09:02 gwlille racoon: INFO: respond new phase 2 negotiation: 192.168.1.21[0]<=>gw1-IP[0]
>> Jun 1 13:09:02 gwlille racoon: DEBUG: begin decryption.
>> Jun 1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: IV was saved for next processing:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 375d80af e531b902
>> Jun 1 13:09:02 gwlille racoon: DEBUG: encryption(3des)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: with key:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 11cd0d70 7b7b466c ec236276 b63f68b7 98c45ea2 f3379b3c
>> Jun 1 13:09:02 gwlille racoon: DEBUG: decrypted payload by IV:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 47a65389 711cf00d
>> Jun 1 13:09:02 gwlille racoon: DEBUG: decrypted payload, but not trimed.
>> Jun 1 13:09:02 gwlille racoon: DEBUG:
>>   01000018 dd6ccc1e 63ee64ea 794659e4 e5f8c14d 587814f5 0a000090 00000001
>>   00000001 00000084 00030404 df6b5fd5 03000020 000c0000 80030002 80040001
>>   80010001 80027080 80050002 80060080 03000020 010c0000 80030002 80040001
>>   80010001 80027080 80050001 80060080 0300001c 02030000 80030002 80040001
>>   80010001 80027080 80050002 0000001c 03030000 80030002 80040001 80010001
>>   80027080 80050001 04000014 8e1fafb6 d6034640 1a6acec0 38641da7 05000084
>>   9e26b4d9 7397da6a 79ff67ff d063d121 1fac571f e46f2f53 f3f5e34d c98aa0cf
>>   554cb85f d7dffbf5 bf43f647 a3eb9706 8ccdda95 26e48daa 2dcdd25c 6b4e7a58
>>   811808e3 301c6732 f1e53fa5 4f03fb78 10e4650d c95505ad 3084faad aa836f61
>>   59cbf060 f0582693 7db5ee14 bcef994e 0b6f7514 c31ff3f4 36387e35 5ce9bff5
>>   05000010 04000000 c0a80a00 ffffff00 00000010 04000000 c0a80b00 ffffff00
>> Jun 1 13:09:02 gwlille racoon: DEBUG: padding len=1
>> Jun 1 13:09:02 gwlille racoon: DEBUG: skip to trim padding.
>> Jun 1 13:09:02 gwlille racoon: DEBUG: decrypted.
>> Jun 1 13:09:02 gwlille racoon: DEBUG:
>>   39d1bda3 6ec86020 63c5ad87 179f2eea 08102001 493a1c7d 0000017c 01000018
>>   dd6ccc1e 63ee64ea 794659e4 e5f8c14d 587814f5 0a000090 00000001 00000001
>>   00000084 00030404 df6b5fd5 03000020 000c0000 80030002 80040001 80010001
>>   80027080 80050002 80060080 03000020 010c0000 80030002 80040001 80010001
>>   80027080 80050001 80060080 0300001c 02030000 80030002 80040001 80010001
>>   80027080 80050002 0000001c 03030000 80030002 80040001 80010001 80027080
>>   80050001 04000014 8e1fafb6 d6034640 1a6acec0 38641da7 05000084 9e26b4d9
>>   7397da6a 79ff67ff d063d121 1fac571f e46f2f53 f3f5e34d c98aa0cf 554cb85f
>>   d7dffbf5 bf43f647 a3eb9706 8ccdda95 26e48daa 2dcdd25c 6b4e7a58 811808e3
>>   301c6732 f1e53fa5 4f03fb78 10e4650d c95505ad 3084faad aa836f61 59cbf060
>>   f0582693 7db5ee14 bcef994e 0b6f7514 c31ff3f4 36387e35 5ce9bff5 05000010
>>   04000000 c0a80a00 ffffff00 00000010 04000000 c0a80b00 ffffff00
>> Jun 1 13:09:02 gwlille racoon: DEBUG: begin.
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=8(hash)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=1(sa)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=10(nonce)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=4(ke)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: seen nptype=5(id)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: succeed.
>> Jun 1 13:09:02 gwlille racoon: DEBUG: received IDci2:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 04000000 c0a80a00 ffffff00
>> Jun 1 13:09:02 gwlille racoon: DEBUG: received IDcr2:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: 04000000 c0a80b00 ffffff00
>> Jun 1 13:09:02 gwlille racoon: DEBUG: HASH(1) validate:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: dd6ccc1e 63ee64ea 794659e4 e5f8c14d 587814f5
>> Jun 1 13:09:02 gwlille racoon: DEBUG: HASH with:
>> Jun 1 13:09:02 gwlille racoon: DEBUG:
>>   493a1c7d 0a000090 00000001 00000001 00000084 00030404 df6b5fd5 03000020
>>   000c0000 80030002 80040001 80010001 80027080 80050002 80060080 03000020
>>   010c0000 80030002 80040001 80010001 80027080 80050001 80060080 0300001c
>>   02030000 80030002 80040001 80010001 80027080 80050002 0000001c 03030000
>>   80030002 80040001 80010001 80027080 80050001 04000014 8e1fafb6 d6034640
>>   1a6acec0 38641da7 05000084 9e26b4d9 7397da6a 79ff67ff d063d121 1fac571f
>>   e46f2f53 f3f5e34d c98aa0cf 554cb85f d7dffbf5 bf43f647 a3eb9706 8ccdda95
>>   26e48daa 2dcdd25c 6b4e7a58 811808e3 301c6732 f1e53fa5 4f03fb78 10e4650d
>>   c95505ad 3084faad aa836f61 59cbf060 f0582693 7db5ee14 bcef994e 0b6f7514
>>   c31ff3f4 36387e35 5ce9bff5 05000010 04000000 c0a80a00 ffffff00 00000010
>>   04000000 c0a80b00 ffffff00
>> Jun 1 13:09:02 gwlille racoon: DEBUG: hmac(hmac_sha1)
>> Jun 1 13:09:02 gwlille racoon: DEBUG: HASH computed:
>> Jun 1 13:09:02 gwlille racoon: DEBUG: dd6ccc1e 63ee64ea 794659e4 e5f8c14d 587814f5
>> Jun 1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
>> Jun 1 13:09:02 gwlille racoon: ERROR: failed to get sainfo.
>> Jun 1 13:09:02 gwlille racoon: ERROR: failed to pre-process packet.
>>
>> My tunnel conf on m0n0wall:
>>
>> <tunnel>
>>   <interface>wan</interface>
>>   <local-subnet>
>>     <network>lan</network>
>>   </local-subnet>
>>   <remote-subnet>192.168.0.0/24</remote-subnet>
>>   <remote-gateway>gw1-IP</remote-gateway>
>>   <p1>
>>     <mode>main</mode>
>>     <myident>
>>       <address>gw2-IP</address>
>>     </myident>
>>     <encryption-algorithm>3des</encryption-algorithm>
>>     <hash-algorithm>sha1</hash-algorithm>
>>     <dhgroup>2</dhgroup>
>>     <lifetime>28800</lifetime>
>>     <pre-shared-key>xxxxx</pre-shared-key>
>>     <private-key/>
>>     <cert/>
>>     <peercert/>
>>     <authentication_method>pre_shared_key</authentication_method>
>>   </p1>
>>   <p2>
>>     <protocol>esp</protocol>
>>     <encryption-algorithm-option>3des</encryption-algorithm-option>
>>     <encryption-algorithm-option>blowfish</encryption-algorithm-option>
>>     <encryption-algorithm-option>cast128</encryption-algorithm-option>
>>     <encryption-algorithm-option>rijndael</encryption-algorithm-option>
>>     <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>>     <hash-algorithm-option>hmac_md5</hash-algorithm-option>
>>     <pfsgroup>0</pfsgroup>
>>     <lifetime>28800</lifetime>
>>   </p2>
>>   <descr>VPN Lille to Cachan</descr>
>> </tunnel>
>>
>> And finally my IpCop ipsec.conf file content:
>>
>> config setup
>>     interfaces=%defaultroute
>>     klipsdebug=none
>>     plutodebug="raw crypt parsing emitting control klips dns nat_t "
>>     plutoload=%search
>>     plutostart=%search
>>     uniqueids=yes
>>     nat_traversal=yes
>>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/255.255.255.0,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.11.0/24
>>
>> conn %default
>>     keyingtries=0
>>     disablearrivalcheck=no
>>
>> conn LilleCachan
>>     left=gw1-IP
>>     leftnexthop=%defaultroute
>>     leftsubnet=192.168.10.0/24
>>     right=gw2-IP
>>     rightsubnet=192.168.11.0/24
>>     rightnexthop=%defaultroute
>>     ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
>>     esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
>>     ikelifetime=1h
>>     keylife=8h
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=restart
>>     pfs=yes
>>     authby=secret
>>     auto=start
>>
>> Hope anyone can give me a little help, I'm close to being desperate... :p
>>
>> Regards.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

--
Groupe Awak'iT

Alexandre Moles
R&D Engineer
Tel: +33 1 58 68 22 51 - Mob: +33 6 84 26 84 37 - Fax: +33 1 58 68 22 23

Groupe Awak'iT - 21 rue Paul Lafargue - 94270 Le Kremlin-Bicêtre
Switchboard: +33 1 58 68 22 22 - vous êtes bienvenus at awakit dot net

<http://www.awakit.net/signatures/actu1.html>
<http://www.awakit.net/signatures/actu2.html>
<http://www.awakit.net/signatures/actu3.html>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEft6/XW1HhtcYan4RAlnqAKDNSWfWIoTLDyOviTw0oK+z/MXQWgCdEs8C
HvTJg6nmLGBhfBvtlDmpiVo=
=QFGz
-----END PGP SIGNATURE-----