[ previous ] [ next ] [ threads ]
 
 From:  m0n0wall query <mickmail40 dash m0n0wall at yahoo dot co dot uk>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  mismatched ID was returned
 Date:  Fri, 22 Sep 2006 00:14:05 +0000 (GMT)
Hi,
 
I am running version 1.21 m0n0wall on a soekris box.
I have a new customer that we want to establish a test connection with.
 
They have a CISCO 2000.
 
I get the following
 
 
racoon: INFO: IPsec-SA request for <their IP> queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: MyIP[500]<=>Their IP[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
racoon: INFO: received Vendor ID: DPD
racoon: INFO: ISAKMP-SA established MyIP[500]-TheirIP[500] spi:90d912cb8576398f:ed32c3530b4b9ce0
racoon: INFO: initiate new phase 2 negotiation: MyIP[0]<=>theirIP[0]
racoon: ERROR: mismatched ID was returned.
racoon: ERROR: failed to pre-process packet.
racoon: ERROR: phase2 negotiation failed

The Diagnostics IPSEC SAD screen shows Source TheirIP, Destination MyIP is active.

I have the following configured
Interface: WAN
Local subnet: Network 172.20.12.5/30 (This is my opt1 link)
Remote Subnet: 193.111.82.89/29
Remote Gateway: their IPAddress
Negotiation Mode: Main
My Identifier: My IP Address
Encryption: 3DES
Hash algorithm: MD5
DHKey Group: 2
Lifetime: not specified
Pre-Shared Key: confirmed OK
protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1, MD5
PFS Key Group: off
LifeTime: not specified.
 
If I change the Remote IP Address or mask, phase 1 fails, so I assume these are correct.
Is the mismatched ID something to do with my local subnet and what has been specified on their side?
Is there any way of seeing what ID was actually sent?
 
Any advice would be much appreciated.

Thanks,

Mick