 From:  Brian Lloyd <brian dash wb6rqn at lloyd dot com>
 To:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problem setting up IPSEC
 Date:  Sun, 13 Sep 2009 19:47:53 -0700
About a year ago I set up IPSEC between two systems running m0n0wall
1.3b15 (I think). Everything worked. For some reason I turned it off
(testing traffic coming through the firewall at the remote system I
think). When I tried to set it up again this week I am running into
problems.

The hardware at the near end is a WRAP.1e-2 board. The far end is a
Soekris net4511. Both boards are running 1.3b18. As far as I can tell,
until this problem everything was working just fine on both routers.

I am simply trying to tunnel the traffic between the two LAN subnets
through IPSEC. Both ends are configured the same, using Blowfish and
SHA1, with a pre-shared key and domain names as the identifiers.

The near-end machine (WRAP) claims to have a security association when
checking the diagnostic status. The far end machine does not. Looking
at the logs I see the following repeated on the near end machine:

----
Sep 13 19:34:24 racoon: INFO: initiate new phase 2 negotiation: 67.161.184.30[500]<=>67.159.139.125[500]
Sep 13 19:34:54 racoon: ERROR: 67.159.139.125 give up to get IPsec-SA due to time up to wait.
----

The far end machine (Soekris) OTOH shows the following repeated in the
log:

----
Sep 13 19:34:24 racoon: INFO: respond new phase 2 negotiation: 67.159.139.125[500]<=>67.161.184.30[500]
Sep 13 19:34:24 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:24 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:24 racoon: ERROR: failed to pre-process packet.
Sep 13 19:34:34 racoon: INFO: respond new phase 2 negotiation: 67.159.139.125[500]<=>67.161.184.30[500]
Sep 13 19:34:34 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:34 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:34 racoon: ERROR: failed to pre-process packet.
----

So it appears that the far-end machine is receiving the beginning of
the phase 2 negotiation but seems to be generating an error
internally.

I have put in a filter rule on both ends to allow inbound ESP packets
destined for the WAN interface just to be sure.

Can someone suggest the next step in debugging this?

Thanks in advance.
--

73 de Brian, WB6RQN/J79BPL
Brian Lloyd - brian HYPHEN wb6rqn AT lloyd DOT com
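The two log excerpts in the post already narrow the failure down: racoon logs "failed to get sainfo" on the responder when it cannot match the phase 2 identity payloads the initiator proposed (the two subnets) against any sainfo section in its own configuration, and the initiator's "give up to get IPsec-SA" is just the matching timeout. The following Python script is an added example, not code from the original post, from m0n0wall or from racoon: it reads both ends' logs (re-joining lines wrapped by a mail client), counts the phase 2 milestones each side logged, checks that the address pairs mirror each other, and turns that into a verdict plus the next thing to check. The log strings it matches are the ones racoon prints; the verdict names and the next-step wording are this example's own, and the sample logs are the excerpts from the post above.

```python
"""Triage racoon (IKEv1) phase 2 failures from the logs of both tunnel ends.

Added example, not part of the original post, m0n0wall or racoon. It matches
the strings racoon emits ("initiate/respond new phase 2 negotiation",
"failed to get sainfo", "give up to get IPsec-SA"); the verdict names and
next_step texts are this example's own invention.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: '
    r'(?P<level>[A-Z]+): (?P<msg>.*)$')
ADDR_PAIR = r'(?P<a>\d+\.\d+\.\d+\.\d+)\[\d+\]<=>(?P<b>\d+\.\d+\.\d+\.\d+)\[\d+\]'
INIT_RE = re.compile(r'initiate new phase 2 negotiation: ' + ADDR_PAIR)
RESP_RE = re.compile(r'respond new phase 2 negotiation: ' + ADDR_PAIR)
GIVEUP_RE = re.compile(r'\d+\.\d+\.\d+\.\d+ give up to get IPsec-SA')

# Sample input: the log excerpts from the post, kept in the wrapped form the
# mail client produced (continuation lines carry no timestamp).
NEAR_END_LOG = """\
Sep 13 19:34:24 racoon: INFO: initiate new phase 2 negotiation:
67.161.184.30[500]<=>67.159.139.125[500]
Sep 13 19:34:54 racoon: ERROR: 67.159.139.125 give up to get IPsec-SA
due to time up to wait.
"""
FAR_END_LOG = """\
Sep 13 19:34:24 racoon: INFO: respond new phase 2 negotiation:
67.159.139.125[500]<=>67.161.184.30[500]
Sep 13 19:34:24 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:24 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:24 racoon: ERROR: failed to pre-process packet.
Sep 13 19:34:34 racoon: INFO: respond new phase 2 negotiation:
67.159.139.125[500]<=>67.161.184.30[500]
Sep 13 19:34:34 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:34 racoon: ERROR: failed to get sainfo.
Sep 13 19:34:34 racoon: ERROR: failed to pre-process packet.
"""


def parse_log(text):
    """Return one {ts, level, msg} dict per racoon line. A line without a
    timestamp is a wrapped continuation and is glued onto the previous msg."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append({'ts': m['ts'], 'level': m['level'], 'msg': m['msg']})
        elif events:
            events[-1]['msg'] += ' ' + line
    return events


def summarize(events):
    """Count the phase 2 milestones one end logged and keep the address pair
    it printed (racoon prints local<=>peer on initiate and respond lines)."""
    s = {'initiated': 0, 'responded': 0, 'gave_up': 0, 'sainfo_failures': 0,
         'preprocess_failures': 0, 'local': None, 'peer': None}
    for e in events:
        msg = e['msg']
        m = INIT_RE.search(msg) or RESP_RE.search(msg)
        if m:
            s['initiated' if msg.startswith('initiate') else 'responded'] += 1
            s['local'], s['peer'] = m['a'], m['b']
        elif GIVEUP_RE.search(msg):
            s['gave_up'] += 1
        elif 'failed to get sainfo' in msg:
            s['sainfo_failures'] += 1
        elif 'failed to pre-process packet' in msg:
            s['preprocess_failures'] += 1
    return s


def triage(initiator_log, responder_log):
    """Combine both ends' summaries into a verdict and the next thing to check."""
    ini = summarize(parse_log(initiator_log))
    rsp = summarize(parse_log(responder_log))
    result = {'initiator': ini, 'responder': rsp}
    if ini['initiated'] and not rsp['responded']:
        result['verdict'] = 'phase2_not_reaching_responder'
        result['next_step'] = ('Responder never logs the quick-mode request: check '
                               'UDP/500 (UDP/4500 with NAT-T) between the WAN addresses.')
    elif rsp['sainfo_failures']:
        result['verdict'] = 'phase2_sainfo_mismatch'
        result['next_step'] = ('Responder has no sainfo for the proposed subnets: make '
                               'the far end local/remote subnets the exact mirror (prefix '
                               'length included) of the near end remote/local subnets, '
                               'then compare the phase 2 proposal. No ESP flows before '
                               'phase 2 succeeds, so the ESP filter rule is not the cause.')
    elif ini['gave_up']:
        result['verdict'] = 'phase2_timeout_unexplained'
        result['next_step'] = 'Raise the racoon log level on the responder and retry.'
    else:
        result['verdict'] = 'no_phase2_failure_seen'
        result['next_step'] = 'Nothing to act on in these lines.'
    # Each end prints local<=>peer, so the two pairs must mirror each other.
    result['addresses_consistent'] = (
        (ini['local'], ini['peer']) == (rsp['peer'], rsp['local']))
    return result


if __name__ == '__main__':
    r = triage(NEAR_END_LOG, FAR_END_LOG)
    print(r['verdict'])
    print(r['next_step'])
```

Run on the post's excerpts it reports phase2_sainfo_mismatch with consistent addresses, which is the case where the responder does receive the quick-mode request (so UDP/500 and the ESP rule are not the issue) but rejects it on policy; feeding it an empty responder log instead reports that the request is not reaching the responder at all.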