 From:  Eric Boudrand <eric at boudrand dot net>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Wed, 26 Nov 2008 23:11:55 +0100
Hi,

> I've made some other detection: if the peer side starts the tunnel
> first I've got the following log entry:
> Nov 26 10:26:48 racoon: NOTIFY: the packet is retransmitted by
> x.x.x.x[500].
> Nov 26 10:26:38 racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02
> Nov 26 10:26:38 racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-03
> Nov 26 10:26:38 racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-07
> Nov 26 10:26:38 racoon: INFO: begin Identity Protection mode.
> Nov 26 10:26:38 racoon: INFO: respond new phase 1 negotiation:
> x.x.x.x[500]<=>x.x.x.x[500]
> 
> It looks like the peer didn't receive a needed packet from our side,
> right?

draft-ietf-ipsec-nat-t-ike-07... RFC 3947 was published in January
2005 and it is the reference document. The firmware of the Cisco does
not implement it. Anyway, those are details. There is no big difference
between this draft and the RFC. I think the remote gateway dropped the
response from racoon. You should take a look at the Cisco logs.

I do not like racoon logs because some basic information is missing. In
main mode you have 6 exchanges and in Quick Mode 3 exchanges. You can
very easily deduce a configuration error from the point at which the
negotiation failed. In this log, a packet is retransmitted in phase 1,
but which one? The packet with the Security Association payload (1st and
2nd exchanges)? Or the packet with the ID payload (5th and 6th exchanges)?
Is there a problem when using UDP port 4500 in the 5th and 6th exchanges?
I do not think it is a configuration issue, because it worked. The Cisco
logs will be helpful.

Regards.
-- 
Éric
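A small log triage helper for the point made above about locating the exchange at which the negotiation stalled, added here as an example and not part of the thread: it puts the pasted racoon lines back into chronological order, finds the furthest IKEv1 stage reached, and flags a peer retransmission after that stage as a sign that racoon's reply was lost on the way to the peer. Only the message wordings present in the quoted log are known from the thread; the later stage strings and the 192.0.2.x sample addresses are assumptions.

```python
import re
from datetime import datetime

# IKEv1 stage markers in the order racoon reports them; the first three substrings
# come from the quoted log, the rest are assumed wordings; numbering per RFC 2409 (main 6, quick 3).
STAGES = [
    ("new phase 1 negotiation", "main mode msg 1/6 received (peer SA proposal)"),
    ("begin Identity Protection mode", "main mode msg 1/6 accepted, our msg 2/6 due"),
    ("received Vendor ID", "main mode msg 1/6 parsed (NAT-T vendor IDs), our msg 2/6 due"),
    ("ISAKMP-SA established", "main mode msgs 3-6/6 done, phase 1 complete"),  # assumed wording
    ("new phase 2 negotiation", "quick mode msg 1/3 (IPsec proposal)"),       # assumed wording
    ("IPsec-SA established", "quick mode msg 3/3 done, tunnel up"),           # assumed wording
]
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (\w+): (.*)$")
# Constructed sample mirroring the quoted log (newest line first, as pasted);
# 192.0.2.x stands in for the addresses the poster redacted as x.x.x.x.
SAMPLE_LOG = """\
Nov 26 10:26:48 racoon: NOTIFY: the packet is retransmitted by 192.0.2.1[500].
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Nov 26 10:26:38 racoon: INFO: begin Identity Protection mode.
Nov 26 10:26:38 racoon: INFO: respond new phase 1 negotiation: 192.0.2.2[500]<=>192.0.2.1[500]
"""

def parse(lines):
    """Return (time, level, message) tuples sorted into chronological order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def diagnose(lines):
    """Furthest stage reached, plus whether the peer retransmitted after it (our reply was lost)."""
    reached, reached_at, retransmit_at = -1, None, None
    for ts, _level, msg in parse(lines):
        for idx, (needle, _desc) in enumerate(STAGES):
            if needle in msg and idx > reached:
                reached, reached_at = idx, ts
        if "retransmitted by" in msg and reached_at is not None and ts > reached_at:
            retransmit_at = ts
    if reached < 0:
        return {"stage": None, "verdict": "no racoon negotiation lines found"}
    verdict = "stalled after: " + STAGES[reached][1]
    if retransmit_at is not None:
        gap = int((retransmit_at - reached_at).total_seconds())
        verdict += f"; peer retransmitted {gap}s later, so our reply likely never reached it"
    return {"stage": reached, "verdict": verdict}
```

Run `diagnose(SAMPLE_LOG.splitlines())` to see the verdict for the quoted log; feed it the racoon lines of a different failed tunnel to find out whether it stalled on the SA, KE or ID exchange instead.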